Personal Information Protection
Private Sector Privacy Legislation


PIPA Implementation Tool 6

 Privacy Compliance Assessment Tool

Note: The "submit results" functionality of this tool is currently under development.

Is the Organization Accountable for its Information Practices?

To find out if the organization is accountable for its information practices, answer the following questions:

1.  Has the organization designated an individual (or individuals) to be responsible for its compliance with the Personal Information Protection Act (PIPA)?

Yes  No 

2.  Has the organization developed and implemented the necessary policies and practices to meet its obligations for the proper handling of personal information?

Yes  No 

3.  Does the organization use contracts and/or other means to ensure that contractors providing services on its behalf that involve the collection, use or processing of personal information provide privacy protection equal to or superior to its own?

Yes  No 

4.  Has the organization developed and implemented a complaint process to handle complaints about its personal information practices?

Yes  No 

Does the Organization Identify Purposes?

To find out if the organization complies with the requirement to identify collection purposes, answer the following questions:

1.  Does the organization identify the purpose(s) for which personal information is needed and how it will be used, taking into account both primary and secondary purposes (i.e., audit, marketing, etc.)?

Yes  No 

2.  Does the organization inform the individual, either verbally or in writing, of the purposes for collecting the personal information before or at the time that it collects personal information?

Yes  No 

3.  Before using personal information for a new purpose, not previously identified, does the organization inform the individual of the new purpose and obtain consent prior to its use?

Yes  No 

Does the Organization Obtain Consent?

To find out if the organization complies with the requirement to obtain consent for the collection, use and disclosure of personal information, answer the following questions:

1.  Does the organization obtain consent from the individual whose personal information is collected, used or disclosed?

Yes  No 

2.  Does the organization, when obtaining consent, inform the individual of the purposes for the collection, use or disclosure of personal information in a manner that is clear and can be reasonably understood? 

Yes  No 

3.  Does the organization obtain the individual's consent before or at the time of collection, as well as when a new use is identified? 

Yes  No 

4.  Does the organization obtain consent without using deceptive means or false or misleading information about how personal information will be used? 

Yes  No 

5.  Does the organization ensure that consent is not a condition for supplying a product or a service unless the collection, use or disclosure of the personal information is necessary to provide the product or service? 

Yes  No 

6.  Does the organization, in determining what form of consent to use (e.g., written, verbal, implied, opt-in or opt-out), consider both the sensitivity of the personal information and what a reasonable person would expect and consider appropriate in the circumstances? 

Yes  No 

7.  Does the organization permit an individual to withdraw consent to the collection, use or disclosure of personal information unless it would frustrate the performance of a legal obligation? 

Yes  No 

8.  Does the organization, upon receipt of a notice to withdraw consent, inform the individual of the likely consequences of withdrawing consent? 

Yes  No 

Does the Organization Limit its Collection of Personal Information?

To find out if the organization complies with the requirement to limit collection of personal information to that which is necessary and reasonable, answer the following questions:

1.  Does the organization only collect personal information for purposes that a reasonable person would consider appropriate in the circumstances? 

Yes  No 

2.  Does the organization limit the amount and type of personal information it collects to only that which is necessary to fulfill the purpose(s)?

Yes  No 

3.  Does the organization collect personal information directly from the individual it is about unless the Act authorizes the collection of personal information without consent from another source? 

Yes  No 

Does the Organization Limit Its Use, Disclosure and Retention of Personal Information?

To find out if the organization complies with the requirement to limit its use, disclosure and retention of personal information to that which is necessary to fulfill identified purpose(s), answer the following questions:

1.  Does the organization use or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances? 

Yes  No 

2.  Does the organization use or disclose personal information only for the purpose(s) for which it collected it, unless the individual consents to a new purpose, or the use or disclosure is otherwise authorized by the Act? 

Yes  No 

3.  Does the organization retain personal information only as long as necessary to fulfill the purpose(s) for which it was collected or a related business or legal purpose?

Yes  No 

4.  Does the organization retain personal information that is used to make a decision about an individual for at least one year after using it so the individual has a reasonable opportunity to obtain access to it?

Yes  No 

5.  Does the organization destroy, erase or render anonymous personal information as soon as it is no longer serving the purpose for which it was collected and is no longer necessary for a legal or business purpose? 

Yes  No 

Does the Organization Ensure that Personal Information is Accurate and Complete?

