Model Privacy Officer Terms of Reference and Management/Employee Guidelines
British Columbia Drama Association
Privacy Officer Terms of Reference and Management/Employee Guidelines Effective ( Date )
The Privacy Officer and an alternate will be appointed by (Board of Directors). The Privacy Officer may delegate others to act on his or her behalf. In the absence of the Privacy Officer, the alternate will be responsible for acting as the Privacy Officer.
The Privacy Officer reports directly to the Board of Directors.
All employees will be notified of the name of the Privacy Officer and the alternate, and the title will be listed beside the name of the individuals in the internal directory.
The position name or title and contact information for the Privacy Officer and alternate will be published in a manner accessible to members, employees, and the public (e.g. brochures, websites).
Employees will refer members, employees, and the public to the Privacy Officer as appropriate.
Responsibility, Authority, and Duties
The Privacy Officer is responsible for British Columbia Drama Association compliance with the BC Personal Information Protection Act (PIPA) and other applicable confidentiality and privacy laws.
The Privacy Officer has the authority to direct all departments as to compliance with privacy legislation.
The Privacy Officer may consult internal or external legal counsel or any other professional or expert as required to carry out his or her duties.
The Privacy Officer may implement or recommend any policies or procedures required to ensure compliance in any areas of the British Columbia Drama Association and may review policies and procedures implemented by managers.
The Privacy Officer may inspect any area of the British Columbia Drama Association and may require managers and employees to prepare information and reports regarding privacy compliance for submission to the Privacy Officer.
The Privacy Officer may delegate his or her duties to other staff but remains ultimately responsible.
The Privacy Officer will:
- Chair/lead the multi-functional implementation team
- Conduct an assessment of personal information held by the British Columbia Drama Association prior to the coming into force of PIPA.
Consent and Opt-out Requests:
- Review all personal information held, collected, used, and disclosed by the British Columbia Drama Association and ensure that appropriate consents are obtained.
- Direct the sending of notices to members and employees to obtain implied consent to collect, use, and disclose information.
- Contact organizations from which the British Columbia Drama Association obtains personal information and ensure that all organizations obtain appropriate consents to collect, use, and disclose the information to the British Columbia Drama Association for the intended purpose.
- Handle all opt-out requests and ensure all departments and third parties cease using the information for the purpose.
Policies and Practices:
- Develop privacy policies and a complaint process for approval by the Board.
- Develop and implement operational policies and procedures to ensure compliance with the laws and protection of British Columbia Drama Association records.
- Ensure that all departments review and/or develop appropriate policies and procedures.
- Ensure brochures and information about privacy are readily accessible to members, employees, and the public.
- Provide information about privacy policies and practices and the complaint process to members, employees, and the public on request.
Access to Information and Complaints:
- Deal with all access to and correction of information requests from members, employees, and the public.
- Handle all complaints and inquiries from members, employees, and the public
- Deal with the Privacy Commissioner when necessary. Consult with legal counsel with respect to all matters involving the Privacy Commissioner.
- Approve all marketing uses of information, and ensure that appropriate consents are obtained and opt-out requests are processed.
- Direct the creation of centralized “Do Not Market” lists of members/account holders and the general public who opt-out of all marketing purposes and ensure that the lists are kept up to date.
- Ensure that appropriate consents are obtained from individuals to collect, use and disclose personal information entered into the member master file
- Ensure that all contracts with third parties to whom information is disclosed are reviewed and amended or renewed as considered appropriate.
- Ensure that all contracts with third parties that may have access to the British Columbia Drama Association information or premises are reviewed for appropriate privacy, confidentiality, and non-disclosure clauses upon renewal.
- Direct the sending of letters to:
  - All third parties to whom information is disclosed, regarding compliance with the British Columbia Drama Association’s Privacy Policies and asking for Privacy Officer contact information and access to information forms and/or procedures.
  - All third parties from whom information is obtained, asking for evidence that appropriate consent was obtained, Privacy Officer contact information, and access to information forms and/or procedures.
- Follow up with third parties to ensure responses have been received and Privacy Policies are being complied with; determine the issues created and recommend appropriate action to the Board if there is non-compliance.
Reviews and Reports:
- Annually, or more frequently as determined by the Privacy Officer and/or the Board, review all British Columbia Drama Association activities for compliance with PIPA and other privacy laws including:
  - Privacy Policies
  - Privacy Officer Terms of Reference and Management/Employee Guidelines
  - Privacy practices, procedures, and forms
  - Employee communication and training needs
  - Handling of employee personal information
  - Use of personal information for marketing purposes.
