Legal · Privacy

Privacy Policy

Black Briar Group conducts surveillance and claims investigations as a commercial activity, so Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) applies to us in full. This policy explains, in plain language, what personal information we handle, why, how we protect it, and the rights you have.

TODO(owner): verify with counsel. Effective date: TODO(owner). This policy is a build artifact and must be reviewed by a privacy/regulatory lawyer before it is published or relied upon.

This policy is published by Black Briar Group INC(“Black Briar Group,” “we,” “us”), a licensed Ontario private investigation agency operating from Belleville, Ontario. It governs personal information we collect through our website and in the course of the investigative services we provide to our clients.

What personal information we collect, and from where

The personal information we handle falls into three broad groups, and comes from different sources:

Information about subjects of an investigation— images and video, identifying details, observed activity, location and movement, and other case data. This is collected by our investigators in the field and from lawful open sources. By the nature of covert investigative work, it is generally collected without the subject’s knowledge or consent under the exceptions described below.
Information about our clients and their representatives — name, employer, role, contact details, and the instructions, file or claim references, and authorizations they provide to us. This is collected directly from the client who retains us.
Information about website visitors— the contact details you choose to give us through a form or by email, and the limited technical data described under “Cookies” below.

Why we collect it — purposes

We collect, use, and disclose personal information only for the following purposes:

Conducting surveillance, claims investigation, and special investigations unit (SIU) support for the client who retains us;
Preparing and delivering investigative reports and evidence to that client, including for legal and litigation use;
Responding to inquiries, administering engagements, and billing; and
Operating and securing our website and systems.

Our lawful basis — including collection without consent

PIPEDA generally requires consent to collect personal information, but it also sets out specific exceptions for investigations. We rely on those exceptions rather than on any expired “investigative body” designation, which no longer exists in law.

Collection without consent (PIPEDA s. 7(1)).We may collect personal information without the individual’s knowledge or consent where it is reasonable to expect that seeking consent would compromise the availability or accuracy of the information, and the collection is reasonable for investigating a breach of an agreement or a contravention of a law of Canada or a province.
Disclosure without consent (PIPEDA s. 7(3)(d.1) and (d.2)). We may disclose personal information to the organization that retains us where doing so is reasonable for investigating a breach of an agreement or a contravention of law, or for detecting, suppressing, or preventing fraud, and where seeking consent would compromise that work.

We want to be honest about a real limit of this work: where the law permits collection without consent for an active investigation, the subject of covert surveillance cannot be notified at the time of collection, because doing so would defeat the lawful purpose. We do not use these exceptions as a blank cheque — every engagement is governed by a documented lawful basis, a record that less-invasive alternatives were considered, and a commitment to collect only what is necessary and proportionate. We continue to honour the access, correction, and complaint rights described below.

TODO(owner): verify with counsel that the statutory references and wording above match the current consolidation of PIPEDA before publication.

Who we disclose information to

We do not sell personal information. We disclose it only:

To the client that retains us — the insurer, adjuster, counsel, or organization on whose instructions we are acting, as the deliverable of the engagement;
Where required or permitted by law — for example, in response to a court order, subpoena, or rules of court, or a lawful request from a government institution; and
To service providers that process information on our behalf (such as our secure hosting provider), bound by contract to a comparable level of protection and to use the information only for our purposes.

How we safeguard information

We protect personal information with safeguards appropriate to its sensitivity. Because case files, footage, and claimant details are sensitive, we apply a high standard, including:

Encryption in transit and at rest for case files, media, and our database;
Role-based, need-to-know access controls so that personnel can reach only the files they are assigned, with multi-factor authentication on our portal;
Audit logging that records who accessed, viewed, or exported each file and when; and
Disciplined handling of field media on encrypted, password-protected devices, with prompt upload to our secure systems.

Where your information is stored — Canadian data residency

We host client and case personal information in a Canadian data region. Where any service provider processes information outside Canada, that information may be subject to the laws of the country where it is processed, including lawful access by that country’s courts and authorities; in that case we disclose the arrangement and require, by contract, a comparable level of protection. We remain accountable for personal information while a service provider handles it.

TODO(owner): verify with counsel and confirm the pinned hosting region and the list of any cross-border subprocessors before publication.

How long we keep it, and secure destruction

We keep personal information only as long as it is needed for the purposes it was collected for, or as required by law, under a documented retention schedule with minimum and maximum periods by matter type. When information is no longer required, we securely destroy, erase, or anonymize it using secure methods, and we log the disposal.

TODO(owner): verify with counsel the specific retention periods (including any statutory minimums) before stating them publicly.

If a breach occurs

If we become aware of a breach of our security safeguards, we assess it against the legal test for a real risk of significant harm. Where that test is met, we report the breach to the Office of the Privacy Commissioner of Canada and notify affected individuals as soon as feasible, and we notify any other organization that can help reduce the risk of harm. We keep a record of every breach, whether or not it meets that test, as required by law.

Your rights — access, correction, and complaints

Subject to the limited exceptions the law allows for active investigations and legal privilege, you have the right to:

Access the personal information we hold about you and learn how it has been used and disclosed;
Request a correction if you believe that information is inaccurate or incomplete; and
Complain about how we handle your personal information.

To exercise any of these rights, contact our Privacy Officer using the details below. If you are not satisfied with our response, you may escalate your complaint to the Office of the Privacy Commissioner of Canada at priv.gc.ca.

Cookies

We use only essential cookies that are necessary for the website to function and to keep it secure. We do not use cookies for advertising or third-party tracking.

Our Privacy Officer

Our designated Privacy Officer is accountable for our compliance with this policy and with applicable privacy law. You can reach the Privacy Officer by email at privacy@blackbriargroup.ca or by phone at (613) 555-0148.

TODO(owner): verify with counsel and name the individual who holds the Privacy Officer role before publication.