Personal Information Protection Policy September, 2004
This policy applies to CUPE Local 1767 and has been adopted pursuant to the
Personal Information Protection Act (BC). This policy was presented, opened for discussion, voted on, and accepted by the delegates at the 2004 CUPE 1767 AGM.
CUPE 1767 as a union is responsible under the Protection of Personal Information Act (BC) (PIPA) to protect what is defined in PIPA as "personal information" and "employee personal information".
- PERSONAL INFORMATION defined: any information about an identifiable individual, including employee personal information, and not including "contact information" and "work product information". Contact information is work contact information only such as name, work position, business title, work email, work phone number, etc. Work product information includes information prepared or collected by the union or its members as part of the union’s responsibilities or activities related to union activity. This would include the handling of a member’s grievance or collective bargaining.
An example of personal information would be a members’ unlisted home phone number.
- EMPLOYEE PERSONAL INFORMATION defined: "personal information" about someone that’s collected, used or disclosed to establish, manage or terminate their employment, but not including "personal information" that’s not connected to their employment.
An example of "employee personal information" would be our Business Agents resume.
Not all information about all individuals is affected by PIPA. Much of the information CUPE 1767 collects and uses about individuals is defined in PIPA as "work product information" about its members, collected and used by CUPE as a collective organization, for purposes connected to promoting the welfare of the group. This information is not subject to PIPA.
Other information collected and used by CUPE 1767 is subject to PIPA. That information includes personal information about its Members, employee(s) as well any information about others in the community who are not CUPE 1767 members.
CUPE 1767 protects the information of its members by ensuring that it is not disclosed to non-members except as necessary to further the interests of the membership as a whole.
Members who are concerned about the disclosure of information about them are encouraged to raise those issues with the CUPE 1767 Executive Board, with final decisions to be made democratically according to our Local’s Constitution and Bylaws.
This policy is designed to cover what is defined in PIPA as "personal information" and "employee personal information", which is included in "personal information". Where applicable, the principles of privacy protection contained in this policy should also be followed with respect to member information as well as the information covered under PIPA. Members are encouraged to use the democratic processes of the union to ensure that privacy is appropriately protected within CUPE 1767 and by CUPE 1767.
Protection of "Personal Information" and "Employee Personal Information"
CUPE 1767 as an organization is responsible for the protection of "personal information" and the proper handling of it at all times, throughout CUPE and in dealings with outside parties. We recognize that our proper handling of "personal information" is both essential to the individuals concerned and to our reputation as a union.
CUPE subscribes to the following principles for the protection of "personal information" and "employee personal information":
CUPE Local 1767 has a Privacy Coordinator to look after the protection of information under PIPA. Individuals who are concerned about information CUPE 1767 possesses, and how it is stored, used and disclosed are encouraged to contact our Privacy Coordinator.
Our Privacy Coordinator is responsible for handling questions and requests for information from the public and our members, as well as making recommendations to the Executive Board for the handling and protection of information. CUPE welcomes suggestions made to the Privacy Coordinator on how we can improve and maintain our protection of privacy.
The Privacy Coordinator will also work with other Privacy Coordinators and resource people within both CUPE BC and CUPE National to ensure that our privacy protection measures are appropriate and effective.
2. Identifying the purpose of collection, use and disclosure
Where PIPA requires it, CUPE will identify the reasons for collecting "personal information" or "employee personal information" before or at the time we collect it. As required, we will document those reasons and inform the individual from whom it is to be collected. Any further use of the information will be subject to a new consent where PIPA requires it.
3. Obtaining consent for collection, use and disclosure
It is our policy to obtain consent for the collection, use and disclosure of "personal information" as required by PIPA.
4. Limiting collection
In general, it is our policy to avoid the unnecessary collection of information. Where "personal information" under PIPA is involved, or may be involved, we will require consultation with the Privacy Coordinator or reference to the written directions of the Privacy Coordinator.
