Personal Information Protection Act. Information Sheet 5: 1. Personal Employee Information

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Personal Information Protection Act. Information Sheet 5: 1. Personal Employee Information"

Transcription

1 Personal Information Protection Act Information Sheet 5 Introduction The Personal Information Protection Act (PIPA) governs the collection, use, disclosure, retention and protection of personal information by private sector organizations in Alberta, including the personal information of employees. PIPA recognizes the special relationship that exists between employees and employers in specific provisions that address how organizations manage the personal information of their employees. These provisions for personal employee information balance an employee s right to informational privacy with an employer s legitimate need to collect, use and disclose personal employee information for purposes of human resource management. The general provisions of PIPA regarding personal information apply to personal employee information, including an employee s right to request access to his or her personal information held by the employer and to learn how that information has been used and to whom it has been disclosed. Employees may also ask an organization to correct personal information they believe is inaccurate. The purpose of this Information Sheet is to explain: what personal employee information is, the circumstances in which an organization may collect, use or disclose personal employee information without the consent of the employee, the obligations of the employer to provide access to or to correct personal employee information, the duty of the employer to safeguard the information, and how long an employer may retain the information. The Information Sheet also discusses business contact information. A number of amendments to the provisions for personal employee information were made by the Personal Information Protection Amendment Act, 2009 and the Personal Information Protection Act Amendment Regulation, both of which came into force on May 1, The most significant change is that personal employee information now clearly applies to former employees and the postemployment relationship. The collection, use and disclosure provisions have been restructured to parallel the language in the definition of personal employee information and to set out more clearly the conditions under which an organization may collect, use or disclose personal employee information without consent. A new provision more clearly permits the disclosure of employment references without consent. These and other relevant amendments are reflected in this Information Sheet. Definition of personal employee information PIPA applies to personal information about an identifiable individual, that is, information that can identify an individual or is about an individual (e.g. name, address, age, educational history, blood type). The Act protects personal information whether or not it is recorded. Personal employee information is personal information that may, in a particular context, be considered personal employee information. The Act defines personal employee information as personal information about an individual who is a Information Sheet 5: 1

2 potential employee, a current employee or a former employee, that is reasonably required by an organization for the purposes of establishing, managing or terminating an employment or a volunteer work relationship, or managing a postemployment or post-volunteer work relationship, between the organization and the individual (section 1(1)(j)). An employee is defined by PIPA in such a way as to encompass individuals who are not traditionally thought of as employees. In PIPA, employee means an individual employed by the organization or who performs a service for the organization, whether or not the individual is paid, and includes: an apprentice; a volunteer; a participant; a student; a partner, a director, officer or other office-holder, and an individual who performs a service for the organization under a contract or is an agent of the organization (section 1(1)(e)). A corporation that is performing a service for the organization under contract is not an employee of the organization, nor are the employees of that corporation employees of the organization. An individual who is performing a service for the organization under a contract is an employee of the organization for purposes of human resource management but a subcontractor of that individual is not an employee of the organization. The expanded definition of employee enables organizations to handle the personal information of volunteers, apprentices, participants, students, contractors, agents, partners, directors and officers for human resource management purposes in the same manner as they would for traditional employees. A potential employee means an individual who is being considered or may be considered for a position with the organization. A potential employee would include a potential apprentice, volunteer, participant, student, contractor, agent, partner, director or officer. A former employee means an individual who is no longer employed by the organization or performing a service for the organization. A former employee would include a former apprentice, volunteer, participant, student, contractor, agent, partner, director or officer. A volunteer work relationship is a relationship whereby the individual provides a service for the organization and the individual is acting as a volunteer or is otherwise unpaid for the service being provided (e.g. a volunteer answering phones for a local theatre group). A volunteer work relationship includes any similar relationship between an organization and an individual where the individual is a participant or a student (e.g. a work experience or co-op student). Managing an employment or volunteer work relationship means the carrying out of that part of human resource management that relates to the duties and Information Sheet 5: 2

3 responsibilities of employees. Managing also refers to activities carried out to administer personnel (PIPA Regulation, section 3), such as classification and compensation, training and development, succession planning, and administering a benefits program. Managing a post-employment or post-volunteer work relationship refers to the carrying out of those limited activities that arise out of the employment or volunteer work relationship but that occur after termination, such as payment of a pension or other post-employment benefits or income tax reporting. For ease of reference, the remainder of this Information Sheet discusses personal employee information in the context of establishing, managing or terminating the employment relationship. Unless otherwise indicated, the reader should consider this phrase as an abbreviation for establishing, managing or terminating the employment or volunteer-work relationship or for managing the post-employment or post-volunteer work relationship. When personal information is personal employee information There is no definitive category of personal employee information. It is the context in which personal information is being collected, used or disclosed that determines when personal information may be personal employee information. If an organization reasonably requires a piece of personal information about an employee or a potential employee for the purposes of establishing, managing or terminating the employment relationship with the individual, then the information can be considered personal employee information for that purpose. Personal information may be personal employee information in one situation; this does not mean that the same piece of personal information is personal employee information in all situations. The information will be personal employee information only when it is reasonably required for the employment relationship. For example, an individual s Social Insurance Number is personal information. The Social Insurance Number is personal employee information when the employer uses it to provide the employee with a T4 income tax slip. Other examples of personal information that may also be personal employee information include: personal contact information date of birth employee number salary or wages taxation or superannuation details hours worked, absences, vacation dates terms and conditions of employment performance assessments resumes and references work history disciplinary matters Not all personal information collected by an employer about the employee is personal employee information. By definition, only personal information that is Information Sheet 5: 3

4 reasonably required for the establishment, management or termination of the employment relationship can be personal employee information. Personal information that is not reasonably required for these purposes will not be regarded as personal employee information under PIPA (e.g. information about an employee s hobbies or extracurricular activities). Business information Business information created by or provided to an employee as part of their workplace duties (e.g. correspondence, memoranda or reports written or received by the employee on behalf of the organization) is not created or provided for the purpose of establishing, managing or terminating the employment relationship and, therefore, is not personal employee information. These records represent an organization s position on a particular matter and differ from records that are about the individual as an employee of an organization, such as a report for performance planning purposes, a record regarding leave or information about participation in a benefits program. Records of business information may contain some personal information, but it is likely to be business contact information, i.e. the employee s name, position title, business address and telephone number. The differentiation between records containing business information and those containing personal employee information is significant in determining what records may be disclosed on an access request by the employee. This is discussed later in this publication (page 14). Business contact information An employee s name, title or position, business telephone number, address, fax number and address is business contact information under PIPA (section 1(1)(a)). PIPA does not apply to business contact information when it is being collected, used or disclosed for the purposes of enabling the individual to be contacted in relation to his or her business responsibilities and for no other purpose (section 4(3)(d)). The provision applies to business contact information of individuals in the public sector as well as the private sector. The exclusion allows an organization to routinely collect, use and disclose business contact information as part of its daily operations. It applies to situations where the organization collects, uses or discloses business contact information for the purposes of enabling staff members to be contacted (e.g. posting contact information of sales representatives on the organization s website), or making contact with individuals outside the organization (e.g. compiling a list of telephone numbers of suppliers for staff use). Collection, use and disclosure of personal employee information The employment relationship is a special relationship that brings the parties into continual contact, places obligations and responsibilities on each party and requires mutual trust and respect. An employee has a right to privacy but it is not an absolute right. An employer has a legitimate need to collect, use and disclose certain types of personal information about employees in order to operate the business and fulfill its obligations as an employer (see PIPA Investigation Report P2005-IR-004). There are circumstances where an employer would not be able to carry out its functions and legal obligations if an employee could withhold consent to the Information Sheet 5: 4

