Personal Information Protection and Electronic Documents Act (Statutes of Canada 2000, Chapter 5)
Includes:
CSA Model Code for the Protection of Personal Information (CAN/CSA-Q830-96)
The Salt Spring Internet Privacy Code has been published to reflect the changes associated with the implementation of the new legislation referred to above.
Table of Contents
Introduction
Summary of Principles
Scope and Application
Principle 1 : Accountability
Principle 2 : Identifying Purposes
Principle 3 : Consent
Principle 4 : Limiting Collection
Principle 5 : Limiting Use, Disclosure, and Retention
Principle 6 : Accuracy
Principle 7 : Safeguards
Principle 8 : Openness
Principle 9 : Customer and Employee Access
Principle 10 : Challenging Compliance
The Salt Spring Internet Privacy Code in Detail
1. Accountability
2. Identifying Purposes
3. Consent
4. Limiting Collection
5. Limiting Use, Disclosure, and Retention
6. Accuracy
7. Safeguards
8. Openness
9. Customer and Employee Access
10. Challenging Compliance
Introduction
Salt Spring Internet is an Internet Service Provider providing a full range of Internet services primarily to the Gulf Islands. For Salt Spring Internet, customer privacy is a high priority.
Federal statute requires that private sector organizations follow a standardized code for the protection of personal information. Businesses, consumers, academics and government, under the auspices of the Canadian Standards Association, developed that code - the CSA Model Code for the Protection of Personal Information - which is incorporated as Schedule 1 of the Personal Information Protection and Electronic Documents Act ("the Act"). It lists 10 principles of fair information practices, which form ground rules for the collection, use and disclosure of personal information. These principles give individuals control over how their personal information is handled in the private sector. Salt Spring Internet is a strong believer in the objectives and goals of the Code, and this policy paper sets out how we will adhere to the principles set down in the Code.
We believe that an organization is responsible for the protection of personal information and the fair handling of it at all times, throughout the organization and in dealings with third parties. Care in collecting, using and disclosing personal information is essential to continued employee and consumer confidence and good will.
The 10 principles that businesses must follow are:
Accountability
Identifying purposes
Consent
Limiting collection
Limiting use, disclosure, and retention
Accuracy
Safeguards
Openness
Customer and employee access
Challenging compliance
Scope and Application
The ten principles, which form the basis of the Salt Spring Internet Privacy Code, are interrelated and Salt Spring Internet adheres to the ten principles as a whole. Each principle must be read in conjunction with the accompanying commentary. As permitted by the Act, the commentary in the Salt Spring Internet Privacy Code has been tailored to reflect personal information issues specific to Salt Spring Internet.
The scope and application of the Salt Spring Internet Privacy Code are as follows:
The Code applies to personal information about Salt Spring Internet's customers that is collected, used, or disclosed by Salt Spring Internet.
The Code applies to the management of personal information in any form, whether oral, electronic or written.
The Code does not impose any limits on the collection, use or disclosure of the following information by Salt Spring Internet:
a. A customer's name, address, telephone number and e-mail address, when listed in a directory or available through directory assistance;
b. An employee's name, title, business address (including e-mail address) or business telephone or fax number; or
c. Other information about the customer or employee that is publicly available and is specified by regulation pursuant to the Personal Information Protection and Electronic Documents Act.
The Code does not apply to information regarding Salt Spring Internet's corporate customers. However, such information is protected by other Salt Spring Internet policies and practices and through contractual arrangements.
The application of the Salt Spring Internet Privacy Code is subject to the requirements and provisions of Part 1 of the Act, the regulations enacted thereunder, and any other applicable legislation or regulations, including any applicable regulations of the Canadian Radio-television and Telecommunications Commission.
The Salt Spring Internet Privacy Code in Detail
1. Be accountable.
Our responsibilities include:
Complying with all 10 of the above principles.
Appointing an individual (or individuals) to be responsible for our organization's compliance with the Code.
Protecting all personal information in our possession or transferred to a third party for processing.
Developing and implementing personal information policies and practices.
We will fulfil these responsibilities by:
A. Giving our designated privacy official authority to intervene on privacy issues relating to any of our organization's operations.
B. Communicating the name or title of this individual internally and externally (e.g. on our web sites and in our publications).
C. Analyzing all personal information handling practices, including ongoing activities and new initiatives, using the following checklist to ensure that they meet fair information practices:
(a) What personal information do we collect?
(b) Why do we collect it?
(c) How do we collect it?
