The ACEC-Ontario Board of Directors has approved the following governance standard regarding a Privacy Policy:
ACEC-Ontario has a privacy policy addressing the collection and protection of personal information, and the policy is posted in a readily accessible location on its website.
The attached Privacy Policy was approved by the ACEC-Ontario Board of Directors on October 1, 2020.
ACEC-Ontario Privacy Policy
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canadian federal legislation that addresses the collection and use of “personal information” for commercial purposes. At present, there is no equivalent provincial legislation applicable to private organizations. PIPEDA defines “personal information” as including factual or subjective information about an identifiable individual. This can include information in any form, such as name, age, ID numbers, income, ethnic origin, blood type, opinions, evaluations, comments, social status, disciplinary actions, employee records, credit records, medical records, etc.
PIPEDA clearly states that business contact information, such as an employee’s name, title, business address, telephone number or email addresses, that is collected, used or disclosed solely for the purpose of communicating with that person in relation to their employment or profession is not “personal information”. Further, not-for-profits and associations (including advocacy groups) are generally exempt from the legislation.
Notwithstanding the exemption and the fact that ACEC-Ontario collects little, if any, personal information for commercial purposes, this policy exists to ensure that the information collected by ACEC-Ontario about individuals is used and protected appropriately.
Policy
ACEC-Ontario will collect and use information about individuals for the establishment and operation of its Board, standing committees, liaison committees, task force committees and other advisory bodies created by the Board under its By-law authority. Further, information about individuals will be collected for the purposes of planning, development and delivery of programs (including programs related to advocacy and member services), events, activities, training courses and other educational or professional development opportunities.
To the extent that any information described above constitutes “personal information” as defined under PIPEDA, the collection, use, disclosure and retention of that “personal information” shall be guided by the “fair information principles” of PIPEDA (attached).
The Executive Director is the Chief Privacy Officer of ACEC-Ontario. Issues or concerns about the content or application of this policy should be directed to the Chief Privacy Officer.
This policy does not apply to information about ACEC-Ontario staff collected under the Employment Standards Act.
Approved: October 1, 2020
PIPEDA fair information principles
Revised: May 2019
PIPEDA’s 10 fair information principles form the ground rules for the collection, use and disclosure of personal information, as well as for providing access to personal information. They give individuals control over how their personal information is handled in the private sector.
In addition to these principles, PIPEDA states that any collection, use or disclosure of personal information must only be for purposes that a reasonable person would consider appropriate in the circumstances.
The Office of the Privacy Commissioner has determined that the following purposes would generally be considered inappropriate by a reasonable person (i.e., no-go zones):
- collecting, using or disclosing personal information in ways that are otherwise unlawful;
- profiling or categorizing individuals in a way that leads to unfair, unethical or discriminatory treatment contrary to human rights law;
- collecting, using or disclosing personal information for purposes that may cause significant harm to someone;
- publishing personal information with the intent of charging people for its removal;
- requiring passwords to social media accounts for the purpose of employee screening; and
- conducting surveillance on an individual using their own device’s audio or video functions.
This section sets out organizations’ responsibilities for each of the 10 fair information principles.
It outlines how to fulfill these responsibilities and offers some tips.
Principle 1 – Accountability
An organization is responsible for personal information under its control. It must appoint
someone to be accountable for its compliance with these fair information principles.
Principle 2 – Identifying Purposes
The purposes for which the personal information is being collected must be identified by the organization before or at the time of collection.
Principle 3 – Consent
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
Principle 4 – Limiting Collection
The collection of personal information must be limited to that which is needed for the purposes identified by the organization. Information must be collected by fair and lawful means.
Principle 5 – Limiting Use, Disclosure, and Retention
Unless the individual consents otherwise or it is required by law, personal information can only be used or disclosed for the purposes for which it was collected. Personal information must only be kept as long as required to serve those purposes.
Principle 6 – Accuracy
Personal information must be as accurate, complete, and up-to-date as possible in order to properly satisfy the purposes for which it is to be used.
Principle 7 – Safeguards
Personal information must be protected by appropriate security relative to the sensitivity of the information.
Principle 8 – Openness
An organization must make detailed information about its policies and practices relating to the management of personal information publicly and readily available.
Principle 9 – Individual Access
Upon request, an individual must be informed of the existence, use, and disclosure of their personal information and be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Principle 10 – Challenging Compliance
An individual shall be able to challenge an organization’s compliance with the above principles. Their challenge should be addressed to the person accountable for the organization’s compliance with PIPEDA, usually their Chief Privacy Officer.