5 collection, use or disclosure of certain personal information. For example, an employer requires certain personal information to process the payroll and must follow laws regarding income tax, employment insurance and pension plans. The consequences of an employee withholding consent would be that the employee could not be paid and the employer would be in breach of various laws. PIPA balances the interests of the employer and employee by permitting an organization to collect, use or disclose personal employee information without consent for reasonable purposes related to the recruitment, management or termination of employees (sections 15, 18, and 21). The employer is held accountable because the Act requires the collection, use or disclosure of the information to be solely for the purposes of recruitment, management or termination, and it must be reasonable to collect, use or disclose the information for the particular purpose. The employer is also required to provide current employees with notice of the purposes for which the information is being collected, used or disclosed. If notice is not given, consent is required. (See page 6 for more information on notification.) The privacy rights of the employee are further protected by the employee s right to request access to and correction of his or her own personal information (section 24) and by the obligations on the employer to make a reasonable effort to ensure the information collected, used or disclosed is accurate and complete (section 33), is safeguarded against unauthorized access, modification or destruction (section 34), and is retained only for as long as it is reasonably required for business or legal purposes and thereafter stripped of personal identifiers or the records destroyed (section 35). Consent is not required under sections 15, 18 and 21 Sections 15, 18 and 21 establish the conditions under which an employer may collect, use or disclose personal employee information without the consent of the employee. An organization may collect, use or disclose personal employee information without consent of the employee the information is about, if: the information is collected, used or disclosed solely for the purposes of establishing, managing or terminating the employment or volunteer work relationship between the organization and the employee; it is reasonable to collect, use or disclose the information for the particular purpose for which the information is being collected, used or disclosed (as the case may be); and notice is given to current employees that the organization is going to collect, use or disclose the information and of the purposes for the collection, use or disclosure. Solely for the purpose Since sections 15, 18 and 21 are exceptions to the general principle of consent, the provisions make it clear that employer organizations can only collect, use or disclose the information without consent for the stated purposes of establishing, managing or terminating the employment relationship. An organization would have to obtain the employee s consent to collect, use or disclose the information Information Sheet 5: 5

6 for any other purpose, unless another without consent provision of the Act applies. Reasonable for the particular purpose The application of sections 15, 18 and 21 is further restricted by requiring that the collection (or use or disclosure) of a specific element of information be reasonable not only for general employment-related purposes, but also for the particular purpose for which the element is being collected. For example, it would be reasonable for a potential employer to collect information about the candidate s education history for the particular purpose of determining the candidate s suitability, but it would not be reasonable to collect the candidate s Social Insurance Number for that purpose. Notification An organization must give current employees reasonable notification that their personal information is going to be collected, used or disclosed and of the purposes for the collection, use and disclosure. Notification needs to occur prior to the collection, use and disclosure. A good business practice for organizations is to create a general written notification statement that is circulated to every current employee and given to each new employee when they start work. The statement can be comprehensive, specifying all the purposes for which the organization collects, uses and discloses personal employee information, the type of personal information that is involved, the sources from which the information is collected, to whom the information will be disclosed, and the name of the individual in the organization who can answer the employee s questions about the collection, use and disclosure. Any new purpose for which information is to be collected, used or disclosed without consent requires new notification. For example, a transportation company uses the Global Positioning System (GPS) to track the locations of its vehicles in order to schedule additional deliveries. The company would have to give new notification to its employees if it wanted to use the GPS information for any other purpose. When consent may or must be obtained The provisions of sections 15, 18 and 21 are permissive. They permit, but do not require, an employer to collect, use or disclose personal employee information without consent. An employer organization may have a policy that it will collect, use or disclose all or some of its personal employee information only with the consent of its employees. An organization must obtain consent if it wishes to collect, use or disclose personal information about an employee for a purpose other than establishing, managing or terminating the employment relationship between itself and the employee, and none of the other provisions in the Act allowing for the collection, use and disclosure of personal information without consent apply. Information Sheet 5: 6

7 An organization must also obtain consent when, in relation to an employee, it collects personal information about other individuals. For example, an employer may collect the name and telephone number of another individual as the employee s emergency contact information or personal information about the employee s spouse for a benefits program. The personal information in these instances is not personal employee information because it is personal information about individuals who are not in the employment relationship with the employer. Example: A charitable fund-raising program occurs in the workplace. The employer organization will need consent to collect, use and disclose personal information in relation to employees participation in the program. Consent would also be required for the collection, use and disclosure of personal information about employees purchasing Canada Savings Bonds through the workplace. Example: A retail store at which an individual is seeking chequing privileges contacts an organization to confirm the individual s employment with the organization. The organization cannot rely on the personal employee information provisions to disclose the information to the store, as the disclosure is not for the purpose of managing the employment relationship. The organization will need the individual s consent to disclose the personal information. Similarly, an organization would need consent to disclose to a credit union the salary of an employee of the organization who is seeking a mortgage from the credit union. Medical information Certain medical information about employees may be regarded as personal employee information which an organization may collect, use or disclose without consent for purposes of managing its employment relationship. Example: An employer may need to ensure that employee absences are justified or to confirm that an employee is fit to return to work. A doctor s certificate attesting to the need for sick leave or for modified duties upon a return to work may be regarded as personal employee information. While it is generally reasonable for an employer to know what accommodations are needed for an employee to be able to return to work, an employer would rarely need to know the medical diagnosis and treatment. (See PIPA Case Summary P2006-CS-004 and PIPA Investigation Report P2007-IR-001.) Example: Some employers are required by occupational health and safety legislation to have hearing tests conducted on their employees. The employer contracts with an independent physician to conduct the tests. Summaries of the tests are sent to the employer. The summaries would be personal employee information as the employer is required by law to collect the information as part of its obligations as an employer. As personal employee information, the employer can collect the information without consent but the employer must provide prior notice of the collection to the employees. The employer could also collect the information without consent or notice under section 14(b), as the collection is authorized or required by a statute or regulation of Alberta. Other medical information that may be considered personal employee information includes reports of workplace injuries, first aid logs, and return to work requirements. Information Sheet 5: 7

8 Medical information is considered sensitive information and should be safeguarded in a manner appropriate to its sensitivity. This means appropriate physical, technical and administrative security measures are required to protect records containing medical information. For example, medical information should be segregated from other personal employee information and access to the medical information should be limited to those in the organization who have a need to know. Employment references The Act allows an organization to provide, without consent, a reference for a current or former employee to a potential or current private or public sector employer if the personal information being disclosed by the organization was collected by it as personal employee information (i.e. the information was reasonably required by the organization for the purpose of establishing, managing or terminating it s employment relationship with the employee), and the disclosure is reasonable for the purpose of assisting the employer seeking the reference to determine the employee s eligibility or suitability for a position with that employer. (section 21(2)) Example: A current employee of organization A is applying for a position with organization B. When asked by organization B for an employment reference, organization A could provide, without consent of the employee, information about the employee s work responsibilities. However, organization A could not rely on section 21(2) to disclose, without consent, the employee s Social Insurance Number. Although the information was collected by organization A as personal employee information, the disclosure of the Social Insurance Number would not be reasonable for the purpose of assisting organization B to determine the employee s suitability for the position. As section 21(2) is permissive, an organization is not required to give a reference without consent. PIPA does not prevent an organization from establishing a policy that it will only give references with the individual s consent. An organization subject to PIPA can collect, without consent, an employment reference about a job candidate because it is collecting personal information about a potential employee for the purpose of establishing an employment relationship with that candidate. The information collected must be reasonably required for the purpose of determining the individual s eligibility or suitability for the position (section 15(1)). For more information regarding the collection, use and disclosure of employment references, see the General FAQs for Organizations and Individuals Workplace published by Access and Privacy,. Information Sheet 5: 8

9 Unsolicited resumés Organizations often receive unsolicited resumés from individuals. The receipt of a resumé is a collection of personal information by the organization, but it is a collection with consent as the individual voluntarily submitted the resumé to the organization. The organization can use the personal information only for the purpose for which it was sent, i.e. to consider the individual for a position within the organization. The organization could not use the personal information for other purposes, such as marketing. An organization should include in its policies and practices a statement as to how it will handle unsolicited resumés; for example, it will treat the resumés as transitory records and will destroy them immediately in a secure manner, or it will retain the resumés for a period of six months, after which time the resumés will be destroyed in a secure manner. Monitoring employees Organizations increasingly monitor the activities of their employees in the workplace through video surveillance, recorded telephone calls, electronic security passes, and monitoring computer usage and . The same rules regarding the collection, use and disclosure of personal employee information without consent apply to these activities. The first rule is that the information must be reasonably required for establishing, managing or terminating the employment relationship with that individual employee and it is reasonable to collect, use or disclose the information for the particular purpose. The organization should consider whether the information is necessary to fulfill the stated need and whether the information could be obtained in a less privacy-intrusive manner. It may not be reasonable to collect the same type of personal information about all employees in the organization. For example, it may not be reasonable to require the same level of security screening for a researcher working on highly sensitive information and a receptionist who will have no access to sensitive information. When determining whether monitoring is reasonable in a particular situation, an organization should consider the following three-part test established by the Information and Privacy Commissioner of Alberta: Are there legitimate issues that the organization needs to address through surveillance? Is the surveillance likely to be effective in addressing these issues? Was the surveillance conducted in a reasonable manner? [PIPA Investigation Report P2005-IR-004] It may be reasonable for an employer to use non-surreptitious video surveillance in the workplace where there are substantial security issues, but it will be more difficult to justify the use of surveillance for productivity issues. In PIPA Investigation Report P2005-IR-004, the Commissioner s Office applied the test stated above and found that the organization s use of visible video surveillance cameras in common areas of the shop and office was reasonable in the circumstances to address issues of theft and employee safety. However, it was not reasonable to use the cameras for monitoring employee performance. Information Sheet 5: 9