(d) What do we use it for?
(e) Where do we keep it?
(f) How is it secured?
(g) Who has access to or uses it?
(h) To whom is it disclosed?
(i) When is it disposed of?
D. Developing and implementing policies and procedures to protect personal information by:
(a) Defining the purposes of its collection,
(b) Obtaining consent,
(c) Limiting its collection, use and disclosure,
(d) Ensuring information is correct, complete and current,
(e) Ensuring adequate security measures,
(f) Developing and updating retention and destruction timetables,
(g) Processing access requests, and
(h) Responding to inquiries and complaints.
E. Including a privacy protection clause in contracts to guarantee that the third party provides the same level of protection as our organization does.
F. Informing and training staff on privacy policies and procedures.
G. Making information explaining these policies and procedures available to clients and customers (e.g. in brochures and on web sites).
2. Identify the purpose.
Our responsibilities include:
Before or when any personal information is collected, identifying why it is needed and how it will be used.
Documenting why the information is collected.
Informing the individual from whom the information is collected why it is needed.
Identifying any new purpose for the information and obtaining the individual's consent before using it.
We will fulfil these responsibilities by:
A. Reviewing personal information holdings to ensure they are all required for a specific purpose.
B. Notifying the individual, either orally or in writing, of these purposes, which could include:
(a) Opening an account
(b) Verifying creditworthiness
(c) Providing benefits to employees
(d) Identifying customer preferences
(e) Establishing customer eligibility for special offers or discounts
C. Recording all identified purposes and obtained consents for easy reference in case an individual requests an account of such information.
D. Ensuring that these purposes are limited to what a reasonable person would expect under the circumstances.
3. Obtain consent.
Our responsibilities include:
Informing the individual in a meaningful way of the purposes for the collection, use or disclosure of personal data.
Obtaining the individual's consent before or at the time of collection, as well as when a new use is identified.
We will fulfil these responsibilities by:
A. Obtaining consent from the individual whose personal information is collected, used or disclosed.
B. Communicating in a manner that is clear and can be reasonably understood.
C. Recording the consent received (e.g. note to file, copy of e-mail, copy of check-off box).
D. Never obtaining consent by deceptive means.
E. Not making consent a condition for supplying a product or a service, unless the information requested is required to fulfil an explicitly specified and legitimate purpose.
F. Explaining to individuals the implications of withdrawing their consent.
G. Ensuring that employees collecting personal information are able to answer an individual's questions about the purposes of the collection.
4. Limit collection.
Our responsibilities include:
Not collecting personal information indiscriminately.
Not deceiving or misleading individuals about the reasons for collecting personal information.
We will fulfil these responsibilities by:
A. Limiting the amount and type of the information gathered to what is necessary for the identified purposes, such as those set out in 2(B) above. Salt Spring Internet would ordinarily collect personal information only from its customers or employees, but it may also use other sources such as credit bureaus, employers, or personal references.
B. Identifying the kind of personal information collected in our information-handling policies and practices.
C. Ensuring that staff members can explain why the information is needed.
5. Limit use, disclosure and retention.
Our responsibilities include:
Using or disclosing personal information only for the purpose for which it was collected, unless the individual consents, or the use or disclosure is authorized by the Act. This would include disclosing personal information about employees in the context of providing references in response to requests from prospective employers.
Keeping personal information only as long as necessary to satisfy the purposes.
Putting guidelines and procedures in place for retaining and destroying personal information.
Keeping personal information used to make a decision about a person only for a reasonable time period.
Destroying, erasing, or rendering anonymous information that is no longer required for an identified purpose or a legal requirement.
We will fulfil these responsibilities by:
A. Documenting any new purpose for the use of personal information.
B. Instituting maximum and minimum retention periods that take into account any legal requirements or restrictions and redress mechanisms.
C. Disposing of information that does not have a specific purpose or that no longer fulfils its intended purpose.
D. Disposing of personal information in a way that prevents improper access, such as shredding paper files or deleting electronic records.
E. Establishing policies setting out the types of information that need to be updated, such as addresses or telephone numbers.
6. Be accurate.
Our responsibilities include:
Minimizing the possibility of using incorrect information when making a decision about the individual or when disclosing information to third parties.
We will fulfil these responsibilities by:
A. Keeping personal information as accurate, complete and up to date as necessary, taking into account its use and the interests of the individual. In most cases there is a reliance on the customer or employee to provide updated personal information.
