Thursday, June 21, 2012
Saskatchewan Arts Alliance
Principle 1 — Accountability
Saskatchewan Arts Alliance (SAA) is responsible for personal information under its control and designates the Executive Director to be accountable for SAA’s compliance with these privacy principles, even though other individuals within the SAA may be responsible for the day-to- day collection and processing of personal information. Other executive positions may be delegated to act on behalf of the designated executive position(s).
SAA shall make known, upon request, the identity or title of the executive position(s) designated to oversee the SAA’s compliance with the principles.
SAA is responsible for personal information in its possession or custody. SAA shall use appropriate means to provide a comparable level of protection when personal information is transferred to third parties.
SAA shall have policies and practices to give effect to the principles, including procedures to protect personal information, and to receive and respond to complaints and inquiries.
Principle 2 — Identifying Purposes
SAA shall document the purposes for which personal information is collected in compliance with the Openness principle and the Individual Access principle.
SAA shall determine the information it needs to collect and will collect only that information necessary for the purposes that have been identified.
SAA shall specify, orally or in writing, the purpose at or before the time of collection to the individual from whom the personal information is collected. Persons collecting personal information shall be able to explain to individuals the purposes for which the information is being collected.
Personal information shall be retained in accordance with documented guidelines and procedures established by the SAA. Unless a law requires a new purpose, SAA shall document the new purpose and seek consent of the individual before the information is used.
Principle 3 — Consent
SAA shall not require an individual to consent to the collection, use, or disclosure of personal information beyond that required to fulfil the explicitly specified, and legitimate purposes.
SAA shall seek express consent when collected personal information is likely to be considered sensitive. In cases where this information is less sensitive, SAA will consider implied consent appropriate.
SAA will consider consent is given in many ways. For example:
(a) an application form may be used to seek consent, collect information, and inform the individual of the use that will be made of the information. By completing and signing the form, the individual is giving consent to the collection and the specified uses;
(b) a checkoff box may be used to allow individuals to request that their names and addresses not be given to other organizations. Individuals who do not check the box are assumed to consent to the transfer of this information to third parties;
(c) consent may be given orally when information is collected over the telephone; or
(d) consent may be given at the time that individuals use a product or service.
An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice.
Principle 4 — Limiting Collection
SAA shall not collect personal information indiscriminately. Both the amount and the type of information collected shall be limited to that which is necessary to fulfil the purposes identified.
Principle 5 — Limiting Use, Disclosure, and Retention
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. SAA shall retain personal information only as long as necessary for the fulfilment of those purposes.
SAA will follow its guidelines and procedures with respect to the retention and destruction of personal information.
Personal information that is no longer required to fulfill the identified purposes shall be destroyed, erased or made anonymous according to the guidelines and procedures to govern the destruction and disposal of personal information.
Principle 6 — Accuracy
SAA shall update personal information as necessary to fulfil the purposes for which the information was collected.
Members and associates shall be responsible for informing SAA about changes to personal information as appropriate.
Principle 7 — Safeguards
SAA shall protect personal information with security safeguards appropriate to the sensitivity of the personal information.
Methods of protection may include
(a) physical measures, for example, locked filing cabinets and restricted access to offices;
(b) organizational measures, for example, limiting access on a "need-to-know" basis; and
(c) technological measures, for example, the use of passwords and firewalls.
SAA shall protect personal information disclosed to third parties by agreements or understandings stipulating the confidentiality of the information and the purposes for which it is to be used.
SAA shall provide information to its executive and employees on its policies and procedures for protecting members’ personal information and the importance of maintaining the confidentiality of personal information.
Principle 8 — Openness
SAA shall make readily available to individuals specific information about its policies and practices relating to the management of personal information. Information shall include
(a) the name/title and address of the person who is accountable for the organization's policies and practices and to whom complaints or inquiries can be forwarded;
(b) the means of gaining access to personal information held by the organization;
(c) a description of the type of personal information held by the organization, including a general account of its use;
(d) a copy of information that explains the organization's policies, standards, or codes; and
(e) what personal information is made available to related organizations.
Principle 9 — Individual Access
Upon request, an individual will be informed about whether or not SAA holds personal information about the individual and shall allow the individual access to this information.
Upon request, SAA shall provide an account of the use of personal information and an account of the third parties to which it has been disclosed. When not possible to provide a list of organizations to which personal information was actually disclosed, SAA shall provide a list of organizations to which it may have disclosed the information. Note: SAA shall limit exceptions where it may not be able to provide access to all the personal information it holds about an individual and shall give specific and reasons for denying access to the individual upon request. Exceptions may include information that is prohibitively costly to provide, information that contains references to other individuals, information that cannot be disclosed for legal, security, or commercial proprietary reasons, and information that is subject to solicitor-client or litigation privilege.
SAA will make every effort to respond to requests within a reasonable time and at minimal or no cost to the individual and in a form that is generally understandable.
SAA shall amend personal information when an individual successfully demonstrates its inaccuracy or incompleteness. When a challenge is not resolved to the satisfaction of the individual, the substance of the unresolved challenge shall be recorded by the SAA. When appropriate, the existence of the unresolved challenge should be transmitted to third parties having access to the information in question.
Principle 10 — Challenging Compliance
SAA shall have procedures in place to receive and respond to complaints or inquiries about SAA’s policies and practices relating to the handling of personal information.
SAA shall inform its members of the existence of these procedures as well as the availability of complaint procedures under the Act.
SAA shall investigate and respond to all complaints concerning compliance with these principles. If a complaint is found to be justified, SAA shall take appropriate measures to resolve the complaint including, if necessary, amending its policies and practices.