As of January 1, 2004, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) was implemented in the Canadian legislature. PIPEDA and equivalent provincial legislation govern the collection, use and disclosure of personal data by all Canadian organizations participating in a commercial activity.
Inside Out is committed to protecting the privacy of the personal information of its members, customers and other stakeholders. We value the trust of those we deal with, and of the public, and recognize that maintaining this trust requires that we be transparent and accountable in how we treat the information that you chose to share with us.
During the course of our various projects and activities, we frequently gather and use personal information. Anyone from whom we collect such information should expect that it will be carefully protected and that any use of or other dealing with this information is subject to consent. Our privacy practices are designed to achieve this.
Defining Personal Information
Personal information is any information that can be used to distinguish, identify or contact a specific individual. This information can include an individual's opinions or beliefs, as well as facts about, or related to, the individual. Exceptions include business contact information and certain publicly available information, such as names, addresses and telephone numbers as published in telephone directories - these are not considered personal information.
Where an individual uses his or her home contact information as business contact information as well, we consider that the contact information provided is business contact information, and is not therefore subject to protection as personal information.
The Canadian Standards Association (CSA) Model Code for the Protection of Personal Information was developed for use as a voluntary code by businesses and organizations. This code contains ten principles to be respected and forms the backbone of PIPEDA and other privacy legislation. Canadian legislation now requires adherence to these standards.
Inside Out is responsible for all personal information under its control and remains responsible when personal information is processed by third parties on its behalf.
The Corporate Privacy Officer (CPO) for Inside Out is Scott Ferguson, Executive Director. This is communicated both internally and externally for public knowledge. The CPO is responsible for understanding the broad impact of privacy, for the implementation of policies and procedures, and handling any complaints.
Inside Out is responsible for personal information in its possession or custody, including information that has been received by a third party and requiring their adherence to privacy legislation.
Inside Out will identify the purposes for which personal information is collected, at or before the time the information is collected.
The primary purposes for the collection of personal information are to deliver services and to keep individuals informed and up-to-date on the activities of Inside Out, including programmes, services, special events, funding needs, opportunities to volunteer or to give and more through periodic contacts.
When personal information that has been collected is to be used for a purpose not initially identified, the new purpose shall be identified prior to use.
Knowledge and consent by the individual for the collection, use and disclosure of personal information will be obtained by Inside Out.
An Inside Out privacy statement, in most cases, of implied consent will be provided in a prominent manner with specific information about the nature of the proposed information uses, along with convenient options to allow for the opportunity to opt-out at any time (subject to legal or contractual restrictions and reasonable notice).
The consent will be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.
The collection of personal information shall be limited to that which is necessary for the purposes identified by Inside Out. All personal information shall be collected by fair and lawful means.
Inside Out shall not collect personal information indiscriminately. Both the amount and type of information collected shall be limited to that which is necessary to fulfill the purposes identified.
Any new purposes for the use of an individual's personal information will require the individual's consent.
The requirement that personal information be collected by fair and lawful means is intended to prevent Inside Out from collecting information by misleading or deceiving individuals about the purpose for which information is being collected. This requirement implies that consent with respect to collection, use or disclosure must not be obtained through deception.
Limiting Use, Disclosure and Retention
Personal information will not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law.
Personal information will be stored in confidence and accessed only by authorized Inside Out employees and agents or consultants retained by Inside Out.
Personal information will be retained only as long as necessary for the fulfilment of those purposes. Personal information that is no longer required will be destroyed, erased or made anonymous in accordance with current Inside Out policies.
Cookies used by Inside Out do not give it access to anything on your hard drive and cannot do anything to your computer. Cookies are encrypted for security purposes to make any information in the cookie unreadable to anyone outside of Inside Out. Inside Out uses two types of cookies: session cookies (temporary) or persistent cookies (longer–term continuing use).
- Session cookies may be used to support on–line feedback/discussion, forms and registration and ‘e–commerce/shopping cart’ transactions. They are used only during your online session and expire when you close your browser. Without session cookies, moving around the Site could be much slower.
- Persistent cookies are different from session cookies because they are stored on your computer’s hard drive for some length of time. They are usually used if you want us to remember information about your Web preferences and passwords for automatic log–in purposes.
Personal information will be as accurate, complete and up-to-date as is necessary for the purposes for which it is used by Inside Out, taking into account its use and the interests of the individuals.
Personal information shall be sufficiently accurate, complete and up-to-date to minimize the possibility that inappropriate information be used to make a decision about the individual.
Inside Out will update an individual's personal information only when necessary to fulfill the specific purposes for which it was collected.
Inside Out will take steps to protect personal information from theft and loss, as well as unauthorized access, disclosure, copying, use or modification.
