This document describes the responsibilities and procedures for the collection, access, use, storage, disclosure and disposal of Personal Information in accordance with all applicable laws and regulations.
This policy applies to all LAHAL team members employed at a casino or community gaming centre, all LAHAL subsidiaries and affiliates, and any third parties who act on behalf of LAHAL.
The Company is committed to protecting personal information in its custody or under its control. The Company embraces the privacy principles in applicable privacy laws and will only collect, use, access, retain, disclose and/or dispose of personal information in accordance with those applicable principles and laws.
  • Personal Information Protection Act (PIPA)
  • Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Freedom of Information and Protection of Privacy Act (FIPPA)
  • Canadian Radio-Television and Telecommunications Commission Act
  • Canada’s Anti-Spam Legislation (CASL)

Section 1 - Privacy

  1. The company is accountable for establishing policies, procedures and controls to properly manage and protect personal information in its custody, including ensuring compliance with CASL and all other applicable laws and regulations.
  2. Establishing reasonable security procedures for preventing privacy breaches.
  3. Notifying individuals of the purposes for which their personal information will be collected, used and disclosed.
  4. Obtaining consent to collect, use and disclose personal information in accordance with applicable privacy and CASL laws.
  5. Limiting the collection of personal information to only what is required for reasonable purposes related to business operations or as required by law.
  6. Managing the retention and disposal of records containing personal information in accordance with all applicable laws.
  7. The Director of Compliance will act as the appointed Privacy Officer.
  8. Providing appropriate privacy training to team members.
  1. Keeping their personal information up to date.
  2. Follow company and BCLC personal information policies, procedures and training.
  3. Protect the confidentiality and security of any personal information they have access to.
  4. Adhere to CASL law when sending any commercial electronic messaging.
  5. Collect personal information only for valid business purposes, following all laws and policies.
  6. Refrain from accessing any personal information that is not directly related to a job function.
  7. Immediately report any suspected privacy incident/breach to their manager or Privacy Officer.
  8. Retain personal information for as long as is necessary to fulfil the purpose for collection and dispose of personal information in a secure manner and only in compliance with applicable record retention and destruction policies.
  9. Relinquish any personal information in their possession upon termination of their employment.
  10. Complete, and re-take prior to the expiry date, the BCLC Privacy course.
  1. Ensure that the proper consents have been obtained from team members at the time of hire or engagement with respect to the collection, use and disclosure of team member information or that proper notices are provided when consents are not required under applicable laws.
  2. Maintain systems and procedures to ensure team member records are kept confidential.
  3. Respond to team member requests for access or corrections to their personal information in accordance with applicable laws.
  4. Discipline team members who fail to comply with policies, procedures and laws in relation to handling personal information.
  1. Identify and promptly notify applicable bodies of any privacy complaint, breach or alleged or suspected breach involving the public bodies’ personal information.
  2. Receive and manage responses to requests for access or corrections to personal information from persons other than team members of LAHAL, in accordance with applicable laws.
  3. Respond to privacy inquiries and complaints.
  4. Respond to and manage requests for access to personal information from regulatory and law enforcement agencies.
  5. Direct and manage the company’s compliance with court orders and other legal processes requiring the disclosure of personal information.
  6. Coordinate with government institutions and public bodies to respond to FOI requests in accordance with applicable laws.
  7. Support government institutions and public bodies in interactions with Privacy Commissioners, including in connection with any investigations.
  8. Receive reports of privacy breaches, lead breach response and containment processes and direct investigations into privacy breaches.

Section 2 - Privacy Breach

This section’s purpose is to set out the process for reporting and responding to suspected or confirmed privacy breaches. Reporting suspected or confirmed privacy breaches as soon as possible provides the greatest opportunity to effectively contain, investigate and advise affected individuals and government bodies of the scope and circumstances of the breach.
This policy applies to all LAHAL team members employed at a casino or community gaming centre, all LAHAL subsidiaries and affiliates, and any third parties who act on behalf of LAHAL.

If a privacy complaint or (suspected) breach has occurred, the following steps must be followed:

Step 1

Report the suspected breach

Any team member who becomes aware of a possible breach of privacy involving Personal Information in the custody or control of the Company will immediately inform their supervisor or manager or the Privacy Officer. When notified of a possible privacy breach, supervisors and managers are responsible for notifying the Privacy Officer as soon as practicable, via email at: [email protected].

The Privacy Officer will contact any other departments or individuals who have a need to know. Preliminary questions that a team member should be prepared to answer when reporting a breach or suspected breach are:

  • When was the incident discovered?
  • What was the date of the incident?
  • What was the location of the incident?
  • How was the incident discovered?
  • What happened?
  • Has the breach been contained?
  • How many individuals may be affected?


