The Sustainable Infrastructure Society Privacy Code
The Sustainable Infrastructure Society (SIS) Privacy Code sets out our privacy commitment
to the protection of our employees' and customers' personal information. This Privacy
Code is built on the ten principles of the Canadian Standards Association (CSA)
Model Code for the Protection of Personal Information, which was published in March
1996 as a National Standard of Canada. These principles have now been incorporated into both
federal and provincial privacy laws.
Definitions
"contact information" means information to enable an individual at a place
of business to be contacted and includes the name, position name or title, business
telephone number, business address, business email or business fax number of the
individual.
"employee personal information" means personal information about an individual
that is collected, used or disclosed solely for the purposes reasonably required
to establish, manage or terminate an employment relationship between the organization
and that individual, but does not include personal information that is not about
an individual's employment.
"organization" means a person, an unincorporated association, a trade
union, a trust or a not for profit organization, but does not include:
(a) an individual acting in a personal or domestic capacity or acting as an employee;
(b) a public body;
(c) the Provincial Court, the Supreme Court or the Court of Appeal;
(d) the Nisga'a Government, as defined in the Nisga'a Final Agreement; or
(e) a private trust for the benefit of one or more designated individuals who are
friends or members of the family of the settlor.
"personal information" means information about an identifiable individual
and includes employee personal information but does not include contact information
or work product information.
"SIS" means Sustainable Infrastructure Society.
"work product information" means information prepared or collected by
an individual or group of individuals as part of the individual's or group's responsibilities
or activities related to the individual's or group's employment or business but
does not include personal information about the individual who did not prepare or
collect the personal information.
Introduction
SIS is a British Columbia non-profit organization with a mandate to assist in the
development and application of technology and resources for building the managerial,
financial, and operational capacity of community water suppliers in British Columbia.
Privacy of personal information is a critical employee and customer criterion and
priority.
This Privacy Code is intended to set out our commitment to our customers and employees
regarding the protection of personal information provided by our employees and customers
as reflected in the following principles, policies and procedures. It is also intended
to set out the choices available for individuals regarding our collection, use or
disclosure of their personal information.
The purpose of this Privacy Code is to articulate clearly our privacy practices
respecting the management of personal information collected and used by the SIS
and to ensure compliance with the federal and provincial privacy laws. It is the
intention of this Privacy Code to recognize the needs of the SIS to collect, use
or disclose personal information versus the right of individuals to protect their
personal information. The standard for the collection of personal information by
the SIS is one of what a reasonable person would consider appropriate in the circumstances.
SIS is further committed to a continual review and updating of our Privacy Code
to ensure that we are keeping pace with changes in technology and industry practices
and meeting the on-going needs of our employees and customers.
Guiding Principles
The following ten principles are the basis of the SIS Privacy Code and shall guide
SIS's management of personal information and its privacy practices together with
the statutory requirements of the BC Personal Information Protection Act.
1. Accountability - SIS is responsible for personal information under its
control including personal information not in the custody of SIS. SIS shall designate
one or more individuals to be responsible for ensuring that SIS complies with this
Privacy Code and shall make available the position name or title and contact information
of each individual so designated.
2. Identifying Purposes for Collection of Personal Information - SIS shall identify
the purposes for which personal information is collected at or before the time personal
information is collected.
3. Obtaining Consent for Collection, Use or Disclosure of Personal Information -
SIS shall ensure that consent is obtained from each individual for the collection,
use or disclosure of their personal information unless inappropriate. SIS shall
recognize and act on any withdrawal of consent by an individual to collect their
personal information.
4. Limiting Collection of Personal Information - SIS shall limit the collection
of personal information to the purposes identified by SIS and shall only collect
personal information using appropriate, fair and lawful means.
5. Limiting Use, Disclosure and Retention of Personal Information - SIS shall not
use or disclose personal information for purposes other than for the purpose it
was collected unless SIS has the consent of the individual or as provided by law.
SIS shall retain personal information for only as long as necessary to meet the
purposes of the collection of the personal information.
6. Accuracy of Personal Information - SIS shall ensure that personal information
collected, used and disclosed shall be as accurate, complete and up-to-date as possible
for the purposes for which it has been collected, used and disclosed.
7. Security Safeguards - SIS shall take all appropriate steps to protect the personal
information collected, used and disclosed and use security measures appropriate
to the sensitivity of the personal information.
8. Openness Concerning Policies and Practices - SIS shall ensure that information
is made available to employees and customers regarding this Privacy Code and our
privacy practices regarding personal information.
