Association of Municipalities
of Ontario (AMO)
Personal Information Protection Policy
(January 28, 2005)
Purpose:
This Policy governs the collection, use and
disclosure of Personal Information by the Association from and about
Members, Program Participants, Purchasers of AMO products and services,
and Employees of the AMO or from other individuals who may access the
Association’s Website(s).
This Policy has been developed in accordance with
the principles set out in the Personal Information Protection and Electronic Documents Act,
Statutes of Canada 2000, Chapter 5 (PIPEDA).
Summary of Policy Sections:
1. Definition of Personal Information
2. Collecting and Retaining Personal Information – Membership
3. Collecting and Retaining Personal Information – Education and
Training
4. Collecting and Retaining Personal Information – Purchase of AMO
Products and Services
5. Collecting and Retaining Personal Information – Employees and
Prospective Employees
6. Collecting and Retaining Personal Information – AMO
Website(s)
7. Monitoring of Computer Resources, Premises and E-mail Activity
8. Exchange of Personal Information with Other Organizations
9. Disclosure of Personal Information – Special Circumstances
10. Maintaining Accuracy of Personal Information
11. Security of Information
12. Accessing and Updating Personal Information
13. Questions Regarding the Association’s Privacy Policy
14. Revisions to Policy
15. Effective Date
Policy:
1. Definition of Personal
Information
For the purposes of this policy, Personal
Information is defined as “any information about an identified
individual, recorded in any form, that can be used to distinguish,
identify, evaluate or contact the individual or which can be used to
infer or determine the identity of an individual.”
Personal Information collected by the Association
includes:
a) Home address, home telephone number and
personal e-mail address information;
b) Business e-mail address information (included in Policy pending
clarification from Government of Canada with respect to PIPEDA
exclusions);
c) Employee information required for payroll and
employee benefit purposes including date of birth, marital status,
social insurance number, banking information and beneficiary and
dependent information;
d) Information gathered from current or
prospective employees for recruitment and retention purposes including
resumes, application letters, employment references, disciplinary
records and performance evaluations;
e) Financial information, such as credit card
numbers, provided by Members, Program Participants, and Purchasers of
AMO products and services for membership, conference or program
registration, and merchandise or service acquisition
purposes.
For greater certainty, as set out in Regulations
accompanying the PIPEDA legislation, Personal Information does not
include an individual’s name, job title, employer name, business
address or business telephone number.
2. Collecting and Retaining Personal
Information – Membership
The Association collects and retains Personal
Information from new and existing Members in order to:
a) Establish a point of contact for future
membership mailings and distribution of Association
communications;
b) Process membership fee payments.
The Association may disclose the Personal
Information collected from Members to organizations that assist the
Association with the distribution of Association communications.
Personal Information will only be provided to such organizations if they
agree to use such information solely for the purpose of distributing
Association communications under the instruction of the Association and,
with respect to that information, to act in a manner consistent with the
principles articulated in this Policy.
Member consent to the collection and retention of
this Personal Information is presumed to be given at the time of
submitting the information to the Association. Forms utilized to gather
this Personal Information will clearly indicate the purposes for which
the information is being collected and retained.
Personal Information, excluding financial
information, collected from Members is retained:
a) For the duration of the individual’s
membership in the Association;
b) Until such Personal Information is superseded,
in which case any “obsolete” Personal Information is
destroyed;
c) For a period of ten (10) years following an
individual’s termination of their membership in the Association,
except where the individual is deceased prior to the conclusion of the
ten (10) year period, in accordance with the provisions of the
Association’s records retention policy. In the case of deceased
individuals, disposal of any Personal Information retained will occur
within no more than thirty (30) days following the date upon which the
Association becomes aware that the individual is deceased.
Financial information collected from Members is
retained:
a) As required to comply with audit, statutory or
other legal purposes.
3. Collecting and Retaining Personal
Information – Education and Training
The Association conducts various education and
training programs throughout the year.
These programs include seminars, workshops, and
conferences. The Association collects and retains Personal Information
from Program Participants in the Association’s education and
training programs in order to:
a) Establish a point of contact for future
distribution of program materials and registration
confirmations;
b) Process fee payments for registration in
education and training programs.
The Association may collect Personal Information
from organizations and individuals who assist the Association with the
offering of the Association’s education and training
programs.
The Association will use such information solely
for the purposes of:
a) Gathering evidence of the successful completion
of the education and training programs;
A Program Participant’s consent to the
collection and retention of this Personal Information is presumed to be
given at the time of submitting the information to the Association.
Forms utilized to gather this Personal Information will clearly indicate
the purposes for which the information is being collected and
retained.
Personal Information, excluding financial
information, collected from Program Participants is retained:
a) For the duration of the individual’s
enrolment in the education or training program;
b) Until such Personal Information is superseded,
in which case any “obsolete” Personal Information is
destroyed;
c) For a period of five (5) years following an
individual’s completion of the education or training program, in
accordance with the provisions of the Association’s records
retention policy.