10 The second rule is that the organization must notify current employees that the information is going to be collected, used or disclosed and of the purposes for the collection, use or disclosure of the information. For example, the organization must notify employees of its policy of monitoring computer usage and the purposes for which the organization is collecting, using or disclosing that information. It may also be beneficial for the organization to state in its notification the purposes for which the information will not be collected, used or disclosed. For example, if the information is being collected for security purposes, the notification should state that the information collected will not be used for productivity or disciplinary matters. The notification must occur before the collection, use or disclosure takes place. The third rule is that the information is subject to the provisions in PIPA regarding accuracy, security, retention, destruction, access and correction. Other legislation and labour relations and human rights decisions may also have an impact on the ability of an organization to collect, use and disclose this type of information. Outsourcing An organization must consider PIPA when it outsources certain of its human resource functions to another organization (e.g. payroll, pension plan administration). The transfer of personal employee information by the employer organization to the service provider is considered a use rather than a disclosure under PIPA. The transfer of information would be permitted without consent under section 18 as it is a use for the management of the employment relationship. The employer organization is responsible for ensuring that the service provider complies with the provisions of PIPA in the same manner as the employer is required to (section 5(2)). This should be addressed in the contract or agreement between the parties. An employer organization that uses a service provider outside Canada has certain obligations under PIPA with respect to policies and notification. For more information about these obligations, see PIPA Information Sheet 12: Service Providers Outside Canada: Notification, Policies and Practices, published by Access and Privacy,. Consider other provisions in PIPA The Act provides that personal information may be collected, used and disclosed without consent in certain circumstances. These provisions also apply to personal information about employees. Sections 14, 17 and 20 Employer organizations may collect, use or disclose, without consent, personal information about their employees or other individuals in the limited circumstances enumerated in sections 14, 17 or 20. Information Sheet 5: 10

11 When personal information about employees is collected, used or disclosed under sections 14, 17 and 20, the notification provisions for current employees under section 15, 18 and 21 do not apply. Example: The Maintenance Enforcement Act requires an employer to provide, upon request, certain information about an employee to the Director of the Maintenance Enforcement for the purpose of enforcing a maintenance order. The employer can disclose the information to the Director of Maintenance Enforcement, without the consent of the employee, under section 20(b) of PIPA, as this provision permits disclosure without consent where the disclosure is authorized or required by a statute of Alberta. Trade unions An employer organization that is subject to a collective agreement under section 128 of the Labour Relations Code, may disclose, without consent, personal information about its employees to the union when the disclosure is necessary to comply with the collective agreement (section 20(c.1)). If the collective agreement is silent on or does not require the organization to provide personal information about an employee to the union and there is no Alberta or federal statute or regulation that otherwise authorizes the disclosure, the organization can provide the information only with the consent of the employee. Example: One of the terms of a collective agreement under the Labour Relations Code is that the employer will provide the union with the names, home addresses and telephone numbers of all employees subject to that agreement. The employer may disclose this information to the union without the consent of the employees. Although notification may not be required in this circumstance, it is a good practice for an organization to set out in its employee information policy that the organization will be disclosing this information in accordance with the collective agreement. Investigations Sections 14(d), 17(d) and 20(m) permit an employer organization to collect, use or disclose personal information without consent when it is reasonable for the purposes of an investigation. Section 1(1)(f) defines an investigation as an investigation related to a breach of an agreement, a contravention of an enactment of Alberta or Canada or other another province of Canada, or circumstances or conduct that may result in a remedy or relief being available at law if the breach, contravention, circumstances or conduct in question has or may have occurred or is likely to occur, and it is reasonable to conduct an investigation. A breach of an agreement includes a breach of an employment contract. It does not include a breach of a policy that is not expressly included in the contract. Information Sheet 5: 11

12 In some cases, it is the organization that is conducting the investigation (e.g. an organization s own investigation into a workplace accident or a breach of the employment contract). In other cases, an organization will be collecting, using or disclosing the personal information to assist another body with its investigation (e.g. a client of a temporary employment agency conducts an investigation to determine if monies were misplaced or were stolen by an employee of the agency). In either case, the organization may collect or disclose only as much personal information as is reasonable. An organization may also disclose personal information to a public body or a police service to assist with an investigation leading to a law enforcement proceeding or from which a law enforcement proceeding is likely (section 20(f)). For example, a police service may request an individual s name and home address from the employee file to assist with an investigation into a motor vehicle accident that is not related to the individual s employment with the organization. For a more detailed discussion of an organization s ability to collect, use and disclose personal information for the purposes of an investigation, see PIPA Information Sheet 2: Investigations, published by Access and Privacy, Service Alberta. Acquisition of a business Section 22 of PIPA allows parties involved in a purchase, sale, lease, merger, amalgamation, etc. of all or part of an organization or of a business asset to collect, use and disclose personal information without consent for the purpose of determining whether to proceed with the transaction and subsequently to carry on the business acquired. This means that a vendor organization can disclose, without consent, personal information about its employees to a prospective purchaser for the purposes of a due diligence investigation. The information must be necessary for the parties to determine whether to proceed with the transaction or to complete the transaction, and the parties must first agree that the information will only be used for this purpose. This is not a disclosure or collection of personal employee information as the vendor is not disclosing the information for the purposes of managing its employment relationship with the employees and the purchaser is not collecting the information for purposes of recruitment. If the transaction is completed, the purchaser must agree to use and disclose the personal information only for the purpose for which it was originally collected by the vendor. If the transaction is not completed, the information must be destroyed by the prospective purchaser or returned to the vendor. An organization cannot rely on section 22 to disclose personal information without consent where the purchase, sale, lease, etc. of personal information is the primary purpose of the transaction. Information Sheet 5: 12

13 Employee information collected before 2004 Organizations will have collected personal information about their former, current or prospective employees prior to PIPA coming into force on January 1, Section 4(4) of PIPA deems that this personal information was collected with consent. Most of the personal information collected by an organization about its employees will be personal employee information. An organization may use or disclose this personal employee information without the consent of employees for reasonable purposes related to the employment relationship, provided that current employees are given notice of the purposes for which their information is going to used or disclosed. An organization may, however, have collected other personal information about its employees that does not fall within the definition of personal employee information (e.g. the organization has collected information about an employee s hobbies, charity work, or favourite sports and the information is not reasonably required for the employment relationship). Section 4(4) permits the organization to continue to use or disclose this information for the purpose(s) for which it was originally collected, as long as the use or disclosure is for a reasonable purpose and is limited to what is needed to fulfill that purpose. However, a better practice would be to obtain the consent of the employee for the continued use or disclosure of this information. An organization should evaluate the information it has about its employees to determine what is reasonably required to establish, manage or terminate the employment relationship. Personal information on file that is not required for these purposes should be disposed of, unless consent is obtained. For further discussion of use and disclosure of personal information collected by an organization prior to January 1, 2004, see PIPA Information Sheet 4: Personal Information Collected Before 2004, published by Access and Privacy,. Accuracy, security, retention and destruction The Act requires organizations to ensure that personal information that is collected, used or disclosed is accurate and complete (section 33), is protected by reasonable security measures (section 34) and is retained only for as long as it is reasonably required for business or legal purposes (section 35). Once the information is no longer required for business or legal purposes, an organization must strip the information of all personal identifiers or destroy the records containing the information (section 35). These provisions apply to personal employee information. An organization must ensure that the personal information it is using or disclosing about an employee is as accurate and complete as is reasonably required for the purposes for which the information is being collected, used or disclosed. Decisions being made about an employee should not be based on incomplete or wrong information. For example, an organization should ensure it has accurate information about an employee s family status if dependents are entitled to certain benefits under the employer s group medical plan. Information Sheet 5: 13

