Principles in Summary
- Identifying Purposes
- Limiting Collection
- Limiting Use, Disclosure, and Retention
- Individual Access
- Challenging Compliance
This policy complies with both the Alberta Government’s Personal Information Protection Act and Canada’s Personal Information Protection and Electronic Documents Act.
Section 1 - Accountability
1.1 Accountability for WEM’s compliance with the principles rests with the Privacy Compliance Committee ("PCC") even though other individuals may be responsible for the day-to-day collection and processing of personal information. The PCC may delegate others to act on behalf of the PCC.
1.2 The identity of the PCC members shall be made known upon request.
1.3 WEM is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. WEM shall use contractual means to provide a comparable level of protection while the information is being processed by a third party.
1.4 Protection of Personal Information All personal information collected by members of WEM or by its agents, contractors, partners, or otherwise affiliated organizations shall be protected through physical or electronic measures in order to reduce risk of its unauthorized collection, use, disclosure, or destruction.
Such protections shall be appropriate to the sensitivity and may include, by way of example:
- locked cabinets
- restricted access
- file write-protection
1.5 Procedure Governing Receipt and Response to Complaints and Inquiries
All complaints or inquiries received by any member of the WEM organization shall be immediately referred to the Chair of the PCC. All members of the WEM organization may refer any complaint or inquiry to:
Suite 3000, 8882 170 Street
Edmonton, AB T5T 4M2
The Chair of the PCC shall respond in a timely manner to the individual making the complaint or inquiry in compliance with all applicable provisions of the Protection of Personal Privacy Act of Alberta (2004).
1.6 Training Staff
WEM shall incorporate materials outlining this policy and its related procedures into its existing employee training, communications, and resource programs. Such materials may include but shall not be limited to:
- provision of this policy to the employee at time of hire
- ongoing review of this policy in customer service training programs
- awareness of the policy’s posting to company websites
- invitation of ongoing employee comment and review of this policy
- applicable signage in employee rest areas
- regular summaries of this policy and location of further resources in employee
- newsletters; and
- ongoing employee information seminars.
1.7 Explanation of this policy. WEM shall from time to time, develop materials for distribution to employees explaining this policy and its related procedures.
Section 2 - Identifying Purposes
2.1 WEM shall document the purposes for which personal information is collected in order to comply with the Openness and Individual Access Principles outlined in the CSA Model Privacy Code, the Personal Information Protection Act of Alberta (PIPA) and the Personal Information Protection and Electronic Documents Act of Canada (PIPEDA).
2.2 Identifying the purposes for which personal information is collected at or before the time of collection allows WEM to determine the information it needs to collect to fulfill these purposes. The Limiting Collection Principle outlined in the CSA Model Privacy Code and in the PIPA and PIPEDA Acts requires WEM to collect only that information necessary for the purposes that have been identified.
2.3 WEM shall identify purposes at or before the time of collection to the individual from whom the personal information is collected. WEM will endeavour to identify purposes in writing wherever possible. In certain circumstances identification may also be provided orally.
For example, forms may provide information on purposes in writing. Collection of personal information through "on-the-spot" interviews or surveys may be better suited to identifying purposes orally.
2.4 When personal information that has been collected is to be used for a purpose not previously identified, the new purpose shall be identified prior to use. Unless the new purpose is required by law, the consent of the individual is required before information can be used for that purpose. For an elaboration on consent, please refer to the Consent Principle.
2.5 Employees collecting personal information shall be able to accurately explain to individuals the purposes for which the information is being collected; or in the alternative shall refer the individual to a member of the Privacy Protection Committee.
Section 3 - Consent
3.1 Consent is required for the collection of personal information and the subsequent use or disclosure of this information. Typically, an organization will seek consent for the use or disclosure of the information at the time of collection. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected but before use (for example, when WEM wants to use information for a purpose not previously identified).
3.2 The Consent Principle of the CSA Model Privacy Code, PIPA, and PIPEDA requires "knowledge and consent". WEM shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.