The Privacy Officer will initiate an investigation into the reported possible breach and will direct and monitor the actions in steps 2 – 5 below to contain, evaluate, respond to and remediate any breach that has occurred.

Note: BCLC Standards requirement: Service Providers shall notify BCLC Investigations Leadership by email at [email protected] and the Service Provider Compliance Officer immediately and without delay upon discovery of any actual or suspected unauthorized collection, use, access, disclosure, storage, or disposal of Player Personal Information.

Step 2

Contain the Breach

Take steps, as soon as possible, to contain the breach by, for example, stopping the unauthorized practice, recovering the records, disconnecting or shutting down the system that was breached, revoking or changing computer access codes and correcting weaknesses in security.

If the breach involves a public body’s Personal Information, the Company will comply with any directions that the public body delivers in regard to managing or containing the breach.

Step 3

Evaluate the Risks

Assess the risks associated with the breach. This step includes assessing:

  1. The number of individuals affected by the breach;
  2. The identity of persons affected by the breach (e.g., team members, guests, members of the public);
  3. The type, amount and sensitivity of the information involved;
  4. The probability that the Personal Information has been, is being or will be misused;
  5. The type(s) of potential harm to individuals (e.g., identity theft/fraud, security risks, financial loss, humiliation or damage to reputation);
  6. Potential harm to the Company (e.g., risks to reputation, loss of assets, exposure to legal proceedings, fines or other regulatory penalties);
  7. The cause of the breach (e.g., whether the breach was intentional/malicious or accidental), including the known or probable perpetrators;
  8. Security measures that were in place to protect the information (e.g., whether a lost device was password protected and/or whether accessed information was encrypted);
  9. Whether the breach resulted from an isolated incident or a systemic issue; and
  10. The extent of the breach, including the number of likely recipients and whether there is a risk of on-going breaches or further exposure of the information.

Step 4

Notify if Necessary or Prudent

If a breach occurs, the Privacy Officer will notify or cause authorized agents to notify relevant Crown Corporations or regulatory bodies. The Privacy Officer will work with these organizations in determining if notification to affected individuals is necessary or required. Team members of the Company will promptly cooperate and work with these organizations in every reasonable way to handle the breach.

The Privacy Officer will assess whether mandatory notification is required pursuant to any other contracts to which the Company is a party and whether notification is required under any Applicable Privacy Laws (e.g., notification of the Office of the Privacy Commissioner of Canada, affected individuals, and other organizations and government institutions pursuant to PIPEDA).

The Privacy Officer will also determine whether notification is necessary or prudent regardless of statutory requirements. For example, the Privacy Officer may contact:

  1. Legal counsel to assist with breach response and evaluation of legal obligations;
  2. Law enforcement authorities, if the breach appears to be caused by illegal action or could result in the commission of a crime;
  3. The Company’s insurer, if the breach is covered by an insurance policy;
  4. Affected individuals, if they are at risk of harm;
  5. Credit monitoring organizations, where there is a risk of identity theft; or
  6. Relevant privacy commissioners even if not required by statute.

The Privacy Officer will take reasonable steps to ensure that the manner, content and timing of notifications do not negatively impact any on-going investigation or unintentionally lead to further breach of Personal Information and will also take into account any statutorily mandated timing and content requirements applicable to notification. If the information contains the public bodies’ Personal Information, they will provide guidance and make decisions on appropriate notifications to the privacy commissioner and/or affected parties.

Step 5

Remediation

Analyze the cause of the breach. If necessary, this will include a security audit of physical, organizational and technological measures. As a result of this evaluation, if appropriate, the Privacy Officer will assist the responsible department(s) to put into effect additional safeguards against further breach and will review relevant policies, procedures and training programs to determine if amendments should be made based upon the circumstances giving rise to the breach.

Team members responsible for the breach, either through intentional action, negligence or non-compliance with the Company’s Privacy Policy, will be subject to disciplinary action up to and including termination of employment or relationship with the Company.

Accurate records must be kept throughout the investigation and response process, in accordance with the direction of the Privacy Officer and any applicable policies and procedures as amended from time to time.

Inquiries & Complaints

LAHAL reserves the right to correct Personal Information in its possession. If you wish to cancel your enrollment, correct or update your information, or withdraw consent to contact, please contact Guest Services at Elements Casino Victoria or Casino Nanaimo. A paper copy of the LAHAL Privacy Statement will be provided to you by a Guest Services Representative upon request. If you have questions or concerns about LAHAL’s collection of your Personal Information, compliance with this Privacy Statement, handling of your Personal Information, or our use of service providers outside Canada, you may contact LAHAL’s Privacy Officer at [email protected].