Policy of Mintz Global Screening and its subsidiaries on privacy
1. PURPOSE
The confidentiality and the protection of personal information are elements which are of extreme importance to Mintz Global Screening, a subsidiary of Mintz Group, LLC (“Mintz”). As part of providing information services, we may collect, store, and use personal information about our clients and the individuals we report on in the ordinary course of business. We may also collect, store, and use personal information about our employees and service providers.
Mintz is committed to privacy in all aspects of the handling of personal information. Consequently, we have established a privacy policy in order to govern the gathering, use, retention and disclosure of personal information. We want to offer products and services of high quality to maintain the confidence of our clients and our employees. We adhere to the following principles in the treatment of personal information:
• To ensure the impartiality in our use of personal information;
• To minimize the risk of interferences;
• To protect the confidentiality of the personal information obtained;
• To transmit only to those who have the right to have access or when required by law;
• To comply with the applicable laws in the countries where we carry out our activities.
Policy Application
This Privacy Policy applies specifically to Mintz Global Screening Inc. ("MGS"). Mintz Group LLC and other Mintz subsidiaries ("Mintz" or "MG") maintain separate privacy notices as required, including policies related to website visitors and GDPR-covered processing. If more than one Mintz privacy notice may apply, the notice applicable to the specific context in which Personal Information was collected and processed will govern. For information regarding MG’s website visitor processing, refer to MG’s Website Data Protection Policy & Privacy Notice. For GDPR/UK GDPR processing of Client Data and Candidate Data, refer to MG’s GDPR Policy.
Updates
MGS periodically reviews its privacy policy to ensure it remains compliant with all applicable laws and regulations. Any necessary updates will be reflected in the policy.
2. SCOPE
This Privacy Policy applies to all data of MGS. Specifically, it includes:
• ALL Intellectual Property (IP), whether owned by MGS or provided by a third party;
• ALL Information related to employees, clients or other third parties;
• ALL Financial information for MGS, its employees, clients or other third parties;
• ANY other non-public data or information deemed the property of MGS.
3. COLLECTION, USE AND DISCLOSURE OF INFORMATION
MGS adheres to the Canadian Standard Association model for Privacy and is compliant with all applicable provincial and federal law on data handling and privacy including (but not limited to) Personal Information Protection and Electronic Documents Act (PIPEDA); Act respecting the protection of personal information in the private sector (Quebec) and Personal Information Protection Act (Alberta and BC).
Accountability
MGS is responsible for personal information under its control and has designated our Executive Director, Daniel Fallows as our main Data Protection Officer who can be reached at 1-877-359-8130 ext. 3770. We also designate two Privacy officers in each of our main data centres: Christopher McOuat, (English) - 1-877-359-8130 ext. 3772 and Sabrina Porfilio (French) - 1-877-359-8130 ext. 2388. Both Privacy officers are accountable for the organization’s compliance with the following principles. We maintain rigorous policies, ensure each employee receives appropriate training with annual refreshers, and are committed to continually improving our systems and storage to maintain a secure network.
Role of MGS (Controller vs. Processor)
Depending on the engagement and jurisdiction, MGS may act as either: (a) a controller (e.g., when processing Client representative information for onboarding, billing, compliance, and relationship management); or (b) a processor/service provider (e.g., when processing Candidate Personal Information on behalf of a Client for screening or investigative services, where the Client determines the purposes and legal basis for processing). Where MGS processes Candidate Personal Information on behalf of a Client, MGS processes such information in accordance with the Client’s documented instructions and applicable law.
Identifying Purposes
We only collect information for the purpose for which it was requested. No information will be collected unless the purpose is clear; that the individual is aware that we will be obtaining the information and that the data is the most up-to-date and accurate information available.
We do not knowingly collect, use, or process Personal Information from individuals under the age of eighteen (18) in website/marketing contexts, and our services are not directed to minors. If we learn we have collected Personal Information from a minor, we will take appropriate steps to delete it, subject to legal requirements.
Types of Personal Information Collected
Name and Contact Details
Basic identifiers such as full name, email address, mailing address, phone number, and other contact-related information may be collected to establish identity and facilitate communication.