3.3 The form of consent sought by WEM may vary, depending upon the circumstances and the type of information. In determining the form of consent to use, WEM shall take into account the sensitivity of the information. Although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context. For example, the names and addresses of subscribers to a newsmagazine would generally not be considered sensitive information. However, the name and addresses of subscribers to some special-interest magazines might be considered sensitive.
3.4 In obtaining consent, the reasonable expectations of the individual are also relevant. For example, an individual requesting to join a WEM mailing list should reasonably expect that WEM, in addition to using the individual’s name and address for a single mailing, would also use that information to send subsequent mailing to the person. In this case, WEM can assume that the individual’s request constitutes consent for the specific purposes of sending out a series of mailings. On the other hand, an individual would not reasonably expect that personal information given to WEM for a mailing list would be used for any other purpose or given to a company selling magazine subscriptions (or other merchandise or services) unless further consent were obtained. Consent shall not be obtained through deception.
3.5 The way in which WEM seeks consent may vary, depending on the circumstances and the type of information collected. WEM shall seek express (written) consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive. Consent can also be given by an authorized representative (such as a legal guardian or a person having power of attorney).
3.6 Individuals can give consent in many ways. For example:
- an application form may be used to seek consent, collect information, and inform the individual of the use that will be made of the information. By completing and signing the form, the individual is giving consent to the collection and the specified uses;
- a check-off box may be used to allow individuals to request that their names and addresses not be given to other organizations. Individuals who do not check the box are assumed to consent to the transfer of this information to third parties;
- consent may be given orally when information is collected over the telephone; or
- consent may be given at the time that individuals use a product or service. 3.7 An individual may withdraw consent at any time, subject to legal or contractual restrictions and with reasonable notice. At the time that an individual requests withdrawal, WEM shall inform the individual of the implications of such withdrawal.
Section 4 - Limiting Collection
4.1 WEM shall not collect personal information indiscriminately. Both the amount and the type of information collected shall be limited to that which is necessary to fulfill the purposes identified. WEM shall specify the type of information collected as part of its information-handling policies and practices, in accordance with the Openness Principle of the CSA Model Code, PIPA, and PIPEDA.
4.2 WEM shall collect personal information only by fair and lawful means and shall not collect information by misleading means or by deceiving individuals about the purpose for which information is being collected.
Section 5 - Limiting Use, Disclosure and Retention
5.1 When WEM uses personal information for a new purpose, WEM shall document this purpose.
5.2 WEM shall develop guidelines and implement procedures with respect to the retention of personal information. These guidelines shall include both minimum and maximum retention periods. Personal information that has been used to make a decision about an individual shall be retained long enough to allow the individual access to the information after the decision has been made. WEM may be subject to legislative requirements with respect to retention periods and shall recognize the development and implementation of sound records management practices as complimentary to the CSA Model Code, PIPA and PIPEDA.
5.3 Personal information that is no longer required to fulfill the identified purposes shall be destroyed, erased, or made anonymous. WEM shall develop guidelines and implement procedures to govern the destruction of personal information.
Section 6 - Accuracy
6.1 The extent to which personal information shall be accurate, complete, and up-to-date will depend upon the use of the information, taking into account the interests of the individual. Information shall be sufficiently accurate, complete, and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about the individual.
6.2 WEM shall not routinely update personal information, unless such a process is necessary to fulfill the purposes for which the information was collected.
6.3 Personal information that is used on an ongoing basis, including information that is disclosed to third parties, shall be accurate and up-to-date, unless limits to the requirement for accuracy are clearly set out.
Section 7 - Safeguards
7.1 The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. WEM shall protect personal information regardless of the format or storage media in which it is held.
7.2 The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, and format of the information, and the method of storage. More sensitive information shall be safeguarded by a higher level of protection.
7.3 The methods of protection should include:
- physical measures, for example, locked filing cabinets and restricted access to offices;
- organizational measures, for example, security clearances and limiting access on a "need-to-know" basis; and
- technological measures, for example, the use of passwords and encryption.
