Privacy...
A Company’s Steps towards Compliance with
Canada’s Privacy and Access to Information Legislation
1. Privacy Impact Assessment (P.I.A.)
   - a. Committee of representatives from IT, HR, the Executive Committee and staff.
   - What information is collected, used and disclosed?
   - For what purpose is the information collected, used and disclosed?
   - What information is stored, and for how long?
   - How are information requests handled?
   - Consent
     - When/where is it needed?
     - What exceptions apply?
     - Who needs to know when it applies and when it doesn't?
     - How to communicate/educate partners, associates and front-line personnel?
   - Accuracy of Information
     - Which sources of personal information require accuracy and completeness?
       - Client files?
       - HR records?
       - Other records?
     - What is the current practice for checking the accuracy and reviewing the completeness of personal information?
   - Safeguards
     - Security of information:
       - Physical
       - Technical
       - Organizational (e.g. staff training, agreements, limited access)
   - Openness
     - Where is the information located if there is a request to review a record?
     - Who is designated as CPO (Chief Privacy Officer)?
     - Who is designated to direct requests for information?
   - Individual Access
     - Where is the personal information available?
     - Procedure for responding to a request within 30 days?
     - Procedure for notifying the Privacy Commissioner if an extension is required?
     - What exceptions apply to the Company?
     - Can personal information be stored in one location, or a record created identifying where personal information is located?
   - Recourse
     - How are complaints currently handled?
     - What is the procedure for monitoring those complaints to ensure follow-through?
     - Are the complaints, responses and outcomes documented anywhere?
     - Is there any procedure for monitoring the complaint/customer service records to ensure consistency of approach?
     - What policy/practice needs amending?
2. Policy and Procedures
   - Accountability
     - Clients
     - Employees
       - Policy for retaining information on employees within the statutory period for redressing complaints
   - Identify Purpose
   - Consent
     - Exceptions
   - Limiting Collection
     - Identify the kind of personal information collected and the information handling practices
   - Limiting Use, Disclosure and Retention
     - Destroy, erase or render anonymous any information that is no longer required for an identified purpose or legal requirement
     - Establish a policy for minimum and maximum retention periods
       - Type of legal case (e.g. personal injury vs. breach of fiduciary duty)
   - Accuracy
     - Determine which information needs to be updated (only information that would harm the individual if it were used or disclosed while incomplete or inaccurate).
     - Locate where all related personal information can be retrieved.
     - Record the date when personal information was obtained and/or updated.
     - Record the steps taken to verify the accuracy, completeness and timeliness of information.
   - Safeguards
     - Review, enhance and/or develop a security policy for the protection of personal information
     - Security risk assessment:
       - Physical
       - Technical
       - Organizational
         - Staff training
         - Staff confidentiality agreements
   - Openness
     - Identify the Chief Privacy Officer.
     - Develop and implement a policy for handling access requests.
     - Train front-line people to direct inquiries regarding personal information.
   - Individual Access
     - Procedure to meet the 30-day deadline.
     - Procedure for extending the deadline.
     - Note exceptions to Freedom of Information legislation compliance, and identify the files/legal practice areas where exceptions might apply.
     - Is there one place where personal information may be stored to reduce the cost of locating, retrieving, updating, etc.?
       - If not, create a record of where the information is located to make retrieval easier:
         - Legal files
         - Employee records
         - Electronic files
         - Anything/anywhere else?
     - Calculation of the cost of responding to a request.
     - Template for information provision/information blanking (where an exception applies).
       - Review for ease of understanding.
       - Explain acronyms, abbreviations and codes (if any).
     - Process for sending any amended information to third parties that may have access.
     - Procedure for refusing to give access, setting out the reasons why and the recourse available.
     - Procedure for noting access requests/complaints (and action taken) on file.
   - Provide Recourse
     - Procedure for receiving complaints.
       - Privacy Commissioner
     - Persons designated for ensuring complaints are:
       - Documented
       - Responded to promptly
       - Followed through to ensure compliance
       - Monitored to ensure consistency
     - Form/checklist for handling complaints
3. Internal and External Communication
   - Client Communication
     - Flyer, P.O.P. material, posters & website covering:
       - Company's responsibilities.
       - General policies.
       - What information is collected.
       - Protecting information.
       - Ensuring accuracy.
       - When/in what circumstances information is used or disclosed.
       - Where consent may be sought (if ever needed).
       - What happens with it after the case is completed.
         - Retention period.
         - Disposing of personal information.
       - Where to direct a request for information held on file.
         - Statutory waiting and extension periods (and recourse).
         - What information may be provided upon request.
         - When information might be declined, and recourse in that event.
         - Chief Privacy Officer.
         - Procedure for questions or requests for information.
     - Client's informed consent.
       - Revise the retainer agreement to include a purpose/consent clause.
       - Mailing to existing clients.
   - Board, Staff, Agent (Third Party) Communication
     - The organization is responsible for ensuring that staff members can explain why the information is needed.
     - Brochure to staff regarding their rights and obligations respecting their personal information.
     - Procedure for updating current files/tickler system to check client information for accuracy and completeness.
     - Procedure/tickler for dating files for the purpose of retention/destruction of files.
     - Procedure/staff identified for handling access requests.
     - Third-party agreements to ensure agents and sub-contractors comply with the Company's privacy policies and procedures before outsourcing, including a right of site inspection to ensure compliance.
4. Ensuring Security of Information
   - Internal security measures: organizational, technological and physical.
   - External security measures: safeguards for transporting personal and personal health information (e.g. laptops, PDAs, client files, biological samples), whether by company personnel or by company agents (couriers, sub-contractors).
5. On-going Compliance
   - On-going monitoring of information handling practices to ensure compliance with legislation.
   - Keeping current with changes and introductions to privacy and access to information legislation, and amending policies and procedures to reflect changes in the legislation.
   - Handling access requests and complaints in accordance with the legislation.
   - Follow-up audits and a report by Privacy Legal Counsel on an annual basis.