9. Customer and Employee Access to Personal Information - SIS shall inform an individual
of the collection, use and disclosure of his/her personal information at the individual's
request and shall grant access to the individual to such personal information. An
individual shall be entitled to challenge the accuracy and completeness of the personal
information collected, used or disclosed by SIS and have it amended and/or corrected
as necessary or appropriate.
10. Challenging Compliance - This Privacy Code and our privacy practices shall include
a clear process for responding to complaints that may arise with respect to our
handling and managing of personal information of customers and employees. A customer
or employee may make a complaint regarding SIS's compliance with its privacy policies
and practices to the designated individual in accordance with our complaint process.
Application of the Privacy Code
1.1 SIS meets the definition of organization for the purposes of the BC Personal
Information Protection Act. Our Privacy Code is therefore subject to the requirements
and regulations of the BC Personal Information Protection Act and our Code applies
to personal information of our customers and employees collected, used and disclosed
by SIS and to our practices in managing such personal information whether collected,
used or disclosed orally, electronically or in writing.
1.2 This Privacy Code does not protect contact information or work product information
as defined above.
1.3 There is certain personal information to which this Privacy Code does not
apply:
(a) personal information collected, used or disclosed for personal or domestic purposes,
(b) journalistic, artistic or literary purposes,
(c) for federal act purposes,
(d) for provincial Freedom of Information and Protection of Privacy Act purposes,
(e) personal information in a note, communication or draft decision of a decision
maker in an administrative proceeding or personal information that relates to the
exercise of functions of a member or officer of the Legislature or Legislative Assembly,
(f) personal information from a document related to a prosecution if all proceedings
related to the prosecution have not been completed,
(g) collection of personal information collected before BC Personal Information
Protection Act.
1.4 This Privacy Code does not apply to the following prescribed sources of public
information:
(a) an individual's name, address, telephone number and other personal information
that appears in a telephone directory or is available through Directory Assistance
provided the directory or directory assistance is available to the public and the
individual can refuse to have their personal information included in the directory
or made available by directory assistance;
(b) an individual's personal information that appears in a professional or business
directory, listing or notice available to the public and the
individual can refuse to have such personal information included in the directory;
(c) an individual's personal information appearing in a registry to which the public
has access provided such personal information is collected by an appropriate authority
in accordance with municipal, provincial or federal laws;
(d) an individual's personal information appearing in a printed or electronic publication
available to the public, such as a magazine, book or newspaper in printed or electronic
form.
Accountability
2.1 In order to meet its responsibilities for personal information under its possession
or control, SIS appoints the President and/or his/her designate to be accountable
for SIS's compliance with this Privacy Code and its statutory requirements under
the Personal Information Protection Act. The President and/or his/her designate
may appoint one or more persons to act on their behalf with respect to the responsibility
for day-to-day management, collection and processing of personal information.
2.2 The contact information of persons designated to be accountable for SIS's compliance
shall be made known upon request.
2.3 SIS shall put in place procedures and practices to give effect to this Privacy
Code and shall include:
2.3.1 Procedures and practices to protect personal information and to oversee compliance
with this Privacy Code;
2.3.2 Procedures and practices to receive and respond to requests for personal information,
inquiries and complaints;
2.3.3 Methods and means for training and communicating our privacy procedures and
practices to employees; and
2.3.4 Methods and means for communicating our privacy procedures and practices to
our customers and the public.
Purposes of Collection
3.1 SIS shall only collect, use and disclose personal information of customers and
employees for purposes that a reasonable person would consider appropriate in the
circumstances and that fulfill the purposes that SIS has disclosed to the individual.
3.2 SIS shall identify and specify orally, electronically or in writing to the employee
or customer the purposes for which personal information is collected, used and disclosed
at or before the time the personal information is collected.
3.3 SIS collects, uses, and discloses personal information only for the following
purposes:
• Internal employment purposes such as payroll, Canada Customs and Revenue
Agency, benefit administration, employment insurance, employment contract terms
etc.
• Client and partner information for communication purposes.
• Legal and other contracts and agreements between SIS and/or the University
of Victoria, and other individuals and/or organizations that are internal and/or
external to the University of Victoria.
• Applications and other correspondence tied to the various issues associated
with the filing of the different types of intellectual property protection, such
as the filing of patents, copyright, or trademarks etc.
• Corporate legal and other documentation as well as other administrative and
government required applications and correspondence associated with the incorporation,
post-incorporation process and ongoing management of SIS spin-off companies (in
which SIS is actively involved).
3.4 Designated persons collecting personal information on behalf of SIS shall upon
request, advise an individual of the purposes for such collection or refer the individual
to the President and/or his/her designate to provide an explanation.