Identification Information
To verify identity and legal status, Mintz may collect sensitive identification data including Social Insurance Number, passport number, birth certificate details, place of birth, nationality, and Canadian residency status.
Demographic Information
Demographic details such as date of birth and gender are often included to support accurate record matching and reporting.
Educational Background
Academic history, completed training programs, and diplomas or certifications may be reviewed to validate educational qualifications and professional development.
Employment and Professional Information
Information related to employment may include job title, occupation, professional affiliations, union involvement, references, and a detailed employment history—both past and present.
Financial Information
Financial data such as credit details, annual income, and credit score may be collected when relevant to the scope of the screening.
Public Records
Mintz may access information that is lawfully available from federal, provincial, or municipal sources. This includes court records, bankruptcy filings, and other public documentation.
Technical Data
Digital and device-related information may also be gathered, including geolocation, browser and device specifications, website usage statistics, referring URLs, advertising metrics, and standard web log data.
Other Information
In certain cases, criminal record details may be collected to provide a complete background profile.
How Personal Information Is Collected
Mintz collects personal information through the following means:
Direct Collection from You
We gather personal information when you submit an application form—either online or in paper format—as part of a background screening process. Additional data may be collected during interactions with Mintz, such as when you visit our website, contact support, or communicate with us via phone, email, or other channels.
Collection from Third Parties
With your consent or the consent of the Candidate where required, Mintz may obtain personal information from external sources to complete, verify, or update records and conduct background checks. These sources may include:
• Law enforcement agencies
• Screening and recruitment firms
• Credit reporting agencies
• Current or prospective employers
• Court registries
• Educational institutions
• Government bodies
• References you have provided
Website Tracking Technologies
When you visit our website, Mintz uses cookies and similar technologies to collect certain data.
Cookies are small data files stored by your browser that help us manage session identification and language preferences.
Limiting Collection
Mintz limits the collection of personal information strictly to what is necessary for the purposes identified in connection with our services. Information is collected through fair and lawful means. We regularly review the scope and nature of the data we collect to ensure it remains relevant and proportionate to our operational needs.
Consent
Mintz obtains the acknowledgement and consent of the individual as required for the collection, use, or disclosure of personal information; the consent will be clear, understandable and disclose the reason for the data collection.
Limiting Use, and Disclosure
Mintz is committed to protecting privacy. We do not use or disclose Personal Information for any purpose other than those for which it was originally collected, unless we have obtained your explicit consent or are required to do so by law.
Access to Personal Information is strictly limited to our employees and third-party service providers who require it to perform their duties. All individuals with access are bound by confidentiality agreements and are trained to handle data responsibly and securely.
We may also share Personal Information with our Network and Infrastructure team which supports us in delivering specialized services in areas such as:
• Network infrastructure
• Cybersecurity
• Cloud computing
• Server architecture and maintenance
These providers operate under strict contractual obligations to maintain the confidentiality and integrity of Personal Information.
Consent-Based Sharing
Where required by applicable law, we obtain appropriate consent for the collection, use, and disclosure of Personal Information. In other circumstances, processing and disclosure may occur based on other lawful grounds recognized under applicable law, or, where MGS processes Candidate Personal Information on behalf of a Client acting as controller in accordance with the Client’s instruction. Where MGS processes Candidate Personal Information for a Client engagement, the Client is responsible for obtaining consent or identifying the appropriate legal basis for processing, and MGS processes such information under the Client’s documented instructions, subject to applicable law.
Transfer of information outside Quebec and Canada
Our Data centre is located in Quebec and our main operational centres are Montreal, Quebec and Toronto, Ontario. While most of our work is done by our employees or authorized personnel who access Personal Information directly from our systems, we may need to transmit data outside of Canada in order for us to fulfil the requests that have been made. For example, if we were completing an education verification for education in Poland, we would need to transfer some personal information to the school in Poland to complete the verification.
Personal Information will only be transferred where the recipient jurisdiction offers adequate protection for Personal Information, and only where there is a written agreement requiring the recipient to protect Personal Information and a Privacy Impact Assessment has been completed.