5. Limiting use, disclosure and retention
"Personal information" should only be used for the purpose for which it was collected, and should not be retained after its purpose is finished according to PIPA. There are uses for which the purpose may only seem to be completed, however. Members and employees must refer to the Privacy Coordinator for direction before destruction of "personal information" pursuant to PIPA to ensure that destruction is appropriate. Instead of destruction, the information may sometimes be altered to remove identifying information if appropriate.
The Privacy Coordinator will coordinate regular reviews with the Executive Board and any Employee(s) of CUPE 1767 to ensure that "personal information" is not retained unnecessarily.
6. Maintaining accuracy
CUPE 1767 will take every reasonable step to ensure that information used in decision making or disclosed to third parties is accurate and complete. Before making such decisions or disclosures, "personal information" must be checked.
7. Using appropriate safeguards
"Personal information" under PIPA must be protected from theft or unwarranted disclosure. All members and employees of CUPE 1767 will be advised of this requirement.
The Privacy Coordinator is responsible for ensuring that CUPE maintains adequate safeguards against theft or unauthorized access, use or disclosure. These measures will be reasonably strict depending on the sensitivity of the information involved and will be reviewed on a regular basis by the Privacy Coordinator. Any situation(s) of concern where there is a lack or seemingly a lack of safeguards shall be brought in writing to the attention of the Privacy Coordinator.
CUPE will make all reasonable efforts to inform the public, its members and its Employee(s) of this policy and any subsequent policy with respect to "personal information" under PIPA.
It is our intention to protect "personal information" as defined in PIPA, and to be as open to suggestion, criticism, complaint and inquiry as we can. The Policy Coordinator will be responsible for dealing as quickly as possible with the public, members and employees who have concerns they wish to raise and with the Privacy Commissioner under PIPA.
Complaints and requests under PIPA will be handled by the Privacy Coordinator, who will be happy to assist in drafting them.
9. Giving individuals access
Under PIPA, individuals have rights to access their "personal information". Requests for access should be made to the Privacy Coordinator, who will respond to them as quickly and effectively as possible subject to PIPA's requirements. If correction of the "personal information" is appropriate, the Privacy Coordinator will receive and act on a request for correction according to PIPA's requirements. If there is a disagreement about accuracy of the "personal information", PIPA requires CUPE 1767 to make a note of the requested correction attached to the document where the disputed information appears.
Fees may be charged under PIPA for access to "personal information", and may include the costs to CUPE 1767 of finding and copying such information. We will keep any such fees to a minimum, covering only our costs. Before doing the work, an estimate of any fees to be charged will be given.
Any decision of the Privacy Coordinator may be appealed to the Executive Board. CUPE 1767 will make every reasonable effort to resolve disputes without the need to involve the Privacy Commissioner under PIPA.
Respectfully Submitted In Solidarity and Trust
On January 1, 2004, the Personal Information Protection Act (PIPA) came into effect. PIPA will regulate the way private sector organizations collect, use, keep secure and disclose personal information.
PIPA will ensure that organizations that hold information about individuals handle that personal information responsibly. It also gives individuals control over the way information about them is handled and a right to request access to and correction of their personal information.
History and Reasons for PIPA
The following is a condensed version for the reasons for PIPA and the path it has taken to come into effect. Private sector privacy is increasingly a public priority across Canada. Surveys have shown a consistently high level of public concern over privacy issues - and a reluctance to fully embrace electronic commerce because of a fear of exchanging personal information over the Internet. Privacy and data protection issues are also an international priority. As early as 1980, the Organization for Economic Cooperation and Development (OECD) issued the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Canada became a signatory to these guidelines in 1984. In October of 1998, the European Union took a significant additional step in regulating private sector privacy through its Data Protection Directive. The European Union directive regulates all data transfers to and/or from European Union states. This would prevent data sharing with jurisdictions, including Canada, which did not have an equal level of data protection. From within Canada, there were pressures for private sector privacy from a range of interests and sectors. Most jurisdictions now have in place strong privacy legislation for personal information held by the public sector. However, neither the federal government nor the provinces, with the exception of Quebec, have privacy regulations for the private sector.
David Robertson (chair)