14 Organizations may also be required by other legislation to keep certain employee records up-to-date (e.g. Employment Standards Code). An organization is required to use reasonable safeguards (physical, administrative and technical) to protect personal information from unauthorized collection, use, disclosure, copying, modification, loss, destruction or access. The level of protection must be appropriate to the sensitivity of the information. Financial and medical information is generally considered to be very sensitive in nature. Therefore, everyone in the organization should not have access to such information as payroll, leave taken or eligibility for benefits. Access to this type of information should be limited to the few individuals within the organization who have a need to know. For example, an organization can use passwords to prevent access to computer records and limit employees access to filing cabinets. An organization may keep personal employee information for as long as it is reasonably required for business or legal purposes. An organization should develop a retention schedule for personal employee information records that takes into account financial, operational, audit, archival, and legal (including statutory) requirements. For example, an organization is legally required by the Employment Standards Code to retain certain employment records for at least 3 years from the date each record is made. When personal employee information that is no longer required for legal or business purposes, the organization must, within a reasonable period of time, destroy the records containing the information or render the information nonidentifying. Destruction must be done in a secure manner to prevent unauthorized parties from gaining access to the information (e.g. shredding records instead of placing them in a garbage bin or recycling box). When personal employee information is de-identified, it must not be possible to re-identify the remaining information (e.g. personal employee information in a database or spreadsheet cannot simply be hidden ). Access and correction An employee has the right under PIPA to request access to and correction of his or her own personal information that is in a record in the custody or under the control of the employer organization (sections 24 and 25). This includes personal employee information. Access An employee s right of access to his or her own personal information is not unconditional. The Act allows an organization to take into consideration what is reasonable when providing access. The Act also specifies circumstances where access must or may be refused. For some of these exceptions to access, the Act requires an organization to remove or sever the information from the record. If the information can reasonably be severed, the individual must be given access to the remainder of the record. Information Sheet 5: 14

15 An organization must refuse an employee access in the following cases. The disclosure of the information could reasonably be expected to threaten the life or security of another individual. Threaten means to expose to risk or harm. Example: An organization fired an employee for uttering threats to his supervisor. The employee is considered to be volatile. The employee requests access to his personnel file. The organization refuses to give the employee access to records containing the statements of colleagues who witnessed the threats made against the supervisor because of the reasonable expectation that the colleagues would be exposed to harm from the employee. If the organization can reasonably sever this information from the records, it must give the employee access to the remainder of the records. Personal information about another individual would be revealed. Example: The employee requests access to the record containing information about his parking permit. The record contains a list of every individual in the organization who has a parking permit. The organization must sever the information about the other individuals from the record before giving the employee access to it. The identity of an individual who gave an opinion in confidence would be revealed against his or her wishes. Example: An employer obtains opinions from clients about the employer s customer service representative. The employee who is the customer service representative asks for access to the records containing the opinions. The written opinions were submitted in confidence and the authors do not wish their identities to be revealed. The employer removes the names of the authors and any other information from the records that would identify the authors before giving the employee access to the records. (See PIPA Order P for a discussion of the meaning of opinion and as an example of where the identifying information could not reasonably be severed because of the specificity and nature of the opinions.) In other situations, the Act permits, but does not require, an organization to refuse access. The information is protected by legal privilege. Example: The information is subject to solicitor-client privilege because it is the opinion obtained by the employer from its solicitors regarding an employee s wrongful dismissal action. Information Sheet 5: 15

16 The information was collected for an investigation or legal proceeding. Example: The records contain the information compiled by the organization during its investigation into an employee s misuse of the company credit card. The information would reveal confidential commercial information and it is not unreasonable to withhold that information. Example: The record shows how an employee s time was expensed against a research and development project. Granting the employee access to the record would reveal confidential information about the project. If the organization can reasonably sever the confidential information from the record, it must give the employee access to the remainder of the record that contains his or her personal information. The information was collected by a mediator or arbitrator appointed under an agreement, by a court, or under a statute or regulation. Example: The record contains submissions by parties to an arbitrator appointed under the contract to resolve a dispute about the contract. The information is of a type that may no longer be provided if it is disclosed and it is reasonable for the information to be provided to the organization. Example: Individuals may stop providing references to an organization if the organization discloses the comments of the referees. Business information that is created or received by an employee in the performance of his or her employment duties as a representative of the organization will not normally contain the personal information of the employee, apart from business contact information. Business information and business contact information that is collected, used and disclosed for the purpose of enabling an individual to be contacted in relation to his employment responsibilities is outside the scope of an access request under the Act. The organization is not required to provide the information to the individual but may choose to do so. For further information regarding access requests, see PIPA Information Sheet 3: Personal Information, published by Access and Privacy, Service Alberta. Correction Employees may also request that their employers correct an error or omission in the personal employee information that is under the control of the employer. The employer organization will make the correction if it determines an error or omission has occurred. The employer organization must also notify all other organizations to whom it may have disclosed the incorrect information of the correction, if it is reasonable to do so. Information Sheet 5: 16

17 If the employer organization determines an error or omission has not occurred, it must annotate the relevant record with the request for the correction. The Act prohibits an organization from correcting or otherwise altering an opinion, including a professional opinion. This means that an employer organization cannot change an opinion that is given in a reference letter, a performance evaluation, or other record. Fees An organization is not permitted to charge an individual a fee for processing an access request for personal employee information (section 32(1.1)) or a request for correction of personal information (section 32(2)). An organization may charge an employee a reasonable fee for processing an access request for personal information that is not personal employee information (section 32(1)). For example, an employee of a department store may also be a customer of the store. The store may charge a reasonable fee for processing the employee s request for access to the records containing the employee s personal information as a customer. Review by the Commissioner Whistleblower protection An employee has the right to make a complaint to the Information and Privacy Commissioner regarding the employer organization s collection, use or disclosure of the employee s personal information, including personal employee information. An employee may also ask the Commissioner to review a decision of the employer regarding access to or correction of his or her personal information. An organization is prohibited from taking any adverse employment action against an employee or denying an employee a benefit where the employee, acting in good faith and with reasonable belief, informs the Commissioner that the organization or another person has contravened the Act or is about to contravene the Act, refuses to do anything that is in contravention of the Act, does something that is required to be done in order to avoid having any person contravene the Act, or where the organization believes the employee will do any of the above (section 58). Example: Mary informs the Office of the Information and Privacy Commissioner of Alberta that her employer shredded certain records about an employee after the employee requested access to those records. The employer has committed an offence under the Act by destroying the records with an intent to evade the request for access (section 59(1)(c)). The employer cannot fire, demote or take any other adverse action against Mary for advising the Commissioner of its activities. It is an offence for an employer organization to take any adverse employment action against an employee who acted in good faith (section 59(1)(e.2)). Information Sheet 5: 17

18 Other resources A Guide for Businesses and Organizations on the Personal Information Protection Act provides an overview of the Act with examples and tips for incorporating good privacy practices in the work place. The Personal Information Protection Act, A Summary for Organizations summarizes of the key obligations of organizations. PIPA Information Sheet 3: Personal Information discusses the concept of personal information in greater detail. PIPA Information Sheet 4: Personal Information Collected Before 2004 discusses the use and disclosure of personal information collected by an organization prior to January 1, PIPA Information Sheet 12: Service Providers Outside Canada: Notification, Policies and Practices outlines an organization s obligations when it uses a service provider outside Canada for collecting, using, disclosing or storing personal information on its behalf. General FAQs for Organizations and Individuals Workplace provides more information about collection, use and disclosure of employment references. Publications are available online from: Access and Privacy pipa.alberta.ca The website of the Office of the Information and Privacy Commissioner also contains resources, at This document is an administrative tool intended to assist in understanding the Act. It is not intended as, nor is it a substitute for, legal advice. For the exact wording and interpretation of the Act, please read the Act in its entirety. This Information Sheet is not binding on the Office of the Information and Privacy Commissioner of Alberta. Information Sheet 5: 18

Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information

Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information INTRODUCTION Privacy legislation establishes legal privacy rights for individuals and sets enforceable

More information

Personal Information Protection Act (PIPA) Privacy & Landlord - Tenant Matters Frequently Asked Questions

Personal Information Protection Act (PIPA) Privacy & Landlord - Tenant Matters Frequently Asked Questions Personal Information Protection Act (PIPA) Privacy & Landlord - Tenant Matters Frequently Asked Questions Are landlords in Alberta bound by privacy law? Yes. The Personal Information Protection Act (PIPA)

More information

PERSONAL INFORMATION PROTECTION ACT

PERSONAL INFORMATION PROTECTION ACT Province of Alberta Statutes of Alberta, Current as of December 17, 2014 Office Consolidation Published by Alberta Queen s Printer Alberta Queen s Printer 7 th Floor, Park Plaza 10611-98 Avenue Edmonton,

