2004 Privacy Act
Conducting your Privacy Audit:

How-to Guidelines for Local Chambers and Boards of Trade

Recently, you will have received the Template Privacy Policy, to use as a tool in developing your chamber/board of trade’s privacy policy. As the policy is a written representation of an organization’s actual business practices, the first step to implementing such a policy is to conduct a privacy audit, meaning a review of your organizational practices regarding personal information – how and where your chamber/board of trade collects personal information, stores it and disposes of it.

Why should a local Chamber/Board of Trade develop a privacy policy?

As of January 1, 2004, privacy legislation will apply to private sector activities across Canada. The federal legislation, the Personal Information Protection and Electronic Documents Act, or PIPEDA, will apply to the handling of personal information by federally regulated private sector organizations and by provincially regulated entities in provinces that have not enacted their own legislation. This legislation covers organizations, including businesses and trade associations, when they collect personal information in the course of commercial activity. PIPEDA will apply in the territories, as well as in the provinces of Manitoba, New Brunswick, Newfoundland, Nova Scotia, Ontario, PEI, and Saskatchewan. The provinces of Alberta and British Columbia have legislation underway, and Quebec has had privacy legislation in place since 1994. Note that the Alberta legislation, if enacted as drafted, specifically covers not-for-profit organizations.

While most chambers and boards of trade are not-for-profit organizations, many do engage in varied commercial activities such as publication sales, events, and document certification services. Recall that personal information refers to information about an identifiable individual, but does not include work product or employee personal information (except in the province of Quebec, where employee personal information does count). Examples of personal information your chamber/board of trade may collect, especially while engaging in any of the above functions, could include:

- Credit cards (some people may pay with a personal, as opposed to a corporate, credit card)

- Driver’s license or other ID numbers

- Home addresses or telephone numbers

Please note that while most clients are corporate clients, and give corporate addresses or other information, in the case of sole proprietorships, or small-office home-office (SOHO) enterprises, corporate information is often also personal.

Here are some factors that the Canadian Chamber of Commerce weighed while conducting our own privacy audit and writing our privacy policy, which you may also wish to consider.

Step 1 - Establishing Accountable Staff

Start your audit by identifying your privacy officer. This individual must make himself or herself familiar with the relevant act. The Canadian Chamber of Commerce recommends appointing a senior level person as the privacy officer. This person will be responsible not only for fielding any questions, complaints and information requests, but will also be accountable for the implementation of the privacy policy.

You must indicate to your customers that you have a privacy officer and how that individual may be contacted. Note that you need only to “designate” the officer, meaning indicate the position title and contact details; you do not need to give the name of the individual. When providing contact information, you must also include more than an e-mail address in the event that customers do not have access to the Internet. The Canadian Chamber of Commerce recommends also including postal information and a fax number.

All staff need to be knowledgeable about and adhere to the privacy policy, so be ready to have your appointed privacy officer brief them.

Step 2 - Taking Stock of Your Personal Information Handling Practices

To establish your information use practices, obtain input from all relevant employees in all departments. The key questions to ask are:

1. What personal information do we as an organization collect?

2. What is it used for?

Ask staff to identify the following for their departments:

- What personal information do they collect?

- Why do they collect it?

- How do they collect it (for example, are forms used)?

- How long is personal information kept?

- Where is personal information filed or kept?

- How is it disposed of? (Shredded, recycled, thrown in the garbage?)

Depending on the size of your chamber or board of trade you may wish to have a team of representatives from each department aid the privacy officer in the audit. For example, representatives involved with finance/accounting or event management may be useful.

The information obtained from each department should be compiled in order to maintain proper documentation. This will allow the privacy officer or team to determine what private information is collected by the organization and whether there are any processes that must be modified or implemented to comply with privacy legislation. As well, compiling the information allows you to review and change your policy in the future, as necessary.