3.5 SIS shall not collect, disclose or use personal information for any purpose
not identified or specified to an individual without obtaining their consent.
Consent
4.1 Subject to the exceptions in 2.2 and 2.3 above and 4.3 below, SIS will obtain
consent from an individual when collecting, using or disclosing personal information
from its customers or employees for the purposes outlined above.
4.2 Consent may be explicit (orally or in writing) or implied. Consent may be implied
by SIS where at the time consent is deemed:
4.2.1 the purpose would be considered obvious to a reasonable person;
4.2.2 the individual has voluntarily provided the personal information for that
purpose; or
4.2.3 SIS has given notice of the collection of personal information for a specified
period in a form that can be reasonably understood of its intention to collect,
use or disclose the personal information and the individual is given a reasonable
period of time to decline and does not decline and it is reasonable to collect,
use or disclose having regard to the sensitivity of the personal information.
4.3 Consent is not required for the following personal information which is permitted
to be collected and used from an individual or from a source other than an individual
without limitations:
4.3.1 is clearly in the interest of the individual and consent cannot be obtained
in a timely way;
4.3.2 is necessary for medical treatment of the individual and individual is unable
to give consent;
4.3.3 it is reasonable to expect that the collection or use with the consent of
individual would compromise the availability or accuracy of the personal information
and the collection is reasonable for an investigation or a proceeding;
4.3.4 where collection or use occurs by observation at a performance, a sports meet
or a similar event at which individual voluntarily appears and is open to the public;
4.3.5 is necessary to determine individual's suitability to receive an honour, award
or similar benefit such as honorary degree, scholarship or bursary or selected for
an athletic or artistic purpose;
4.3.6 organization is credit reporting agency and collection is for a credit report
and individual consents at the time the original collection occurs;
4.3.7 is required or authorized by law;
4.3.8 personal information is necessary to facilitate collection of debt owed or
payment of debt to an organization; and
4.3.9 collection or use of employee personal information is reasonable for establishing,
managing or terminating an employment relationship
4.4 With respect to the disclosure of personal information, SIS shall obtain consent
from an individual, with the exception of the following personal information which
is permitted to be disclosed from an individual or from a source other than an individual
without limitations:
4.4.1 is clearly in the interest of the individual and consent cannot be obtained
in a timely way;
4.4.2 is necessary for medical treatment of the individual and individual is unable
to give consent;
4.4.3 it is reasonable to expect that the disclosure with the consent of individual
would compromise the availability or accuracy of the personal information and the
collection is reasonable for an investigation or a proceeding;
4.4.4 where disclosure occurs by observation at a performance, a sports meet or
a similar event at which individual voluntarily appears and is open to the public;
4.4.5 is necessary to determine individual's suitability to receive an honour, award
or similar benefit such as honorary degree, scholarship or bursary or selected for
an athletic or artistic purpose;
4.4.6 organization is credit reporting agency and disclosure is for a credit report
and individual consents at the time the original collection occurs;
4.4.7 is required or authorized by law;
4.4.8 personal information is necessary to facilitate collection of debt owed or
payment of debt to an organization;
4.4.9 personal information is disclosed in accordance with a provision of a treaty
that authorizes or requires its disclosure or is made under an enactment of BC or
Canada;
4.4.10 disclosure is for the purpose of complying with a subpoena, warrant or order
issued or made by a court, person or body with jurisdiction to compel the production
of personal information;
4.4.11 the disclosure is to a public body or a law enforcement agency in Canada,
concerning an offence under the laws of Canada or a province, to assist in an investigation,
or in the making of a decision to undertake an investigation;
4.4.12 there are reasonable grounds to believe that compelling circumstances exist
that affect the health and safety of any individual and if notice of disclosure
is mailed to the last known address of the individual to whom the personal information
relates;
4.4.13 the disclosure is for the purpose of contacting next of kin or a friend of
an injured, ill or deceased individual;
4.4.14 the disclosure is to a lawyer who is representing the organization;
4.4.15 the disclosure is to an archival institution if the collection of personal
information is reasonable for research or archival purposes; and
4.4.16 disclosure of employee personal information is reasonable for establishing,
managing or terminating an employment relationship.
4.5 When obtaining consent from a customer or employee, SIS shall use reasonable
efforts to ensure that the individual is advised and reasonably understands the
purpose for which the personal information is being collected, used or disclosed.
4.6 Wherever possible, SIS shall seek consent to collect, use or disclose personal
information from a customer or employee at the time at which the personal information
is collected. In the event that this is not possible, SIS will seek consent after
the personal information is collected but prior to it being used or disclosed for
a different purpose that has not been identified or specified.