More information

Credit Union Code for the Protection of Personal Information

Credit Union Code for the Protection of Personal Information Introduction Canada is part of a global economy based on the creation, processing, and exchange of information. The technology underlying the information economy provides a number of benefits that improve

More information

Personal Information Protection Policy for Small and Medium-Size Businesses

Personal Information Protection Policy for Small and Medium-Size Businesses Personal Information Protection Policy for Small and Medium-Size Businesses Why does a small business need a policy? Alberta s Personal Information Protection Act, which came into force on January 1, 2004,

More information

PACIFIC EXPLORATION & PRODUCTION CORPORATION (the Corporation )

PACIFIC EXPLORATION & PRODUCTION CORPORATION (the Corporation ) PRIVACY POLICY (Initially adopted by the Board of Directors on November 16, 2007) PACIFIC EXPLORATION & PRODUCTION CORPORATION (the Corporation ) The Corporation is committed to controlling the collection,

More information

Direct Recruitment Privacy Policy

Direct Recruitment Privacy Policy Direct Recruitment Privacy Policy Direct Recruitment manages personal information in accordance with the Privacy Act 1988 and Australian Privacy Principles (APP). This policy applies to information collected

More information

Questions and answers for custodians about the Personal Health Information Privacy and Access Act (PHIPAA)

Questions and answers for custodians about the Personal Health Information Privacy and Access Act (PHIPAA) Questions and answers for custodians about the Personal Health Information Privacy and Access Act (PHIPAA) This document provides answers to some frequently asked questions about the The Personal Health

More information

PROTECTION OF PERSONAL INFORMATION

PROTECTION OF PERSONAL INFORMATION PROTECTION OF PERSONAL INFORMATION Definitions Privacy Officer - The person within the Goderich Community Credit Union Limited (GCCU) who is responsible for ensuring compliance with privacy obligations,

More information

Personal Information Protection Act. Information Sheet 12: 1. Service Providers Outside Canada: Notification, Policies and Practices

Personal Information Protection Act. Information Sheet 12: 1. Service Providers Outside Canada: Notification, Policies and Practices : Notification, Policies and Practices Personal Information Protection Act Information Sheet 12 Introduction Organizations in Alberta operate in an increasingly global business environment. Large and small

More information

PERSONAL INFORMATION PRIVACY POLICY FOR EMPLOYEES AND VOLUNTEERS [ABC SCHOOL]

PERSONAL INFORMATION PRIVACY POLICY FOR EMPLOYEES AND VOLUNTEERS [ABC SCHOOL] [Insert Date of Policy] PERSONAL INFORMATION PRIVACY POLICY FOR EMPLOYEES AND VOLUNTEERS of [ABC SCHOOL] Address Independent schools in British Columbia are invited to adopt or adapt some or all of this

More information

Human Resources Policy documents. Data Protection Policy

Human Resources Policy documents. Data Protection Policy Policy documents Aims of the Policy apetito is committed to meeting its obligations under data protection law. As a business, apetito handles a range of Personal Data relating to its customers, staff and

More information

ROHIT GROUP OF COMPANIES PRIVACY POLICY This privacy policy is subject to change without notice. It was last updated on July 23, 2014.

ROHIT GROUP OF COMPANIES PRIVACY POLICY This privacy policy is subject to change without notice. It was last updated on July 23, 2014. ROHIT GROUP OF COMPANIES PRIVACY POLICY This privacy policy is subject to change without notice. It was last updated on July 23, 2014. The Rohit Group of Companies ( Rohit Group, Company, our, we ) understands

More information

3. Consent for the Collection, Use or Disclosure of Personal Information

3. Consent for the Collection, Use or Disclosure of Personal Information PRIVACY POLICY FOR RENNIE MARKETING SYSTEMS Our privacy policy includes provisions of the Personal Information Protection Act (BC) and the Personal Information Protection and Electronic Documents Act (Canada),

More information

Taking care of what s important to you

Taking care of what s important to you A v i v a C a n a d a I n c. P r i v a c y P o l i c y Taking care of what s important to you Table of Contents Introduction Privacy in Canada Definition of Personal Information Privacy Policy: the ten

More information

PERSONAL HEALTH INFORMATION PROTECTION ACT, 2004: AN OVERVIEW FOR HEALTH INFORMATION CUSTODIANS

PERSONAL HEALTH INFORMATION PROTECTION ACT, 2004: AN OVERVIEW FOR HEALTH INFORMATION CUSTODIANS PERSONAL HEALTH INFORMATION PROTECTION ACT, 2004: AN OVERVIEW FOR HEALTH INFORMATION CUSTODIANS Note: This document provides a general overview of the Personal Health Information Protection Act, 2004,

More information

THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (PIPEDA) PERSONAL INFORMATION POLICY & PROCEDURE HANDBOOK

THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (PIPEDA) PERSONAL INFORMATION POLICY & PROCEDURE HANDBOOK THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (PIPEDA) PERSONAL INFORMATION POLICY & PROCEDURE HANDBOOK REVISED August 2004 PERSONAL INFORMATION POLICY & PROCEDURE HANDBOOK Introduction

More information

Personal Information Protection Act Information Sheet 11

Personal Information Protection Act Information Sheet 11 Notification of a Security Breach Personal Information Protection Act Information Sheet 11 Introduction Personal information is used by organizations for a variety of purposes: retail and grocery stores

More information

AlixPartners, LLP. General Data Protection Statement

AlixPartners, LLP. General Data Protection Statement AlixPartners, LLP General Data Protection Statement GENERAL DATA PROTECTION STATEMENT 1. INTRODUCTION 1.1 AlixPartners, LLP ( AlixPartners ) is committed to fulfilling its obligations under the data protection

More information

INFORMATION PRIVACY POLICY FOR WORKERS

INFORMATION PRIVACY POLICY FOR WORKERS INFORMATION PRIVACY POLICY FOR WORKERS February 2015 INFORMATION PRICACY FEBRUARY 2014 Information Privacy Policy for Workers SITA Australia Pty Ltd (ACN 002 902 650) This Information Privacy Policy for

More information

Annual Continuing Education (ACE) (Print version) Information Privacy and I.T. Security and Compliance

Annual Continuing Education (ACE) (Print version) Information Privacy and I.T. Security and Compliance Annual Continuing Education (ACE) (Print version) Information Privacy and I.T. Security and Compliance Information Privacy and IT Security & Compliance The information in this module in addition to the

More information

Hong Leong Asia Ltd.

Hong Leong Asia Ltd. Hong Leong Asia Ltd. Personal Data Protection Policy The protection of your Personal Data is important to us. This Personal Data Protection Policy ( PDP Policy ) outlines how we manage your personal data,

More information

PUBLIC INTEREST DISCLOSURE (WHISTLEBLOWER PROTECTION) ACT

PUBLIC INTEREST DISCLOSURE (WHISTLEBLOWER PROTECTION) ACT Province of Alberta Statutes of Alberta, Current as of June 1, 2013 Office Consolidation Published by Alberta Queen s Printer Alberta Queen s Printer 7 th Floor, Park Plaza 10611-98 Avenue Edmonton, AB

More information

The Manitoba Child Care Association PRIVACY POLICY

The Manitoba Child Care Association PRIVACY POLICY The Manitoba Child Care Association PRIVACY POLICY BACKGROUND The Manitoba Child Care Association is committed to comply with the legal obligations imposed by the federal government's Personal Information

More information

Protecting Personal Information. A Workbook for Non-Profit Organizations Discussion Draft, March 2010

Protecting Personal Information. A Workbook for Non-Profit Organizations Discussion Draft, March 2010 Protecting Personal Information A Workbook for Non-Profit Organizations Discussion Draft, March 2010 The Office of the Information and Privacy Commissioner of Alberta and Access and Privacy, Service Alberta,

More information

Personal Information Protection Act ( PIPA ) Privacy-Proofing Your Retail Business Tips for Protecting Customers Personal Information 1

Personal Information Protection Act ( PIPA ) Privacy-Proofing Your Retail Business Tips for Protecting Customers Personal Information 1 Personal Information Protection Act ( PIPA ) Tips for Protecting Customers Personal Information 1 More than ever before, retailers have to be prepared to deal with customers who ask questions about the

More information

PIPA and the Hiring Process

PIPA and the Hiring Process PIPA and the Hiring Process April 10, 2006 INTRODUCTION Any private sector employer who collects, uses or discloses personal information about employees or job applicants has to comply with British Columbia

More information

Index All entries in the index reference page numbers.