To find out if the organization complies with the requirement to ensure that personal information is accurate and complete, answer the following questions:

1.  Does the organization make reasonable efforts to ensure that the personal information it collects about an individual is accurate and complete if it is likely to be used to make a decision that affects the individual? 

Yes  No 

2.  Does the organization make reasonable efforts to ensure that the personal information it collects about an individual is accurate and complete if it is likely to disclose the personal information to another organization? 

Yes  No 

Does the Organization Secure Personal Information?

To find out if the organization complies with the requirement to protect personal information by making reasonable security arrangements, answer the following questions:

1.  Does the organization make reasonable security arrangements (including physical measures, technical tools, and organizational controls where appropriate) to protect personal information in its custody or under its control? 

Yes  No 

2.  Does the organization, in determining what level of security arrangements are reasonable, take into account the sensitivity of the personal information in its custody or under its control? 

Yes  No 

3.  Does the organization implement safeguards that protect personal information from unauthorized access, collection, use, disclosure, copying, modification or disposal by individuals both outside the organization as well as within? 

Yes  No 

4.  Does the organization have in place security measures that protect personal information regardless of the format in which it is held (e.g., paper, electronic, audio, video)?

Yes  No 

5.  Does the organization dispose of or destroy personal information in a way that prevents unauthorized parties from gaining access to it? 

Yes  No 

Is the Organization Open about its Information Practices?

To find out if the organization complies with the requirement to be open about its personal information practices, answer the following questions:

1.  Does the organization make the following information available to customers, clients and employees on request?

(a)  brochures or other information that explain its personal information policies and practices?

Yes  No 

(b)  name or title and contact information of the person who is accountable for its personal information policies and practices? 

Yes  No 

(c)  name or title and contact information of the person who can answer questions about its purposes for collecting personal information? 

Yes  No 

(d)  how an individual can gain access to his or her personal information and the name or title and contact information of the person to whom access requests should be sent? 

Yes  No 

(e)  the process for making a complaint about its personal information practices (e.g., the process for making internal complaints as well as complaints to the Information and Privacy Commissioner)? 

Yes  No 

Does the Organization Allow Individuals Access to Their Personal Information and a Right to Request Corrections?

To find out if the organization complies with the requirement to permit individuals access to, and a right to request correction of, their personal information, answer the following questions:

For Access to Personal Information requests

1.  Does the organization, upon request, provide applicants with:

(a)  access to their personal information, subject to limited exceptions? 

Yes  No 

(b)  an explanation of how their personal information is or has been used? 

Yes  No 

(c)  a list of any individuals or organizations to whom their personal information has been disclosed? 

Yes  No 

2.  Does the organization provide a copy of the information requested or a response that includes reasons for not providing access:

(a)  within 30 business days unless an extension of time is permitted under the Act?

Yes  No 

(b)  for minimal or no cost?

Yes  No 

3.  Does the organization, if all or part of the requested information is refused, provide the applicant with a response that includes:

(a)  reasons and the provision(s) of the Act on which the refusal is based?

Yes  No 

(b)  the name or title and contact information of someone who can answer the applicant's questions about the refusal? 

Yes  No 

(c)  information on how to request a review by the Information and Privacy Commissioner? 

Yes  No 

For Correction of Personal Information requests

1.  Does the organization, upon request, correct personal information that is found to be inaccurate or incomplete? 

Yes  No 

2.  Does the organization, if a correction is made, send a copy of the corrected personal information to each organization to which the incorrect or incomplete information was disclosed in the past year? 

Yes  No 

3.  Does the organization, if no correction is made in response to an individual's request, annotate the personal information in dispute (i.e., make a note) to indicate that a correction was requested but not made? 

Yes  No 

Does the Organization Have a Process for Handling Complaints?

To find out if the organization complies with the requirement to have a process in place for responding to complaints about the organization's personal information practices, answer the following questions:

1.  Does the organization have a process in place for receiving and responding to complaints or inquiries about its personal information practices? 

Yes  No 

2.  Does the organization investigate all complaints? 

Yes  No 

3.  Does the organization, where a complaint is justified, take appropriate measures to rectify the situation including correcting information handling practices and policies where necessary? 

Yes  No 

Privacy comments or questions?  E-mail us at CPIAADMIN@gems5.gov.bc.ca

This page was last updated October 20, 2003
