Personal Information Protection and Electronic Documents (PIPEDA)
This document constitutes the policy and procedures for the protection of personal information as required by Bill C-6, Protection of Personal Information and Electronics Documents Act (hereinafter referred to as "the Act") for the WMC.
2.0 Proposed WMC Policy Statement
WMC is committed to protecting any of your personal information in our possession. We will not disclose any of our personal information other than for its intended use, which is to provide labour market solutions for the advanced wood processing sector. We will only use any personal information for identified purposes set out in WMC's mandate and we will not disclose or use this information without obtaining consent from you.
We will work to ensure that any third parties that we do business with are compliant with the Personal Information Protection and Electronic Documents Act (PIPEDA).
WMC protects your electronic and paper based data with security systems to prevent unauthorized access, disclosure or misuse. If you would like to access your personal information, please make your request to the contact listed below.
3.0 Privacy Office within WMC
The staff person responsible within WMC for the protection of all personal information is the Manager of Administrative Services. The Manager of Administrative Services is the defined Privacy Officer in accordance with the Act.
The President, Director of Communications and the Manager of Administrative Services of WMC are the staff members that make up the PIPEDA task force. The task force is set-up to help the Privacy Officer ensure that the WMC office is compliant with the ten principles that organizations must follow.
The President of WMC is ultimately accountable for compliance with the provisions of the Act. It is his/her responsibility to:
- Maintain this document in a current state;
- Develop and maintain staff training programs and materials concerning these policies and practices; and
- Provide information explaining WMC policies and procedures.
4.0 What is Personal Information?
Personal information includes any information about an identifiable individual. For example, name, address, gender, age, ID numbers, income, ethnic origin, employee files, opinions, evaluations, comments, social status, or disciplinary actions, existence of a dispute, intentions (for example, to change jobs). An individual's name need not be attached to the information in order for it to qualify as personal information.
Personal information as defined in the Act does not include an employee's name, title, business address or telephone number or the use or disclosure of personal information strictly for personal purposes (e.g. personal greeting card list).
5.0 Personal Information Collected by WMC
The following is a list of personal information collected by WMC.
- Contact lists for information sharing and communications (non-sector council members)
- Information related to employment at WMC
- Information received from persons seeking employment at WMC
- Information received from persons applying for membership with WMC
- Information received from and about persons registered in workshops, seminars, and other programs offered by the WMC and its partners
- Information posted to the WMC web site, including the members only section
- Information received from participants in industry consultation activities
- Information provided to and received from third parties, such as consultants, who are contracted through WMC to do work for WMC and on behalf of WMC members
6.0 General Safeguards to Protect Personal Information
To protect the personal information within the WMC office, the following procedures are in place:
- Main access doors are locked at all times.
- Doors to the accounting office (and files) and the office where the computer servers are located are locked when staff are not in the office.
- The WMC network uses a combination of hardware, software applications and security polices to secure the WMC electronic network. The WMC has in place an Internet firewall, which has a number of features that improve our ability to block-unauthorized access to the WMC network.
- All servers and workstations receive regular software upgrades and security patches that are recommended by our computer vendors are installed.
- A layered Anti-Virus system scans incoming and outgoing e-mails for computer viruses.
7.0 Process for Handling Requests for Personal Information
This process is related to access of information: "A person may request information on the existence, source, use and disclosure (including third parties) of his/her personal information." The following is the process for handling requests for personal information:
- The person makes a request for details about their personal information to WMC.
- This request is sent/directed to the Privacy Officer.
- The Privacy Officer responds to the person in writing.
- The Privacy Officer responds to the request within two weeks of receiving the Form/Letter.
- If the person would like to see a list of personal information WMC has about them, the Privacy Officer will send them a hard copy of the list through the mail, marked confidential.
- If the person would like to see the personal information that WMC has about them the Privacy Officer will schedule a meeting with that person to give them access to this personal information.
- In the letter and/or in the meeting, the Privacy Officer will let the individual know that they are welcome to follow up at any time.
- After sending the letter or holding the meeting with the person, the Privacy Officer will record the letter/meeting information in a hard copy file that is stored in a stored in a locked file cabinet.
8.0 Withdrawal of Consent
A WMC member, employee, or person on a WMC contact list may withdraw consent to hold the information in Section 4 at any time, subject to legal or contractual restrictions. This must be done in writing and with reasonable notice. If consent to hold information is withdrawn, WMC will destroy that information in accordance with the procedures in section 9.0 and carry out any other action related to the implications as necessary.
9.0 Process for Destruction of Personal Information
There are two situations where the destruction of personal information will be necessary. This destruction of personal information will occur when there is a withdrawal of consent or the retention of information is no longer necessary. This could occur when the maximum retention time has been met, or the information is no longer relevant.
The process is as follows for withdrawal of consent:
- The person requests in writing stating that they would like to withdraw their consent for WMC to use their personal information for the purpose(s) stated.
- The Privacy Officer will gather the information to be destroyed (in both paper format and electronic).
- The paper-based information will be shredded, then disposed of in either the trash or recycle bin.
- The electronic information will be deleted from all of the electronic files where it is stored.
- The Privacy Officer will access all of the available electronic drives and files to ensure it is deleted.
- The information will be deleted from all backup records on the WMC server.
- Once the information is destroyed, the Privacy Officer will record the following information and keep it in a labeled destruction of personal information file.
- The file will be stored in a locked file cabinet, only accessible by the President.
10.0 Compliance Challenges
Any individual may address a challenge concerning WMC compliance with the Act with respect to section 4.0 to the Privacy Officer. The complaint procedure is outlined in section 11.0. WMC will investigate all complaints, and if justified, take appropriate measures, including amending these policies and procedures.
11.0 Process for Handling Compliance Challenges
When WMC receives a compliance challenge or complaint, these steps are followed:
- When the challenge or complaint is received in the WMC office, the Privacy Officer is immediately made aware of the situation.
- The contact information for the complainant is recorded and is sent to the Privacy Officer immediately.
- The person is asked to complete the request in writing and return it to the Privacy Officer.
- When the Privacy Officer receives the request in writing, the Privacy Officer reviews it and responds to the complaint within a reasonable amount of time.
- The Privacy Officer informs the complainant that they may contact the Privacy Commissioner about the complaint.
12.0 Review and Assessment
This PIPEDA policy and contents will be assessed, reviewed and updated on an annual basis. As the contents of this policy are dynamic, each WMC staff member will be required to review this policy once a year, to maintain their knowledge of privacy requirements and provide feedback on the content.