Policy on the protection of personal information of individuals working for Sphere
PURPOSE AND SCOPE OF APPLICATION
Sphere and its business units (“Sphere”) are committed to treating the personal information of persons who work for them in compliance with the Act respecting the protection of personal information in the private sector. This Policy on the Protection of Personal Information of Individuals Working for Sphere (“the Policy”) informs individuals working for Sphere of its practices with regard to the collection, use and communication of their personal information, as well as their rights in connection with their personal information.
This Policy applies to all individuals working for Sphere (the “Designated Individuals”) and its business partners.
DEFINITION OF “PERSONAL INFORMATION”
In this Policy, the term “personal information” refers to any information about a natural person that allows them to be identified, directly or indirectly.
COLLECTION OF PERSONAL INFORMATION
Sphere collects personal information about the Designated Individuals that is necessary for the management of its work relationship with them. Sphere may collect the following personal information about Designated Individuals:
- Identifiers and contact information, such as their name, e-mail and physical mail addresses, telephone number, government-issued identification (e.g., social insurance number, visa and passport information), work/residence permit.
- Demographic information, such as date of birth, gender, citizenship or medical records. In some cases, Sphere may collect demographic information (e.g., ethnic origin, sexual orientation) in connection with an equity, diversity and inclusion program, on a voluntary basis.
- Professional or employment-related information, such as job title and compensation history, work schedule and employment status, work experience, education, permits and other credentials, benefit and leave information, information relating to any problem or dispute that may arise, performance reports and appraisals, psychometric test results, disciplinary records, termination date and reasons (voluntary or involuntary and details) for termination.
- Financial information, such as that provided by Designated Individuals for payroll purposes (financial institution and bank account number) and information required to issue tax forms.
- Information about their emergency contacts, such as their names, their contact information and the nature of their relationship to the Designated Individual.
- Information that Sphere collects about the use made of the Internet, its networks, its devices and its premises, such as a device’s IP address (if it can be used to identify the Designated Individual) and identifier (e.g., if the Designated Individual logs on to Sphere’s Wi-Fi network). Sphere may collect information about Designated Individuals’ use of their work e-mail accounts, the Internet, Sphere’s computers, telephones and other devices to which they have access as part of their work, and their personal devices used in the course of their employment. Sphere may also collect video and still images by means of closed-circuit video cameras.
- Other information, such as that provided via the payroll system.
RETENTION AND DESTRUCTION OF PERSONAL INFORMATION
Sphere uses appropriate measures and controls to safeguard the Designated Individuals’ personal information. These measures include restricting physical access to Sphere’s offices and files, restricting unauthorized access, disclosure, use and mishandling of personal information in Sphere’s custody and control, storage of archival records with reliable third parties in secure facilities, and using firewalls, passwords and file encryption for online activity.
Sphere’s goal is to prevent any and all unauthorized access, loss, misuse, sharing or modification of the personal information in its possession. Sphere employs the same safeguards when deleting or destroying the Designated Individuals’ personal information.
Sphere endeavours to ensure that the personal information it holds is stored in Quebec or, where that is not possible, in Canada. However, information stored on the servers of Sphere’s service providers may be located in a country other than Canada and may therefore be subject to the laws of another country, including any law permitting access to such information by government authorities. Subject to such foreign laws, Sphere shall use contractual measures to the best of its ability to maintain safeguards that ensure protections for personal information at least equivalent to those applicable in Quebec.
Sphere retains the personal information of the Designated Individuals for only as long as is reasonably necessary for the fulfilment of the purpose for which it was collected, or as permitted or required by the Act respecting the protection of personal information in the private sector. Once it is no longer required, the personal information is securely destroyed or anonymized in compliance with said Act.
The following retention periods for personal information of Designated Individuals are considered reasonably necessary:
- In perpetuity for any document related to rights, copyright, neighbouring rights or any other rights necessary for the use of a work (e.g., contracts with authors, directors, performers).
- In perpetuity for any document certifying the Canadian origin of the productions and listing the contact details of key creative personnel.
- Seven (7) years following the end of the project for which the person worked for Sphere in the case of tax documents.
- Three (3) years following the end of the project for which the person was working for Sphere, in the case of all other personal information.
Sphere will implement this schedule of destruction or anonymization of personal information gradually until December 2028. Therefore, the personal information of Designated Individuals who worked for Sphere on projects or productions dating prior to September 1, 2023, may be retained for longer periods than those stated above.
USE OF PERSONAL INFORMATION
Sphere uses the personal information of the Designated Individuals for the purposes of managing its labour relations and for other legitimate purposes as outlined in this Policy, as well as for other purposes permitted under the Act respecting the protection of personal information in the private sector.
For example, Sphere may use the personal information of the Designated Individuals for the following purposes:
- To conduct staff administration, including verifying the identity of individuals working for Sphere, managing income taxes and social security, planning schedules and monitoring attendance and hours worked, setting up emergency contact information, and processing work-related requests from the Designated Individuals.
- To manage employee benefits, including determining the eligibility of persons working for Sphere and their dependents and beneficiaries.