B. Updating personal information only when necessary to fulfil the specified purposes.
C. Keeping frequently used information accurate and up to date unless there are clearly set out limits to this requirement.
7. Use appropriate safeguards.
Our responsibilities include:
Protecting personal information against loss or theft regardless of the format in which it is held.
Safeguarding the information from unauthorized access, disclosure, copying, use or modification.
We will fulfil these responsibilities by:
A. Developing and implementing a security policy to protect personal information.
B. Using appropriate security safeguards to provide necessary protection, such as:
a. Physical measures (locked filing cabinets, restricting access to offices, alarm systems)
b. Technological tools (passwords, encryption, firewalls, anonymizing software)
c. Organizational controls (limiting access on a "need-to-know" basis, staff training, confidentiality agreements)
C. Making our employees aware of the importance of maintaining the security and confidentiality of personal information.
D. Ensuring staff awareness by holding regular staff training on security safeguards.
E. Reviewing and updating security measures regularly.
8. Be open.
Our responsibilities include:
Informing customers and employees that we have policies and practices for the management of personal information.
Making these policies and practices understandable and easily available.
We will fulfil these responsibilities by:
A. Ensuring front-line staff are familiar with the procedures for responding to individual inquiries.
B. Making the following available:
a. Name, title, and address of the person who is accountable for our organization's privacy policies and practices.
b. Name, title, and address of the person to whom access requests should be sent.
c. Procedures allowing an individual to gain access to his or her personal information.
d. Information as to how an individual can complain to our organization.
e. Brochures or other information that explain our organization's policies, standards or codes.
f. A description of what personal information is made available to other organizations (including subsidiaries) and why it is disclosed.
9. Give individuals access.
Our responsibilities include:
When requested, informing individuals if we have any personal information about them.
Explaining how it is or has been used and providing a list of the sort of organizations to which it might have been disclosed.
Giving individuals access to their information.
Correcting or amending any personal information if its accuracy and completeness is challenged and found to be deficient.
Providing a copy of the information requested, or reasons for not providing access, including the following exceptions:
a. If disclosure would reveal confidential information about a third party.
b. If disclosure could reasonably be expected to threaten the life or security of another individual.
c. If disclosure would reveal confidential commercial information.
d. If the information is protected by solicitor-client privilege.
e. If the information was generated in the course of a formal dispute resolution process.
f. If the information was collected in relation to an investigation of a breach of an agreement or a contravention of a Federal or Provincial law.
We will fulfil these responsibilities by:
A. Providing any help the individual needs to prepare a request for access to personal information.
B. Asking the individual to supply enough information to enable us to account for the existence, use and disclosure of personal information.
C. Responding to the request as quickly as possible and no later than 30 days after receipt of the request, or 60 days under some circumstances, including:
a. If responding to the request within the original 30 days would unreasonably interfere with the activities of our organization.
b. If additional time is necessary to conduct consultations.
c. If additional time is necessary to convert personal information to an alternate format.
D. Giving access at minimal or no cost to the individual.
E. Notifying the individual of the approximate costs before processing the request.
F. Making sure the requested information is understandable, including an explanation of acronyms, abbreviations and codes.
G. Sending any information that has been amended, where appropriate, to any third parties that have access to the information.
H. Informing the individual in writing when refusing to give access, setting out the reasons and any recourse available.
10. Challenging compliance.
Our responsibilities include:
Developing simple and easily accessible complaint procedures.
Informing complainants of avenues of recourse. These include our organization's own complaint procedures, those of industry associations, regulatory bodies, and the Privacy Commissioner of Canada.
Investigating all complaints received.
Taking appropriate measures to correct information handling practices and policies.
We will fulfil these responsibilities by:
A. Recording the date a complaint is received and the nature of the complaint, including such things as:
a. Delays in responding to a request.
b. Incomplete or inaccurate responses, or
c. Improper collection, use, disclosure or retention of personal information.
B. Acknowledging receipt of a complaint promptly.
C. Contacting the individual to clarify the complaint, if necessary.
D. Assigning the investigation to a person with the skills necessary to conduct it fairly and impartially.
E. Giving the investigator access to all relevant records, employees or others who handled the personal information or access request.
F. Notifying customers, employees, and others of the outcome of investigations clearly and promptly, informing them of any relevant steps taken.
G. Correcting any inaccurate personal information or modifying policies and procedures based on the outcome of complaints.
For a copy of the Personal Information Protection and Electronic Documents Act, please access the Privacy Commissioner of Canada web site at http://www.privcom.gc.ca.