Morley Companies, Inc. is a corporation incorporated under the laws of the State of Michigan, with its head office at One Morley Plaza, Saginaw, Michigan 48603 in the United States of America. When the term "Morley" is used in this policy, it means Morley Companies, Inc.
Morley is a group travel, business theater, interactive, research, performance improvement, exhibit, display and experiential marketing firm that operates on a domestic and international basis.
Morley complies with the U.S.-EU Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries. Morley has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Safe Harbor program, and to view Morley’s certification, please visit http://www.export.gov/safeharbor/
Morley is responsible for all personal information in its possession or custody, including information that has been transferred to it through any third party, such as an employer or medical practitioner assisting Morley and its client with a marketing research study. Morley is also responsible for all personal information that it provides to subcontractors and agents for processing to assist Morley in serving its clients. It is the responsibility of the Morley staff person proposing or supervising such activities to ensure that the written contract with the outside party will afford a comparable level of protection while the personal information is being processed by such third party.
Care shall be taken to select only contractors or third parties who can guarantee the technical and organizational requirements and security provisions necessary for the processing.
Morley's staff shall only have access to personal information on a need-to-know basis. See also Principle 5.
The purposes for which personal information is collected shall be identified by Morley before or at the time the information is collected. Morley shall also identify to the individual the classes of third parties to which the data may be transferred.
Morley staff shall collect and distribute personal information only as needed for the purposes of operating its business and administering client-related programs and projects including:
Morley generally uses such personal information to carry on its business and serve its customers as described above. If the business is transferred to a new owner, the personal information will also be transferred subject to the limitations of Principle 5.
The purposes for which a Morley staff person is collecting personal information shall be identified by the staff person at or before the time the information is collected. Only information that is necessary for the purposes that have been identified may be collected. The purposes for the collection, use and disclosure shall be communicated to the subject individual.
The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except as provided by law.
When acting as a service provider to another organization with respect to the collection, use or disclosure of personal information, a Morley staff person shall obtain and adhere to any form of consent previously obtained by such organization, subject to the relevant exceptions.
Morley may not, as a condition for the supply of a service or employment, for example, require an individual to consent to the collection, use or disclosure of personal information beyond what is reasonably necessary for such purposes. In particular, without limiting the generality of the foregoing statement, government identifiers, such as Social Security numbers, are not to be adopted by Morley for its own identification purposes, and individuals must always have the opportunity to refuse to provide such identifiers, except of course for the duly authorized purposes for which such identifiers were created.
The adequacy of the form of consent depends upon the circumstances and the type of information that is being collected. Generally speaking, the more sensitive the information (such as heath information or employment evaluations), the more explicit or manifest is the form of consent that is required. In obtaining consent, the reasonable expectations of the individual must also be taken into account. Consent shall not be obtained through deception.
In principle, the processing of personal data concerning racial and ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or details about the health or sexual orientation of the individual concerned based on implied consent is not permitted, except when the processing of this data is required or allowed by law, as these are particularly sensitive categories of personal information. Furthermore, processing of such sensitive categories of personal data is also permitted when it is necessary for the establishment, exercise, defense of legal claims or litigation, unless the legitimate interest of the individual to exclude the processing and usage of her or his personal data prevails. Otherwise, these sensitive data categories can also be processed if the data subject has given explicit consent.
An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. The individual shall be informed of the implications of such withdrawal. Morley staff shall ensure that individuals are provided with clear and conspicuous, readily available and affordable mechanisms in order to withdraw their consent. In all circumstances, individuals must have the opportunity to opt out any disclosure of personal information to third parties, even for the same purpose for which it was originally collected, or where Morley proposes to use the information for a purpose different from that for which the information was originally collected.
The collection of personal information shall be limited to that which is necessary for the purposes identified by Morley. The information shall be collected by fair and lawful means.
Personal information shall not be collected indiscriminately. Both the amount and the type of information collected shall be limited to that which is necessary to fulfill the purposes identified.
Personal information shall not be used or disclosed for purposes other than those for which the information was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
All disclosure to agents and subcontractors shall made in accordance with the terms set out under Principle 1 of this Policy.
Persons who have access to personal information shall only be those whose function and responsibility specifically include the handling of such personal information. The right of access is restricted according to the nature and scope of the individual function and responsibility.
Personal information that is no longer required to fulfill the identified purposes should be destroyed, erased or made anonymous.
Personal information shall be accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.
This is particularly important where the information is being used to make some evaluation or judgment about the individual, such as granting credit. The extent to which the personal information shall be accurate, complete and up-to-date will depend upon the use of the information taking into account the interests of the individual.
Personal information that is used on an ongoing basis, including information that is disclosed to third parties, should generally be accurate and up-to-date.
