BC Athletics Privacy Policy
Introducing Private Sector Privacy Legislation
On January 1, 2004 the Personal Information Protection Act (PIPA) came into effect for British Columbia. The purpose of PIPA is to govern the collection, use and disclosure of personal information by organizations, including groups such as BC Athletics and its Member Clubs, by recognizing:
- The right of individuals to protect their personal information
- The need for organizations to collect, use, secure and disclose personal information for purposes that a reasonable person would consider appropriate under the circumstances.
BC Athletics and its member clubs are covered by the Act because they collect personal information relating to athletes and their families and, as employers, information relating to staff.
The Act is complaint-driven, which means that individuals can make a complaint to the provincial Information and Privacy Commissioner regarding an organization's collection, use or disclosure of their personal information. Fines for non-compliance can be substantial. The Act was brought about to deal with the need for privacy protection in the wake of the Internet and the ability of organizations to compile and use personal information, often without the knowledge or consent of the individual.
Hence the Act brings confidentiality to employment records and gives individuals control over the way their personal information is handled, along with the right to request access to and correction of that information. A complaints handling process is also an essential component of the Act.
This guide has been prepared as a member service of BC Athletics to assist you in developing your own privacy policy in order to comply with PIPA.
Preparing for PIPA
1. IDENTIFYING PERSONAL INFORMATION
"Personal Information" is broadly defined as any information about an identifiable individual that can be used to distinguish or identify a specific individual; it may be factual or subjective, recorded or not.
Examples include:
- Age, name, ID numbers, income
- Opinions, evaluations, comments, disciplinary actions
- Employee files, medical and benefits information
2. ASSIGNING RESPONSIBILITY
Under the Act, someone in each organization must assume the role of Privacy Officer. The Privacy Officer is the first contact point when privacy issues arise and is responsible for ensuring that the organization's privacy policy and practices are fully implemented, effective and communicated to its members, its employees and others. The name and contact information of the Privacy Officer must be provided to members.
The Privacy Officer has three main responsibilities:
- To encourage compliance with the Ten Principles of the Protection of Privacy (see Appendix 1)
- To respond to issues related to personal information, including requests for access to and correction of personal information
- To work with the provincial Information and Privacy Commissioner during an investigation should a complaint be filed
3. LEARNING THE TEN PRIVACY PRINCIPLES
These principles are legally binding rules regulating how organizations collect, use, disclose and secure personal information (see Appendix 1). Learn and understand them.
4. CONDUCTING A PRIVACY AUDIT
To comply with PIPA, it is essential to identify what personal information is being held by the organization, how it is being held, who has access to it, and what the current security and disposal procedures are.
Generally speaking, Clubs collect:
- Information related to athletes: addresses, parents, age, medical conditions, emergency contacts
- Athlete performance records
- Employment records related to staff (if applicable)
If you collect personal information other than that outlined above, such as email addresses of those who have access to the organization's website, please refer to the government website: www.mser.gov.bc.ca/foi_pop/privacy/tools/PIPA_tool_5.htm
Appendix VII contains an Audit Chart with questions to assist you in conducting your organization's audit.
5. PUTTING YOUR ORGANIZATION TO THE TEST
Is the information being collected actually used?
If not, stop collecting it. Limit the collection of personal information to those purposes that a reasonable person would consider appropriate under the circumstances.
In the case of your membership, is it clear to a reasonable person why their information is collected and how it will be used and disclosed?
As long as it is clear to a reasonable person that the organization is collecting information for the purpose of providing services to that individual, and the information is given voluntarily, the individual is deemed to have provided consent; written consent is therefore not required. It is recommended that you communicate your purposes to members and staff by developing a brochure or posting the information.
Are employees aware of what personal information is collected, used and disclosed?
An employer can collect employee personal information without the employee's consent provided its purpose is for establishing, managing or terminating the employment relationship. However, the employer must notify the employee of what information is collected and for what purposes prior to collecting the information.
Does the organization encourage personal information to be accurate and up-to-date?