Index All entries in the index reference page numbers. Index All entries in the index reference page numbers. A Audit of organizations, 37-38, Access to personal information 162-163 by individual, 22, 31, 151-154 B assistance by organization, Biometrics, 123-125

More information

Privacy Guidelines For Landlords and Tenants

Privacy Guidelines For Landlords and Tenants Privacy Guidelines For Landlords and Tenants Purpose of the Guidelines In British Columbia, landlords and property managers acting on their behalf must adhere to the privacy rules contained in the BC Personal

More information

Personal Information Protection and Electronic Documents Act (PIPEDA)

Personal Information Protection and Electronic Documents Act (PIPEDA) Introduction Personal Information Protection and Electronic Documents Act (PIPEDA) Policy and The Insurance Brokers Association of Alberta is committed to respect the privacy rights of individuals by ensuring

More information

Zinc Recruitment Pty Ltd Privacy Policy

Zinc Recruitment Pty Ltd Privacy Policy 1. Introduction Zinc Recruitment Pty Ltd Privacy Policy We manage personal information in accordance with the Privacy Act 1988 and Australian Privacy Principles. This policy applies to information collected

More information

June 2015. Privacy Guidelines for Strata Corporations and Strata Agents

June 2015. Privacy Guidelines for Strata Corporations and Strata Agents June 2015 Privacy Guidelines for Strata Corporations and Strata Agents Page 2 TABLE OF CONTENTS Overview...2 Collection, use and disclosure of personal information...5 Retention and protection of personal

More information

ADMINISTRATIVE MANUAL Policy and Procedure

ADMINISTRATIVE MANUAL Policy and Procedure ADMINISTRATIVE MANUAL Policy and Procedure TITLE: Privacy NUMBER: CH 100-100 Date Issued: April 2010 Page 1 of 7 Applies To: Holders of CDHA Administrative Manual POLICY 1. In managing personal information,

More information

Privacy Policy. 30 January 2015

Privacy Policy. 30 January 2015 Privacy Policy 30 January 2015 Table of Contents 1 Overview 3 Purpose 3 Scope 3 2 Collection 3 What information do we collect? 3 What if you do not give us the information we request? 4 3 Use of information

More information

Responsibilities of Custodians and Health Information Act Administration Checklist

Responsibilities of Custodians and Health Information Act Administration Checklist Responsibilities of Custodians and Administration Checklist APPENDIX 3 Responsibilities of Custodians in Administering the Each custodian under the Act must establish internal processes and procedures

More information

NOTE: SERVICE AGREEMENTS WILL BE DRAFTED BY RISK SERVICES SERVICE AGREEMENT

NOTE: SERVICE AGREEMENTS WILL BE DRAFTED BY RISK SERVICES SERVICE AGREEMENT NOTE: SERVICE AGREEMENTS WILL BE DRAFTED BY RISK SERVICES SERVICE AGREEMENT Between: And: XXXXXX (the Contractor") Langara College 100 West 49 th Avenue Vancouver, BC V5Y 2Z6 (the College") The College

More information

SAFE HARBOR PRIVACY NOTICE EFFECTIVE: July 1, 2005 AMENDED: July 15, 2014

SAFE HARBOR PRIVACY NOTICE EFFECTIVE: July 1, 2005 AMENDED: July 15, 2014 SAFE HARBOR PRIVACY NOTICE EFFECTIVE: July 1, 2005 AMENDED: July 15, 2014 This Notice sets forth the principles followed by United Technologies Corporation and its operating companies, subsidiaries, divisions

More information

The Ten privacy principles and our commitment to them are as follows:

The Ten privacy principles and our commitment to them are as follows: Your Privacy is Our Concern Federated Insurance Company of Canada 1 is committed to protecting your personal information, whether you are a customer of Federated or not, and, no matter how we came to be

More information

Central LHIN Governance Manual. Title: Whistleblower Policy Policy Number: GP-003

Central LHIN Governance Manual. Title: Whistleblower Policy Policy Number: GP-003 Central LHIN Governance Manual Title: Whistleblower Policy Policy Number: GP-003 Purpose: Originated: September 25, 2012 Board Approved: September 25, 2012 To set out the LHIN s obligations under the Public

More information

Managing Contracts under the FOIP Act. A Guide for Government of Alberta Contract Managers and FOIP Coordinators

Managing Contracts under the FOIP Act. A Guide for Government of Alberta Contract Managers and FOIP Coordinators Managing Contracts under the FOIP Act A Guide for Government of Alberta Contract Managers and FOIP Coordinators ISBN 978-0-7785-6102-6 Produced by Access and Privacy Service Alberta 3rd Floor, 10155 102

More information

The Manitowoc Company, Inc.

The Manitowoc Company, Inc. The Manitowoc Company, Inc. DATA PROTECTION POLICY 11FitzPatrick & Associates 4/5/04 1 Proprietary Material Version 4.0 CONTENTS PART 1 - Policy Statement PART 2 - Processing Personal Data PART 3 - Organisational

More information

CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES:

CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES: CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES: Privacy Responsibilities and Considerations Cloud computing is the delivery of computing services over the Internet, and it offers many potential

More information

QUEENSLAND COUNTRY HEALTH FUND. privacy policy. Queensland Country Health Fund Ltd ABN 18 085 048 237. better health cover shouldn t hurt

QUEENSLAND COUNTRY HEALTH FUND. privacy policy. Queensland Country Health Fund Ltd ABN 18 085 048 237. better health cover shouldn t hurt QUEENSLAND COUNTRY HEALTH FUND privacy policy Queensland Country Health Fund Ltd ABN 18 085 048 237 better health cover shouldn t hurt 1 2 contents 1. Introduction 4 2. National Privacy Principles 5 3.

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Policy Details Produced by Assistant Principal Information Systems Date produced Approved by Senior Leadership Team (SLT) Date approved July 2011 Linked Policies and Freedom of Information

More information

PRIVACY BREACH POLICY

PRIVACY BREACH POLICY Approved By Last Reviewed Responsible Role Responsible Department Executive Management Team March 20, 2014 (next review to be done within two years) Chief Privacy Officer Quality & Customer Service SECTION

More information

Law Firm Compliance: Key Privacy Considerations for Lawyers and Law Firms in Ontario

Law Firm Compliance: Key Privacy Considerations for Lawyers and Law Firms in Ontario PRIVACY COMPLIANCE ISSUES FOR LAW FIRMS IN ONTARIO By Sara A. Levine 1 Presented at Law Firm Compliance: Key Privacy Considerations for Lawyers and Law Firms in Ontario Ontario Bar Association, May 6,

More information

Report of the Information & Privacy Commissioner/Ontario. Review of the Canadian Institute for Health Information:

Report of the Information & Privacy Commissioner/Ontario. Review of the Canadian Institute for Health Information: Information and Privacy Commissioner of Ontario Report of the Information & Privacy Commissioner/Ontario Review of the Canadian Institute for Health Information: A Prescribed Entity under the Personal

More information

Boys and Girls Clubs of Kawartha Lakes B: Administration B4: Information Management & Policy: Privacy & Consent Technology

Boys and Girls Clubs of Kawartha Lakes B: Administration B4: Information Management & Policy: Privacy & Consent Technology Effective: Feb 18, 2015 Executive Director Replaces: 2010 Policy Page 1 of 5 REFERENCE: HIGH FIVE 1.4.3, 2.2.4, 2.5.3, PIDEDA POLICY: Our Commitment Boys and Girls Clubs of Kawartha Lakes (BGCKL) and the

More information

Model Business Associate Agreement

Model Business Associate Agreement Model Business Associate Agreement Instructions: The Texas Health Services Authority (THSA) has developed a model BAA for use between providers (Covered Entities) and HIEs (Business Associates). The model

More information

Appendix 11 - Swiss Data Protection Act

Appendix 11 - Swiss Data Protection Act GLEIF- LOU Restricted Appendix 11 - Swiss Data Protection Act GLEIF Revision Version: 1.0 2015-09-23 Master Copy page 2 of 11 Applicable Provisions of the Swiss Data Protection Act (DPA) including the

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY Title Author Approved By and Date Review Date Mike Pilling Latest Update- Corporation May 2008 1 Aug 2013 DATA PROTECTION ACT 1998 POLICY FOR ALL STAFF AND STUDENTS 1.0 Introduction 1.1 The Data Protection

More information

Data Protection and Privacy Policy

Data Protection and Privacy Policy Data Protection and Privacy Policy 1. General This policy outlines Conciliation Resources commitments to respect the privacy of people s personal information and observe the relevant data protection legislation.