As your organization proceeds to writing your privacy policy or filling in the Template you recently received from the Canadian Chamber of Commerce, remember to compare your practices to the Ten Canadian Standards Association principles mentioned in that document. Once your privacy policy is completed, your organization must implement it by having your privacy officer or privacy team present it to all staff and oversee adherence to it.

Below are some key factors which we found useful to consider in greater detail.

Step 3 - Establishing Purpose, Getting Consent and Limiting Collection

The hallmark of PIPEDA is consent: an organization cannot collect, use, or disclose to someone else any personal information unless the person it is about gives knowledgeable consent. Volunteering information to you is a form of consent (for example, when someone gives you their credit card number to pay for a publication, they are consenting). To ensure that the consent being given is “knowledgeable”, you should include a statement of purpose on any and all forms you use to collect personal information.

What is purpose?

PIPEDA requires that organizations collect personal information only as appropriate to the purpose it is used for. This is governed by the “reasonable person” test: you can collect only what a reasonable person would consider appropriate for the business purpose. Essentially, you need to have a clear and limited idea of what you use personal information for. This purpose will govern what, generally, you collect. As you must identify this purpose to the people you collect personal information from, either prior to or at collection, you should then describe your purpose in your privacy policy. The description does not have to be exact, but should be specific enough to give an accurate and understandable description. For example:

Chamber X may collect personal information in order to administer chamber membership and for any of the below:

- Registration for events

- Management of subscriptions to Chamber X magazine

And any other purpose as identified by us to you at or before the time we request your personal information.

Step 4 - Establishing Guidelines for Use and Disposal

Personal information must be stored and disposed of in a way that is secure and would not compromise the privacy of the individual. Especially for more sensitive information, this means locked cabinets or rooms, or adequate security for computer files or records. In terms of storage, you should explore and develop internal guidelines on:

- Who has access to records

- Copying of forms/records

- How long forms are kept

- Where forms are kept

In terms of disposal, the chamber/board of trade is responsible for ensuring that the individual’s privacy is maintained even when you are disposing of the information. Sensitive financial information needs to be destroyed (i.e. shredded) or anonymised (card number blacked out). A certificate of destruction may be obtained from the supplier if a third party is performing the service for your organization.

When considering your use of personal information, you also need to review any arrangements you may have with third parties either to process personal information for administrative purposes, or for special events or provision of any specialty services. Under the legislation, the original collecting organization (whether it collected the information directly, or hired a firm to collect for it) is responsible for how the information is used. This means that if you use external service providers to administer information for you in any way, review the contracts to ensure they a) provide adequate protection for any information they store and b) do not use the information for any new purpose for which you did not seek consent.

In practical terms, this means that organizations that engage in list sales of personal information are prohibited from doing so if they do not have consent for this use. To aid you in developing relationships with service providers, the Canadian Chamber has developed the document Model Clause for transfer of Personal Information to a Data Processor that you may use in your contracts.

Step 5 - Record-Keeping for Transparency

One of the Act’s most important principles is that of transparency. Basically, how you use your clients’ information should be obvious to your clients and, if not, they must have clear and simple means to contact you and find out, including getting access to their records and correcting them as necessary. To facilitate this, review your record keeping policies to ensure accuracy of information and facilitate accessibility to files. Inform your staff that clients have a legal right to see their records, to make changes to them and/or to withdraw their consent for your organization’s use of their personal information.

As always: the purpose of this brief is to give chambers/boards of trade an idea of how to comply with incoming privacy legislation. It is not meant to be comprehensive or exhaustive. The Canadian Chamber of Commerce urges you to consult legal counsel for detailed advice on the legislation.

October 17, 2003

Northwestern Ontario Development Network Northwestern Ontario Municipal Association
Ontario Chamber of Commerce Canadian Chamber of Commerce
Aguasabon | Atikokan | Dryden | Emo | Fort Frances | Geraldton | Kenora
Nipigon | Sioux Lookout | Thunder Bay


The Northwestern Ontario Associated Chambers of Commerce