News

  • Inter Kingston was nominated for an International Web Development award! Last spring, Inter Kingston developed a website for the Kingston Junior Chamber, www.kingstonjaycees.com. To the general public the website is a nice brochure website and overview of the organization, for the members it is an invaluable tool. It incorporates a dynamic document storage system, photo album, and always current membership database. The nominations were announced in Copenhagen, Denmark in November and were selected from over 111 countries worldwide.

Articles

How does the new privacy act affect your website?

article by: Lindsey Fair

January 1, 2004 - The Privacy Act extends to the collection, use or disclosure of personal information in the course of any commercial activity within a province.

Definition of Consent: Voluntary agreement with what is being done or proposed. Consent can be either express or implied. Express consent is given explicitly, either orally or in writing. Express consent is unequivocal and does not require any inference on the part of the organization seeking consent. Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual.

Not covered under the act are an employee's name, title, business address or telephone number (which most likely includes a work email address, although that question has never been officially answered, and not for lack of trying to find out).

The 10 principles in the act that businesses must follow are:

  • Accountability
  • Identifying purposes
  • Consent
  • Limiting collection
  • Limiting use, disclosure, and retention
  • Accuracy
  • Safeguards
  • Openness
  • Individual access
  • Challenging compliance

  1. Be accountable

    Your responsibilities:
    • Comply with all 10 of the principles of Schedule 1.
    • Appoint an individual (or individuals) to be responsible for your organization's compliance.
    • Protect all personal information held by your organization or transferred to a third party for processing.
    • Develop and implement personal information policies and practices.

    How to fulfil these responsibilities when it comes to your electronic communication:

    • Give your designated privacy official senior management support and the authority to intervene on privacy issues relating to any of your organization's operations.
    • Communicate the name or title of this individual internally and externally (e.g. on web sites and in publications).
    • Analyze all personal information handling practices, including ongoing activities and new initiatives, using the following checklist to ensure that they meet fair information practices: What personal information do we collect? Why do we collect it? How do we collect it? What do we use it for? Where do we keep it? How is it secured? Who has access to or uses it? To whom is it disclosed? When is it disposed of?
    • Develop and implement policies and procedures to protect personal information: define the purposes of its collection, obtain consent, limit its collection, use and disclosure, ensure information is correct, complete and current, ensure adequate security measures, develop or update a retention and destruction timetable, process access requests, and respond to inquiries and complaints.
    • Make information available explaining these policies and procedures to clients and customers (e.g. in brochures and on web sites).

  2. Identify the purpose

    Your organization must identify the reasons for collecting personal information before or at the time of collection.

    Your responsibilities:
    • Before or when any personal information is collected, identify why it is needed and how it will be used.
    • Document why the information is collected.
    • Inform the individual from whom the information is collected why it is needed.
    • Identify any new purpose for the information and obtain the individual's consent before using it.

    How to fulfil these responsibilities when it comes to your electronic communication:

    • Review your personal information holdings to ensure they are all required for a specific purpose.
    • Notify the individual, either orally or in writing, of these purposes.
    • Record all identified purposes and obtained consents for easy reference in case an individual requests an account of such information.

    Grandfathering

    Personal information that your company has collected during the course of its commercial activities is subject to the Act. Since it has already been collected, you don't need to recollect it. However, in order to continue to use or disclose this information, you now require consent. Some organizations have informed all their customers what they do with their information and to whom it is disclosed, and have given customers the option to object to these ongoing uses or disclosures.

  3. Obtain consent

    Your responsibilities:
    • Inform the individual in a meaningful way of the purposes for the collection, use or disclosure of personal data.
    • Obtain the individual's consent before or at the time of collection, as well as when a new use is identified.

    How to fulfil these responsibilities when it comes to your electronic communication:

    • Obtain consent from the individual whose personal information is collected, used or disclosed.
    • Communicate in a manner that is clear and can be reasonably understood.
    • Record the consent received (e.g. note to file, copy of e-mail, copy of checkoff box).
    • Never obtain consent by deceptive means.
    • Do not make consent a condition for supplying a product or a service, unless the information requested is required to fulfil an explicitly specified and legitimate purpose.
    • Explain to individuals the implications of withdrawing their consent.
    • Ensure that employees collecting personal information are able to answer an individual's questions about the purposes of the collection.

  4. Limit collection

    Your responsibilities:
    • Do not collect personal information indiscriminately.
    • Do not deceive or mislead individuals about the reasons for collecting personal information.

    How to fulfil these responsibilities when it comes to your electronic communication:

    • Limit the amount and type of the information gathered to what is necessary for the identified purposes.
    • Ensure that staff members can explain why the information is needed.