- To manage payroll, medical benefits and leave.
- To assess performance, including making decisions about assignments, training, compensation and promotions.
- To take necessary measures to protect the health of Designated Individuals and ensure their safety as well as their physical and psychological integrity.
- To manage internal business operations, such as implementing disaster recovery, business continuity or similar emergency plans and procedures; conducting internal reviews, audits and investigations; and creating statistics and analytical tools for legitimate business purposes (e.g., improving Sphere’s business processes and workforce management).
- To prepare and manage work visa applications.
- To comply with legal and regulatory obligations or fulfil security requirements, and for fraud management purposes, including internal investigations, failure to perform duties, and breach of employment contract, including monitoring the use of Sphere’s information technology systems.
In addition to the purposes described above, Sphere may also collect the personal information of Designated Individuals for any other purpose, with their consent, when compelled to do so under the Act respecting the protection of personal information in the private sector.
Sphere may make the personal information of other Designated Individuals available to persons working for Sphere only to the extent necessary for the performance of those persons’ duties. Persons working for Sphere who have access to the personal information of other Designated Individuals must make sure to take appropriate measures and controls to protect such information. Persons working for Sphere shall not share, copy or use the personal information of other Designated Individuals for any purpose other than the performance of their duties.
COMMUNICATION OF PERSONAL INFORMATION
Sphere may also disclose the personal information of Designated Individuals to third parties for purposes outlined in this Policy and in other policies and notifications of Sphere, or as required or permitted by the Act respecting the protection of personal information in the private sector.
For example, Sphere may disclose the personal information of Designated Individuals to the following categories of third party:
- Government agencies that require access (e.g., to respond to employment insurance requests, as part of a subsidy or program application).
- Sphere’s service providers when necessary for the performance of a service contract that it entrusts to such providers. These services may include: audit services, information technology services, payroll administration services, human resources administration services, benefits provision and administration, or professional service firms such as law firms or accounting firms that provide professional services to Sphere. Sphere may disclose personal information of Designated Individuals to certain of its service providers located outside Quebec. Sphere shall enter into a written contract with any such provider, outlining the safeguards required to ensure the protection of the personal information of Designated Individuals, in compliance with the Act respecting the protection of personal information in the private sector.
- Third parties involved in verification of references or criminal records or where disclosure of personal information is contractually required by a client of Sphere.
- Third parties involved in a planned or concluded commercial transaction (e.g., purchase or sale of a company or assets, merger, financing operation) to which Sphere is a party, but only to the extent that the personal information is necessary for such transactions, in which case Sphere shall comply with applicable legal requirements when processing the personal information.
- Third parties required to enable the production or use of a work, and only to the extent deemed reasonable.
In addition, Sphere shall co-operate with the agencies tasked with enforcing the Act respecting the protection of personal information in the private sector and shall comply with any court order or law requiring the disclosure of personal information, without further notice to or consent of the Designated Individuals.
ACCURACY, ACCESS AND AMENDMENTS
Designated Individuals shall provide it with accurate and complete personal information, and shall promptly update their personal information held by Sphere after any change in such information.
The Designated Individuals may request information about, and access to, their personal information held by Sphere, and may request that their personal information be amended if it is inaccurate or incomplete, subject to various exceptions set out in the Act respecting the protection of personal information in the private sector (including instances where access must be denied so as to protect other persons and to protect privileged or confidential information of Sphere).
The Designated Individuals may also request further information about how Sphere treats their personal information, including which categories of individuals have access to their personal information held by Sphere and the retention period applicable to their information.
The Designated Individuals may address their requests for access to or amendment of personal information in writing to their manager or supervisor. Designated Individuals who are dissatisfied with the outcome of a request to a manager or supervisor may submit a formal access request directly to the Privacy Officer.
ROLES AND RESPONSIBILITIES OF STAFF MEMBERS THROUGHOUT THE PERSONAL INFORMATION LIFE CYCLE
All Designated Individuals who are provided with personal information in the course of their duties are responsible for maintaining the confidentiality of such information to the extent described in this Policy.
More specifically, the Executive Vice-President and Chief Legal Officer is Sphere’s Privacy Officer and is responsible for ensuring compliance with the Act respecting the protection of personal information in the private sector.
COMPLAINTS AND QUESTIONS
Designated Individuals who believe that their personal information has been used in violation of this Policy may raise the matter with their manager or supervisor. Designated Individuals who are dissatisfied with the outcome of a complaint or question may contact the Privacy Officer.
Any confidentiality incident involving personal information must be immediately reported to the Privacy Officer. A confidentiality incident includes the following situations:
- Access to personal information that is not authorized by law.
- Use of personal information that is not authorized by law.
- Disclosure of personal information that is not authorized by law.
- Loss of personal information or any other interference with its protection.
AMENDMENTS TO THIS POLICY
Sphere regularly reviews its policies and procedures, and may amend this Policy from time to time. This Policy, as amended from time to time, may be viewed at www.sphere-media.com/en/personal-information and on the employee portal.
In addition, Sphere will provide training on protection of privacy and information security to the Designated Individuals from time to time.