Personal information protection policy

BACKGROUND

The Protection of Personal Information and Electronic Data Act (PIPEDA) is federal legislation intended to protect the privacy of individuals’ personal information. OGHC must adhere to this act when collecting information from individuals who are interested in becoming co-op members, both at the time they apply for membership and when they later become co-op residents.

DEFINITIONS

  • Personal information” means any information about an identifiable individual (see Appendix A for details).
  • File” means the information collected in the course of processing an application for membership, as well as information collected during residence in the co-op.
  • Express consent” means authorization, in writing, by a person allowing identified officers and agents of the board to collect, use, and disclose the individual’s personal information for the purposes set out in the application and/or forms.
  • “Third Party” means a person or company that provides services to the co-op such as a property management company, credit bureau, auditor, lawyer, or collection agency.

PURPOSE OF THE POLICY

  1. To state the purpose for which applicants’ and residents’ personal information will be collected and
  • with whom it will be shared,
  • how it will be protected from inappropriate disclosure, and
  • how long it will be retained.
  1. To state how applicants and residents may access their co-op file in order to review, clarify or correct their personal information.
  2. To demonstrate that the co-op is in compliance with relevant federal and provincial privacy legislation.

ADMINISTRATION

  1. The board of directors will appoint a Personal Information Protection (PIP) Officer from a list of members who are willing to serve in this capacity. The initial appointment will be for a one-year term, renewable by mutual agreement.
  2. The PIP Officer will report to the co-op board and general membership at least twice a year.
  3. The PIP Officer is responsible for:
    1. analyzing and documenting the co-op’s present personal information handling practices and identifying any deficiencies.
    2. ensuring that the co-op complies with federal and provincial privacy legislation.
    3. ensuring compliance with PIPEDA by any third party which handles applicants’ or residents’ personal information on the co-op’s behalf.
    4. answering questions about the co-op’s protection of personal information policy and practices from applicants/residents.
    5. investigating complaints from applicants/residents about inappropriate handling or disclosure of personal information.
    6. regularly reviewing this policy
  4. Complete terms of reference for this position will be approved by the Board, provided to the individual who is appointed as PIP Officer, and to all members of the co-op (password protected).

IMPLEMENTATION

In implementing the Personal Information Protection Policy, OGHC will follow the principles outlined in PIPEDA, as they apply to the business activities of the Co-op, namely renting housing units to co-op members.

1. Being Accountable

  1. The co-op will appoint a PIP Officer.
  2. Every applicant/resident shall be given the PIP officer’s contact information and this information will be posted on the OGHC website.

2. Identifying the Purpose

Before information is collected, the applicant/resident must be told the purpose for collecting the information, how it will be used, protected and retained.

3. Obtaining Informed Consent

  1. The applicant/resident must expressly consent to the collection of information, either in writing or electronically. If the applicant/resident is incapable of giving written informed consent, this may be obtained from the individual’s legal guardian or the person holding power of attorney.
  2. If personal information is to later be used for a different purpose, another signed consent statement must be obtained from the applicant/resident or his/her legal guardian or the person holding power of attorney.
  3. An applicant/resident can choose not to provide some or all of the personal information requested. If an applicant/resident refuses to provide information which is necessary for the board or its agents to carry out their duties, the applicant/resident must be informed of the consequences of that refusal, which may include rejection of their application for residence at the co-op or other measures deemed appropriate by the board or its agents.
  4. Consent to use or disclose information that has already been collected may be withdrawn by the applicant/resident if there are no legal restrictions, and the request is in writing. If that withdrawal affects the member’s status in the co-op, s/he will be informed accordingly.

4. Limiting Collection of Personal Information

The co-op will limit the amount and/or type of personal information collected from applicants/residents to the minimum that is necessary for the identified purpose.

5. Limiting Use, Disclosure and Retention of Personal Information

 5.1 Limiting Use

The co-op will only use personal information for the purposes to which the individual has consented, except in the following circumstances (as permitted under PIPEDA):

  • the use is clearly in the individual’s interest, and consent is not available in a timely way;
  • an emergency exists that threatens an individual’s life, health or security;
  • the use is for research where the identity of individuals cannot be determined. The co-op retains the right to use and disclose statistical data as it considers appropriate.
 5.2 Limiting Disclosure
  1. Personal information will only be disclosed on a need-to-know basis to members of the board of directors, members of co-op committees, agents of the board, and co-op employees, except as provided in (b) below.
  2. PIPEDA permits the co-op to disclose personal information to third parties, without an individual’s knowledge and consent, in order to:
  • collect a debt owed to the co-op by the resident;
  • provide information to a lawyer representing the co-op;
  • comply with a subpoena, warrant or court order made by a body with appropriate jurisdiction;
  • comply with a federal or provincial law.
5.3 Limiting Retention
  1. The co-op will keep personal information about applicants/residents only as long as necessary to satisfy the purpose for which the information was collected.
  2. Personal information that was used to make a decision about an applicant/resident will be kept for sufficient time to allow the individual to appeal the decision, if this is permitted.
  3. The co-op will adhere to any legal or contractual requirements to retain specific types of financial information, eg. proof of household income, receipt of rent subsidy etc.
  4. Information that is not needed will be returned to the individual. If the individual cannot be located, it will be destroyed or erased so that no breach of an individual’s privacy can occur when it is disposed of.

