1.01 Golf Ontario Privacy Policy Golf Ontario is committed to maintaining your confidence and trust, and accordingly maintains the following privacy policy to protect personal information you provide. As part of our commitment to your privacy, we have adopted the ten principles based on the values set by the Canadian Standards Association’s Model Code for the Protection of Personal Information and Canada’s PIPEDA. 1. Accountability The personal information you provide is stored in a secure location, is accessible only by designated staff, and is used only for the purposes for which you provide the information. 2. Identifying Purposes The purposes for which personal information is collected shall be identified before or at the time the personal information is collected. 3. Consent Individual’s consent will be obtained for the collection, use or disclosure of personal information, and in order to communicate with an individual by commercial electronic messages, except where the law provides an exemption. Consent is never required as a condition of supplying a product or service, to the collection, use or disclosure of information beyond what is necessary to fulfill explicitly specified and legitimate purposes. 4. Limiting Collection The personal information we collect shall be limited only to that which is necessary for the purposes identified and will not be collected indiscrimately. 5. Limiting Use, Disclosure and Retention Personal information shall only be used or disclosed for the purposes for which it was collected, (e.g. direct mail of Ontario Golf Magazine) unless an individual has otherwise consented or when it is required or permitted by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes. 6. Accuracy We shall keep personal information as accurate, complete and up-to-date as may be necessary to fulfill the purposes for which it is to be used. 7. Safeguards We shall protect personal information using security safeguards that are appropriate to the sensitivity level of the personal information received. Privacy breaches will be managed according to the protocol set out in Appendix A. 8. Openness Golf Ontario will provide information to individuals about our policies and procedures relating to the management of personal information that is under our control. 9. Individual’s Access On written request to our Privacy Officer, an individual will be informed of the existence, use and disclosure of their personal information that is under our control, and may be given access to that personal information as required and permitted by law. Individuals are entitled to challenge the accuracy and completeness of that personal information and request that it be amended, if appropriate. Access Requests may be submitted using the form provided in Appendix C. 10. Handling Inquiries or Complaints Any questions or inquiries concerning compliance with our privacy policies and procedures may be addressed to our Privacy Officer, as set out below. Inquiries and Complaints may be submitted using the form provided in Appendix C. PRIVACY POLICY Golf Ontario – Privacy Policy Adopted from previous version dated February 2020 Board Approval: September 10, 2022 Page 2 of 7 Why we collect and use personal information Collecting personal information about you is essential to our being able to provide the services that best meet your needs. Personal information may be used to: • To measure the success of strategic or operational priorities • To determine eligibility for events, products or services • To process applications for members and provide requested information, products or services • To understand and assess member’s ongoing needs and offer products or services to meet those needs • For billing and accounting services related to our organization • For member communication, service and administration, including sending commercial electronic messages such as text messages and e-mails • For internal, external and regulatory audit purposes • To comply with legal and regulatory requirements Personal information may also be used for other purposes, subject to obtaining your prior consent for such use. Third Party Service Providers Golf Ontario may engage with third parties from time to time who process/store confidential personal information. Third parties performing services on our behalf must provide the same level of security safeguards as Golf Ontario itself provides. A list of current service providers is included in Appendix B. No Release of Information to Third Parties Personal information will not be released to third parties other than for the mailing of partnership golf publications and materials. There are no circumstances under which we will provide or sell personal information, including your email address, to third parties. Consent to use personal information may be obtained in various ways. We may obtain your express consent or we may determine that consent has been implied by the circumstances. Express consent could be in writing (for example in a signed consent, e-mail or application form), or verbally in person or over the telephone. When we receive personal information from you that enables us to provide you with requested services, your consent to allow us to deal with that personal information in a reasonable manner would be implied. Under Canada’s Anti-Spam Law, we may have implied consent to send you commercial electronic messages if there is an existing business relationship or an existing non-business relationship between Golf Ontario and yourself. If you need to provide personal information about other individuals (such as employees, dependants, etc.), you must obtain their consent for these purposes prior to your disclosure to us. Providing us with your personal information is always your choice. When you request services from us, we ask that you provide information that enables us to respond to your request. In doing so, you consent to our collection, use and disclosure of such personal information for these purposes. You also authorize us to use and retain this personal information