Government of British Columbia - Private Sector Privacy


PIPA Implementation Tool 4

Ten Principles for the Protection of Privacy


Principle 1 - Be accountable

To comply with this principle, an organization should:

  • Ensure that it complies with the ten principles for the protection of privacy.

  • In complying with the principles, consider 'what a reasonable person would consider appropriate in the circumstances'.

  • Be responsible, by contractual or other means, for all personal information under its control, including personal information that is not in its custody. This includes personal information transferred to another organization for processing. (See Privacy Protection Schedule Template).

  • Appoint an individual (or individuals) to be responsible for its compliance (see 'What is a Privacy Officer?') and communicate the name or title and contact information to staff and the public. 

  • Develop and implement policies and practices for the handling of personal information and make this information available to the public on request.

  • Develop and implement a complaint process to handle complaints about its personal information practices and make this information available to the public on request.

Principle 2 - Identify the purpose

To comply with this principle, an organization should:

  • Identify the purpose(s) for which personal information is needed and how it will be used and disclosed before or at the time personal information is collected. 

  • Ensure that the collection of personal information is necessary to fulfill the purpose(s) identified.

  • Ensure that each purpose is limited to what a reasonable person would consider appropriate in the circumstances.

  • Inform the individual from whom the information is collected, either verbally or in writing, before or at the time of collection why the personal information is needed and how it will be used. 

  • On request by the individual, provide the name or title and contact information of a person within the organization who is able to answer questions about the collection of personal information.

  • When using an individual's personal information that has already been collected for a new purpose not previously identified, inform the individual of the new purpose and obtain consent prior to its use. 

Principle 3 - Obtain consent

To comply with this principle, an organization should:

  • Obtain consent from the individual whose personal information is collected, used or disclosed. 

  • Obtain the individual's consent before or at the time of collection, as well as when a new use is identified. 

  • In determining what form of consent to use (e.g., written, verbal, implied, opt-in or opt-out), consider both the sensitivity of the personal information and what a reasonable person would expect and consider appropriate in the circumstances.

  • When obtaining express consent, inform the individual of the purposes for the collection, use or disclosure of personal information in a manner that is clear and can be reasonably understood. 

  • Never obtain consent by deceptive means or by providing false or misleading information about how the personal information will be used or disclosed. 

  • Never make consent a condition for supplying a product or a service unless the collection, use or disclosure of the personal information is necessary to provide the product or service. 

  • Should an individual wish to withdraw consent, explain the likely consequences of withdrawing consent. 

  • Never prohibit an individual from withdrawing consent to the collection, use or disclosure of personal information unless it would frustrate the performance of a legal obligation.

Principle 4 - Limit collection

To comply with this principle, an organization should:

  • Only collect personal information for purposes that a reasonable person would consider appropriate in the circumstances. 

  • Limit the amount and type of personal information collected to what is necessary to fulfill the identified purposes. 

  • Before or at the time of collection, comply with Principles 2 and 3 by informing the individual of the purposes for collection and obtaining consent.

  • Collect personal information directly from the individual it is about unless the Act or the individual authorizes the collection of personal information from another source.

Principle 5 - Limit use, disclosure and retention

To comply with this principle, an organization should:

  • Use or disclose personal information only for the purpose(s) for which it was collected, unless the individual consents to the new purpose, or the use or disclosure is otherwise authorized by the Act. 

  • Only use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. 

  • Keep personal information only as long as necessary to fulfill the purpose(s) for which it was collected.

  • Keep personal information that is used to make a decision about an individual for at least one year after using it so the individual has a reasonable opportunity to obtain access to it. 

  • Destroy, erase or render anonymous personal information as soon as it is no longer serving the purpose for which it was collected and is no longer necessary for a legal or business purpose.

Principle 6 - Be accurate

To comply with this principle, an organization should:

  • Make reasonable efforts to ensure that the personal information it collects is accurate and complete, so as to minimize the possibility of using incorrect or incomplete information when making a decision that affects an individual or when disclosing an individual's information to another organization.

Principle 7 - Use appropriate safeguards

To comply with this principle, an organization should:

  • Make reasonable security arrangements to protect personal information in its custody or under its control. Such arrangements should include physical measures, technical tools, and organizational controls where appropriate.

  • Safeguard personal information from unauthorized access, collection, use, disclosure, copying, modification or disposal, whether by individuals outside the organization or by its own staff.

  • Protect personal information regardless of the format in which it is held (e.g., paper, electronic, audio, video). 

Principle 8 - Be open

To comply with this principle, an organization should:

  • Make the following information available to customers, clients and employees on request:

      ◦ brochures or other information that explain its personal information policies and practices;

      ◦ name or title and contact information of the person who is accountable for its personal information policies and practices;

      ◦ name or title and contact information of the person who can answer questions about its purposes for collecting personal information;

      ◦ how an individual can gain access to his or her personal information and the name or title and contact information of the person to whom access requests should be sent; and,

      ◦ the process for making a complaint about its personal information practices.

Principle 9 - Give individuals access

To comply with this principle, an organization should:

For Access to Personal Information requests

  • Upon request, provide applicants with:

      ◦ access to their personal information;

      ◦ an explanation of how their personal information is or has been used; and,

      ◦ a list of any individuals or organizations to whom their personal information has been disclosed.

  • Provide a copy of the information requested or a response that includes reasons for not providing access, subject to the exceptions set out in the Act, within 30 business days unless an extension of time is permitted under the Act.

  • If all or part of the requested information is refused, provide the applicant with a response that includes:

      ◦ reasons and the provision of the Act on which the refusal is based;

      ◦ the name or title and contact information of someone who can answer the applicant's questions about the refusal; and,

      ◦ information on how to request a review by the Information and Privacy Commissioner.

For Correction of Personal Information requests

  • Upon request, correct personal information that the organization verifies is inaccurate or incomplete.

  • If a correction is made, send a copy of the corrected personal information to each organization to which the incorrect or incomplete information was disclosed in the past year. 

  • If no correction is made in response to an individual's request, annotate the personal information (i.e., make a note on the record) to indicate that a correction was requested but not made.

Principle 10 - Provide recourse

To comply with this principle, an organization should:

  • Develop and implement simple and easily accessible complaint handling procedures. (See Setting Up a Complaint Handling Process).

  • Inform complainants of avenues of recourse. These include the organization's own complaint process and the Information and Privacy Commissioner. 

  • Investigate all complaints received. 

  • Take appropriate measures to correct information handling practices and policies. 


Privacy comments or questions?  E-mail us at CPIAADMIN@gems5.gov.bc.ca

This page was last updated October 24, 2003