The methods of protection will include:
- Physical measures (locked filing cabinets, restricted access to files and offices);
- Technological measures (passwords, encryption, firewalls, and audits);
- Organizational measures (security clearances, "need-to-know" access, etc.); and
- Staff and volunteer training that includes the sharing of all Inside Out privacy policies and procedures.
Inside Out will make readily available to individuals specific information about Inside Out's policies and practices relating to the management of personal information.
Inside Out will make these policies and practices understandable and easily available through a variety of forms. Information about these policies and practices may be made available in person, in writing, by telephone, in publications and on the Inside Out website.
The information made available will include:
- The name or title and business address of the person who is accountable for Inside Out's privacy policies and practices and to whom complaints or inquiries can be forwarded;
- The means of gaining access to personal information held by Inside Out;
- A description of the type of personal information held by Inside Out, including a general description of its use and disclosure.
Upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Individuals have the right to be given access to their personal information (except where it contains references to other individuals or if it cannot be disclosed for legal, security or commercial proprietary reasons). Inside Out will advise the individual of the reason for denying the access request.
Inside Out will respond to an individual's request within a reasonable time - no more than 30 days - and at minimal or no cost to the individual related to retrieval, photocopying and delivery.
In providing an account of third parties to which it has disclosed personal information about an individual, Inside Out will attempt to be as specific as possible. When it is not possible to provide a list of the organizations to which it has actually disclosed information about an individual, Inside Out will provide a list of organizations to which it may have disclosed information about the individual.
An individual can challenge Inside Out's compliance with the above principles through the Corporate Privacy Officer.
Inside Out shall put procedures in place to receive and respond to complaints or inquiries about its policies and practices relating to the handling of personal information. The complaints procedures will be easily accessible and simple to use.
Inside Out shall investigate all complaints. If a complaint is found to be justified, Inside Out will take appropriate measures, including, if necessary, amending its policies and procedures.
If you have any specific questions or comments about our privacy compliance, please contact Inside Out's Corporate Privacy Officer, Scott Ferguson, by email at email@example.com, by phone at 416-977-6847 or by mail at:
401 Richmond St. West
Further information on privacy and your rights in regard to your personal information may be found on the website of the Privacy Commissioner of Canada at www.privcom.gc.ca
Appendix A - Privacy Statement
Corporate Privacy Officer
Inside Out Lesbian and Gay Film Festival Inc.
219 - 401 Richmond St. West
Toronto, Ontario M5V 3A8
General mailbox: firstname.lastname@example.org
Please allow 15 business days for us to update our records accordingly.
Appendix B - Definition of Information in the "Public Domain"
The following is taken from the Privacy Commissioner of Canada's website's "Regulations for PIPEDA" to define "publicly available information":
Regulations Specifying Publicly Available Information
1. The following information and classes of information are specified for the purposes of paragraphs 7(1)(d), (2)(c.1) and (3)(h.1) of the Personal Information Protection and Electronic Documents Act:
- (a) personal information consisting of the name, address and telephone number of a subscriber that appears in a telephone directory that is available to the public, where the subscriber can refuse to have the personal information appear in the directory;
- (b) personal information including name, title, address and telephone number of an individual that appears in a professional or business directory, listing or notice, that is available to the public, where the collection, use and disclosure of the personal information relate directly to the purpose for which the information appears in the directory, listing or notice;
- (c) personal information that appears in a registry collected under a statutory authority and to which a right of public access is authorized by law, where the collection, use and disclosure of the personal information relate directly to the purpose for which the information appears in the registry;
- (d) personal information that appears in a record or document of a judicial or quasi-judicial body, that is available to the public, where the collection, use and disclosure of the personal information relate directly to the purpose for which the information appears in the record or document; and
- (e) personal information that appears in a publication, including a magazine, book or newspaper, in printed or electronic form, that is available to the public, where the individual has provided the information.
Appendix C - Duties & Responsibilities of a Corporate Privacy Officer (CPO)
The role of a corporate privacy officer is multi-disciplinary. This role involves the interpretation of privacy law and the creation of privacy programmes that ensure the protection of personal data and compliance with the current legislation across the organization.
This individual can be expected to be responsible for ensuring that some or all of the following duties are addressed as is appropriate to Inside Out:
- conduct privacy risk assessments and audits;
- develop and implement corporate privacy policies and procedures;
- create and deliver educational, training and orientation programmes;
- monitor systems development and operations for security and privacy compliance;
- ensure compliance related to privacy, security and confidentiality;
- audit and administer privacy programmes;
- provide counsel relating to business contracts and partnerships;
- track and report on compliance related to privacy, security and confidentiality; resolve allegations of non-compliance;
- maintain current knowledge of federal and provincial privacy legislation and regulations;
- manage public perception of data protection and privacy practices for Inside Out;
- liaise with government agencies and the privacy commissioner's office.