Protection of Personal Information
Protection of Personal Information
Ottawa Police Credit Union Limited will adopt the Credit Union Code for the Protection of Personal Information (the Code) prior to January 1, 2004. The requirements of the Code establish Ottawa Police Credit Union Limited’s operational use of personal information as well as use of employee information.
The following ten interrelated privacy principles are specified in the Personal Information Protection and Electronic Documents Act, and form the basis of the Code:
- Accountability – Ottawa Police Credit Union Limited is responsible for personal information under its control and shall designate a Privacy Officer who is accountable for Ottawa Police Credit Union Limited’s compliance with the principles of the Code.
- Identifying Purposes – The purposes for which personal information is collected shall be identified by Ottawa Police Credit Union Limited at or before the time the information is collected.
- Consent – The knowledge and consent of the member are required for the collection, use and disclosure of personal information, except in specific circumstances as described within this Code.
- Limiting Collection – The collection of personal information shall be limited to that which is necessary for the purposes identified by Ottawa Police Credit Union Limited. Information shall be collected by fair and lawful means.
- Limiting Use, Disclosure and Retention – Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the member or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.
- Accuracy – Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
- Safeguards – Personal information shall be protected by security safeguards appropriate to the sensitivity of the information. Ottawa Police Credit Union Limited will apply the same standard of care as it applies to safeguard its own confidential information of a similar nature.
- Openness – Ottawa Police Credit Union Limited shall make readily available to members specific, understandable information about its policies and practices relating to the management of personal information.
- Individual Access – Upon request, a member shall be informed of the existence, use, and disclosure of their personal information, and shall be given access to that information. A member is entitled to question the accuracy and completeness of the information and have it amended as appropriate on proof of inaccuracy.
- Challenging Compliance – A member shall be able to question compliance with the above principles to the Privacy Officer accountable for Ottawa Police Credit Union Limited’s compliance. Ottawa Police Credit Union Limited shall have policies and procedures to respond to the member’s questions and concerns.
Ottawa Police Credit Union Limited Board of Directors is accountable for credit union compliance with the Code, the creation and review of all Board policies specific to the Code and the designation of a credit union Privacy Officer.
The Board of Directors, in consultation with the General Manager, will designate a Privacy Officer, who has primary day-to-day responsibility for compliance with the Code. The Board of Directors will notify all employees, and any affected third parties, in writing of the appointment.
Board Reporting and Notification
The Privacy Officer will continually review compliance within Ottawa Police Credit Union Limited and its third party suppliers, and will report to the Board of Directors any matters concerning non-compliance with Ottawa Police Credit Union Limited’s Code principles, policies or procedures that are likely to require input from the Board (e.g., any matter that could result in an investigation or audit by the Office of the Privacy Commissioner).
The Privacy Officer will prepare a Quarterly Report for the Board that identifies key activities (e.g., a review of third party contracts, training initiatives, review of policies and procedures) and recommended changes for Board consideration. The report should also include an overview of the number of enquiries, number of access requests, and details regarding challenges to compliance.
The Board will review the steps taken to address any deficiencies or weakness in compliance.
The Privacy Officer will prepare an annual review of the effectiveness of the board policies to ensure compliance with the Code and to recommend any revisions as deemed appropriate. This report is due within four months of the end of each calendar year.
Approval and Documentation of Purposes
The Privacy Officer will document all purposes, including existing and new purposes, for which personal information is collected, used or disclosed. All new purposes must be approved by the Privacy Officer prior to collection of information for the new purpose.
If the proposed purpose is significantly different than existing purposes or involves a new disclosure to a third party, the proposed purpose must be approved by the Board of Directors prior to implementation.
Ottawa Police Credit Union Limited will make reasonable efforts to ensure that members are aware of the purpose for which their personal information is collected, including any disclosure of their personal information to third parties. The primary communication method will be the use of written or electronic statements on applications, forms, contracts and agreements.