Where there are reasonable grounds for believing that the personal information is inaccurate having regard to the purpose for which it is to be used, the personal information shall not be used for such purpose unless the data is corrected or updated, otherwise the data shall be erased. If materially inaccurate data has been earlier disclosed to any third party, even with consent, the third party shall be informed of the subsequent determination and provided with particulars of any correction.
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification. The nature of the safeguards will vary according to the sensitivity of the information. Morley will monitor security developments and reassess the risks at regular intervals.
The methods of protection will include physical measures, organizational measures and technological measures. All personal information shall be handled on a "need-to-know" basis and each Morley staff person shall be responsible for the protection of the personal information used in his or her job function.
Morley shall regularly make all of its staff aware of the importance of maintaining the security of personal information.
Care shall be used in the disposal or destruction of personal information to prevent unauthorized parties from gaining access to the information.
Morley shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
Morley shall be open about its policies and practices with respect to the management of personal information. Individuals shall be able to acquire information about Morley's policies and practices without unreasonable effort. This information shall be made available in a form that is generally understandable.
The information made available must include:
Specifically on or before the collection of any personal information, the individual must be informed of the items in a, b, c, f and g. See also Principle 2.
This information is also to be made available on the Web site.
Upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Before granting an individual access to the personal information, a Morley staff person must consult the Chief Privacy Officer or that person's delegate. There are restrictions on the grant of access in national laws, and in Schedule "B" where access would reveal personal information about a third party that cannot be severed from the information about the individual making the request, and in certain other circumstances there needs to be notification of governmental institutions before release.
Access may also be refused where the information is protected by solicitor-client privilege; where revealing the information would also reveal confidential commercial information; where revealing the information could reasonably be expected to threaten the life or security of another individual; if the information was collected during an investigation of a breach of an agreement or a contravention of the laws of a specific country on the reasonable expectation that the knowledge or consent of the individual would compromise the availability or accuracy of the information; or where the information was generated in the course of a formal dispute resolution process.
Upon such a request, Morley shall inform an individual whether or not Morley holds personal information about the individual. When disclosure is made to the individual, the organization shall provide an account of the use that has been made or is being made of the information and an account of the third parties to which the information has been disclosed. Before providing any information to the requestor, Morley must verify and satisfy itself as to the individual's identity.
Where the request for access is with respect to personal information collected, used or disclosed in the course of serving a client of Morley (other than where the personal information was collected as part of a blind market research study, or a promise of non-disclosure was otherwise made) or other third party, the customer or other third party shall immediately be provided with a copy of the request.
Morley shall respond to an individual's request within the time prescribed in the national law of the individual's place of residence, or if no time period is specified, within thirty (30) days and at minimal or no cost to the individual. Morley may require a reasonable payment for the information provided only if it has informed the individual in advance of the approximate cost and the individual has advised Morley that the request is not being withdrawn.
When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, Morley must amend the information as required. Depending upon the nature of the information challenged, amendment could involve the correction, deletion or addition of information. Where appropriate, the amended information shall be transmitted to third parties having access to the information in question.
When a challenge is not resolved to the satisfaction of the customer, the substance of the unresolved challenge shall be recorded by the member of Morley. When appropriate, the existence of the unresolved challenge should be transmitted to third parties having access to the information in question.
An individual shall be able to address a challenge concerning compliance with the above privacy principles to the Chief Privacy Officer.
The individual accountable for Morley's compliance is the Chief Privacy Officer as appointed by the Privacy Committee from time to time. The members of the Privacy Committee are appointed by the Board of Directors of Morley. The Privacy Committee shall establish procedures to receive and respond to complaints or inquiries about Morley's policies and practices relating to the handling of personal information.
Morley staff shall inform individuals who make inquiries or lodge complaints of the existence of the relevant complaint mechanisms of Morley. Morley shall investigate all complaints. If a complaint is found to be justified through either the internal or external complaint review process, Morley shall take appropriate measures, including amending its policies and practices if necessary.
Where the complaint arises out of a customer matter, the customer shall be informed immediately of such measures.
Date Adopted: June 1, 2004
The exceptions to the consent requirement for the collection, use and/or disclosure of personal information in this Schedule are subject to, and subordinate to, the laws of the relevant jurisdiction. In the event that the laws of such jurisdiction are more restrictive than the exemptions in this Schedule "A," then the more restrictive laws of the jurisdiction shall govern.
The consent of the individual shall not be required for the collection of personal information where (note that all these exceptions also apply to disclosures):
In addition to and including any of circumstances described above, the consent of the individual shall not be required for the disclosure of personal information where:
The limitations on affording an individual access to the personal information that Morley holds or has control over regarding the individual in this Schedule are subject to, and subordinate to, the laws of the relevant jurisdiction.
However, Morley will disclose any remaining personal information regarding an individual where it is able to sever and remove the prohibited and restricted information referred to in this Schedule "B".