Last updated: February 8, 2020
Purpose
This document sets out CIIDRC’s policy regarding access to dispute records and information about disputes: who can access those records and what information in dispute records CIIDRC makes available to the public. The policy is intended to guide CIIDRC employees and panelists when they are dealing with requests for access to records related to a CIIDRC dispute.
CIIDRC’s objectives for this policy are to:
- Strike the appropriate balance between the competing policy goals of maintaining effective decision-making processes and protecting the privacy interests of the parties involved;
- Promote consensual resolution of disputes, by confirming the confidentiality of settlement discussions between the parties to a CIIDRC dispute; and
- Protect, to the extent reasonably possible, the privacy interests of third parties (e.g. witnesses), where the third parties’ personal information becomes part of CIIDRC records as a result of the dispute resolution process.
Application of this Policy
- This policy applies to all CIIDRC records stored and maintained by CIIDRC that are linked to a CIIDRC dispute (“dispute records”), regardless of the method by which the information was recorded or the media on which it is stored.
- This policy applies only to records that are in the care, custody or control of CIIDRC and does not apply to records in the care, custody or control of a party or a Panelist.
- This policy does not apply to a personal note, communication or draft decision made by a Panelist in the course of adjudicating a dispute.
- This policy does not apply to CIIDRC administrative records, financial management and personnel records that are subject to the Freedom of Information and Protection of Privacy Act (FIPPA).
Protecting Personal Information and Privacy
CIIDRC’s goal of providing effective decision-making processes must be balanced with parties’ reasonable expectations that their personal information will not be disclosed except where authorized and necessary to support the dispute resolution process. As a result, CIIDRC policy requires employees and panelists to protect personal information and to disclose it to third parties only when required by legislation, CIIDRC rules or a court order.
To the extent reasonably possible, CIIDRC:
- only includes personal information in notices, communications and decisions where there is an administrative or operational requirement to do so;
- takes steps to ensure that any notices and communications that contain personal information are delivered to the address provided by the recipient for that type of communication and that notices and communications are not misdirected to incorrect destinations;
- where disclosure is authorized by this Policy, only discloses as much personal information as is necessary to satisfy the request, the policy objectives outlined above, and the requirements of the UDRP and CIIDRC Rules; and
- where CIIDRC discloses information contrary to its policies, immediately takes steps to inform the proper recipients of the information and remedy the inadvertent disclosure.
Security and Storage of Case Records
Most information provided by parties during CIIDRC’s dispute resolution process is recorded electronically in the centre’s Dispute Resolution Portal (DRP) platform. CIIDRC also uses the DRP to generate some records and send them to the parties. The DRP operates on a virtual private server provided by FullHost.com. The FullHost servers are located in Vancouver, British Columbia with fail-over servers in Toronto, Ontario. Both the CIIDRC platform and the FullHost servers are subject to the highest possible levels of security for the data they store.
CIIDRC also uses other types of software (Word, Adobe Acrobat, Outlook) to create and distribute other records. These CIIDRC dispute records are stored locally on CIIDRC computers and shared through CIIDRC’s Local Area Network (LAN). CIIDRC also uses the LAN to store other records submitted by parties that cannot currently be recorded in DRP, including communications, evidence, submissions, request forms, etc. These records are stored in various electronic formats, including email, text files, Word, Adobe PDF, images, video, etc. Access to the documents is limited to employees and panelists authorized by CIIDRC.
CIIDRC requires that staff and panelists adhere to the following policies and procedures, so that dispute records are handled in a manner that ensures the security of the information in those records:
- Maintain the integrity and security of CIIDRC’s online systems, by adhering to policies, such as:
  - not sharing passwords;
  - viewing and downloading dispute records only where required for dispute resolution activities (e.g. by a Panelist for adjudication of the dispute);
  - using only secure methods (e.g. encrypted USBs) where it is necessary to download dispute information from DRP or a CIIDRC server;
- Disclose records and information only in accordance with this policy;
- Verify the accuracy of the intended recipient’s address or contact information in all communications, before the communications are finalized and sent;
- Require that temporary records caches or folders on personal computers or electronic devices are cleared regularly (at least weekly);
- Restrict access to CIIDRC’s physical records storage area to authorized persons only;
- Limit the disclosure and communication of dispute information or records to persons and circumstances authorized by this policy.
CIIDRC has taken the following steps to ensure adherence to these security precautions and this policy:
- Developing DRP functionality so that the system generates and sends most dispute communications, reducing the risk of human error that results in communication being sent to the wrong person;
- Creating procedures, together with associated checklists, that reduce the potential for inadvertent unauthorized disclosure of information (e.g. a required step that staff double-check contact information before sending correspondence);
- Providing employees with privacy, security and records management training that is tailored to the unique requirements of CIIDRC, as set out in this policy;
- Requiring that employees acknowledge, in writing, that they have read and understood this policy.