After each review, the Privacy Officer will take or recommend any appropriate action.
- Annually, or more frequently if requested, prepare reports to the Board regarding compliance of departments/functions of the British Columbia Drama Association including:
  - Compliance with PIPA and other privacy legislation and British Columbia Drama Association policies.
  - Opt-out requests.
  - Access to information and correction of information requests.
  - Inquiries and complaints.
  - Communications and training.
  - Adequacy of policies and procedures.
- Act as resource for staff with regard to dealing with members and the public and answering questions about the purpose for collection of information.
- Act as resource for the HR Department, department managers, and staff with respect to employee personal information.
- Act as resource to all departments with respect to handling personal information, including using information for marketing purposes, obtaining consents, and removing information from British Columbia Drama Association premises.
- Ensure adequate communications and training as necessary are provided for all staff.
Management and Employee Guidelines
Department Manager’s Responsibilities
All department managers (or other persons responsible for functional areas of Theatre BC) will cooperate and collaborate with the Privacy Officer and are responsible for privacy compliance in their responsibility areas, including:
- Assisting the Privacy Officer with the assessment of personal information
- Ensuring appropriate provisions for consent, confidentiality, protection of information, correction of information, access to information, return of information, etc. are incorporated into all contracts with third parties.
- Assisting the Privacy Officer to send letters to third parties to whom information is disclosed and from whom information is obtained
- Assisting the Privacy Officer to respond to access to information requests and requests to correct information.
- Protecting and managing contents of printed and electronic files and information including downloading and removal of information from Theatre BC.
- Implementing procedures that assure accuracy of information and procedures for correcting the information, if requested.
- Developing, documenting, and implementing departmental policies and procedures, as necessary.
- Ensuring departmental staff are knowledgeable about privacy policies and practices and have access to resources.
- Reviewing procedures, policies, forms, printed materials, websites, etc. to ensure that required consents are obtained and privacy information is appropriately communicated.
- Cooperating with the Privacy Officer to monitor privacy compliance, including providing reports and other information.
Departments or functional areas are to provide an initial information assessment to the Privacy Officer, the form and content to be determined by the Privacy Officer, and any changes to the information provided, including:
- What personal information is held; whether consent has been obtained or not; and the scope of any consents
- Purposes and uses of the information
- Classes of individuals about which information is held
- Whether personal information is used other than for the original purpose for which it was collected.
- To whom information is disclosed.
- Sources of information.
- What measures are in place to ensure the protection of information, including information removed from Theatre BC premises, downloaded to laptops, etc.
- What measures are in place to ensure the accuracy of information
- What procedures are followed for retention and destruction of information?
- What procedures are followed for correction of information?
- Whether information is retrievable in the event of an access to information request.
Departments will consult with the Privacy Officer before collecting, using, or disclosing information for marketing purposes, including market surveys and analysis, to ensure appropriate consents are obtained and the necessary administrative procedures are in place to deal with opt-out requests and complaints.
All employees will:
- Consult the centralized “Do Not Market” lists before contacting a member, account holder, or member of the general public for marketing purposes.
- Promptly refer any opt-out requests to the Privacy Officer so that contact/mailing lists and “Do Not Market” lists can be updated.
- Consult with the Privacy Officer before collecting, using, or disclosing any contact or referral lists, names, business cards, etc. from other sources (e.g. trade shows, seminars, website queries) to ensure the appropriate consent has been obtained and can be connected to the information and use/purpose and disclosure, and that Theatre BC has policies and practices in place to deal with opt-out requests.
Departments will use and disclose personal information only for the original purpose for which it was collected (e.g. providing the product) or as set out in the notice to existing members, as applicable, or as consented to by the individual.
If a department intends to collect, use, or disclose personal information for a purpose not identified in the original consent or without consent, the department will consult with the Privacy Officer prior to any such use.
If any information is routinely updated, departments will consult with the Privacy Officer to determine whether the routine updating of information should be limited and, if so, will recommend a change in procedure to the department.
Retention and Destruction
Departments will retain all documents and records used to make a decision affecting an individual for at least one year (e.g. declined applications and related information).
Departments will follow Theatre BC’s Retention Schedule for recommended retention and destruction periods. Departments should destroy, erase, or anonymize information as soon as possible after the destruction date.
Information that is the subject of an access to or correction of information request, litigation, or is otherwise required for business or legal reasons must not be destroyed.
Access to and Correction of Information
All employees will refer all requests from members or other individuals for access to or correction of information to the Privacy Officer.