More information

SCHEDULE "C" to the MEMORANDUM OF UNDERSTANDING BETWEEN ALBERTA HEALTH SERVICES AND THE ALBERTA MEDICAL ASSOCIATION (CMA ALBERTA DIVISION)

SCHEDULE C to the MEMORANDUM OF UNDERSTANDING BETWEEN ALBERTA HEALTH SERVICES AND THE ALBERTA MEDICAL ASSOCIATION (CMA ALBERTA DIVISION) SCHEDULE "C" to the MEMORANDUM OF UNDERSTANDING BETWEEN ALBERTA HEALTH SERVICES AND THE ALBERTA MEDICAL ASSOCIATION (CMA ALBERTA DIVISION) ELECTRONIC MEDICAL RECORD INFORMATION EXCHANGE PROTOCOL (AHS AND

More information

Disclosure is the action of making new or secret information known.

Disclosure is the action of making new or secret information known. /PURPOSE OF POLICY Pty Limited (Momentum) is required and committed to comply with the Australian Privacy Principles (APPs) in the Privacy Act 1998 (Cth) (Privacy Act). The APPs regulate the manner in

More information

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1 Protection of Personal Data RPC001147_EN_WB_L_1 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Responsibility of Employees

More information

HUMAN RESOURCES MANAGEMENT 53 Personnel Records

HUMAN RESOURCES MANAGEMENT 53 Personnel Records 1.0 RATIONALE Sturgeon School Division believes in managing personnel information as a strategic resource, in compliance with provincial legislation and in the best interests of the division and its employees.

More information

Privacy Law in Canada

Privacy Law in Canada Privacy Law in Canada Federal and provincial privacy legislation has a profound impact on the way virtually all organizations carry on business across the country. Canada s privacy laws, while likely the

More information

The Winnipeg Foundation Privacy Policy

The Winnipeg Foundation Privacy Policy The Winnipeg Foundation Privacy Policy The http://www.wpgfdn.org (the Website ) is operated by The Winnipeg Foundation (the Foundation ). The Winnipeg Foundation Privacy Policy Foundation is committed

More information

Catalyst Consulting & Events (CCE) takes seriously its commitment to preserve the privacy of the personal information that we collect.

Catalyst Consulting & Events (CCE) takes seriously its commitment to preserve the privacy of the personal information that we collect. PRIVACY POLICY 1. Introduction Catalyst Consulting & Events (CCE) takes seriously its commitment to preserve the privacy of the personal information that we collect. We will only collect information that

More information

7.08.2 Privacy Rules for Customer, Supplier and Business Partner Data. Directive 7.08 Protection of Personal Data

7.08.2 Privacy Rules for Customer, Supplier and Business Partner Data. Directive 7.08 Protection of Personal Data Akzo Nobel N.V. Executive Committee Rules 7.08.2 Privacy Rules for Customer, Supplier and Business Partner Data Source Directive Content Owner Directive 7.08 Protection of Personal Data AkzoNobel Legal

More information

STATUTORY INSTRUMENTS. S.I. No. 623 of 2006 EUROPEAN COMMUNITIES (EUROPEAN PUBLIC LIMITED-LIABILITY COMPANY) (EMPLOYEE INVOLVEMENT) REGULATIONS 2006

STATUTORY INSTRUMENTS. S.I. No. 623 of 2006 EUROPEAN COMMUNITIES (EUROPEAN PUBLIC LIMITED-LIABILITY COMPANY) (EMPLOYEE INVOLVEMENT) REGULATIONS 2006 STATUTORY INSTRUMENTS. S.I. No. 623 of 2006 EUROPEAN COMMUNITIES (EUROPEAN PUBLIC LIMITED-LIABILITY COMPANY) (EMPLOYEE INVOLVEMENT) REGULATIONS 2006 (Prn. A6/2135) 2 [623] S.I. No. 623 of 2006 EUROPEAN

More information

technical factsheet 176

technical factsheet 176 technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner s Office 1 3. Period protection rights and duties remain effective 2 4. The data protection

More information

Doing Business. A Practical Guide. casselsbrock.com. Canada. Dispute Resolution. Foreign Investment. Aboriginal. Securities and Corporate Finance

Doing Business. A Practical Guide. casselsbrock.com. Canada. Dispute Resolution. Foreign Investment. Aboriginal. Securities and Corporate Finance About Canada Dispute Resolution Forms of Business Organization Aboriginal Law Competition Law Real Estate Securities and Corporate Finance Foreign Investment Public- Private Partnerships Restructuring

More information

Office of Personnel Management. Policy Policy Number: Definitions. Communicate: To give a verbal or written report to an appropriate authority.

Office of Personnel Management. Policy Policy Number: Definitions. Communicate: To give a verbal or written report to an appropriate authority. Citation: Arkansas Code Annotated 21-1-601 through 608, 21-1-610; 21-1-123 and 124 Office of Personnel Management Policy 1 Forms: Fraud Reporting Complaint Form Definitions Adverse action: To discharge,

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Approval date: June 2014 Approved by: Board Responsible Manager: Executive Director of Resources Next Review June 2016 Data Protection Policy 1. Introduction Data Protection Policy

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY Reference number Approved by Information Management and Technology Board Date approved 14 th May 2012 Version 1.1 Last revised N/A Review date May 2015 Category Information Assurance Owner Data Protection

More information

Daltrak Building Services Pty Ltd ABN: 44 069 781 933. Privacy Policy Manual

Daltrak Building Services Pty Ltd ABN: 44 069 781 933. Privacy Policy Manual Daltrak Building Services Pty Ltd ABN: 44 069 781 933 Privacy Policy Manual Table Of Contents 1. Introduction Page 2 2. Australian Privacy Principles (APP s) Page 3 3. Kinds Of Personal Information That

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( BAA ) is effective ( Effective Date ) by and between ( Covered Entity ) and Egnyte, Inc. ( Egnyte or Business Associate ). RECITALS

More information

Business Contact Information

Business Contact Information Number 13 Revised March 2009 Business Contact Information CONTENTS Introduction 1 Types of business contact information Business is personal information Disclosure of business under section 40(1)(bb.1)

More information

Pacific Smiles Group Privacy Policy

Pacific Smiles Group Privacy Policy Pacific Smiles Group Privacy Policy Pacific Smiles Group Limited and its related bodies corporate (PSG, we, our, us) recognise the importance of protecting the privacy and the rights of individuals in

More information

Merthyr Tydfil County Borough Council. Data Protection Policy

Merthyr Tydfil County Borough Council. Data Protection Policy Merthyr Tydfil County Borough Council Data Protection Policy 2014 Cyfarthfa High School is a Rights Respecting School, we recognise the importance of ensuring that the United Nations Convention of the

More information

DATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff

DATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff DATA PROTECTION IT S EVERYONE S RESPONSIBILITY An Introductory Guide for Health Service Staff 1 Message from Director General Dear Colleagues The safeguarding of and access to personal information has

More information

The Health and Benefit Trust Fund of the International Union of Operating Engineers Local Union No. 94-94A-94B, AFL-CIO. Notice of Privacy Practices

The Health and Benefit Trust Fund of the International Union of Operating Engineers Local Union No. 94-94A-94B, AFL-CIO. Notice of Privacy Practices The Health and Benefit Trust Fund of the International Union of Operating Section 1: Purpose of This Notice Notice of Privacy Practices Effective as of September 23, 2013 THIS NOTICE DESCRIBES HOW MEDICAL

More information

The Health Information Protection Act

The Health Information Protection Act 1 The Health Information Protection Act being Chapter H-0.021* of the Statutes of Saskatchewan, 1999 (effective September 1, 2003, except for subsections 17(1), 18(2) and (4) and section 69) as amended

More information

We will not collect, use or disclose your personal information without your consent, except where required or permitted by law.

