Ten privacy principles

The Ten Privacy Principles serve as a foundational framework for safeguarding personal information. Derived from the Canadian Standards Association Model Code for the Protection of Personal Information, these principles are integral components of privacy legislation. They provide a clear roadmap for organizations to uphold individuals' privacy rights and ensure the responsible handling of personal information.

A public body organization is responsible for the personal information under its control.

• Designate a Privacy Officer and make sure employees in the organization know who the Privacy Officer is.
• Protect all personal information under the organization’s control, including any personal information transferred to a third party for processing.
• Develop and implement policies and practices for handling personal information, procedures for handling privacy breaches and complaints. 
• Develop a privacy management program.

Identify the purpose for collecting personal information before or at the time of collection.

• Identify and document in writing the purpose for collecting personal information and the legal authority to collect it.
• When collecting personal information directly from someone tell them why you are collecting their information, the legal authority for collecting the information, and the name and contact information of someone who can answer questions about the collection.
• Describe the purpose for collecting someone’s information clearly, in plain language, and be as specific as possible so people understand how their information will be used.
• Ensure the collection of personal information is necessary to fulfil the purpose identified and that it is limited to what a reasonable person would deem appropriate.

The knowledge and consent of the individual is required to use and disclose personal information, except in specific circumstances.

• Obtain consent from the individual before using or disclosing their personal information, if required.
• Consider the sensitivity of personal information, the person’s circumstances, and what a reasonable person would deem appropriate when determining what form of consent to use, such as written, verbal, implied, or opt-in.
• Clearly inform the individual of the purpose for the use or disclosure of personal information when obtaining consent.
• Never obtain consent by deceptive means or by producing false or misleading information.
• If a person withdraws consent, explain the likely consequences of withdrawing consent.

The collection of personal information must be limited to what is needed for the purposes identified by your organization. Information must be collected by fair and lawful means.

• Collect only the personal information you need to fulfil an identified purpose.
• Ensure your staff can explain why your organization needs to collect someone’s personal information.
• Collect personal information directly from someone unless the legislation or person authorizes the collection of personal information from another source.

Use or disclose personal information only for the purpose identified, unless the individual consents to a new purpose, or the use or disclosure is authorized by law.

• Keep personal information only as long as necessary to fulfil the purposes for collecting, using and disclosing it.
• Keep personal information that is used to make a decision about a person for a reasonable period of time, so the person has the opportunity to access it.
• Securely dispose of any personal information in accordance with your organization’s approved records management policies.
• Limit employee access to personal information. Access should be granted to employees on a need-to-know basis for them to carry out their job responsibilities. The employee must only use the personal information for the purpose it was collected, or a consistent use.

Personal information must be as accurate, complete, and up-to-date as possible.

• Keep personal information accurate, complete, and up to date, taking into account its use and the interests of the individual.
• Consider whether using or disclosing out of date or incomplete information could potentially have an adverse impact on the individual.
• Implement practices to minimize the possibility of using incorrect information when making a decision about a person or when disclosing information to third parties.
• Establish policies that govern the types of personal information that need to be updated.

Personal information must be protected by appropriate security measures relative to the sensitivity of the information.

• Protect personal information in a way that is appropriate to its sensitivity.
• Protect all personal information regardless of its format, including paper, electronic, audio, and video data.
• Use reasonable safeguards to provide necessary protection. These include physical safeguards (for example, locked filing cabinets), technological safeguards (for example, encryption, passwords), and administrative controls (for example, security clearance, staff training).
• Review safeguards regularly to ensure they are up to date and that vulnerabilities are addressed through regular audits and/or testing.

Organizations must make their policies and practices relating to the management of personal information available to the public.

• Make your personal information management practices clear and easy to understand and provide them to people when requested.
• Ensure front-line staff are familiar with your procedures for responding to people’s inquiries about their personal information.
• Provide, in easy-to-understand terms:
• The name, title and contact information of the person accountable for your organization’s privacy policies and practices,
• How someone can gain access to their personal information,
• How someone can make a privacy complaint to your organization, and
• Information that explains your organization’s policies and practices for handling personal information including a description of the personal information you collect, why you collect it, how it is used, to whom it is disclosed, and why.

Individuals must be provided with access to their personal information. They must be able to challenge the accuracy and completeness of their information and have it corrected as appropriate.

• When requested, provide individuals with the information you hold about them.
• Help people prepare their request for access to personal information. For example, help the requestor to supply enough information to allow you to locate their personal information.
• Respond to the request as quickly as possible, and no later than 30 days after receiving it. If more time is needed to respond to the request, let the individual know why you need an extension and when they can expect a response.
• Make sure the requested information is understandable to the person requesting it. Explain acronyms, abbreviations, and codes.
• If you refuse to grant access to personal information, explain in writing the reasons and inform the requestor of any recourse available to them.

An individual must be able to challenge your organization’s compliance with the ten privacy principles.

• Develop and implement simple and accessible privacy complaint procedures.
• Investigate all privacy complaints you receive.
• Take appropriate measures to correct information handling practices and policies, as required.
• Tell people how they can file a privacy complaint. Provide them with your organization’s privacy complaint handling process and tell them they can make a complaint to the Ombud.