All requests from employees should be directed to the Privacy Officer or the (HR Manager) who will respond under the direction of the Privacy Officer.
Complaints or Inquiries
Employees will refer all inquiries or complaints from members, employees, or the public regarding privacy to the Privacy Officer.
Employees will direct all inquiries from members, employees, or the public about the purpose of collecting information to the (department or branch manager) or the (Privacy Officer).
British Columbia Drama Association Privacy Policies
Commitment: Theatre BC is committed to ensuring the confidentiality and privacy and protecting the personal information of all members and other individuals whose personal information is held or controlled by Theatre BC.
Privacy Officer: Theatre BC will designate a Privacy Officer and an alternate to oversee the protection of personal information in compliance with the BC Personal Information Protection Act.
Policies: Theatre BC will develop policies and practices necessary for compliance with the Personal Information Protection Act and a process to respond to complaints that may arise, and make information available on request about the policies and practices and the complaint process.
Consent: Theatre BC will obtain consent for the collection, use, and disclosure of personal information, except in circumstances permitted by the Personal Information Protection Act or other law.
Conditions: Theatre BC will not, as a condition of providing a product or service, require an individual to consent to the collection, use, or disclosure of personal information beyond what is necessary to provide the product or service.
Express Consent: Theatre BC will obtain express written or oral consent to the collection, use, and disclosure of personal information, except in circumstances when the Personal Information Protection Act authorizes the collection, use, or disclosure without consent or deems the collection, use, or disclosure to be consented to.
Implicit Consent: Implied consent may be relied on when the purpose would be considered obvious to a reasonable person and the individual voluntarily provides the personal information for that purpose.
Deemed Consent: Theatre BC may obtain consent to collect, use, or disclose personal information for specified purposes, if Theatre BC sends notice to the individual that it intends to collect, use, or disclose personal information for those specified purposes and gives the individual a reasonable opportunity to decline to have the personal information collected, used, or disclosed for those purposes, the individual does not decline the collection, use, or disclosure for those purposes, and the collection, use, or disclosure is reasonable having regard to the sensitivity of the personal information in the circumstance.
Withdrawal: An individual may withdraw consent at any time, subject to legal or contractual restrictions, provided that reasonable notice of withdrawal of consent is given to the Co-op. On receipt of notice of withdrawal of consent, Theatre BC will inform the individual of the likely consequences of the withdrawal of consent, which may include the inability of Theatre BC to provide certain products or services, if the information is necessary to provide the products and services.
Purposes: When collecting information, Theatre BC will state the purpose of collection and provide on request the position or title and contact information for an officer who can answer the individual’s questions about the collection.
Collection: Theatre BC will limit the collection of information to information that is necessary to provide a product or service or that is necessary for the purpose consented to by the individual or to information otherwise permitted to be collected by the Personal Information Protection Act or other law.
Use: Theatre BC will not use personal information for purposes other than those for which it was collected, except with the consent of the member or as required or authorized by law.
Disclosure: Theatre BC will not disclose personal information for purposes other than those for which it was collected, except with the consent of the member, account holder, or other individual or as required or authorized by law.
When disclosing personal information Theatre BC will take all reasonable steps to protect the interests of its members and other individuals.
Sharing: Theatre BC may share personal information with its subsidiaries and other carefully selected organizations with the consent of the member or as required or authorized by law.
Access: Member and account holder information, such as copies of statements, transaction slips, and account agreements, will be provided upon request. Theatre BC may charge a fee for doing so.
For other information, upon written request, Theatre BC will provide the individual with the personal information under the control of Theatre BC, information about the ways in which the personal information requested has been and is being used, and the names of individuals and organizations to whom the personal information requested has been disclosed. Theatre BC may charge a minimal fee for providing information. Theatre BC will provide an estimate of the fee upon receiving the access to information request. Theatre BC may require a deposit for all or part of the fee.
Assistance: Theatre BC will assist individuals to complete an access to information request to ensure that the information wanted or needed is provided accurately, completely, and promptly.
An applicant may be required to provide sufficient information to permit Theatre BC to provide an account of the existence, use and disclosure of personal information it holds. The additional information provided will only be used for this purpose.
Exceptions: Theatre BC may not provide information that it is not required to disclose and will not disclose information that it is required by law not to disclose, such as information that would reveal the identity of another individual without his or her consent.
Time Limit: Theatre BC will endeavour to respond to an access to information request within 30 days. If additional time is required because sufficient detail has not been provided by the applicant, a large amount of material is requested or must be retrieved, or more time is needed to consult with other organizations, Theatre BC may apply to the BC Privacy Commissioner for an extension under the Personal Information Protection Act.