  5. Limit use, disclosure and retention

    Your responsibilities:
    • Use or disclose personal information only for the purpose for which it was collected, unless the individual consents, or the use or disclosure is authorized by the Act.
    • Keep personal information only as long as necessary to satisfy the purposes.
    • Put guidelines and procedures in place for retaining and destroying personal information.
    • Keep personal information used to make a decision about a person for a reasonable time period. This should allow the person to obtain the information after the decision and pursue redress.
    • Destroy, erase or render anonymous information that is no longer required for an identified purpose or a legal requirement.

    How to fulfil these responsibilities when it comes to your electronic communication:

    • Document any new purpose for the use of personal information.
    • Dispose of information that does not have a specific purpose or that no longer fulfils its intended purpose.
    • Dispose of personal information in a way that prevents improper access. Shredding paper files or deleting electronic records are ideal.
    • Establish policies setting out the types of information that need to be updated. An organization can reasonably expect an individual to provide updated information in certain circumstances (e.g. change of address for a magazine subscription).

  6. Accuracy

  7. Use appropriate safeguards

    Your responsibilities:
    • Protect personal information against loss or theft.
    • Safeguard the information from unauthorized access, disclosure, copying, use or modification.
    • Protect personal information regardless of the format in which it is held.

    How to fulfil these responsibilities when it comes to your electronic communication:

    • Develop and implement a security policy to protect personal information.
    • Use appropriate security safeguards to provide the necessary protection:
      • technological tools (passwords, encryption, firewalls, anonymizing software)
      • organizational controls (security clearances, limiting access on a "need-to-know" basis, staff training, confidentiality agreements)
    • Make your employees aware of the importance of maintaining the security and confidentiality of personal information.
    • Review and update security measures regularly.

  8. Be open

    Your responsibilities:
    • Inform customers, clients and employees that you have policies and practices for the management of personal information.
    • Make these policies and practices understandable and easily available.

    How to fulfil these responsibilities when it comes to your electronic communication:

    • Ensure front-line staff are familiar with the procedures for responding to individual inquiries.
    • Make the following available:
      • name or title and address of the person who is accountable for your organization's privacy policies and practices
      • name or title and address of the person to whom access requests should be sent
      • how an individual can gain access to his or her personal information
      • how an individual can complain to your organization
      • brochures or other information that explain your organization's policies, standards or codes
      • a description of what personal information is made available to other organizations (including subsidiaries) and why it is disclosed.

  9. Individual access

  10. Challenging compliance

Exceptions to consent in Section 7

Organizations may collect personal information without the individual's knowledge or consent only:

  • if it is clearly in the individual's interests and consent is not available in a timely way
  • if knowledge and consent would compromise the availability or accuracy of the information and collection is required to investigate a breach of an agreement or contravention of a federal or provincial law
  • for journalistic, artistic or literary purposes
  • if it is publicly available as specified in the regulations.

Organizations may use personal information without the individual's knowledge or consent only:

  • if the organization has reasonable grounds to believe the information could be useful when investigating a contravention of a federal, provincial or foreign law and the information is used for that investigation
  • for an emergency that threatens an individual's life, health or security
  • for statistical or scholarly study or research (the organization must notify the Privacy Commissioner before using the information)
  • if it is publicly available as specified in regulations
  • if the use is clearly in the individual's interest and consent is not available in a timely way
  • if knowledge and consent would compromise the availability or accuracy of the information and collection was required to investigate a breach of an agreement or contravention of a federal or provincial law.

Organizations may disclose (including for sale or rent or just to share) personal information without the individual's knowledge or consent only:

  • to a lawyer representing the organization
  • to collect a debt the individual owes to the organization
  • to comply with a subpoena, a warrant or an order made by a court or other body with appropriate jurisdiction
  • to a government institution that has requested the information, identified its lawful authority, and indicates that disclosure is for the purpose of enforcing, carrying out an investigation, or gathering intelligence relating to any federal, provincial or foreign law; or suspects that the information relates to national security or the conduct of international affairs; or is for the purpose of administering any federal or provincial law
  • to an investigative body named in the Regulations of the Act or government institution on the organization's initiative when the organization believes the information concerns a breach of an agreement, or a contravention of a federal, provincial, or foreign law, or suspects the information relates to national security or the conduct of international affairs
  • if made by an investigative body for the purposes related to the investigation of a breach of an agreement or a contravention of a federal or provincial law
  • in an emergency threatening an individual's life, health, or security (the organization must inform the individual of the disclosure)
  • for statistical or scholarly study or research (the organization must notify the Privacy Commissioner before disclosing the information)
  • to an archival institution
  • 20 years after the individual's death or 100 years after the record was created
  • if it is publicly available as specified in the regulations
  • if required by law.

For more information, go to e-com.ic.gc.cal (Electronic Commerce in Canada) or www.privcom.gc.ca (Guide for Businesses and Organizations to Canada's Personal Information Protection and Electronic Documents Act).

Lindsey Fair is a project manager with Inter Kingston Web Design.