Your Privacy Responsibilities Guide

Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)

Your Privacy Responsibilities

A Guide for Businesses and Organizations

Office of the Privacy Commissioner of Canada

This guide helps businesses understand and meet their new obligations under Part 1 of the Personal Information Protection and Electronic Documents Act.

Your Privacy Responsibilities – A Guide to Canada’s Personal Information Protection and Electronic Documents Act

About This Guide

This guide helps businesses understand and meet their new obligations under Part 1 of the Personal Information Protection and Electronic Documents Act. *

The Act sets out ground rules for the management of personal information in the private sector.

It balances an individual’s right to the privacy of personal information with the need of organizations to collect, use or disclose personal information for legitimate business purposes.

The Act establishes the Privacy Commissioner of Canada as the ombudsman for complaints under the new law. The Commissioner seeks whenever possible to solve problems through voluntary compliance, rather than heavy-handed enforcement. The Commissioner investigates complaints, conducts audits, promotes awareness of and undertakes research about privacy matters. The Commissioner is also the ombudsman for complaints under the Privacy Act, which covers the federal public sector.

Part 1 of the Act came into force in three phases, beginning January 1, 2001.

For more information, contact:

The Office of the Privacy Commissioner of Canada
112 Kent Street
Ottawa, Ontario K1A 1H3

Telephone: (613) 995-8210
Toll-free: 1 (800) 282-1376
Fax: (613) 947-6850
Web site: www.privcom.gc.ca

IP54-2/2004
ISBN: 0-662-68004-9

Updated September 2009

* This guide deals only with Part 1 of the Act. All references to the Act in this document refer only to Part 1. Parts 2 to 5 of the Act concern the use of electronic documents and signatures as legal alternatives to original documents and signatures. For information on these, contact the Department of Justice.

While prepared with care to ensure accuracy and completeness, this guide has no legal status. For the official text of the new law, consult our Web site at www.privcom.gc.ca or call the Office of the Privacy Commissioner of Canada.

Table of Contents

Introduction
Is Your Organization Subject to the Act?
  What is not covered by the Act?
Your Responsibilities under the Act
Fair Information Principles
  Be accountable
  Identify the purpose of data collection
  Obtain consent
  Limit collection
  Limit use, disclosure and retention
  Be accurate
  Use appropriate safeguards
  Be open
  Give individuals access
  Provide recourse
Exceptions to the Consent and Access Principles
Role of the Privacy Commissioner of Canada
Complaints to the Privacy Commissioner of Canada
Applications to the Federal Court
Audits of Personal Information Management Practices
Privacy Questionnaire

Introduction

The Office of the Privacy Commissioner of Canada has prepared this guide to help organizations fulfil their responsibilities under the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA is good news for both organizations and individuals. Individuals will appreciate doing business with organizations that demonstrate a respect for their privacy rights, which can ultimately lead to a competitive advantage. Organizations can see this as an opportunity to review and improve their personal information handling practices.

The Act in Brief

Organizations covered by the Act must obtain an individual’s consent when they collect, use or disclose the individual’s personal information. The individual has a right to access personal information held by an organization and to challenge its accuracy, if need be. Personal information can only be used for the purposes for which it was collected. If an organization is going to use it for another purpose, consent must be obtained again. Individuals should also be assured that their information will be protected by specific safeguards, including measures such as locked cabinets, computer passwords or encryption.

Complaints

An individual may complain to the organization in question or to the Office of the Privacy Commissioner of Canada about any alleged breaches of the law. The Commissioner may also initiate a complaint, if there are reasonable grounds.

Application to the Federal Court

After receiving the Office of the Privacy Commissioner of Canada’s investigation report, a complainant may apply to the Federal Court for a hearing under certain conditions as set out in Section 14 of the Act. The Privacy Commissioner of Canada may also apply to the Court on her own or on the complainant’s behalf. The Court may order an organization to change its practices and/or award damages to a complainant, including damages for humiliation suffered.

Audits

The Commissioner may, with reasonable grounds, audit the personal information management practices of an organization.

Offences

It is an offence to:

• destroy personal information that an individual has requested;

• retaliate against an employee who has complained to the Commissioner or who refuses to contravene Sections 5 to 10 of the Act; or

• obstruct a complaint investigation or an audit by the Commissioner or her delegate.

Definitions

Personal information
Personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:

• age, name, ID numbers, income, ethnic origin, or blood type;

• opinions, evaluations, comments, social status, or disciplinary actions; and

• employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).

Personal information does not include the name, title or business address or telephone number of an employee of an organization.

Commercial activity
Any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fund-raising lists.

Organization
An organization includes an association, a partnership, a person or a trade union.

Consent
Voluntary agreement with what is being done or proposed. Consent can be either express or implied. Express consent is given explicitly, either orally or in writing. Express consent is unequivocal and does not require any inference on the part of the organization seeking consent. Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual.

Disclosure
Making personal information available to others outside the organization.

Use
Refers to the treatment and handling of personal information within an organization.

Federal work, undertaking or business
Includes “any work, undertaking or business that is under the legislative authority of Parliament”. While most federally regulated organizations would be captured under this definition, not all these types of organizations are federal works. For instance, insurance companies and credit unions may be subject to some federal regulation, but are considered to be within provincial jurisdiction under the Constitution and are not federal works for the purposes of the Act. The Act defines some of the specific federal works subject to Part 1 as follows:

• airports, aircraft or airlines

• banks

• grain elevators

• inter-provincial or international transportation by land or water

• nuclear facilities

• telecommunications

• offshore drilling operations

• radio and television broadcasting

Note that this is not an exhaustive list of “federal works, undertakings and businesses”. The fact that your company is federally incorporated does not necessarily mean that it is a federal work, undertaking or business. If your company is subject to any part of the Canada Labour Code, it is probably a federal work, undertaking or business.

Is Your Organization Subject to the Act?

PIPEDA came into effect in three stages:

January 1, 2001
In its first stage, the Act began applying to personal information (except personal health information) that is collected, used or disclosed in the course of commercial activities by federal works, undertakings and businesses. This includes, but is not limited to, federally-regulated organizations such as banks, telecommunications and transportation companies.

At this stage the Act began applying to personal data that is collected, used or disclosed by these same organizations about their employees. In addition, at this stage the Act began applying to disclosures of personal information for consideration across provincial or national borders, by organizations such as credit reporting agencies or organizations that lease, sell or exchange mailing lists or other personal information. The information itself must be the subject of the transaction and the consideration is for the information.

January 1, 2002
The Act extended to personal health information for the organizations and activities covered in the first stage. Personal health information is defined as information about an individual’s mental or physical health, including information concerning health services provided and information about tests and examinations.

January 1, 2004
The Act extended to the collection, use or disclosure of personal information in the course of any commercial activity within a province. However, the federal government may exempt organizations and/or activities in provinces that have adopted substantially similar privacy legislation. The Act also applies to all personal information in all interprovincial and international transactions by all organizations subject to the Act in the course of their commercial activities.

To date, Quebec, British Columbia and Alberta have adopted legislation deemed substantially similar to the federal law. The federal government has stated that organizations and activities subject to the substantially similar privacy legislation in these three provinces will be exempted from the federal act for intraprovincial matters.

In November 2003, the Governor in Council issued an Order in Council declaring Quebec’s An Act Respecting the Protection of Personal Information in the Private Sector substantially similar. The Act, which predated PIPEDA, came into effect on January 1, 1994.

British Columbia and Alberta each adopted legislation in 2003 that applies to all organizations within the two provinces, except for those covered by other provincial privacy legislation, and federal works, undertakings or businesses that remain subject to PIPEDA. The two laws – both called the Personal Information Protection Act – came into force on January 1, 2004. The Governor in Council has issued two Orders in Council exempting organizations, other than federal works, undertakings or businesses, in Alberta and British Columbia respectively, from the application of PIPEDA.

Ontario’s Personal Health Information Protection Act (PHIPA) came into force on November 1, 2004. PHIPA establishes rules for the collection, use and disclosure of personal health information by health information custodians in Ontario. Health information custodians are individuals or organizations listed under PHIPA that, as a result of their power or duties, have custody or control of personal health information.

In November 2005, the Governor in Council issued an Order in Council exempting health information custodians in Ontario from the application of PIPEDA. As a result, Ontario health information custodians will not be subject to PIPEDA with respect to the collection, use and disclosure of personal health information. The Information and Privacy Commissioner of Ontario will be responsible for ensuring compliance with PHIPA, including investigating complaints about the personal information practices of health information custodians within the province.

The Privacy Commissioner will continue to be responsible for oversight in relation to the collection, use and disclosure of personal health information that crosses provincial boundaries in the course of commercial activity. As well, our Office will continue to be responsible for personal health information collected, used or disclosed in Ontario in the course of commercial activities by organizations that are not health information custodians.

What is not covered by the Act?

• The collection, use or disclosure of personal information by federal government organizations listed under the Privacy Act

• Provincial or territorial governments and their agents

• An employee’s name, title, business address or telephone number

• An individual’s collection, use or disclosure of personal information strictly for personal purposes (e.g. personal greeting card list)

• An organization’s collection, use or disclosure of personal information solely for journalistic, artistic or literary purposes

• Employee information – except in the federally-regulated sector

See relevant fact sheets on this and other issues on our Web site.

Your Responsibilities under the Act

Organizations must follow a code for the protection of personal information, which is included in the Act as Schedule 1. The code was developed by business, consumers, academics and government under the auspices of the Canadian Standards Association.

It lists 10 principles of fair information practices, which form ground rules for the collection, use and disclosure of personal information. These principles give individuals control over how their personal information is handled in the private sector.

An organization is responsible for the protection of personal information and the fair handling of it at all times, throughout the organization and in dealings with third parties. Care in collecting, using and disclosing personal information is essential to continued consumer confidence and good will.

The 10 principles that businesses must follow are:

1. Accountability

2. Identifying purposes

3. Consent

4. Limiting collection

5. Limiting use, disclosure and retention

6. Accuracy

7. Safeguards

8. Openness

9. Individual access

10. Challenging compliance

These principles must be read in conjunction with key sections of the Act, particularly including:

Sections 2 to 10 of the Act
Schedule 1 must be read in conjunction with Sections 2 to 10 of the Act. It is essential to carefully consider the obligations set out in these sections, along with the 10 principles.

Section 2
• Provides definitions including commercial activity, federal work, undertaking or business, personal information, personal health information and organization.

• Specifies that the notes under clauses 4.3 and 4.9 of Schedule 1 are not part of the law.

Section 3
Defines the purpose of the Act:

• recognizes individuals’ right to privacy of their personal information

• recognizes the need of organizations to collect, use or disclose personal information for legitimate business purposes

• establishes rules for handling personal information

Section 4
Defines the scope of the Act’s application:

• covers all organizations that collect, use or disclose personal information in the course of commercial activities

• includes the personal information of an employee of a federal work, undertaking or business but not the personal information of other private sector employees.

Section 5
• Stipulates that every organization must comply with the obligations of Schedule 1.

• Indicates what is not covered by the Act.

• In the Schedule:
  • “shall” means an obligation
  • “should” means a recommendation, not an obligation.

• Limits the collection, use and disclosure to purposes that a reasonable person would consider appropriate in the circumstances. The reasonable person’s perspective must be taken into account when applying any aspect of Part 1 of the Act.

Section 6
• Establishes that identifying an individual to be accountable for compliance does not mean that the organization is not responsible for its obligations as set out in Schedule 1.

Section 7
• Specifies the circumstances when personal information may be collected, used or disclosed without the individual’s consent.

Section 8
• Sets out procedures for individuals to make requests for personal information and corrections to that information.

Section 9
• Explains when access to personal information may be refused.

Section 10
• Defines an organization’s obligation to provide personal information in an alternative format (e.g. Braille, large print or audio tape) to a person with a sensory disability.

Fair Information Principles

This section sets out the responsibilities for each of the 10 fair information principles of Schedule 1. It outlines how to fulfil these responsibilities and offers some tips.

1. Be accountable

Your responsibilities
• Comply with all 10 of the principles of Schedule 1.

• Appoint an individual (or individuals) to be responsible for your organization’s compliance.

• Protect all personal information held by your organization or transferred to a third party for processing.

• Develop and implement personal information policies and practices.

How to fulfil these responsibilities
• Give your designated privacy official senior management support and the authority to intervene on privacy issues relating to any of your organization’s operations.

• Communicate the name or title of this individual internally and externally (e.g. on Web sites and in publications).

• Analyze all personal information handling practices including ongoing activities and new initiatives, using the following checklist to ensure that they meet fair information practices:
  • What personal information do we collect?
  • Why do we collect it?
  • How do we collect it?
  • What do we use it for?
  • Where do we keep it?
  • How is it secured?
  • Who has access to or uses it?
  • To whom is it disclosed?
  • When is it disposed of?

• Develop and implement policies and procedures to protect personal information:
  • define the purposes of its collection
  • obtain consent
  • limit its collection, use and disclosure
  • ensure information is correct, complete and current
  • ensure adequate security measures
  • develop or update a retention and destruction timetable
  • process access requests
  • respond to inquiries and complaints

• Include a privacy protection clause in contracts to guarantee that the third party provides the same level of protection as your organization does.

• Inform and train staff on privacy policies and procedures.

• Make information available explaining these policies and procedures to customers (e.g. in brochures and on Web sites).

Tips
Train your front-line and management staff and keep them informed, so they can answer the following questions:

• How do I respond to public inquiries regarding our organization’s privacy policies?

• What is consent? When and how is it to be obtained?

• How do I recognize and process requests for access to personal information?

• To whom should I refer complaints about privacy matters?

• What are the ongoing activities and new initiatives relating to the protection of personal information at our organization?

When transferring personal information to third parties, ensure that they:

• Name a person to handle all privacy aspects of the contract.

• Limit use of the personal information to the purposes specified to fulfil the contract.

• Limit disclosure of the information to what is authorized by your organization or required by law.

• Refer any people looking for access to their personal information to your organization.

• Return or dispose of the transferred information upon completion of the contract.

• Use appropriate security measures to protect the personal information.

• Allow your organization to audit the third party’s compliance with the contract as necessary.

2. Identify the purpose

Your organization must identify the reasons for collecting personal information before or at the time of collection.

Your responsibilities
• Before or when any personal information is collected, identify why it is needed and how it will be used.

• Document why the information is collected.

• Inform the individual from whom the information is collected why it is needed.

• Identify any new purpose for the information and obtain the individual’s consent before using it.

How to fulfil these responsibilities
• Review your personal information holdings to ensure they are all required for a specific purpose.

• Notify the individual, either orally or in writing, of these purposes.

• Record all identified purposes and obtained consents for easy reference in case an individual requests an account of such information.

• Ensure that these purposes are limited to what a reasonable person would expect under the circumstances.

Tips
• Define your purposes for collecting data as clearly and narrowly as possible so the individual can understand how the information will be used or disclosed.

• Avoid overly broad purposes as they may conflict with the knowledge and consent principle.

• Examples of purposes include:
  • opening an account
  • verifying creditworthiness
  • providing benefits to employees
  • processing a magazine subscription
  • sending out association membership information
  • guaranteeing a travel reservation
  • identifying customer preferences
  • establishing customer eligibility for special offers or discounts.

Grandfathering
Personal information that your company has collected during the course of its commercial activities is subject to the Act. Since it has already been collected, you don’t need to recollect it. However, in order to continue to use or disclose this information, you now require consent. Some organizations have informed all their customers what they do with their information, to whom it is disclosed and given customers the option to object to these ongoing uses or disclosures.

See relevant best practices and fact sheets on this and other issues on our Web site.

3. Obtain consent

Your responsibilities
• Inform the individual in a meaningful way of the purposes for the collection, use or disclosure of personal data.

• Obtain the individual’s consent before or at the time of collection, as well as when a new use is identified.

How to fulfil these responsibilities*
• Obtain consent from the individual whose personal information is collected, used or disclosed.

• Communicate in a manner that is clear and can be reasonably understood.

• Record the consent received (e.g. note to file, copy of e-mail, copy of check-off box).

• Never obtain consent by deceptive means.

• Do not make consent a condition for supplying a product or a service, unless the information requested is required to fulfil an explicitly specified and legitimate purpose.

• Explain to individuals the implications of withdrawing their consent.

• Ensure that employees collecting personal information are able to answer an individual’s questions about the purposes of the collection.

* Note: There are some exceptions to the principle of obtaining consent. See page 17 of this guide (Exceptions to the Consent and Access Principles) for more information.

Tips
• Consent is normally obtained from the individual whose personal information is collected, used or disclosed.

• For an individual who is a minor, seriously ill, or mentally incapacitated, consent may be obtained from a legal guardian, or person having power of attorney.

• Consent is only meaningful if the individuals understand how their information will be used.

• Consent clauses should:
  • be easy to find
  • use clear and straightforward language
  • not use blanket categories for purposes, uses and disclosures
  • be as specific as possible about which organizations handle the information.

• Consent can be obtained in person, by phone, by mail, via the Internet etc.

• The form of consent should take into consideration:
  • reasonable expectations of the individual
  • circumstances surrounding the collection
  • sensitivity of the information involved.

• Express consent should be used whenever possible and in all cases when the personal information is considered sensitive. Relying on express consent protects both the individual and the organization.

4. Limit collection

Your responsibilities
• Do not collect personal information indiscriminately.

• Do not deceive or mislead individuals about the reasons for collecting personal information.

How to fulfil these responsibilities
• Limit the amount and type of the information gathered to what is necessary for the identified purposes.

• Identify the kind of personal information you collect in your information-handling policies and practices.

• Ensure that staff members can explain why the information is needed.

Tips
• By reducing the amount of information gathered, you can lower the cost of collecting, storing, retaining and ultimately archiving data.

• Collecting less information also reduces the risk of inappropriate uses and disclosures.

5. Limit use, disclosure and retention

Your responsibilities
• Use or disclose personal information only for the purpose for which it was collected, unless the individual consents, or the use or disclosure is authorized by the Act.

• Keep personal information only as long as necessary to satisfy the purposes.

• Put guidelines and procedures in place for retaining and destroying personal information.

• Keep personal information used to make a decision about a person for a reasonable time period. This should allow the person to obtain the information after the decision and pursue redress.

• Destroy, erase or render anonymous information that is no longer required for an identified purpose or a legal requirement.

How to fulfil these responsibilities
• Document any new purpose for the use of personal information.

• Institute maximum and minimum retention periods that take into account any legal requirements or restrictions and redress mechanisms.

• Dispose of information that does not have a specific purpose or that no longer fulfils its intended purpose.

• Dispose of personal information in a way that prevents improper access. Shredding paper files or deleting electronic records are ideal.

• Establish policies setting out the types of information that need to be updated. An organization can reasonably expect an individual to provide updated information in certain circumstances (e.g. change of address for a magazine subscription).

Tips
• It may be less onerous and complicated to destroy or erase information than to make personal information anonymous.

• Conduct regular reviews to help determine whether information is still required. Establish a retention schedule to make this easier.
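As an added illustration of the retention responsibilities above (not code from this guide or from the Office of the Privacy Commissioner), the following Python evaluates a set of holdings against an assumed retention schedule: a minimum period so that information used for a decision stays retrievable while the person may seek redress, a maximum period after which it no longer serves its purpose, a legal-hold override, and the disposal method (erase, shred or render anonymous). The purposes, periods, record layout and sample records are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional, Tuple

# Assumed retention schedule, keyed by the documented purpose of collection.
# min_days: information used for a decision about a person must stay
#           retrievable this long after the decision, so the person can
#           obtain it and pursue redress.
# max_days: after this the information no longer fulfils its purpose.
# disposal: how the record leaves the system once it is no longer needed
#           (erase, shred or render anonymous, the options the guide names).
SCHEDULE = {
    "verifying creditworthiness": {"min_days": 365, "max_days": 730, "disposal": "erase"},
    "processing a magazine subscription": {"min_days": 0, "max_days": 365, "disposal": "anonymize"},
    "providing benefits to employees": {"min_days": 730, "max_days": 2555, "disposal": "shred"},
}


@dataclass
class Record:
    record_id: str
    purpose: str                        # the identified purpose, as documented
    collected_on: date
    decision_on: Optional[date] = None  # date a decision about the person was made
    legal_hold: bool = False            # a legal requirement to keep the record


def retention_window(rec: Record) -> Tuple[date, date]:
    """Return (earliest_disposal, end_of_purpose) for a scheduled record."""
    rule = SCHEDULE[rec.purpose]
    earliest = rec.collected_on + timedelta(days=rule["min_days"])
    if rec.decision_on is not None:
        # A decision restarts the minimum period: the redress window runs
        # from the decision, not from the original collection.
        earliest = max(earliest, rec.decision_on + timedelta(days=rule["min_days"]))
    end_of_purpose = rec.collected_on + timedelta(days=rule["max_days"])
    return earliest, end_of_purpose


def evaluate(rec: Record, today: date) -> str:
    """Classify one record as retain, review or dispose:<method>."""
    if rec.purpose not in SCHEDULE:
        # Information with no documented purpose should not be kept, but the
        # gap may be in the documentation: send it to the privacy official.
        return "review: no documented purpose"
    if rec.legal_hold:
        return "retain: legal requirement"
    earliest, end_of_purpose = retention_window(rec)
    if today < earliest:
        # Disposing now would deny the person the chance to seek redress.
        return "retain: redress window open"
    if today < end_of_purpose:
        return "retain: purpose still active"
    return "dispose:" + SCHEDULE[rec.purpose]["disposal"]


def run_review(records, today: date) -> Dict[str, str]:
    """Apply evaluate() to every record: the regular review the guide asks for."""
    return {rec.record_id: evaluate(rec, today) for rec in records}


# Constructed sample holdings for the demonstration (not real data).
SAMPLE = [
    Record("r1", "verifying creditworthiness", date(2007, 1, 10), decision_on=date(2007, 2, 1)),
    Record("r2", "processing a magazine subscription", date(2009, 5, 1)),
    Record("r3", "verifying creditworthiness", date(2007, 1, 10), decision_on=date(2009, 6, 15)),
    Record("r4", "providing benefits to employees", date(2000, 1, 1), legal_hold=True),
    Record("r5", "marketing list", date(2008, 3, 3)),
]

if __name__ == "__main__":
    for rid, outcome in run_review(SAMPLE, date(2009, 9, 1)).items():
        print(rid, outcome)
```

Note that r3 is kept past its maximum period because a recent decision reopened the redress window; the minimum period takes precedence over the maximum, as the guide's "reasonable time period" responsibility requires.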

6. Be accurate

Your responsibilities
• Minimize the possibility of using incorrect information when making a decision about the individual or when disclosing information to third parties.

How to fulfil these responsibilities
• Keep personal information as accurate, complete and up to date as necessary, taking into account its use and the interests of the individual.

• Update personal information only when necessary to fulfil the specified purposes.

• Keep frequently used information accurate and up to date unless there are clearly set out limits to this requirement.

Tips
• One way to determine if information needs to be updated is to ask whether the use or disclosure of out of date or incomplete information would harm the individual.

• Apply the following checklist for accuracy:
  • List specific items of personal information required to provide a service.
  • List the location where all related personal information can be retrieved.
  • Record the date when the personal information was obtained or updated.
  • Record the steps taken to verify accuracy, completeness and timeliness of the information. This may require reviewing your records or communicating with the client.

7. Use appropriate safeguards

Your responsibilities
• Protect personal information against loss or theft.

• Safeguard the information from unauthorized access, disclosure, copying, use or modification.

• Protect personal information regardless of the format in which it is held.

How to fulfil these responsibilities
• Develop and implement a security policy to protect personal information.

• Use appropriate security safeguards to provide necessary protection:
  • physical measures (locked filing cabinets, restricting access to offices, alarm systems)
  • technological tools (passwords, encryption, firewalls)
  • organizational controls (security clearances, limiting access on a “need-to-know” basis, staff training, agreements).

• Make your employees aware of the importance of maintaining the security and confidentiality of personal information.

• Ensure staff awareness by holding regular staff training on security safeguards.

• The following factors should be considered in selecting appropriate safeguards:
  • sensitivity of the information
  • amount of information
  • extent of distribution
  • format of the information (electronic, paper, etc.)
  • type of storage.

• Review and update security measures regularly.

Tips
• Make sure personal information that has no relevance to the transaction is either removed or blocked out when providing copies of information to others.

• Keep sensitive information files in a secure area or computer system and limit access to individuals on a “need-to-know” basis only.

Page 14

8. Be open

Your responsibilities
• Inform customers, clients and employees that you have policies and practices for the management of personal information.
• Make these policies and practices understandable and easily available.

How to fulfil these responsibilities
• Ensure front-line staff is familiar with the procedures for responding to individual inquiries.
• Make the following available:
  • name or title and address of the person who is accountable for your organization’s privacy policies and practices
  • name or title and address of the person to whom access requests should be sent
  • how an individual can gain access to his or her personal information
  • how an individual can complain to your organization
  • brochures or other information that explain your organization’s policies, standards or codes
  • a description of what personal information is made available to other organizations (including subsidiaries) and why it is disclosed.

TIPS
• Information about these policies and practices should be made available in person, in writing, by telephone, in publications or on your organization’s Web site. The information presented should be consistent, regardless of the format.

Page 15

9. Give individuals access

Your responsibilities
• When requested, inform individuals if you have any personal information about them.
• Explain how it is or has been used and provide a list of any organizations to which it has been disclosed.
• Give individuals access to their information.
• Correct or amend any personal information if its accuracy and completeness is challenged and found to be deficient.
• An organization should note any disagreement on the file and advise third parties where appropriate.

How to fulfil these responsibilities
• Provide any help the individual needs to prepare a request for access to personal information.
• Your organization may ask the individual to supply enough information to enable you to account for the existence, use and disclosure of personal information.
• Respond to the request as quickly as possible and no later than 30 days after receipt of the request.
• The normal 30-day response time limit may be extended for a maximum of 30 additional days, according to specific criteria set out at Subsection 8(4) of the Act:
  • if responding to the request within the original 30 days would unreasonably interfere with activities of your organization
  • if additional time is necessary to conduct consultations
  • if additional time is necessary to convert personal information to an alternate format.
• If your organization extends the time, you must notify the individual making the request within 30 days of receiving the request, and of his or her right to complain to the Privacy Commissioner of Canada.
• Give access at minimal or no cost to the individual.
• Notify the individual of the approximate costs before processing the request and confirm that the individual still wants to proceed with the request.
• Give individuals access to their personal information.
• Make sure the requested information is understandable. Explain acronyms, abbreviations and codes.
• Send any information that has been amended, where appropriate, to any third parties that have access to the information.
• Inform the individual in writing when refusing to give access, setting out the reasons and any recourse available.
• There are some exceptions to the principle of providing access (see page 18 of this guide).

TIPS
• Keep a record of where the information can be found to make retrieval easier.
• Never disclose personal information unless you are sure of the identity of the requestor and that person’s right of access.
• Record the date of receipt of the request for the information.
• Ensure that staff know how to identify an access request and to whom it should be referred within the organization.

Page 16

10. Provide recourse

Your responsibilities
• Develop simple and easily accessible complaint procedures.
• Inform complainants of their avenues of recourse. These include your organization’s own complaint procedures, those of industry associations, regulatory bodies and the Office of the Privacy Commissioner of Canada.
• Investigate all complaints received.
• Take appropriate measures to correct information handling practices and policies.

How to fulfil these responsibilities
• Record the date a complaint is received and the nature of the complaint (e.g. delays in responding to a request, incomplete or inaccurate responses, or improper collection, use, disclosure or retention).
• Acknowledge receipt of the complaint promptly.
• Contact the individual to clarify the complaint, if necessary.
• Assign the matter to a person with the skills necessary to review it fairly and impartially and provide that individual with access to all relevant records, employees or others who handled the personal information or access request.
• Notify individuals of the outcome of investigations clearly and promptly, informing them of any relevant steps taken.
• Correct any inaccurate personal information or modify policies and procedures based on the outcome of the complaint, and ensure that staff in the organization are aware of any changes to these policies and procedures.

TIPS
• Ensure that staff are aware of policies and procedures for complaints, and to whom these complaints should be referred within the organization.
• Record all decisions to ensure consistency in applying the Act.
• Handling a complaint fairly and appropriately may help to preserve or restore the individual’s confidence in your organization.

Page 17

Exceptions to the Consent and Access Principles

There are a number of exceptions to the requirements to obtain consent and provide access set out in the Act.

Exceptions to consent in Section 7

Organizations may collect personal information without the individual’s knowledge or consent only:
• if it is clearly in the individual’s interests and consent is not available in a timely way;
• if knowledge and consent would compromise the availability or accuracy of the information and collection is required to investigate a breach of an agreement or contravention of a federal or provincial law;
• for journalistic, artistic or literary purposes;
• if it is publicly available as specified in the regulations.

Organizations may use personal information without the individual’s knowledge or consent only:
• if the organization has reasonable grounds to believe the information could be useful when investigating a contravention of a federal, provincial or foreign law and the information is used for that investigation;
• for an emergency that threatens an individual’s life, health or security;
• for statistical or scholarly study or research (the organization must notify the Privacy Commissioner of Canada before using the information);
• if it is publicly available as specified in the regulations;
• if the use is clearly in the individual’s interest and consent is not available in a timely way; or
• if knowledge and consent would compromise the availability or accuracy of the information and collection was required to investigate a breach of an agreement or contravention of a federal or provincial law.

Organizations may disclose personal information without the individual’s knowledge or consent only:
• to a lawyer representing the organization;
• to collect a debt the individual owes to the organization;
• to comply with a subpoena, a warrant or an order made by a court or other body with appropriate jurisdiction;
• to the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) as required by the Proceeds of Crime (Money Laundering) and Terrorist Financing Act;
• to a government institution that has requested the information, identified its lawful authority to obtain the information, and indicates that disclosure is for the purpose of enforcing, carrying out an investigation, or gathering intelligence relating to any federal, provincial or foreign law; or suspects that the information relates to national security, the defence of Canada or the conduct of international affairs; or is for the purpose of administering any federal or provincial law;

Page 18

• to an investigative body named in the Regulations of the Act or government institution on the organization’s initiative when the organization has reasonable grounds to believe that the information concerns a breach of an agreement, or a contravention of a federal, provincial, or foreign law, or suspects the information relates to national security, the defence of Canada or the conduct of international affairs;
• if made by an investigative body for the purposes related to the investigation of a breach of an agreement or a contravention of a federal or provincial law;
• in an emergency threatening an individual’s life, health, or security (the organization must inform the individual of the disclosure);
• for statistical, scholarly study or research (the organization must notify the Privacy Commissioner before disclosing the information);
• to an archival institution;
• 20 years after the individual’s death or 100 years after the record was created;
• if it is publicly available as specified in the regulations; or
• if required by law.

Exceptions to access in Section 9

Organizations must refuse an individual access to personal information:
• if it would reveal personal information about another individual* unless there is consent or a life-threatening situation; or
• if the organization has disclosed information to a government institution for law enforcement or national security reasons. Upon request, the government institution may instruct the organization to refuse access or not to reveal that the information has been released. The organization must refuse the request and notify the Privacy Commissioner of Canada. The organization cannot inform the individual of the disclosure to the government institution, or that the institution was notified of the request, or that the Commissioner was notified of the refusal.

Organizations may refuse access to personal information if the information falls under one of the following:
• solicitor-client privilege
• confidential commercial information*
• disclosure could harm an individual’s life or security*
• it was collected without the individual’s knowledge or consent to ensure its availability and accuracy, and the collection was required to investigate a breach of an agreement or contravention of a federal or provincial law (the Privacy Commissioner of Canada must be notified)
• it was generated in the course of a formal dispute resolution process

* If this information can be removed, the organization must release the remaining information.

Page 19

Role of the Privacy Commissioner of Canada

The Privacy Commissioner of Canada has oversight of both the Privacy Act and Part 1 of PIPEDA. These acts protect personal information according to internationally accepted fair information principles and practices.

The Commissioner is an Officer of Parliament, like the Auditor General of Canada or the Chief Electoral Officer. As an Officer of Parliament, the Commissioner reports directly to the House of Commons and to the Senate, not to the government of the day. This independence ensures impartiality and open-mindedness in exercising her role as an ombudsman for privacy matters. The Commissioner makes recommendations, not orders. However, there is provision to apply to the Federal Court to review a case.

In addition to the Privacy Commissioner, the Office has an Assistant Privacy Commissioner responsible for the Privacy Act and another Assistant Privacy Commissioner responsible for PIPEDA.

A privacy ombudsman
More than two decades of experience investigating complaints under the Privacy Act have helped define the Privacy Commissioner’s ombudsman role. The Privacy Commissioner relies on the competence, knowledge and impartiality of her staff to seek whenever possible to resolve disputes through investigation, persuasion, mediation and conciliation. Ideally this approach to resolving disputes can be less intimidating to complainants and less costly to business than recourse to the courts. While the Commissioner protects individual rights, she is also an advocate for the fair information principles that form the foundation of the legislation. The Commissioner’s thorough investigations and impartiality protect both individual rights and the organization against unfair accusations.

Specific responsibilities under the Act
The Act makes the Commissioner responsible for ensuring compliance with the Act and for promoting its purposes.

Page 20

Promoting the purposes of the Act
The Commissioner promotes the purposes of the Act through public education and awareness initiatives, research, reporting, and consultation and agreements.

The Commissioner’s mandate includes developing and conducting public education and awareness programs to encourage and promote understanding of privacy issues.

PIPEDA also requires the Commissioner to undertake and publish research about protecting personal information so as to increase knowledge and improve compliance with the Act’s fair information principles. The Commissioner may conduct independent research on privacy issues in conjunction with academic or other researchers. She may also provide grants and contributions for academic or other research on privacy issues.

The Commissioner may make public any information about an organization’s personal information handling practices, if she considers it in the public interest to do so. She reports annually to Parliament on privacy issues including the extent to which provinces have substantially similar legislation.

The Commissioner may enter into agreements with provincial counterparts who, under substantially similar legislation, have similar powers and duties. These consultations and agreements may cover complaint mechanisms, research and developing model contracts for protecting personal information in interprovincial or international matters. The Commissioner will encourage organizations to develop detailed policies and practices to comply with Part 1 of the Act.

Page 21

Complaints to the Privacy Commissioner of Canada

Types of complaints
An individual may complain to the Commissioner about any matter specified in Sections 5 to 10 of the Act or in the recommendations or obligations set out in Schedule 1. This includes but is not limited to allegations that an organization:
• denies an individual access to personal information;
• improperly collects, uses or discloses personal information;
• refuses to correct inaccurate or incomplete information;
• fails to provide access to personal information in an alternative format to an individual with a sensory disability; or
• does not use appropriate safeguards to protect personal information.

The Commissioner may initiate a complaint if there are reasonable grounds to believe that an investigation of a matter under Part 1 of the Act is warranted.

Time limits
There is no time limit for filing most types of complaints.

The only exception is a complaint that access to personal information has been denied. In this case, the complaint must be made within six months after the organization’s refusal to provide the information, or after the expiry of the time limit for responding to the request (see page 15 of this guide for more on the time limit to respond to a request). However, the Commissioner may extend the time limit for an access complaint.

The Commissioner has one year from the date of the complaint to prepare a report.

How does the Privacy Commissioner of Canada handle complaints?
As an ombudsman, the Commissioner seeks to take a cooperative and conciliatory approach to investigations whenever possible. She encourages the resolution of complaints through negotiation and persuasion. Alternate dispute resolution methods such as mediation and conciliation may be used to settle matters at any stage of the investigation process. Although the Commissioner has the power to summon witnesses, administer oaths and compel the production of evidence, these means are only likely to be used if voluntary cooperation is not forthcoming.

At the outset of an investigation, the Commissioner will notify the organization in writing of the substance of the complaint and will identify the investigator responsible for the case. The organization may submit representations to the Commissioner at any time during the process.

The investigator will contact the organization’s designated staff member to indicate how he or she intends to proceed with the investigation and, if possible, which records need to be reviewed and which staff members may be interviewed. The investigator may also indicate whether on-site visits will be needed.

Page 22

Investigators obtain information directly from individuals familiar with the matter under investigation. These interviews are conducted in private. Investigators may also require access to original documents. Documents given to an investigator are returned within 10 days of a request for their return, but they may be asked for again if the need arises.

Prior to finalizing the investigation, the results are disclosed to the parties involved. They may make additional representations if they see fit. This also gives them the opportunity to resolve the matter before the complaint is finalized.

The investigator submits the results of the investigation to the Commissioner along with any representations. The Commissioner will consider the case and issue a report to the parties. The Commissioner can request that an organization give the Commissioner, within a specified time, notice of any action taken or proposed to be taken to implement report recommendations, or explain why no action has or will be taken. The report includes the results of the investigation, any settlement reached by the parties, recommendations such as suggested changes in information management practices, what steps the organization has taken or will take to address these recommendations and, if applicable, notice of recourse to the Federal Court.

See relevant fact sheets on this and other issues on our Web site.

A complaint may be disposed of in one of the following three ways:

1. Not well founded
There is no evidence to lead the Commissioner to conclude that the organization violated the Act.

2. Well founded
The investigation revealed that the organization failed to respect a provision of the Act and the complaint was not resolved.

3. Resolved
The investigation supports the complaint, but the organization agrees to take corrective action to remedy the situation. For example, the organization agrees to release personal information previously denied.

The complaint may also be resolved if it appears to be the result of miscommunication or misunderstanding. For example, an organization misunderstood the request and now agrees to release the personal information sought by the complainant.

The complaint is also resolved if the complainant is satisfied with the Commissioner’s efforts and the results.

The Commissioner is not required to issue an investigation report if:
• the complainant has not pursued alternate redress mechanisms that are reasonably available;
• the case could be more appropriately dealt with through other legislation;
• too much time has passed since the matter that prompted the complaint and reporting would serve no useful purpose; or
• the complaint is trivial, frivolous or vexatious, or is made in bad faith.

Page 23

Applications to the Federal Court

A complainant may apply to the Federal Court for a hearing. The Privacy Commissioner of Canada may apply on her own or on a complainant’s behalf. Normally, an application must be made within 45 days of the Commissioner’s report.

What Matters Can Be Heard
The Court will consider applications arising from the complaint or any matter referred to in the Commissioner’s report and that is referred to in one of the following:

Under Schedule 1
4.1.3 Whether an organization has properly exercised its responsibility for the personal information in its possession including information transferred to a third party.
4.2 Whether an organization has properly identified and documented the purposes for which personal information is being collected, used or disclosed, at or before the time of collection.
4.3.3 Whether an organization has refused to provide a service to an individual because the individual would not consent to the collection, use or disclosure of more information than necessary for the specified purpose.
4.4 Whether an organization has collected more information than necessary for the purposes or whether it was collected by fair and lawful means.
4.6 Whether the information is accurate, up-to-date and as complete as necessary.
4.7 Whether an organization has taken the necessary steps to safeguard the information.
4.8 Whether an organization has made specific information about its personal information management policies readily available to individuals.

Under Schedule 1 as modified by Sections 5 to 10 of the Act
4.3 Whether personal information has been collected, used or disclosed without the knowledge or consent of the individual, except where permitted or required. (See page 17 of this guide.)
4.5 Whether an organization has used or disclosed personal information for purposes other than those for which it was collected, without the consent of the individual and in circumstances not authorized by the Act. As well, whether an organization has retained the information long enough for a complainant to exhaust his or her remedies under the Act.
4.9 Whether an individual was wrongly denied access to information about himself except where permitted or required. (See page 18 of this guide.)

Page 24

Sections of the Act
5(3) Whether the information was collected, used or disclosed only for purposes that a reasonable person would consider appropriate.
8(6) Whether an individual has been charged too much for access to information or was not notified in advance of the cost.
8(7) Whether an organization has informed the individual in writing of a refusal to give access, has given the reasons for the refusal and set out the appropriate recourse available.
10 Whether an organization has failed to grant access in an alternative format to an individual with a sensory disability.

Remedies available through Federal Court
The Federal Court may order an organization to correct practices that do not comply with Sections 5 to 10 of the Act. The Court may also order an organization to publish a notice of any action taken or proposed to correct its practices. The Court can award damages to a complainant, including damages for humiliation. There is no ceiling on monetary damages that the Court may award.

Page 25

Audits of Personal Information Management Practices

The Act gives the Privacy Commissioner of Canada the authority to audit an organization’s personal information management practices when she has reasonable grounds to believe the organization is not fulfilling its obligations under Part 1 of the Act or is not respecting the recommendations of Schedule 1.

What can lead to an audit?
The following are examples of circumstances that may lead the Commissioner to audit the personal information management practices of an organization:
• a group or series of complaints about a particular organization’s practice(s)
• information provided by an individual under the whistleblower provision
• an issue receiving media attention.

What to expect from an audit by the Commissioner
In keeping with the Commissioner’s ombudsman approach, privacy audits are non-confrontational whenever possible and can be useful for organizations wanting to improve their personal information handling practices.

The Commissioner will inform the organization in writing that an audit will be undertaken. The letter will specify the audit’s focus, propose a reasonable time frame, and name the officer delegated to conduct the audit. Although the Commissioner has the power to summon witnesses, administer oaths and compel organizations to produce evidence, audits are unlikely to be conducted on such a formal basis unless voluntary cooperation is not forthcoming.

The officer will meet with the organization’s representative for a preliminary discussion of the intent, purpose and scope of the review.

When the officer requires access to any of the organization’s premises, he or she will satisfy security requirements. The officer may interview any person in private on the premises, examine records and obtain copies or extracts of such records. The officer will return any document within 10 days of a request for their return but may ask for them again if the need arises.

Once the audit is finished, the officer will debrief the organization’s representative on the findings. The officer will report the audit findings to the Commissioner who will make recommendations. The Commissioner will send the report to the organization and may ask to be kept informed of actions the organization takes to correct problems.

The Commissioner may include the audit report in her annual report or she may make public the personal information management practices of an organization if she considers it to be in the public interest to do so.

Page 27

Privacy Questionnaire

The following are some common sense questions you can use to help your organization implement PIPEDA. The questionnaire may be used along with the description of the Act in this guide.

If you are unsure about whether or when the Act applies to your organization, please refer to page 3 of this guide.

Not all of the following questions will apply to all organizations, as the Act applies to a wide variety and size of organizations. Consider each question along with your organization’s current practices. Answering “no” indicates areas that need to be addressed or improved.

Personal information holdings
• Do you know what personal information is?
• Do you collect, use or disclose personal information in your day-to-day commercial activities?
• Do you have an inventory of your personal information holdings?
• Do you know where personal information is held (physical locations and files)?
• Do you know in what format(s) the personal information is kept (electronic, paper, etc.)?
• Do you know who has access to personal information in and outside your organization?

Accountability of organization and staff
• Have you named a privacy officer who is responsible for your organization’s overall compliance with the Act?
• Is this responsibility shared with more than one person?
• If these responsibilities are shared, have they been clearly identified?
• Can your staff respond to internal and external privacy questions on behalf of the organization, or do they know who should respond?
• Does your staff know who receives and responds to:
  • requests for personal information?
  • requests for correction?
  • complaints from the public?
• Do your customers know whom to contact:
  • for general inquiries regarding their personal information?
  • to request their personal information?
  • to request corrections to their personal information?
  • for complaints?
• Is your privacy officer able to explain to the public the steps and procedures for requesting personal information and filing complaints?
• Has your staff been trained on the Act?
• Will there be ongoing training?

Page 33: Your Privacy Responsibilities Guide

28

YOUR PR I VACY RESPONS I B I L I T I E S – A GU IDE TO CANADA’ S PERSONAL INFORMAT ION PROTECT ION AND ELECTRON IC DOCUMENTS ACT

� Is your staff able to explain the purposesfor the collection,use and disclosure ofpersonal information to customers ineasy to understand terms?

� Is your staff able to explain to customerswhen and how they may withdraw con-sent and what the consequences, if any,there are of such a withdrawal?

� Will you inform your employees of newprivacy issues raised by technologicalchanges, internal reviews,public com-plaints and decisions of the courts?

Information for customersandemployees� Do you have documents that explain

your personal information practices andprocedures to your customers?

� Does this information include how to:

� obtain personal information?

� correct personal information?

� make an inquiry or complaint?

� Does this information describe personalinformation that is:

� held by the organization and how itis used?

� disclosed to subsidiaries and otherthird parties?

� Do you have a privacy policy for yourWeb site?

� Is your privacy policy prominent and easyto find? Is it easily understandable?

� Do your application forms,question-naires, survey forms,pamphlets andbrochures clearly state the purposesfor the collection,use or disclosure ofpersonal information?

� Have you reviewed all your publicinformation material to ensure thatany sections concerning personal infor-mation are clear and understandable?

� Have you ensured that the public canobtain this information easily andwithout cost?

� Is this information reviewed regularly toensure that it is accurate, complete andup to date?

� Does this information include the currentname or title of the person who is respon-sible for overseeing compliance withthe Act?

Limiting collection, use, disclosure and retention to identified purposes

• Have you identified the purposes for collecting personal information?

• Are these purposes identified at or before the time the information is collected?

• Do you collect only the personal information needed for identified purposes?

• Do you document the purposes for which personal information is collected?

• If you gather and combine personal information from more than one source, do you ensure that the original purposes have not changed?

• Have you developed a timetable for retaining and disposing of personal information?

• When you no longer require personal information for the identified purposes or it is no longer required by law, do you destroy, erase or make it anonymous?

Consent

• Does your staff know that an individual’s consent must be obtained before or at the time they collect personal information?

• Does your staff know they must obtain an individual’s consent before any new use or new disclosure of the information?


• Do you use express consent whenever possible, and in all cases where the information is sensitive or the individual would reasonably expect it?

• Is your consent statement worded clearly, so that an individual can understand the purpose of the collection, use or disclosure?

• Do you make it clear to customers that they need not provide personal information that is not essential to the purpose of the collection, use or disclosure?

Third party transfers

• Do you use contracts to ensure the protection of personal information transferred to a third party for processing?

• Does the contract limit the third party’s use of information to purposes necessary to fulfil the contract?

• Does the contract require the third party to refer any requests for access or complaints about the information transferred to you?

• Does the contract specify how and when a third party is to dispose of or return any personal information it receives?

Ensuring accuracy

• Is personal information sufficiently accurate, complete and up to date to minimize the possibility that your organization might use inappropriate information?

• Does your organization document when and how personal information is updated, to ensure its accuracy?

• Do you ensure that personal information received from a third party is accurate and complete?

Safeguards

• Have you reviewed your physical, technological and organizational security measures?

• Do they prevent improper access, modification, collection, use, disclosure and/or disposal of personal information?

• Is personal information protected by security safeguards that are appropriate to the:

  • sensitivity of the information?

  • scale of distribution?

  • format of the information?

  • method of storage?

• Have you developed a “need-to-know” test to limit access to personal information to what is necessary to perform assigned functions?

• Has your staff been trained about security practices to protect personal information? For example, is staff aware that personal information should not be left displayed on their computer screens or desktops in their absence?

• Is your staff aware that they should properly identify individuals and establish their right to access the personal information before disclosing it?

• Do you have rules about who is permitted to add, change or delete personal information?

• Is there a records management system that assigns user accounts, access rights and security authorizations?

• Do you ensure that no unauthorized parties may dispose of, obtain access to, modify or destroy personal information?

PRIVACY QUESTIONNAIRE


Requests for access to personal information

• Is your staff aware of the time limits the law allows to respond to access requests?

• Can you retrieve personal information to respond to individual access requests with a minimal disruption to operations?

• Do your information systems facilitate the retrieval and accurate reporting of an individual’s personal information, including disclosures to third party organizations?

• Do you provide personal information to the individual at minimal or no cost?

• Do you advise requesters of costs, if any, before personal information is retrieved?

• Do you record an individual’s response to being notified of the cost of retrieving personal information?

• Do you provide personal information in a form that is generally understandable? (For example, do you explain abbreviations?)

• Does your organization have procedures for responding to requests for personal information in an alternate format (such as Braille or audiotapes)?

Handling complaints

• Can an individual easily find out how to file a complaint with you?

• Do you deal with complaints in a timely fashion?

• Do you investigate all complaints received?

• Are your customer assistance and other front-line staff able to distinguish a complaint under the law from a general inquiry? If unsure, do they discuss this with the individual?

• Do you advise individuals about all available avenues of complaint, including the Privacy Commissioner of Canada?

• Are staff responses to public inquiries, requests and complaints reviewed to ensure they are handled fairly, accurately and quickly?

• When a complaint is found to be justified, do you take appropriate corrective measures, such as amending your policies and advising staff of the outcome?