Refusals: If Theatre BC refuses access to personal information, Theatre BC’s response to the access to information request will provide the reasons for refusal and provide the name, position/title, address, and telephone number of an officer of Theatre BC who can answer the applicant’s questions about the refusal. Theatre BC may refuse to confirm or deny the existence of personal information collected as part of an investigation.
Accuracy: Theatre BC will make a reasonable effort to ensure that personal information it is using or disclosing is accurate and complete.
Corrections: If an individual demonstrates the inaccuracy or incompleteness of personal information, Theatre BC will amend the information as required. If appropriate, Theatre BC will send the amended information to third parties to whom the information has been disclosed.
When a challenge regarding the accuracy of personal information is not resolved to the satisfaction of the individual, Theatre BC will annotate the personal information under its control with a note that the correction was requested but not made.
Protection: Theatre BC will protect the personal information in its custody or control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar risks.
Theatre BC will take reasonable steps, through contractual or other reasonable means, to ensure that a comparable level of personal information protection is implemented by the suppliers and agents who assist in providing services to members, account holders, and other individuals.
Retention: Theatre BC will keep personal information used to make a decision that affects the individual for at least one year after using it to make the decision.
Theatre BC will, in accordance with its retention schedule, destroy, erase, or make anonymous documents containing personal information, as soon as it is reasonable to assume that the original purpose is no longer being served by retention of the information and retention is no longer necessary for legal or business purposes.
Theatre BC may retain personal information about members and account holders with their consent in order to assist in the provision of future products and services and for marketing purposes, such as sending information about products and services that may be of interest, and may update the information as necessary to provide products and services applied for.
Theatre BC will take due care with the destruction of personal information so as to prevent unauthorized parties from gaining access to the information.
Safeguarding: Theatre BC will employ electronic and physical security safeguards appropriate to the sensitivity level of personal information, including:
- Physical measures such as locked fire-resistant filing cabinets and restricted access to offices
- Organizational measures such as restricting employee access to files and databases
- Electronic measures such as passwords and encryption
- Investigative measures if Theatre BC has reasonable grounds to believe that personal information is being inappropriately collected, used, or disclosed.
Questions: Members and other individuals may direct any inquiries or complaints regarding their personal information to the Theatre BC Privacy Officer. Contact information will be available by inquiring at any office or call centre of Theatre BC.
Complaint Process: Theatre BC will, on request, inform members and other individuals of its complaint procedures, which will be accessible and simple to use.
Theatre BC will ensure that inquiries, concerns, and complaints regarding personal information receive prompt attention and are resolved in a timely manner.
Where appropriate, members and other individuals will be informed of their right to file a complaint with the BC Privacy Commissioner and will be provided contact information.
An applicant may complain to Theatre BC about how personal information has been collected, used, or disclosed, how a request for access to or correction of information was handled, the amount of a fee, a breach of time limit requirements, or other matters.
PIPA, s.5, requires Theatre BC to develop a process to respond to complaints that may arise respecting the application of PIPA and to make information available on request about the complaint process.
The complaint procedures can be provided by the Privacy Officer on request. Staff should direct all complaints related to privacy to the Privacy Officer.
The following is a suggested Complaint Process for compliance with s.5:
• Individuals may contact the Privacy Officer by telephone, email, or letter
• The Privacy Officer will explain the complaint process to the individual
• The individual will be requested by the Privacy Officer to make the complaint in writing. The Privacy Officer may request additional details and documentation from the individual in respect of the complaint
• The Privacy Officer will respond promptly to all complaints and attempt to resolve the complaint to the satisfaction of the individual and Theatre BC.
• If the Privacy Officer does not resolve the complaint to the individual’s satisfaction, the Privacy Officer should indicate that the individual may take the complaint to the Executive Director and, if the Executive Director is unable to resolve the complaint, the individual may escalate the complaint to Theatre BC’s Board of Directors. The Executive Director and Board will make every effort to respond to the complaint promptly
• Staff will refer all complaints and disputes about protection of information, access to information, correction of information, or other complaints and disputes about privacy to the Privacy Officer
• The Privacy Officer will take any necessary remedial action, such as recommending changes to procedures to prevent similar valid complaints
• Department managers will cooperate with the Privacy Officer to provide documents and information, resolve disputes, and amend department procedures as required
• The Privacy Officer will keep files and records on complaints, and prepare reports for management about the quantity, nature or types of complaints, resolution or non-resolution, and any actions taken to prevent similar valid complaints