Unless otherwise specified by a Client controller for Candidate engagements (where applicable), MGS applies baseline retention periods designed to meet regulatory, contractual, and legal requirements. As a baseline, MGS retains certain records for a minimum of two (2) years and up to ten (10) years (seven (7) years for Quebec-related records), subject to applicable law, client instructions (where applicable), and legal hold/records management requirements.
Retention
MGS retains Personal Information only as long as necessary for the fulfillment of the identifying purposes as disclosed at the time of collection. Our minimum period of retention is 2 years to comply with regulatory and legal purposes. Our maximum period of retention is 10 years (7 years for Quebec).
Personal Information may be removed from our database before the maximum is reached at the request of our client, in accordance with their retention policies and contractual requirements. Personal Information may also be removed from our database at the request of a data subject in accordance with their “Right to be forgotten”.
When Personal Information is no longer required for the purposes for which it was collected or no longer required to be retained by law, we anonymize or destroy the information in accordance with this policy. Information Technology Equipment containing Personal Information is safely disposed of by using an approved data erasure program to securely remove the original information. We do not maintain paper files. Any paper files are converted to electronic documents and then destroyed using a secure onsite paper shredder.
We do not make decisions producing legal or similarly significant effects (e.g., hiring eligibility determinations) solely by automated means. Information and outputs generated by AI tools are subject to human review for accuracy and quality prior to being shared with clients, unless otherwise stated in a specific product offering, engagement letter or other correspondence.. In limited circumstances, we may use technology-assisted tools, including artificial intelligence-enabled tools, to support research workflows (for example, to help identify potentially relevant sources or organize information), subject to appropriate oversight and applicable law. For more information about Mintz Group’s use of AI, please refer to https://mintzgroup.com/artificial-intelligence/.
Safeguards
At MGS, we recognize the paramount importance of safeguarding personal information. We are committed to implementing and maintaining robust security measures that are appropriate to the sensitivity of the data we handle. Our approach to data protection is comprehensive, proactive, and continuously evolving to meet the highest standards of privacy and security.
Security Safeguards and Infrastructure
We maintain a secure environment at all times through a multi-layered security framework that includes:
• Data Encryption: All personal data is encrypted both at rest and in transit using industry-standard encryption protocols to prevent unauthorized access.
• Two-Factor Authentication (2FA): Access to sensitive systems and data requires multi-factor authentication, adding an extra layer of protection against unauthorized access.
• Secure Access Controls: Role-based access controls ensure that only authorized personnel can access specific data, minimizing exposure and risk.
• Employee Privacy Training: All employees undergo regular privacy and security training to ensure they understand and adhere to best practices in data handling and protection.
• Regular Security Testing and Upgrades: Our network infrastructure is routinely tested for vulnerabilities, and security systems are upgraded regularly to stay ahead of emerging threats.
• Strong Data Protection Policies: We enforce rigorous internal policies that govern the collection, use, storage, and disposal of personal information, fostering a culture of security and accountability.
Data Residency and Storage
MGS’s primary data hosting and storage environment is located in Canada, including at our data centre in Montreal, Quebec. However, depending on the services requested (e.g., international verifications) and operational needs, Personal Information may be transferred to, accessed from, or disclosed in other jurisdictions some of which may not provide the same level of protection of Personal Information as the jurisdiction in which you reside. Where such transfers occur, we have adopted appropriate safeguards to better protect your Personal Information, consistent with applicable legal requirements.
Continuous Improvement
While no method of data transmission or storage can be guaranteed to be 100% secure, we are dedicated to continuously reviewing, testing, and enhancing our safeguards. We monitor evolving threats and adapt our security posture accordingly to ensure that personal information remains protected against unauthorized access, disclosure, alteration, and destruction.