7.4 WEM shall make its employees aware of the importance of maintaining the confidentiality of personal information.
7.5 Care shall be used in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information. Disposal or destruction of personal information shall not be undertaken by any employee without the prior written authorization of the Privacy Protection Committee outlining the preferred method of destruction, the specific information authorized for destruction, and date of destruction. Once personal information has been destroyed the employee(s) who carried out the destruction shall complete a Certificate of Destruction and return same to the Privacy Protection Committee.
Section 8 - Openness
8.1 WEM shall be open about its policies and practices with respect to the management of personal information. Individuals shall be able to acquire information about WEM’s policies and practices without unreasonable effort. This information shall be made available in a form that is generally understandable.
8.2 The information made available shall include:
- the name, title, and address of the person who is accountable for the organization’s policies and practices and to whom complaints or inquiries can be forwarded;
- the means of gaining access to personal information held by WEM;
- a description of the type of personal information held by WEM, including a general account of its use;
- a copy of brochures or other information that explain WEM’s policies, standards, or codes; and
- that personal information which is made available to related organizations (e.g., subsidiaries).
8.3 WEM shall make information on its policies and practices available in a variety of ways. The method chosen depends on the nature of WEM’s business and other considerations. For example, WEM may choose to make brochures available on the mall common area, mail information to its clients or tenants, provide online access, or establish a toll-free telephone number.
Section 9 - Individual Access
9.1 Upon request, WEM shall inform an individual whether or not WEM holds personal information about the individual. WEM shall, wherever appropriate, indicate the source of this information. WEM shall allow the individual access to this information. In addition, WEM shall provide an account of the use that has been made or is being made of this information and an account of the third parties to which it has been disclosed.
9.2 An individual may be required to provide sufficient information to permit WEM to provide an account of the existence, use, and disclosure of personal information. The information provided shall only be used for this purpose.
9.3 In providing an account of third parties to which it has disclosed personal information about an individual, WEM shall be as specific as possible. When it is not possible to provide a list of the organizations to which it has actually disclosed information about an individual, WEM shall provide a list of organizations to which it may have disclosed information about the individual.
9.4 WEM shall respond to an individual’s request within a reasonable time and at minimal or no cost to the individual. The requested information shall be provided or made available in a form that is generally understandable. For example, if WEM uses abbreviations or codes to record information, an explanation of such abbreviations or codes shall be provided. All such requests should be submitted in writing to:
Suite 3000, 8882 170 Street
Edmonton, AB T5T 4M2
9.5 When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, WEM shall amend the information as required or may delete the record of personal information in its entirety but only with the prior written authorization of the Privacy Protection Committee. Depending upon the nature of the information challenged, amendment may involve the correction, deletion, or addition of information. Where appropriate, the amended information shall be transmitted to third parties having access to the information in question.
9.6 When a challenge is not resolved to the satisfaction of the individual, the substance of the unresolved challenge shall be recorded by WEM. When appropriate, the existence of the unresolved challenge shall be transmitted to third parties having access to the information in question.
Section 10 - Challenging Compliance
10.1 The individual accountable for WEM’s compliance is discussed in Section 1 above.
10.2 WEM shall put procedures in place to receive and respond to complaints or inquiries about its policies and practices relating to the handling of personal information. The complaint process should be easily accessible and simple to use.
10.3 WEM shall inform individuals who make inquiries or lodge complaints of the existence of relevant complaint mechanisms.
10.4 WEM shall investigate all complaints. If a complaint is found to be justified through either the internal or external complaint review process, WEM shall take appropriate measures, including, if necessary, amending its policies and practices.
10.5 WEM may, at its sole discretion, charge a reasonable fee to individuals making requests for searches for personal information under this section. All charges, together with an explanation of the charges, shall be presented to individuals making personal information requests for their approval in advance of WEM’s undertaking any search for personal information.