PIPEDA


Personal Information & Electronic Documents Protection Policy (January, 2004)

1. Collection of personal information.
The collection of personal information from CATA members is used only for meeting the purposes and obligations for which the information is intended and is reasonable within the scope and function of the organization.

2. Obtaining consent for collecting, using and disclosing personal information.

  • Implied consent - personal information (membership information, demographic data) that is collected to carry out the business of the organization and for the purposes of membership is considered implied and reasonable.
  • Express consent - for specific areas of business within the organization a member will provide consent in writing or verbally. The written consent may be given electronically (by fax or e-mail) and a copy of that consent is recorded by the organization.
  • Opt-out consent - for certain functions within the organization a member will be provided with the choice of opting out of providing consent.

3. Limits regarding collection, use and disclosure of personal information.
The CATA limits its collection, use and disclosure of personal information to what is necessary for carrying out the organization's obligations.

4. Ensuring that personal information is correct, complete and current.
To ensure that personal information is correct, complete and current, all such information is collected directly from the individual. A website database provides access for members to provide revisions and additions to personal information, and the organization also accepts personal information verbally, by fax or by e-mail.

5. Ensuring that adequate security measures are in place.
Security measures involve three safeguards: physical, administrative and technical.

Physical safeguards include:

  • Locking filing cabinets
  • Allowing only employees who need access to storage areas or filing cabinets to have access to them
  • Clearing files and records containing personal information off office desks at the end of day
  • Shredding papers containing personal information rather than putting them in a garbage can or recycling bin

Administrative safeguards include:

  • Training employees so that they know policies or rules for protecting personal information and the consequences of not following them
  • Policies in place to protect personal information that may be accessed or used by a branch of the organization (example: Regional Chapter Database Access)

Technical safeguards include:

  • Using screensavers so visitors cannot see information on computers
  • Using firewalls and anti-virus programs on computers
  • Using passwords to make sure that only employees have access to information on computers and changing the passwords often
  • Erasing computer hard drives if they have been sold or donated

6. Timetable for keeping and destroying information.
The CATA retention periods or schedules for information are based on financial, legal, audit and operational requirements. Safe business practices and care (shredding, bonded recycling) are taken in disposing of or destroying personal information to prevent unauthorized parties from gaining access to the information.

7. Processing access requests.
Access requests will be received by the CATA National Office and the CATA Board of Directors and will be handled according to the Personal Information Protection Act (S.A. 2003, C. P-6.5) - Part 3, Division 1: Access and Correction, Sections 23-27.

8. Responding to enquiries and complaints.
Enquiries and complaints will be handled by the CATA National Office and by the CATA Board of Directors, according to the Personal Information Protection Act (S.A. 2003, C. P-6.5) - Part 3, Division 1: Access and Correction, Sections 28-32.