Financial information collected from Program
Participants is retained:
a) As required to comply with audit, statutory or
other legal purposes.
4. Collecting and Retaining Personal
Information – Purchase of AMO Products and Services
The Association collects and retains Personal
Information from Purchasers of AMO products and services in order
to:
a) Establish a point of contact for distribution
and delivery of products purchased;
b) Process payments for products and services
purchased.
Consent to the collection and retention of this
Personal Information is presumed to be given by the Purchaser at the
time of submitting the information to the Association. Forms utilized to
gather this Personal Information will clearly indicate the purposes for
which the information is being collected and retained.
Personal Information collected from Purchasers of
AMO products and services is retained:
a) As required to comply with audit, statutory or
other legal purposes.
5. Collecting and Retaining Personal
Information – Employees and Prospective Employees
The Association collects and retains Personal
Information from Employees in order to:
a) Administer payroll and benefit
plans;
b) Process Employee work-related claims, such as
WSIB claims, insurance claims and disability claims;
c) Establish training and/or development
requirements;
d) Assess qualifications for a particular
assignment, job or task;
e) Gather evidence, as applicable and necessary,
for pay for performance programs or disciplinary action;
f) Establish a contact point in case of
emergency;
g) Comply with applicable labour or employment
statutes.
The Association may disclose the Personal
Information collected from Employees to organizations that assist the
Association with the administration of the Association’s employee
benefit plans or have been retained for labour relations purposes.
Personal Information will only be provided to such
organizations if they agree to use the information solely for the
purpose of providing services to the Association and under the
instruction of the Association and, with respect to that information, to
act in a manner consistent with the principles articulated in this
policy.
Employee consent to the collection and retention
of this Personal Information shall be made in writing at the time of
submitting the information to the Association. Forms utilized to gather
this Personal Information will clearly indicate the purposes for which
the information is being collected and retained.
Personal Information, excluding financial
information, collected from Employees is retained:
a) For the duration of the individual’s
employment with the Association;
b) Until such Personal Information is superseded,
in which case any “obsolete” Personal
Information is destroyed;
c) For a period of six (6) years following an
individual’s termination of their employment with the Association,
in accordance with the provisions of the Association’s records
retention policy.
Financial information collected from Employees is
retained:
a) As required to comply with audit, statutory or
other legal purposes.
The Association also collects and retains Personal
Information from Prospective Employees through a recruitment process in
order to:
a) Determine eligibility for initial employment,
including the verification of references and qualifications;
b) Assess qualifications for a particular
assignment, job or task.
A Prospective Employee’s consent to the
collection and retention of this Personal Information is presumed to be
given at the time of submitting the information to the Association.
Published and verbal requests for this Personal Information will clearly
indicate the purposes for which the information is being collected and
retained.
Personal Information collected from Prospective
Employees, not selected through a recruitment process, is
retained:
a) For the duration of the recruitment process, up
to and including the date upon which an offer of employment is accepted
by the selected applicant.
Unsolicited Personal Information received from
Prospective Employees is not retained by the Association and is
discarded upon receipt.
6. Collecting and Retaining Personal
Information – AMO Website(s)
The Association collects and retains Personal
Information submitted by individuals accessing the Members and/or
Subscribers Only portions of the AMO Website(s). The collection and
retention of this information is handled in accordance with the
applicable sections of this Policy with respect to the collection and
retention of Personal Information for various Association
purposes.
The Association does not collect any Personal
Information from individuals accessing the public portions of the AMO
Website(s). The Association’s Website(s) operating system(s) may
automatically record certain general, and non-personal, information
regarding an individual’s access to the AMO Website(s). Further
information regarding the non-personal information collected is
contained in the Association’s Website(s) Privacy Policy
document.
The Association’s Website(s) does provide
links to other websites. Once an individual links to another site, the
individual is subject to the privacy and security policies of the new
site. The Association does not retain any responsibility with respect to
the collection and retention of Personal Information by other
organizations through these linked websites.
7. Monitoring of Computer Resources, Premises
and E-mail Activity
The Association provides its Employees with
computers, telephones and related office and communications equipment,
as well as software applications.
The Association may monitor its computer resources
to ensure that damage to these resources is limited and that illegal use
is prohibited. The Association may also monitor its physical premises to
ensure that only authorized personnel access the Association’s
offices or certain areas within these offices. Such monitoring is
undertaken to ensure the efficient use of the Association’s
systems and equipment, to protect the Association’s property and
to ensure compliance with applicable laws and Association
policies.
In the course of conducting business, the
Association may monitor Employee e-mail activities. E-mail applications
will normally contain all e-mails that have been sent and received by
Association Employees. Back-ups and archives may also contain copies of
emails that Employees have deleted. The e-mail system utilized by the
Association is the property of the Association but Employees may send
and receive personal e-mail on the understanding that such e-mails are
neither private nor confidential. The Association reserves the right to monitor the e-mail system, including
all e-mail sent, received or created. Access rights to Employee e-mail
boxes and logs will be restricted to those individuals with the
responsibility for administering the Association’s information
technology systems. Such access will be as limited as
possible.