Ottawa Police Credit Union Limited will ensure that all employees are aware of the purposes for which employee information is collected, including any disclosure of their personal information to third parties. This will be communicated verbally and in writing at the commencement of employment.
Once member consent is obtained, further member consent will not be required when personal information is supplied to agents of Ottawa Police Credit Union Limited who carry out functions such as data processing, credit bureaus, cheque printing and cheque processing.
Ottawa Police Credit Union Limited Privacy Officer must authorize all instances where a member’s information is collected, used or disclosed without the member’s knowledge and consent.
Express consent in writing, through the use of applications, signed forms and contracts, will be used for obtaining consent for the collection, use or disclosure of personal information.
Implied consent will be used for marketing purposes or to disclose nominative information to an affiliated organization. Implied consent must never contravene the “Act”.
The Privacy Officer must review and approve all methods of obtaining consent.
Limits on Consent to Information Collection
Ottawa Police Credit Union Limited will not, as a condition of the supply of a product or service, require a member to consent to the collection, use, or disclosure of information beyond that required to fulfill explicitly specified and legitimate purposes.
Where additional, non-essential information for a product or service is sought from members, this will be identified as optional information, and collected only at the discretion of the member.
Refusal to provide this optional information will not influence the member’s consideration for a product or service.
The Privacy Officer will review the personal information requirements of all products or services to ensure that only information required for the legitimate purpose is collected and used.
Ottawa Police Credit Union Limited will obtain a written request (signed and dated) from a member who seeks to withdraw consent. The written request must acknowledge that the member has been advised that Ottawa Police Credit Union Limited may subsequently not be able to provide the member with a related product, service or information that could be of value to the member.
The withdrawal of consent is subject to any legal or contractual restrictions that Ottawa Police Credit Union Limited may have with the member or other organizations such as: the Income Tax Act; credit reporting; or to fulfill other fiduciary and legal responsibilities.
Ottawa Police Credit Union Limited will not collect personal information indiscriminately. It will specify both the amount and the type of information collected, limited to that which is necessary to fulfill the purposes identified, in accordance with these policies.
Limiting Use, Disclosure and RetentionSafeguard Standards
Ottawa Police Credit Union Limited will protect the interests of its members by taking reasonable steps to ensure that:
- orders or demands comply with the laws under which they were issued
- only personal information that is legally required is disclosed
- casual requests for personal information are denied
- all information disclosed to third parties receives the same standards of care as within Ottawa Police Credit Union Limited (see Protection of Member Information with Third Parties).
Ottawa Police Credit Union Limited will make reasonable attempts to notify the member that an order has been received, if not contrary to the security of Ottawa Police Credit Union Limited and if the law allows. Notification may be by telephone, or by letter to the member’s usual address.
Retention & Destruction of Personal Information
The Privacy Officer will ensure that guidelines and procedures with respect to the retention of personal information are maintained within Ottawa Police Credit Union Limited. These guidelines will include minimum and maximum retention periods and will conform to any legislative requirements. The Privacy Officer will ensure that Ottawa Police Credit Union Limited has guidelines and procedures to govern the destruction of personal information.
The Privacy Officer will ensure Ottawa Police Credit Union Limited has guidelines and procedures to ensure member and employee data is as accurate, complete and current as necessary. Ottawa Police Credit Union Limited will not routinely update personal information, unless such a process is necessary to fulfill the purposes for which the information was collected.
Credit Union Safeguards
Credit union security safeguards will protect personal information against loss or theft, as well as unauthorized access, use, copying, modification, disclosure or disposal. Ottawa Police Credit Union Limited will protect personal information regardless of the format in which it is held.
The Privacy Officer will:
- collaborate with third parties specializing in security safeguards, as required, to ensure the required level of protection
- conduct regular reviews of organizational and employee practices related to the safeguarding of personal information
- periodically remind employees, officers and directors of the importance of maintaining the security and confidentiality of personal information.
Employees, officers and directors are individually required to sign a Statement of Ethical Conduct annually. The statement must include a commitment to keep members’ personal information secure and strictly confidential.
