- Appendix I: TEN PRINCIPLES OF PRIVACY PROTECTION
- Appendix VI: COMPLAINT PROCESS CHECKLIST - BC Athletics Club Template
- Appendix VII: Conducting a Privacy Audit of Your Personal Information Holdings
Introducing Private Sector Privacy Legislation
On January 1, 2004 the Personal Information Protection Act (PIPA) came into effect for British Columbia. The purpose of PIPA is to govern the collection, use and disclosure of personal information by organizations, including non-profit sport organizations such as BC Athletics and its Member Clubs, by recognizing:
- The right of individuals to protect their personal information
- The need for organizations to collect, use, secure and disclose personal information for purposes that a reasonable person would consider appropriate under the circumstances.
BC Athletics and its member clubs are covered by the Act because they collect personal information relating to athletes and their families and, as employers, information relating to staff.
The Act is complaint-driven, which means that an individual can make a complaint about an organization's collection, use or disclosure of his or her personal information to the Information and Privacy Commissioner for British Columbia. Fines for non-compliance can be substantial. The Act was brought about to deal with the need for privacy protection in the wake of the Internet and the ability of organizations to compile and use personal information, often without the knowledge or consent of the individual.
Hence the Act brings confidentiality to employment records, gives individuals control over the way their personal information is handled, and gives them the right to request access to and correction of their personal information. A complaints handling process is also an essential component of the Act.
Preparing for PIPA
1. IDENTIFYING PERSONAL INFORMATION
"Personal Information" is broadly defined as any information about an identifiable individual, that is, information that can be used to distinguish or identify a specific individual. It may be factual or subjective, recorded or not, and includes:
- Age, name, ID numbers, income
- Opinions, evaluations, comments, disciplinary actions
- Employee files, medical and benefits information
2. ASSIGNING RESPONSIBILITY
The Privacy Officer has three main responsibilities:
- To encourage compliance with the Ten Principles of Privacy Protection (see Appendix I)
- To respond to issues related to personal information, including requests for access to and correction of personal information
- To work with the provincial Information and Privacy Commissioner during an investigation should a complaint be filed.
3. LEARNING THE TEN PRIVACY PRINCIPLES
These principles are legally binding rules regulating how organizations collect, use, disclose and secure personal information (see Appendix I). Learn and understand them.
4. CONDUCTING A PRIVACY AUDIT
To comply with PIPA, it is essential to identify what personal information is being held by the organization, how it is being held, who has access to it, and what are the current security and disposal procedures.
Generally speaking, clubs collect:
- Information related to athletes: addresses, parents, age, medical conditions, emergency contacts
- Athlete performance records
- Employment records related to staff (if applicable)
If you collect personal information other than that outlined above, such as email addresses of those who have access to the organization's website, please refer to the government website: www.mser.gov.bc.ca/foi_pop/privacy/tools/PIPA_tool_5.htm
Appendix VII contains an Audit Chart with questions to assist you in conducting your organization's audit.
5. PUTTING YOUR ORGANIZATION TO THE TEST
Is the information being collected used?
If not, the information should cease to be collected. Limit the collection of personal information to those purposes that a reasonable person would consider appropriate under such circumstances.
In the case of your membership, is it clear to a reasonable person what the purpose is in collecting their information as well as its use and disclosure?
As long as it is clear to a reasonable person that the organization is collecting information for the purpose of providing services to that individual, and the information is given voluntarily, the individual is deemed to have consented; written consent is therefore not required. It is recommended that you communicate your purposes to members and staff by developing a brochure or posting the information.
Are employees aware of what personal information is collected, used and disclosed?
An employer can collect employee personal information without the employee's consent provided its purpose is for establishing, managing or terminating the employment relationship. However, the employer must notify the employee of what information is collected and for what purposes prior to collecting the information.
Does the organization encourage personal information to be accurate and up-to-date?
Reasonable efforts must be made to ensure that the personal information collected is accurate and complete. Scheduled updates are recommended.
Can a member access all their personal information that your organization holds?
Members should have easy access to their records. Your organization may need to explain how the personal information is being or has been used, and to provide a list of any individuals or organizations to which the personal information has been disclosed.
Do employees have the right to access all their personal information that your organization holds?
Upon request, employees may access their personal information held by the organization, as described above. Some exceptions apply, for example in the context of termination of employment, and a reason must be given whenever information is withheld.
Who has access to member personal information?
Access should be restricted to the executive members involved in the day-to-day operation of the organization, e.g. the registrar. Where a contractor, such as a software vendor or accountant, has periodic access to confidential information, ensure that the contract explicitly contains a confidentiality statement. Where a contract is already in place, a letter to the effect set out in Appendix III will suffice.
Are there appropriate safeguards to protect personal information held by the organization?
Personal information, especially health and employment records, is considered confidential. The organization must make reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification and similar risks. Personal information and employee files must be secured in a manner appropriate to their sensitivity:
- Electronic information should be password protected, with access limited to those who need it
- Computer monitors should be positioned so that personal information cannot be read by others
- Paper files should be kept in locked filing cabinets wherever access to the area is not controlled
- Files should not be left unattended
Are files destroyed in a manner that protects against disclosure of personal information?
Under the Act the organization is responsible for destroying documents that contain personal information. We highly recommend using a mechanical shredding machine to destroy each document.
What about personal information that was collected prior to January 1, 2004?
PIPA does not apply to the collection of personal information that has been collected before the Act came into force.
6. IMPLEMENTING CHANGES
Based on the above information, and after analyzing your office's information handling practices, you may need to amend existing policies or implement new ones to ensure compliance with the Act and PIPA's ten privacy principles.
For example, you may need to implement some of the following policies:
- Develop a record disposal schedule to ensure that only necessary personal data is retained
- Ensure adequate security to match the sensitivity of the personal information held
- Develop a process to allow and encourage members to review and update their personal information
8. TRAINING STAFF
Every employee or member who collects, uses or discloses personal information will need to understand that they must do so in accordance with PIPA and your stated privacy policies. A training manual should be developed and used.
9. DEVELOPING OR REVISING FORMS & COMMUNICATIONS MATERIALS
To comply, it may be necessary for you to review and revise all forms and brochures developed by your organization, as well as website content. If your organization collects personal information through your forms or website, you will need to note your collection purposes on them.
Brochures or other information that explain the privacy policies and practices of the organization would also be helpful.
10. REVIEWING AND REVISING SERVICE CONTRACTS
If you utilize a software vendor to maintain electronic records, ensure that your contract with them clearly states what requirements must be met to comply with applicable privacy legislation and any policies your organization has developed to properly manage personal information.
11. DEVELOPING AN EFFECTIVE COMPLAINTS HANDLING PROCESS
Under the Act, organizations are required to develop a process for handling privacy complaints. A complaint may stem, for example, from the inadvertent release of a member's or employee's personal information without their consent.
In the event of a complaint, it is important that your policy:
- addresses complaints quickly and effectively
- identifies and addresses any systemic or ongoing compliance problems
- fully complies with PIPA, so that an investigation by the Information and Privacy Commissioner is not necessary
See Appendix IV for tips on setting up an effective complaints process.