6. Ensuring Accuracy

  1. The co-op will contact all residents annually to ensure that the personal information in an individual’s active file is accurate, current and complete.
  2. Applicants/residents are requested to notify the co-op office promptly of any changes in their personal information.
  3. Applicants approved for membership, whose names are on the External Waiting List for units, will be contacted annually to ensure their personal information is up-to-date.

7. Using Appropriate Safeguards

OGHC will use physical, organizational, and technological measures to safeguard the personal information of applicants/residents.

 7.1 Organizational Safeguards:
  1. Personal information provided by applicants/residents will only be disclosed to a limited number of authorized people (see 5.2)
  2. People given access to personal information on applicants/residents are not permitted to copy or retain any information. Once the purpose for being provided with this information has been fulfilled, they must return the documents to the co-op office for destruction.
  3. Members of the board of directors, members of co-op committees, and co-op employees who have access to applicant/residents’ personal information are required to sign a confidentiality agreement annually (see Appendix B). Signed agreements are retained by the secretary of the board
 7.2 Physical Safeguards:
  1. Active files are stored in locked filing cabinets when not in use. Access to these files will be restricted to members of the board of directors, members of co-op committees, and co-op employees, on a need-to-know basis.
  2. Access to work areas where electronic files may be in use is restricted to designated members of the board of directors or co-op committees, to designated co-op employees and authorized third parties.
7.3 Technological Safeguards:
  1. The co-op’s Internet router or server has firewall protection sufficient to protect personal and confidential business information against unauthorized intrusion.
  2. The co-op’s computer is password protected. Personal information contained in the co-op’s computer and electronic databases is also password protected. Passwords are changed at least annually, and only shared on a need-to-know basis.

8. Being Open

  1. The co-op will distribute copies of the Personal Information Protection policy to all residents, and will make it available to applicants by posting it on the publically-accessible area of the co-op’s website.
  2. The co-op will develop plain language materials for applicants/residents that explain how to contact the PIP Officer to request access to their file, or to make a complaint

9. Giving Individuals Access

  1. An applicant/resident shall make a written request to the co-op’s PIP Officer for access to his/her file in order to a) verify that the personal information held by the co-op is accurate and/or b) to review to whom the information has been disclosed (as permitted by PIPEDA).
  2. Within 7 days of this request, the PIP Officer will set up a meeting at which the individual can review his/her file (in paper or electronic form). The file must be reviewed in the co-op office.
  3. Errors will be corrected promptly. However, the PIP Officer may refuse to make corrections unless the individual can provide documentary evidence to verify the correct information. This refusal will be recorded in the applicant/resident’s file, noting the requested correction and giving the reason it was not made.
  4. Requests to the PIP Officer for copies of personal information on file (if not restricted by confidentiality regulations) will be accommodated within 7 working days. Proof of identity and proof of right of access to the information may be required. Copies will be made without charge, but the cost of delivery by courier must be borne by the requestor.

10. Dealing with Complaints

  1. If an applicant/resident has a concern about the co-op’s personal information handling practices, a written complaint should be made to the co-op’s PIP Officer who will act promptly to investigate.
  2. If the Officer decides that the individual’s complaint is well founded, he/she will take the necessary steps to correct the offending practice and/or to revise relevant co-op policies and procedures. The Officer will provide a written report of the investigation’s findings to the individual, with a copy to the co-op’s board of directors.
  3. Where the PIP Officer determines that the individual’s complaint is not well founded, the individual will be notified of this in writing.
  4. If the individual is not satisfied with the PIP Officer’s findings and corresponding action taken, he/she may take the matter to the co-op’s Member Relations Committee (see OGHC Dispute Resolution Policy).
  5. The individual should also be informed that s/he may bring a complaint about the co-op’s personal information handling practices to the Office of the Privacy Commissioner of Canada, www.privcom.gc.ca.

OGHC PERSONAL INFORMATION PROTECTION POLICY

APPENDIX A

If collected, the following information about applicants and co-op residents is considered personal information:

Household size and composition
Age and gender of household members under 18 years.
E-mail address, telephone number, & mailing address of adult household members
Household annual income (applicants)
Reference information from previous landlords (applicants)
Medical information related to housing requirements
Record of Member Share payment
Record of MHRC annual approval of occupancy charge subsidy
Information about household pets, record of annual rabies vaccination
Licence plate numbers of household vehicle and bicycles
Proof of purchase of home insurance policy
Record of occupancy charge payments
Record of financial agreements with the co-op
Record of request to correct personal information on file
Record of damage to co-op property
Record of complaints filed by others against members of the household

 

APPENDIX B

Confidentiality Agreement for Committee Members

Confidential information is

  • personal and financial information about applicants, members and their household,
  • personal and financial information about co-op employees, and
  • information about present or future co-op business.

I have read the co-op’s Personal Information Protection Policy, and I understand the actions I must take to protect applicants’ and members’ personal information from inappropriate disclosure.

 

I agree that I will keep confidential any information that I know through my position with the co-op, unless authorized by the board of the co-op, or required by law.

 

This agreement applies while I am a member of the committee and afterwards.

 

NAME:             _____________________________________________________

 

POSITION / COMMITTEE:                                ____________________________________________

 

_________________________________________________________________

 

 

Signed:             _____________________________________

 

Date:               _____________________________________