Destruction of Personal Information Safeguards
Ottawa Police Credit Union Limited will dispose of/destroy personal information in a secure manner to prevent any unauthorized access. The Privacy Officer will periodically review the disposal and destruction methods used by credit union employees.
Ottawa Police Credit Union Limited will make specific and understandable information about its policies and procedures relating to the management of personal information readily available to members.
This information will include the following:
- name or title and address of the Privacy Officer to whom complaints or inquires can be directed
- the means of gaining access to personal information held by Ottawa Police Credit Union Limited
- a description of the type of personal information held at Ottawa Police Credit Union Limited, including a general account of its use
- types of personal information made available to related organizations such as subsidiaries or third party suppliers of services.
The Privacy Officer will review the methods of dissemination, and the form in which the information is presented to ensure that it is easy to locate, understandable and accessible.
All requests for access to personal information must be submitted in writing and include adequate proof of the individual’s identity/right to access, and sufficient information to allow Ottawa Police Credit Union Limited to locate the requested information.
Exceptions to the access requirement will be limited and specific and include the following:
- providing access would reveal personal information about a third party
- information protected by solicitor-client privilege
- providing access would reveal confidential commercial information
- providing access might threaten the life or security of another individual
- information generated in the course of a formal dispute resolution process
- personal information to which the member has requested access has been requested by a government institution for law enforcement, or an investigation related to law enforcement
- information collected without knowledge or consent for purposes related to investigating a breach of an agreement or a contravention of Ontario or Canadian law.
The Privacy Officer must be made aware of any situations involving employees, members or other individuals that would result in legal restrictions on access.
Treatment of Opinions and Judgements
Ottawa Police Credit Union Limited cannot withhold from a member any opinions and judgements formed about the member in determining their eligibility for any products and services. Ottawa Police Credit Union Limited will provide a member, on written request, access to all information that may have been used in making a determination about a member’s eligibility for a service, other than in the specific restrictions mentioned above.
Ottawa Police Credit Union Limited will respond to a member’s request for information within 30 days. This timeframe can be expanded, but only if required, and on written notification to the member.
Cost of Response
At the Privacy Officer’s discretion, Ottawa Police Credit Union Limited may impose a fee at a stated and reasonable hourly rate where collection of the requested information requires exceptional time and effort. The member must be informed of, and agree to, an estimate of costs prior to the commencement of the request.
Any individual, not just a member or a credit union employee, can challenge Ottawa Police Credit Union Limited’s compliance with any of the Code principles. The Privacy Officer will investigate all complaints.
Inquiry & Complaint Handling Process
The Privacy Officer will maintain documented procedures for responding to all questions or concerns.
Inquiries and complaints must be in writing, with a formal process in place to receive and track them. Ottawa Police Credit Union Limited must respond as quickly as possible within 30 days.
Required Measures for Justified Complaints
The Privacy Officer is responsible for ensuring appropriate measures are taken when a complaint is found to be justified. These measures will include:
- written response to the complainant within 30 days
- revision of the challenged personal information
- revision to policies and procedures, if required
- review of any complaint that requires disciplinary action against a credit union employee with the appropriate manager
- reporting non-compliance to the Board of Directors, including the actions proposed or taken to resolve the issue.
Protection of Member Information with Third Parties
Third Party Accountability
Ottawa Police Credit Union Limited will use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.
Personal information disclosed to unrelated third party suppliers is strictly limited to programs endorsed by Ottawa Police Credit Union Limited. The Privacy Officer must be satisfied that the personal information is adequately safeguarded by the third party.
Third Party Agents/Suppliers Safeguards
Third party agents or suppliers will be required to safeguard personal information disclosed to them in a manner consistent with the policies of Ottawa Police Credit Union Limited. Examples include data processors, credit bureaus, cheque printers, and cheque processors.
Ottawa Police Credit Union Limited will not enter into any commercial relationships with organizations that do not agree to abide by acceptable limitations on information uses and appropriate safeguards.