4.7 When seeking consent from customers, SIS will require consent as a condition
of using its website and/or supplying products and/or services provided such consent
is required for a purpose that has been identified or specified.
4.8 When determining whether express or implied consent is required, SIS shall take
into account the sensitivity of the personal information and the reasonable expectations
of its customers and employees.
4.9 SIS will, generally, imply consent to collect, use or disclose personal information
for its purposes, where a customer uses its products and/or services or an employee
accepts employment or receives benefits.
4.10 When seeking consent for the collection of personal information from customers
or employees, SIS shall set out the choices available to individuals regarding SIS's
collection, use or disclosure of the personal information at the time of collection
or prior to the use or disclosure of such personal information.
4.11 Upon obtaining consent, SIS shall record such consent such as via phone, by
mail, the Internet, a note to file, copy of an email, copy of a check off box or
entry in database field.
Withdrawal of Consent
5.1 SIS will honour a request of an individual to withdraw their consent to the collection,
use or disclosure of personal information where it receives reasonable notice and
stop collecting, using or disclosing that personal information unless it meets one
of the exceptions noted above or would frustrate the performance of a legal obligation
or consent was given to a credit reporting agency.
Limiting Collection of Personal Information
6.1 When collecting personal information of a customer or employee, SIS shall disclose
to the individual verbally or in writing, the purposes for the collection of the
personal information and shall limit the collection to the identified and specified
purposes.
6.2 SIS shall only collect personal information by reasonable, fair and lawful means.
6.3 SIS, generally, collects personal information from its customers and employees
although in certain circumstances, SIS may collect personal information from third
parties, such as credit bureaus, employers or personal references but only from
those third parties that represent that they have a right to disclose such personal
information.
Limiting Use, Disclosure and Retention of Personal Information
7.1 Other than where SIS has consent of the individual or by operation of law, SIS
shall not use or disclose personal information for purposes other than those identified
and specified.
7.2 SIS shall only retain personal information of an individual for the period necessary
to fulfill the purposes identified and specified, by operation of law or where making
a decision regarding a customer or employee as long as is reasonable to give customer
or employee the opportunity to access the personal information concerning the making
of the decision.
7.3 SIS shall limit the access of its employees to personal information to those
who are participating in the collection, use or disclosure of personal information
as part of their duties or to those who have a need to know within the SIS.
7.4 SIS shall maintain the means via reasonable controls, systems and practices
whereby personal information that no longer is necessary to retain is destroyed,
erased or rendered anonymous.
Accuracy and Security of Personal Information
8.1 SIS shall make all reasonable effort to ensure that personal information collected
is accurate and complete for the purposes for which it is collected particularly
where the personal information is likely going to affect the individual to whom the
personal information relates or is likely to be disclosed to another organization.
8.2 All personal information used by SIS shall be as accurate and complete as possible
and where such personal information is being used to make a decision that directly
affects an individual shall be retained by SIS for one year in order to provide
a reasonable opportunity for access by the individual.
8.3 SIS shall take reasonable security arrangements to prevent the unauthorized
access, collection, use, disclosure, copying, modification or disposal of personal
information in its custody and control in whatever form it is held. Such security
arrangements shall include protection from loss or theft and physical measures,
such as locking filing cabinets, restricting access to offices and alarm systems,
technological tools, such as passwords, encryption, firewalls and anonymizing software,
and organizational tools, such as security clearances, limiting access on a need
to know basis, staff training and confidentiality agreements.
8.4 SIS shall destroy its documents containing personal information or remove the
means by which personal information can be associated with the individual as soon
as the purpose for which the personal information was collected is no longer being
served by its retention or retention is no longer necessary for legal or business
purposes.
8.5 SIS shall not use deceptive or coercive means to collect personal information
and shall not dispose of personal information with an intent to evade a request
for access to personal information.
8.6 SIS shall protect personal information by ensuring that confidentiality provisions
bind both third parties to which personal information is disclosed and employees
who have access to personal information.
8.7 SIS shall regularly review and update security measures for personal information
where applicable.