Data breaches
In the event of a confidentiality incident (including any breach involving unauthorized access to, use, communication, or loss of personal information), MGS activates a comprehensive incident response protocol designed to contain, assess, and mitigate the impact swiftly and effectively. Our security team immediately investigates the breach to determine its scope, origin, and the data affected. We notify all relevant stakeholders, including affected individuals and regulatory authorities, in accordance with applicable privacy laws. Remediation steps are taken to secure systems, prevent further unauthorized access, and restore integrity to our infrastructure. We also conduct a full post-incident review to identify root causes and implement improvements to our security posture. Transparency, accountability, and rapid action are central to our breach response, ensuring trust is maintained and future risks are minimized.
Openness
Mintz shall make readily available to individuals’ specific information about its policies and practices relating to the management of personal information; our Privacy officers can be contacted as follows: Christopher McOuat, (English) - 1-877-359-8130 ext. 3772 and Sabrina Porfilio (French) - 1-877-359-8130 ext. 2388.
Individual Access
Upon request, an individual shall be informed of the existence, use and disclosure of their personal information, and shall be given access to that information for no additional fees. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate. Mintz will respond to access requests within 30 days, which may be extended by an additional 30 days where necessary, with written notice to the individual. Information will be provided in a form that is generally understandable, including an explanation of any abbreviations, codes, or technical terms. Should a Candidate wish to access the results obtained during their screening they must make your request in writing and including a signature or the unique confirmation number provided by Mintz so we can authenticate to the original request. The signed written request should be as detailed as possible so that we may locate the correct records. All information provided during the disclosure process will be sent via electronic mail to the email address on file or will be provided via regular mail to the postal address we have on file.
You may send the request through an attachment in an email or Canada Post. Please send to the attention of Privacy Officer at compliance@mintzglobal.com (email) or the following address (mail):
Privacy Officer
Mintz Global Screening
305 Milner Avenue
Suite 1001
Toronto, ON, M1B 3V4
Privacy Rights
In addition to the rights enshrined in this policy, MGS recognizes that depending on the location of our data subjects, individuals may have certain rights based on legislative authority, these rights can include:
Right to challenge/rectification
An individual may have a right to challenge the accuracy of the information we collect or the results we have provided to a client.
Right to be forgotten / erasure
Subject to legal constraints, an individual may have the right to have their information removed from our systems and They may also request that we cease disseminating your personal information and, where the information was collected from third parties, that any hyperlink attached to your name providing access to the information be de-indexed (right to de-indexing).
Right to withdraw consent
An individual may have the right to withdraw their consent at any time and MGS will stop all handling.
Right to restrict processing
Subject to legal constraints, an individual may have the right to restrict the processing of your information at any time.
Right to data portability
An individual may have the right to request a copy of the information we have within our systems about them and receive it in an electronic format that is portable.
Right to information about automated decision-making
Where a decision based exclusively on automated processing is made about an individual, they have the right to be informed of such use of their personal information, the reasons and principal factors that led to the decision, and the right to have the personal information used to make the decision corrected.
Right to Object to Automated Processing
An individual may have the right to prevent a decision affecting them (with legal or similar significant effects) from being made solely by automated means, like algorithms, without human intervention. This includes the right to have human intervention in the decision-making process, the opportunity to express their point of view, and to receive an explanation of the decision and its consequences.
Requests relating to Candidate Personal Information processed on behalf of a Client
Where MGS processes Candidate Personal Information on behalf of a Client acting as controller, Mintz Group will promptly refer such inquiries to the Client(s) on whose behalf Mintz Group processed the Candidate’s Personal Data and the Client(s) will be responsible for providing a response as controller, consistent with applicable law and contractual obligations.
Challenging Compliance
An individual shall be able to address a challenge concerning compliance with the above principles to our Privacy Officer at 1-877-359-8130 ext. 3772 (English) or ext. 2388 (French) or via email to compliance@mintzglobal.com. Individuals in Quebec may also file a complaint with the Commission d’accès à l’information du Québec. Individuals elsewhere in Canada may file a complaint with the Office of the Privacy Commissioner of Canada.
Contacting the correct privacy team
For matters relating to MGS services and this Policy, contact: compliance@mintzglobal.com. For matters relating to Mintz Group LLC website visitors or GDPR/UK GDPR processing under MG policies, contact: dataprotectionteam@mintzgroup.com.