Title: Privacy of Personal Information
Policy Number: H4
Effective Date: 12 December 2003
Last Revision Date: May 2014
Approved by: Chief Executive Officer
Assessment Strategies Inc. (ASI) is committed to protecting the privacy of all individuals with whom they collect information from whether personal or business related information. ASI collects uses and discloses Personal Information for purposes consistent with its mission, vision and values. In recognition that individuals have rights and interests with respect to their information, ASI issues this policy statement to ensure that the Personal Information that it collects uses and discloses is protected accordingly.
This Policy explains how ASI collects, uses and discloses Personal Information concerning its clients and other individuals, including contractors and employees of agencies with whom ASI is doing business and to clients and suppliers of ASI.
Personal Information: The term “Personal Information” refers to any information about an identifiable individual or any information that allows an individual to be identified. In general, personal information does not include business contact information, such as a person’s name, title or position, business address, business telephone or fax number in a person’s capacity as an employee of an organization. During a person’s relationship with ASI, that person may be asked to provide certain personal information concerning that person and/or other individuals (such as family members, adverse parties, employees, directors, officers, shareholders, investors, business partners, customers, examination candidates, etc.). Examples of such information include name, date of birth, home address, financial and credit information, billing and account information and other information relating to the provision services by ASI.
Privacy: the right or interest in controlling or limiting the access of others to oneself.
Confidentiality: the duty of someone who has received confidential information in trust to protect that information and disclose it to others only in accordance with permissions, rules or laws authorizing its disclosure.
Security: safeguards to ensure that information is processed (accessed, used, disclosed) only as authorized and to prevent unauthorized processing.
ASI is accountable to those whose Personal Information comes under its custody and control for ensuring that their information is protected in a manner consistent with this policy. ASI will use reasonable means to hold its employees and those to whom it discloses Personal Information accountable for protecting Personal Information that comes under its custody in conformity with the provisions in this policy. Accountability for ASI’s compliance with the policy rests with ASI’s Finance Officer (“FO”), or delegate. As the FO is accountable for ASI’s compliance, she/he has decision-making authority regarding the interpretation and application of the policy, subject to the Complaints section.
Identifying PurposesASI identifies the purposes for which it collects uses and discloses Personal Information prior to the time ASI collects the information. ASI only collects uses or discloses Personal Information for purposes consistent with operationalizing its mandate and core functions, which purposes include: the provision of personnel services and benefits, testing tools (e.g. nominal rolls, marks), statistical analysis, research, reporting and policy developments. ASI supports the principle of data providers informing individuals about the purposes at or before the time of collecting Personal Information.
Consent for Collection, Use or DisclosureKnowledge and consent of an individual are required for the collection, use or disclosure of Personal Information, except where legally permissible. Individuals with a direct relationship with ASI may withdraw their consent and can do so by contacting ASI.
CollectionASI limits the collection of Personal Information to that which is necessary for the purposes it has identified. ASI collects Personal Information by fair and lawful means.
Use and RetentionASI does not use Personal Information for purposes other than those identified prior to collection, except with the consent of the individual or as required by law. “Use” includes processing Personal Information in such a way that it no longer allows an individual to be identified. ASI allows only authorized staff to access and use specific data holdings of Personal Information on a “need-to-know” basis, that is, when required to perform their duties. Personal Information is retained only as long as necessary for the fulfillment of purposes identified at collection. For purposes of longterm analysis and reporting, ASI may retain Personal Information indefinitely. Personal Information that is no longer required to fulfill the identified purposes is destroyed, erased, or made anonymous in a secure manner.
DisclosureASI may only disclose or publish non-identifiable (e.g. aggregated) information derived from Personal Information having used reasonable precautions to ensure that individuals cannot forseeably be identified by linking this information with other information. ASI may also take into consideration the potential that even nonidentifiable information derived from Personal Information can reflect upon groups or communities. ASI may disclose Personal Information only when: a) The recipient is the data provider that originally provided the Personal Information to ASI, or b) The disclosure is required by legislation, or c) ASI has obtained the consent of the individuals concerned and the recipient has signed an agreement that: prohibits linking the information received with other information, unless authorized to do so; limits the purposes for which the Personal Information may be used or disclosed to those identified prior to its collection; adequately safeguards the Personal Information; limits publication or disclosure to aggregated data, which do not allow identification of any individual, unless authorized to identify the individual; and permits ASI to conduct on-site compliance audits. ASI may charge a cost-recoverable fee to fulfill requests for or access to Personal Information.
AccuracyPersonal Information will be as accurate, complete and up-to-date as necessary for the purposes for which ASI collects uses or discloses it. ASI updates Personal Information when necessary to fulfill the purposes for which the information is collected, used or disclosed. ASI uses educational programs, data quality programs, data coding standards to foster the collection and use of Personal Information for its purposes. Data providers are responsible for ensuring the Personal Information they provide to ASI is accurate, complete and up-to-date for the purpose specified.
SafeguardsASI protects Personal Information with security safeguards appropriate to the sensitivity and identifying nature of the information. The security safeguards protect Personal Information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. ASI protects Personal Information that it holds or transmits regardless of the format in which it is held. The nature of the safeguards depends on the sensitivity of the information that has been collected, the amount, distribution and format of the information and the method of storage. A higher level of protection safeguards more sensitive information. Examples of such measures include restricted access to offices, training of personnel, limiting access to information on a “need-to-know” basis, using passwords and well-defined internal policies and practices.Care is used in the disposal or destruction of Personal Information to prevent unauthorized parties from gaining access to the information. ASI makes its employees aware of the importance of maintaining the confidentiality of Personal Information. To the extent ASI employs third-party service providers to store, handle or process Personal Information on ASI’s behalf (e.g. data processing or office services), ASI will use contractual and other means to provide a comparable level of protection while the information is being stored, handled or processed by them.
Transparency and OpennessThose whose Personal Information ASI collects, uses and discloses are entitled to know what ASI’s practices and policies are in connection with this information and to challenge those practices and policies. ASI is committed to ensuring that its practices and policies relating to Personal Information are transparent, explicit and open for scrutiny. ASI makes readily available information about its practices and policies in order to promote transparency, explicitness and scrutiny.
Individual Access to and Amendment of Personal InformationUpon request, ASI informs an individual what Personal Information it has collected, used or disclosed about him or her, and from whom it has been collected and to whom it has been disclosed. In providing an account of third parties from which it has collected or to which it has disclosed Personal Information about an individual, ASI will be as specific as possible. ASI responds to an individual’s request to amend his or her Personal Information within a reasonable time and at minimal or no cost to the individual. Subject to certain exceptions prescribed by law, an individual will be given reasonable access to his or her Personal Information and will be entitled to challenge the accuracy and completeness of that information and, to the extent that such individual has proven such inaccuracy or incompleteness, have it amended as appropriate. Examples of such exceptions include information that is prohibitively costly to provide, information that contains references to other individuals, information that cannot be disclosed for legal, security or commercial proprietary reasons, and information that is subject to solicitorclient or litigation privilege.
Contact InformationIn writing:
Finance Officer Assessment Strategies Inc.
210-1400 Blair Place Ottawa ON K1J 9B8
Facsimile: (613) 237-6684
Telephone: (613) 237-0241