for as long as it may be required for the purposes described above. Your consent remains valid even after the termination of our relationship with you, unless you provide us with written notice that such consent is withdrawn. By withdrawing your consent, or not providing it in the first place, you may limit or even prevent us from being able to provide you or an authorized third party (such as an employer) with the service desired. In certain circumstances, consent cannot be withdrawn. There are legal exceptions where we will not need to obtain consent or explain the purposes for collection, use or disclosure of personal information. For example, this exception would apply if there is an emergency that threatens the life, health or security of an individual, or if we must comply with a court order. Keeping information accurate and complete is essential. Having accurate information about you enables us to give you the best possible service. You have the right to access, verify and amend the information we have about you. We rely on you to keep us informed of any changes, such as a change of address, telephone number or any other circumstances – simply contact our office. Despite our best efforts, errors sometimes do occur. If you identify any personal information that is out of date, incorrect or incomplete, please let us know and we will make the corrections promptly and use every reasonable effort to communicate these changes to other parties who may have inadvertently received incorrect or out of date PRIVACY POLICY Golf Ontario – Privacy Policy Adopted from previous version dated February 2020 Board Approval: September 10, 2022 Page 3 of 7 information from us. Anti-Spam Policy Golf Ontario may use your personal information to send you commercial electronic messages, such as by email, text message or social media message. We will only send you electronic messages if you have provided us express consent or if consent can be implied under Canada’s Anti-Spam Law. All commercial electronic messages sent by us will comply with CASL, including the identification of the entity which sent the message and (if different) the entity on whose behalf the message is being sent, and we will include an unsubscribe mechanism that can be “readily performed.” At any time, you may opt out from receiving commercial electronic messages by using the unsubscribe mechanism in each message or by contacting Golf Ontario’s Privacy Officer. Privacy and the Internet Our server is not set up to track, collect or distribute personal information about its users. It does recognize the referring server of visitors, but not e-mail address or any personal information. For example, we can tell which Internet service Provider our visitors use, or what site they clicked in from, but not the names, addresses or other information about our visitors that would allow us to identify the particular visitors to our site. The Golf Ontario website may contain links to other third party sites that are not governed by this privacy policy. Although we endeavor to link only to sites with high privacy standards, our Privacy Policy will no longer apply once you leave this website (“gao.ca”). We are not responsible for privacy policies employed by other third parties or any foreign affiliates, since they would be governed by privacy legislation applicable in their country of residence. We suggest, therefore, that you examine the privacy statements of those sites to learn how personal information may be collected, used and/or disclosed. Contact Information Please contact our Privacy Officer to obtain further information about our policies and procedures or if you have any unresolved inquiries or concerns. Our Privacy Officer can be contacted as follows: Mail: Golf Ontario P.O. Box 970 Uxbridge, ON L9P 1N3 Attn: Privacy Officer Email: admin@gao.ca Fax: (905) 852-8893 Attn: Privacy Officer While Golf Ontario makes every effort to secure all communications within our control and on our premises, please be advised that no method of delivery is absolutely secure and any communication of personal information may be accidentally or deliberately intercepted by third parties. PRIVACY POLICY Golf Ontario – Privacy Policy Adopted from previous version dated February 2020 Board Approval: September 10, 2022 Page 4 of 7 APPENDIX A PROTOCOL FOR PRIVACY BREACHES 1. The Privacy Officer must report any breach of security safeguards involving personal information under Golf Ontario’s control if it is reasonable in the circumstances to believe that the breach of security safeguards creates a real risk of significant harm to an individual to the Ontario Privacy Commissioner (OPC) and the affected individuals. 2. Significant harm, as defined by the law, includes: bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property. 3. The Privacy Officer must complete a PIPEDA breach report form for these instances: : https://www.priv.gc.ca/en/report-a-concern/report-a-privacy-breach-at-your-organization/report-aprivacy-breach-at-your-business/ 4. A record of all such breaches must be kept for 2 years, including the following at minimum: • Assessment of classification as a “real risk of significant harm”; • Date or estimated date of the breach; • General description of the circumstances of the breach; • Nature of information involved in the breach; and • Whether or not the breach was reported to the Privacy Commissioner of Canada/individuals notified. APPENDIX B THIRD PARTY SERVICE PROVIDERS Golf Ontario engages the services of the following third parties who process/store confidential information: • Golf Genius (Tournament Registration) • Cognito LLC (Cognito Forms) • F1Tech Inc. (Computer Support and Service) • Golf Canada (Scorecentre) • SmartSheet Inc. (Collaboration and work management) • DocuSign (Digital document approval online tool) • Sterling Backcheck Canada Corp. (employee & volunteer background screening) • Better Impact Inc. (Volunteer management) • ADP (Payroll) • LA CRM (Member Facility & Clubs’ contact database) • Board Effect (Board Management Software)