We will not collect, use or disclose your personal information without your consent, except where required or permitted by law. HSBC Privacy Notice HSBC's Privacy Principles HSBC Bank Canada is a subsidiary of HSBC Holdings plc which, together with its subsidiaries and affiliates, is one of the world s largest banking and financial

More information

PHYSICIANS REIMBURSEMENT FUND, INC. A Risk Retention Group. APPLICATION MD & DO Locum Tenens. 1. First Name: Middle Initial: Last Name:

PHYSICIANS REIMBURSEMENT FUND, INC. A Risk Retention Group. APPLICATION MD & DO Locum Tenens. 1. First Name: Middle Initial: Last Name: PHYSICIANS REIMBURSEMENT FUND, INC. A Risk Retention Group APPLICATION MD & DO Locum Tenens Applicant Information: 1. First Name: Middle Initial: Last Name: CA Medical License #: Expiration Date: Date

More information

GOODS AND SERVICES AGREEMENT BETWEEN SOUTHERN CALIFORNIA PUBLIC POWER AUTHORITY AND COMPANY/CONTRACTOR NAME

GOODS AND SERVICES AGREEMENT BETWEEN SOUTHERN CALIFORNIA PUBLIC POWER AUTHORITY AND COMPANY/CONTRACTOR NAME GOODS AND SERVICES AGREEMENT BETWEEN SOUTHERN CALIFORNIA PUBLIC POWER AUTHORITY AND COMPANY/CONTRACTOR NAME This GOODS AND SERVICES AGREEMENT ("Agreement") is entered into and effective [DATE], by and

More information

LEAD PROVIDER FRAMEWORK CALL OFF TERMS AND CONDITIONS

LEAD PROVIDER FRAMEWORK CALL OFF TERMS AND CONDITIONS LEAD PROVIDER FRAMEWORK CALL OFF TERMS AND CONDITIONS 1 LEAD PROVIDER FRAMEWORK - CALL OFF TERMS AND CONDITIONS - SUMMARY Where an Order Form is issued by the Authority that refers to the Framework Agreement,

More information

Dublin City University

Dublin City University Dublin City University Data Protection Policy Data Protection Policy Contents Purpose... 1 Scope... 1 Data Protection Principles... 1 Disclosure of Personal Data... 2 Summary of Responsibilities... 3 Rights

More information

CORK INSTITUTE OF TECHNOLOGY

CORK INSTITUTE OF TECHNOLOGY CORK INSTITUTE OF TECHNOLOGY DATA PROTECTION POLICY APPROVED BY GOVERNING BODY ON 30 APRIL 2009 INTRODUCTION Cork Institute of Technology is committed to a policy of protecting the rights and privacy of

More information

Trans Canada Trail Ontario

Trans Canada Trail Ontario TABLE OF CONTENTS Section PAGE 1.0 Purpose and Scope of Policy 1 2.0 Introduction and Regulations 1 3.0 Recruitment and Selection 1 4.0 Probation 2 5.0 Hours of Work 3 6.0 Performance Appraisal 3 7.0 Employee

More information

It is hereby notified that the President has assented to the following Act which is hereby published for general information:-

It is hereby notified that the President has assented to the following Act which is hereby published for general information:- PRESIDENT'S OFFICE No. 967. 14 June 1996 NO. 29 OF 1996: MINE HEALTH AND SAFETY ACT, 1996. It is hereby notified that the President has assented to the following Act which is hereby published for general

More information

Data Protection and Data security Policy

Data Protection and Data security Policy Data Protection and Data security Policy Statement of policy and purpose of Policy 1. Somer Valley Community Radio Ltd (the Employer) is committed to ensuring that all personal information handled by us

More information

Privacy and Security Resource Materials for Saskatchewan EMR Physicians: Guidelines, Samples and Templates. Reference Manual

Privacy and Security Resource Materials for Saskatchewan EMR Physicians: Guidelines, Samples and Templates. Reference Manual Privacy and Security Resource Materials for Saskatchewan EMR Physicians: Guidelines, Samples and Templates Guidelines on Requirements and Good Practices For Protecting Personal Health Information Disclaimer

More information

235.1. Federal Act on Data Protection (FADP) Aim, Scope and Definitions

235.1. Federal Act on Data Protection (FADP) Aim, Scope and Definitions English is not an official language of the Swiss Confederation. This translation is provided for information purposes only and has no legal force. Federal Act on Data Protection (FADP) 235.1 of 19 June

More information

Privacy Policy Last Modified: April 3, 2015 1

Privacy Policy Last Modified: April 3, 2015 1 Privacy Policy Last Modified: April 3, 2015 1 Introduction Jamberry Nails, LLC, a Utah limited liability company, U.S.A., (referred to herein as Jamberry, we, us and our ) understands the importance of

More information

LONG ISLAND UNIVERSITY RECORDS RETENTION POLICY

LONG ISLAND UNIVERSITY RECORDS RETENTION POLICY LONG ISLAND UNIVERSITY RECORDS RETENTION POLICY Statement of Policy Long Island University requires the retention of University records for specific periods of time, regardless of format, taking into account

More information

Protecting your privacy

Protecting your privacy Protecting your privacy Table of Contents Answering your questions about privacy Your privacy... 1 Your consent... 1 Answering your questions about privacy... 2 About cookies... 9 Behavioural Advertising/Online

More information

John Leggott College. Data Protection Policy. Introduction

John Leggott College. Data Protection Policy. Introduction John Leggott College Data Protection Policy Introduction The College needs to keep certain information about its employees, students and other users to allow it to monitor performance, achievements, and

More information

2010THE LEGISLATIVE ASSEMBLY FOR THEAUSTRALIAN CAPITAL TERRITORY. WORKPLACE PRIVACY BILL 2010EXPLANATORY STATEMENT Circulated by Amanda Bresnan MLA

2010THE LEGISLATIVE ASSEMBLY FOR THEAUSTRALIAN CAPITAL TERRITORY. WORKPLACE PRIVACY BILL 2010EXPLANATORY STATEMENT Circulated by Amanda Bresnan MLA 2010THE LEGISLATIVE ASSEMBLY FOR THEAUSTRALIAN CAPITAL TERRITORY WORKPLACE PRIVACY BILL 2010EXPLANATORY STATEMENT Circulated by Amanda Bresnan MLA OVERVIEW The objects of this Bill are to ensure that employers

More information

Caedmon College Whitby

Caedmon College Whitby Caedmon College Whitby Data Protection and Information Security Policy College Governance Status This policy was re-issued in June 2014 and was adopted by the Governing Body on 26 June 2014. It will be

More information

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE This Notice of Privacy Practices describes the legal obligations of Ave Maria University, Inc. (the plan ) and your legal rights regarding your protected health

More information

CIHI Submission: 2011 Prescribed Entity Review

CIHI Submission: 2011 Prescribed Entity Review pic pic CIHI Submission: 2011 Prescribed Entity Review October 2011 Who We Are Established in 1994, CIHI is an independent, not-for-profit corporation that provides essential information on Canada s health

More information

7. PROTECTION OF PRIVACY

7. PROTECTION OF PRIVACY 7. PROTECTION OF PRIVACY Overview This chapter covers the obligations of public bodies regarding the collection, use and disclosure of personal information; the accuracy of personal information; the retention

More information

COLLECTION AND DEBT REPAYMENT PRACTICES REGULATION

COLLECTION AND DEBT REPAYMENT PRACTICES REGULATION Province of Alberta FAIR TRADING ACT COLLECTION AND DEBT REPAYMENT PRACTICES REGULATION Alberta Regulation 194/1999 With amendments up to and including Alberta Regulation 57/2014 Office Consolidation Published

More information

Guide for Developing Personal Information Sharing Agreements. Revised October 2003 (updated to reflect A.R. 186/2008)

Guide for Developing Personal Information Sharing Agreements. Revised October 2003 (updated to reflect A.R. 186/2008) Guide for Developing Personal Information Sharing Agreements Revised October 2003 (updated to reflect A.R. 186/2008) ISBN 0-7785-3104-X Produced by: Access and Privacy Service Alberta 3rd Floor, 10155

More information

DATA PROTECTION AND DATA STORAGE POLICY

DATA PROTECTION AND DATA STORAGE POLICY DATA PROTECTION AND DATA STORAGE POLICY 1. Purpose and Scope 1.1 This Data Protection and Data Storage Policy (the Policy ) applies to all personal data collected and dealt with by Centre 404, whether

More information

Privacy Policy. Federal Insurance Company, Singapore Branch Singapore Personal Data Protection Privacy Policy. 1. Introduction

Privacy Policy. Federal Insurance Company, Singapore Branch Singapore Personal Data Protection Privacy Policy. 1. Introduction Privacy Policy 1. Introduction Federal Insurance Company, Singapore Branch ( we, our or us ) recognise the importance of protecting the privacy and the rights of individuals in relation to their personal

More information

Paychex Accounting Online Terms of Use

Paychex Accounting Online Terms of Use Paychex Accounting Online Terms of Use Paychex recommends that Client read the Terms of Use prior to using the Paychex Accounting Online Software ( Software ). If Client does not accept and agree with

More information