C007-01
Privacy Policy
Policy statement
1 This policy is to establish the authority and responsibilities for the collection, use, disclosure, access, retention and disposition of personal information.
Purposes of this policy
2 (1) In order to operate and provide City services, the City needs to collect, use, protect and disclose personal information regarding its employees, citizens and customers.
(2) The purpose of this policy is to
(a) establish the authority and responsibilities for the collection, use, disclosure, access, retention and disposition of personal information,
(b) develop, implement and maintain the privacy program and procedures,
(c) provide the framework for the City staff privacy training,
(d) provide the framework for the management and control of the city records, and
(e) investigate and resolve privacy complaints, unauthorized disclosures and breaches.
Application
3 This policy applies to all
(a) employees acting in various roles within the City, and
(b) personal information within the control and custody of the City regardless of its location, medium or format.
Interpretation
4 (1) The Interpretation Bylaw applies to this policy.
(2) Unless contrary intention appears in this policy, words and phrases used in this policy have the same meanings as in the Freedom of Information and Protection of Privacy Act.
Definitions
5 In this policy
"city record" has the same meaning as record in the Freedom of Information and Protection of Privacy Act;
"contact information " means the information to enable a person to be contacted at their place of business and may include a
(a) person's' name,
(b) person's title,
(c) business telephone number,
"control" means the power of authority to manage a city record throughout its life cycle, including
its use or disclosure.
"custody" means having physical possession of a city record in addition to some right to deal with the city record and some responsibility for its care and protection, and normally includes
(a) responsibility for access,
(f) providing security of the city record.
"head" has the same meaning as in the Officer Designation and Delegation of Authority Bylaw
"information-sharing agreement" or "ISA" has the same meaning as in section 69 of the Freedom of Information and Protection of Privacy Act ;
"personal information" means any information that can identify a person other than business contact information and may include but is not limited to
(a) a person's name,
(d) an employee identification number,
(f) medical/health information,
(n) personal recommendations/evaluations,
(o) a social insurance number, and
"personal information bank" has the same meaning as in section 69 of the Freedom of Information and Protection of Privacy Act ;
"privacy impact assessment" has the same meaning as in section 69 of the Freedom of Information and Protection of Privacy Act ;
"records management" means the systematic control of the creation, receipt, maintenance, use and disposition of city records in the conduct of the operational and administrative functions and activities of the City.
Collection, use, disclosure
6 (1) The City will collect personal information only for the purposes necessary for a program, activity or service unless another method of collection is authorized under the Freedom of Information and Protection of Privacy Act .
(2) The City will use personal information for the purpose it was collected, or purpose to which the person has provided consent, or a purpose that has a reasonable and direct connection to its original collection.
(3) The City will disclose personal information in its custody or under its control only as permitted under the Freedom of Information and Protection of Privacy Act .
(4) The City will protect personal information in its custody or under its control by making reasonable arrangements for its security, access, collection, use, disclosure and disposal.
(5) The City will make every effort to ensure that personal information that is in the custody or under the control of the City is accurate.
Privacy rights
7 (1) The City respects the privacy rights of all persons.
(2) A person who believes there is an error or omission in personal information may request a correction by contacting the City.
Record keeping
8 (1) The City will retain personal information that is used to make a decision that directly affects the person in accordance with the Records Bylaw.
(2) The City will manage the disposition of personal information in accordance with the Records Bylaw.
Compliance
9 (1) The City will review and resolve all privacy complaints in accordance with the procedures and best practices prescribed by Freedom of Information and Protection of Privacy Act.
(2) The City will review and resolve unauthorized disclosure or privacy breaches in accordance with the Freedom of Information and Protection of Privacy Act.
Privacy management
10 (1) The City will not share personal information with another organization except in accordance with an information-sharing agreement.
(2) Each information-sharing agreement will specify and prescribe the terms and conditions to which both parties will be subject.
(3) The City will complete privacy impact assessments for all new programs, initiatives, and relevant information technology projects that will collect, use, disclose or store personal information.
(4) The City will maintain a listing of personal information banks as prescribed by Freedom of Information and Protection of Privacy Act.
(5) The City will provide privacy training to staff when their employment commences and annually thereafter.
Roles and responsibilities
11 (1) The head will
(a) provide consultative and advisory services for the City staff and agencies,
(b) report and investigate privacy complaints, unauthorized disclosures and breaches,
(c) develop, implement, and maintain the City's privacy program,
(d) establish a City-wide privacy program in the Freedom of Information and Protection of Privacy Act,
(e) provide privacy training and support to City staff,
(f) report and investigate privacy complaints, unauthorized disclosures and breaches,
(g) assist staff with the completion of a privacy impact assessment and information-sharing agreement,
(h) may represent the City during Information and Privacy Commissioner Investigations and audits, and
(i) provide consultative and advisory services to City staff.
(2) The Information Technology Director will
(a) assist the head to provide guidance and assistance on developing, implementing, operating and maintaining the City's privacy program as it relates to the collection, storage, use, disclosure, security and retention of personal information in electronic data formats
(b) report any privacy complaints, authorized disclosures or privacy breaches,
(c) assist with the investigation and risk assessment of privacy breaches, and, in the event of theft or criminal activity, work with the head to communicate to the appropriate agencies, and
(d) provide consultative and advisory services.
(a) ensure their staff adhere to the policy and privacy procedures,
(b) ensure their departmental policies, procedures and processes are consistent with this policy and privacy legislation,
(c) report any privacy complaints, unauthorized disclosures or privacy breaches, and
(d) participate in ongoing privacy training, as required.
(4) All City staff will
(a) adhere to this policy and privacy procedures,
(b) report any privacy complaints, unauthorized disclosures or privacy breaches,
Waiving of requirements
12 Subject to applicable enactments, council may waive this policy or authorize an exemption on a case-by-case or class basis.