Reasonable efforts must be made to ensure that the personal information collected is accurate and complete. Scheduled updates are recommended.
Can a member access all the personal information that your organization holds about them?
Members should have easy access to their records. Your organization may need to explain how the personal information is being or has been used, and provide a list of any individuals or organizations to which the personal information has been disclosed.
Do employees have the right to access all the personal information that your organization holds about them?
Upon request, employees are able to access their personal information held by the organization, as in the above statement. However, some restrictions apply, as in termination of employment. A reason must be given for withholding information.
Who has access to member personal information?
Access should be restricted to executive members involved in the day-to-day operation of the organization, such as the registrar. Where a contractor, such as a software vendor or accountant, has periodic access to confidential information, ensure that the contract explicitly contains confidentiality statements. Where existing contracts are already in place, a letter to the effect shown in Appendix III will suffice.
Are there appropriate safeguards to protect personal information held by the organization?
Personal information, especially health and employment records, is considered confidential. The organization must make reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification and similar misuse. Personal information and employee files must be secured in a protective manner.
For example:
- Electronic records should be password protected, with access limited to those who need it
- Computer monitors should be positioned so that personal information on screen cannot be seen by others
- Paper files should be kept in locked filing cabinets wherever access to the area is not controlled
- Files should not be left unattended
Are files destroyed in a manner that protects against disclosure of personal information?
Under the Act the organization is responsible for destroying documents that contain personal information. We highly recommend using a mechanical shredding machine to destroy each document rather than discarding it intact.
What about personal information that was collected prior to January 1, 2004?
PIPA does not apply to the collection of personal information that took place before the Act came into force.
6. IMPLEMENTING CHANGES
Based on the above information, and after analyzing your office's information handling practices, you may need to amend existing policies or implement new ones to ensure compliance with the Act and PIPA's ten privacy principles.
For example, you may need to implement some of the following policies:
- Develop a record disposal schedule to ensure that only necessary personal data is retained
- Ensure security adequate to the sensitivity of the personal information held
- Develop a process to allow and encourage members to review and update their personal information
7. DEVELOPING A PRIVACY POLICY
You may want to discuss privacy expectations with members and staff and think about ways to address any of their concerns. This will give you a sound basis for your privacy policy. The policy should be written and readily available. See Appendices II and III.
8. TRAINING STAFF
Every employee or member who collects, uses or discloses personal information will need to understand that they must do so in accordance with PIPA and your stated privacy policies. A training manual should be developed and used.
9. DEVELOPING OR REVISING FORMS & COMMUNICATIONS MATERIALS
To comply, it may be necessary for you to review and revise all forms and brochures developed by your organization, as well as website content. If your organization collects personal information through your forms or website, you will need to note your collection purposes on them. Brochures or other information that explain the privacy policies and practices of the organization would also be helpful.
10. REVIEWING AND REVISING SERVICE CONTRACTS
If you use a software vendor to maintain electronic records, ensure that your contract with them clearly states what requirements must be met to comply with applicable privacy legislation and any policies your organization has developed to properly manage personal information.
11. DEVELOPING AN EFFECTIVE COMPLAINTS HANDLING PROCESS
Under the Act, organizations are required to develop a process for handling privacy complaints. A complaint may stem, for example, from the inadvertent release of personal information related to a member or an employee without their consent.
In the event of a complaint, it is important that your policy:
- addresses complaints quickly and effectively
- identifies and addresses any systemic or ongoing compliance problems
- fully complies with PIPA so that an investigation by the Information and Privacy Commissioner is not necessary
See Appendix IV for tips on setting up an effective complaints process.
Contact Information
MINISTRY OF MANAGEMENT SERVICES
Corporate Privacy and Information Access Branch
www.mser.gov.bc.ca/foi_pop/privacy
PIPA HOTLINE
Within the Greater Victoria Region: (250) 356-1851
Outside the Greater Victoria Region: 1-800-663-7867 (request to be transferred to 356-1851)