The purpose of Arctic Co-operatives Limited policy on privacy is to ensure adherence to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) that took effect on January 1, 2001.
Arctic Co-operatives Limited must obtain an individual’s consent when collecting, using, or disclosing the individual’s personal information. Individuals have a right to access their own personal information held by Arctic Co-operatives Limited and to challenge its accuracy if need be. Personal information can only be used for the purposes for which it was collected. If the information is going to be used for another purpose, consent must be obtained from the individual. Individuals should also be assured that specific safeguards protect their information, including measures such as locked cabinets or computer passwords are in place.
Consent – voluntary agreement with what is being done or proposed. Consent can be either express or implied. Express consent is consent given directly by the individual, either orally or in writing. Express consent is
unequivocal and does not require an inference on the part of the organization seeking consent. Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual.
Disclosure – making personal information available to others. Personal Information – any factual or subjective information, recorded or not, about an identifiable individual.
This includes information in any form such as:
• Name, age, ID numbers, income, or ethnic origin;
• Opinions, evaluations, comments, social status, or disciplinary actions;
• Employee files, credit records, loan records, medical records, existence of a dispute between an employee and the organization or between a vendor and the Co-operative System.
Personal information does not include the name, title, business address, or business telephone number of an employee, vendor, or Co-operative.
1. Accountability – All employees of the Arctic Co-operatives Limited are accountable for the proper management of personal information. Employees who are unsure should talk to their Division Manager.
2. Identifying Purposes of Collecting Information -What do we need the personal information for? How will it be used?
3. Consent – Do we have consent of the individual to use their personal information for the purpose it is being used for?
4. Limiting Collection – Limit the collection of information to what is required for the purposes identified.
5. Limiting Use, Disclosure, and Retention – Information will be used only for what was collected for, disclosed only to those who require it, and disposed of when it is no longer required.
6. Accuracy – We should not use information if we question the accuracy of it.
7. Safeguards – Secure information between collection and disposal. Protect information against loss or theft. Identify minimum and maximum retention periods.
8. Openness – Let individuals know why we are collecting their personal information and what it will be used for.
9. Individual Access -Allow individuals to view their own information upon their request.
10. Challenging Compliance – See Complaints section of the policy.
The Vice President, Human Resources is designated as the individual who will be accountable for ensuring that Arctic Co-operatives Limited complies with the ten privacy principles (Chief Compliance Officer). Other individuals within the organization may be accountable for the day-to-day collection and processing of personal information or to act on behalf of the Chief Compliance Officer.
1. Identify the personal information required and why.
2. Obtain consent from the individual.
3. Document the personal information. Ensure it is correct, complete, and current.
4. Ensure the information is saved and filed in a secure place such as a locked filing cabinet, a locked office, or in password protected files.
5. When asked for personal information, ensure you know who is asking and why.
6. Enable individuals to access their own personal information.
7. Check that the information requested is consistent with the reason the information was collected.
8. Respond to inquiries and complaints. Contact the Vice President, Human Resources, if you require assistance.
9. Ensure any information provided to others is provided in a confidential manner and secured in a way that ensures individuals’ privacy cannot be breached.
10. Shred any confidential information that is not longer required.
Arctic Co-operatives Limited will disclose personal information only if you consent to its disclosure, or it is required by law. (For example, to comply with a warrant, or an order made by a court, person, or entity with jurisdiction to compel the production of information).
All complaints regarding compliance with this policy, as well as the provisions of the Personal Information and Electronics Documents Act, shall be directed in writing to the attention of the Chief Compliance Officer. If the complaint is regarding a situation in Human Resources, the individual may report the complaint directly to the Arctic Co-operatives Limited Chief Executive Officer.
1. Investigation – The Chief Compliance Officer or designate will investigate all complaints and render a decision in writing within 45 days of receipt of the complaint.
2. Complaint Justified – Arctic Co-operatives Limited will take appropriate measures to address the complaint including, where necessary, an amendment to this policy or any practice.
3. Complaint Not Justified – Arctic Co-operatives Limited will inform the complainant in writing of its decision and will inform the complainant of their right to complain to the Privacy Commissioner.
All inquiries regarding Arctic Co-operatives Limited policies and practices relating to the management of personal information must be directed to the Chief Compliance Officer or designate. The Chief Compliance Officer or designate will respond to such an inquiry as soon as practical.