Access to and Correction of Personal Information
9.1 Where SIS has collected, used or disclosed personal information of an individual,
an individual shall have the right to access and correct their personal information
in accordance with the following access and correction procedure:
9.1.1 the individual may, in writing, make a request to the President of SIS or
his/her designate concerning his or her personal information under the control of
SIS;
9.1.2 SIS shall provide information concerning the ways in which personal information
of the individual has been and is being used by SIS or has been disclosed by SIS;
9.1.3 the names of individuals and organizations to whom the personal information
has been requested;
9.1.4 With the exception of the following personal information, SIS will provide
access to an individual's personal information:
(i) personal information is protected by solicitor-client privilege;
(ii) disclosure would reveal confidential commercial information that if disclosed
could in the reasonable opinion of a reasonable person harm the competitive position
of SIS;
(iii) personal information was collected where consent is not required for the purposes
of an investigation or where proceedings have not been completed;
(iv) where personal information was collected by a credit organization 12 months
prior to the request from the individual;
(v) where the disclosure would threaten the safety, physical or mental health of
an individual, cause immediate or grave harm to the safety or physical or mental
health of an individual, or would reveal personal information about another individual;
9.1.5 having reviewed the personal information requested, the individual may request
SIS to correct an error or omission in that personal information that is: (i) about
the individual and (ii) is under the control of SIS;
9.1.6 SIS shall respond to an individual's request no later than 30 days from the
date of an individual's request unless the individual has not given sufficient detail
to enable SIS to identify the personal information being requested or more time
is needed given the large volume of personal information being requested which would
unreasonably interfere with SIS' operation or there is a need for more time to consult
with another organization or public body to determine whether to give access to
the requested document. In those circumstances, SIS may extend the time an additional
30 days or seek a longer period of time to respond from the privacy commissioner
and will advise the individual of the extension in time, the time period of the
extension and the rights of the individual to complain about the extension;
9.1.7 In responding to an individual's request, SIS shall advise the individual
when access to personal information in whole or in part is being refused, the reasons
for the refusal and the contact information of the officer or employee of SIS who
can answer the individual's questions concerning the refusal;
9.1.8 SIS shall make a reasonable effort to assist each applicant to respond as accurately
and completely as is reasonably possible to their request;
9.1.9 SIS shall make the correction as soon as reasonably possible or send the corrected
personal information to each organization to which the personal information was disclosed
during the year prior to the date the correction was made, where SIS is satisfied
that there are reasonable grounds for the request;
9.1.10 Where SIS does not make a correction it shall annotate the personal information
under its control that a request was made but the request was not implemented.
Challenging Compliance
11.1 SIS shall maintain a process for addressing and responding to complaints or
inquiries regarding its compliance with this Privacy Code including where appropriate
a process for seeking external advice prior to responding to individual complaints
or inquiries.
11.2 A customer or employee may make a complaint or inquiry regarding SIS' compliance
with this Privacy Code as follows:
11.2.1 An individual shall file a written complaint or inquiry to the President
of the SIS and/or his/her designate outlining the failure of SIS to comply with
this Privacy Code and the specified section and/or principle.
11.2.2 SIS shall investigate all written complaints or inquiries regarding its compliance
with this Privacy Code.
11.2.3 Where an investigation determines that a complaint is justified or action
is required regarding an inquiry, SIS shall take all appropriate steps to resolve
the complaint or take appropriate action to address the inquiry including where
applicable amending the practices and procedures of this Privacy Code.
11.2.4 Wherever possible, SIS shall respond to a written complaint within 30 days
provided the written complaint or inquiry provides sufficient information to respond
to. This response shall include details regarding the outcome of the investigation
and individual's complaint or inquiry.
11.2.5 In the event that SIS seeks external advice, the period to respond may be
extended for a reasonable period necessary to obtain such external advice.
11.3 In the event that an individual is not satisfied with handling of their complaint
by SIS, the individual may seek the assistance of the BC Privacy Commissioner. The
contact information for the Privacy Commissioner may be found at:
www.oipc.bc.ca
Transparency of Privacy Policies, Practices and Procedures
12.1 SIS shall make its privacy policies, practices and procedures available on
its website and readily available to individuals in person, in writing, by telephone,
in SIS publications.
12.2 SIS shall also make its policies, practices and procedures understandable for
its customers, employees and the public by identifying who within SIS is responsible
for compliance with this Privacy Code, how personal information can be accessed
by individuals, what personal information is held by SIS and how it is used.
The contact information for the President of SIS is as follows:
Sustainable Infrastructure Society
PO Box 3075 STN CSC
R Hut McKenzie Ave
Victoria, BC V8W 3W2
Telephone: (250) 472-4327
Fax: (250) 721-6497
E-mail: contact1@sustainis.org
Current contact information can also be found on SIS's website at:
www.sustainis.org.
For further information on SIS's Privacy Code, practices and procedures, contact
Vernon Rogers at (250) 472-4327. The BC Personal Information Protection Act can be
reviewed at: www.oipc.bc.ca