All monitoring will be done on an “as
required” basis and will be in proportion to the risks that the
Association faces. The Association will conduct any monitoring in the
least intrusive way possible.
8. Exchange of Personal Information with Other
Organizations
Unless detailed in this Policy, the Association
does not sell, trade, barter or exchange for consideration any Personal
Information collected from Members, Program Participants, Purchasers of
products and services or Employees of the AMO.
9. Disclosure of Personal Information –
Special Circumstances
Circumstances may arise where the use and/or
disclosure of Personal Information may be justified or permitted or
where the Association is obliged to disclose the information without
consent. Such circumstances would include, but not be limited
to:
a) Where required by law or by order of a court,
administrative agency or other governmental tribunal;
b) Where the Association believes, upon reasonable
grounds, that disclosure is necessary to protect the rights, privacy,
safety or property of an identifiable person or group;
c) Where required to determine or administer
Employee pay or benefits;
d) Where it is alleged that the person concerned
is: guilty of a criminal offence, civilly liable in a legal action; or
guilty of professional misconduct;
e) Where disclosure is necessary to permit the
Association to pursue available remedies or limit any damages that it
may sustain;
f) Where the information is otherwise deemed to be
public information.
Where obliged or permitted to disclose Personal
Information without consent, the Association will not disclose more
information than is required.
10. Maintaining Accuracy of Personal
Information
To the best of its ability, the Association will
ensure that any Personal Information in its possession is as accurate,
current and complete as necessary for the purposes for which the
Association has collected the information.
11. Security of Information
The Association will maintain adequate physical,
procedural and technical security with respect to its offices and
information storage facilities so as to prevent any loss, misuse,
unauthorized access, disclosure, or modification of Personal Information
collected and retained.
As part of these precautions, the Association will
restrict access to an individual’s Personal Information to those
employees or organizations that the Association determines require
access to the information in order to fulfill their respective
responsibilities to the Association.
If an employee or organization misuses the
Personal Information to which they have access, this will be considered
a serious offence. In the case of an employee, disciplinary action will
be taken which, depending upon the degree of misuse, may include
termination of employment. If an organization providing services to the
Association misuses this Personal Information, action will be taken, up
to and including termination of the service agreement between the
Association and the organization.
12. Accessing and Updating Personal
Information
Upon request, the Association will provide
Members, Program Participants, Purchasers of AMO products and services,
and Employees access to the Personal Information collected and retained
about them. If the Member, Program Participant, Purchaser, or Employee
believes that the Personal Information about them is not correct, they
may, depending upon the nature of the Personal Information, make or
request an amendment to that information. The Association reserves the
right to not change the Personal Information but will append any
alternative information, which the individual concerned believes to be
appropriate.
Requests for access to Personal Information will
be addressed within a reasonable time and no later than thirty (30) days
following the date of the request.
To guard against fraudulent requests for access or
corrections, the Association may request sufficient information to allow
the Association to confirm that the individual making the request is
authorized to do so, before granting access or making
corrections.
The Association reserves the right to decline to
provide access to Personal Information, upon the request of an
individual, where the information requested:
a) Would disclose Personal Information, including
opinions, about another individual or about a deceased
individual;
b) Would disclose confidential information about
the Association or a third party that may harm the Association or third
party or interfere with contractual or other negotiations of the
Association or a third party;
c) Is subject to solicitor-client or litigation
privilege;
d) Is not reasonably retrievable and the burden or
cost of providing the information would be disproportionate to the
nature or value of the information;
e) Does not exist, is not held, or cannot be found
by the Association;
f) Could reasonably result in serious harm to the
treatment or recovery of an individual concerned, serious emotional harm
to the individual or another individual, or serious bodily harm to
another individual;
g) May harm, or interfere with, law enforcement
activities and other investigative or regulatory functions of a body
authorized by statute to perform such functions.
Where information will not or cannot be disclosed,
the individual making the request will be provided with the reasons for
non-disclosure.
The Association reserves the right to not respond
to repetitious or vexatious requests for access.
13. Questions Regarding the Association’s
Privacy Policy
In the event that a Member, Program Participant,
Purchaser of AMO products and services, or Employee of the Association
has questions about:
a) Access to Personal Information collected and
retained by the Association;
b) The collection, use, management or disclosure
of Personal Information;
c) The contents of the Association’s Privacy
Policy;
the individual will be directed to contact the Privacy Officer
appointed by the Association’s Board of Directors.
14. Revisions to Policy
The Association may, from time to time, review and
revise its privacy practices and this Policy. In the event of a policy
amendment, the Association’s Members, Program Participants,
Purchasers of products and services, and Employees and other individuals
who may access the Association’s Website(s) will receive
appropriate notice as soon as possible following the amendment. Policy
changes will apply to Personal Information
collected from the date of the revised Policy as well as existing
Personal Information, which the Association has already collected and
retained.
15. Effective Date
This Policy shall be in effect as of January 1st,
2004.