Our Privacy Commitment to You:
The Human Resources Professionals Association (HRPA) is committed to keeping the personal information of its members and customers accurate, confidential, secure and private. This Privacy Policy/Code has been designed to inform employees, members, customers, and subcontractors of HRPA of our commitment to, and recognition of, our obligation to meet the spirit and terms of the federal Personal Information Protection and Electronic Documents Act (PIPEDA).
This Privacy Policy describes the principles HRPA will use to protect the privacy of personal information in its possession. It addresses the reasons why such information is collected, how it is used, how it’s confidentially protected and outlines customers’ rights with respect to this information. This Privacy Policy incorporates and expands the 10 principles for the protection of personal information, as devised by the Canadian Standards Association (CSA). Disclosure of information shall be consistent with this policy.
This Privacy Code does not apply to information about business customers who carry on business as corporations, partnerships or other forms of association. HRPA does, however, protect the confidentiality of such information in accordance with the law and our own policies.
Bill Greenhalgh, Chief Executive Officer, HRPA
Introduction:
At HRPA, member privacy is a high priority. We employ long-standing practices that protect the privacy of members and customers in all our business operations. The HRPA Privacy Code is a formal statement of principles and guidelines concerning the minimum requirements for the protection of personal information provided by HRPA to its members, customers and employees. The objective of the HRPA Privacy Code is to promote responsible and transparent practices in the management of personal information, in accordance with the provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA). HRPA will continue to review its Privacy Code to ensure it is relevant and remains current with changing technologies and laws. Most importantly, HRPA wants to ensure it continues to meet the evolving needs of our members, customers and employees.
Gary Monk, CMA, Chief Privacy Officer, Director, Finance & Information Systems
Summary of Principles:
HRPA is accountable for the protection of all personal information within the Association’s possession or control, including any personal information that has been transferred to a third party for regulatory, legal or processing purposes. HRPA will require a comparable level of protection of this information from its third party relations.
Gary Monk is designated as HRPA’s Chief Privacy Officer, and has overall responsibility for our protection of personal information and for HRPA’s compliance with this Privacy Policy.
Personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form such as a personal e-mail address, credit card numbers, home addresses and so on. It does not include information normally found on a business card, such as name, title, company, business address, business telephone or fax number.
HRPA will obtain consent before or when it collects, uses or discloses personal information about an individual. An individual can provide consent to the collection, use and disclosure of personal information about them expressly or implicitly. HRPA will collect, use or disclose personal information without an individual’s consent only in limited circumstances as permitted by law, or as outlined in this policy (see Principle 3 – Consent & Disclosure). Subject to certain legal and contractual restrictions and reasonable notice, an individual can refuse or withdraw their consent to the collection, use or disclosure of personal information about them at any time.
All existing members and customers will be informed of what types of personal information have been collected, the purpose for the collection and the procedures available for contacting HRPA with any inquiries. All new members and customers will be provided with a consent form and an accompanying explanation about the collection, use and disclosure of their personal information when requesting service.
HRPA limits the amount and type of personal information it collects to that which is necessary for the business of the Association. Each affiliate of HRPA will be responsible for its own collection, use and disclosure of information. Personal information will be collected using procedures which are fair, transparent and lawful.
- Limiting Use, Disclosure and Retention
HRPA will only use the personal information for the purpose for which it was collected as identified in principle #2, unless consent is given by the individual to use or disclose it for another purpose.
HRPA will develop explicit retention periods for personal information after which the personal information will be destroyed or made anonymous.
Under certain exceptional circumstances, HRPA may have a legal duty or right to disclose personal information without the individual’s knowledge or consent.
In order to ensure the reliable delivery of products, services and information, all personal information will be kept accurate, complete and up to date.
Individuals may challenge the accuracy and completeness of personal information about them and have it amended, as appropriate.
In executing its responsibilities with respect to the confidentiality of personal information, HRPA will employ a number of safeguards, appropriate to the sensitivity of the information, to protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Such safeguards will include physical measures, for example locked filing cabinets, restricted access to offices, security clearances and limiting access on a “need to know” basis, and use of passwords and encryption. Procedures for implementing these measures will be communicated to all employees and third parties to ensure compliance with this principle.
HRPA will make its policies and practices relating to the protection of personal information available to its members and customers. HRPA will keep its members and customers informed of these policies and practices and members and customers shall be provided access to all related policies and procedures via HRPA’s web page. The information will be available in a format that is easy to understand.
Any member or customer of HRPA can have access to the personal information about them that HRPA has in its possession or control. Any member or customer may request that their personal information be amended for purposes of accuracy and completeness.
Customers can make their requests by telephone, via e-mail, or in writing. Contact information is provided under point #10, page six.
Response to an individual’s request will be made in a timely and efficient manner.
Any member or customer of HRPA may challenge HRPA’s compliance with this Privacy Policy by contacting our Chief Privacy Officer directly. HRPA has policies and procedures to receive, investigate and respond to individuals’ complaints and questions. If the member or customer is not satisfied with the way HRPA has responded to a complaint, the customer can contact the Privacy Commissioner of Canada.
Contact Information for HRPA’s Chief Privacy Officer:
Mr. Gary Monk, Director, Finance & Information Systems
HRPA
2 Bloor Street West, Suite 1902
Toronto, ON M4W 3E2
Mr. Monk’s direct contact information:
Phone: 1-800-387-1311 ext. 307
Fax: 1-647-288-4326
E-mail: gmonk@hrpao.org
If using e-mail as a point of contact, please ensure that you identify “Privacy” in your subject line.
Scope and Application:
The ten principles, which form the basis of the HRPA Privacy Code, are interrelated and HRPA shall adhere to the ten principles as a whole. Each principle must be read in conjunction with the accompanying commentary. As permitted by the Personal Information Protection and Electronic Documents Act (PIPEDA), the commentary in the HRPA Privacy Code has been tailored to reflect personal information issues specific to HRPA.
The scope and application of the HRPA Privacy Code are as follows:
- The Code applies to personal information about HRPA members, customers and employees that is collected, used or disclosed by HRPA.
- The Code applies to the management of personal information in any form whether oral, electronic or written.
- The Code does not impose any limits on the collection, use or disclosure of the following information by HRPA:
- a member or customer’s name, address, telephone number and e-mail address, when listed in a directory or available through directory assistance;
- an employee’s name, title, business address (including e-mail address) or business telephone or fax number; or
- other information about the member, customer or employee that is publicly available and is specified by regulation pursuant to the Personal Information Protection and Electronic Documents Act (PIPEDA).
- The Code does not apply to information regarding HRPA’s corporate customers; however, such information is protected by other HRPA policies and practices and through contractual arrangements.
- The application of the HRPA Privacy Code is subject to the requirements and provisions of Part 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA), the regulations enacted thereunder, and any other applicable legislation or regulations.
Definitions:
Collection – the act of gathering, acquiring, recording, or obtaining personal information from any source, including third parties, by any means.
Consent – voluntary agreement with the collection, use and/or disclosure of personal information for defined purposes. Consent can be either express or implied and can be provided directly by the individual or by an authorized representative. Express consent can be given orally, electronically or in writing, but is always unequivocal and does not require any inference on the part of HRPA. Implied consent is consent that can reasonably be inferred from an individual’s action or inaction.
Member – a member of HRPA.
Customer – an individual who uses, or applies to use, HRPA’s products or services.
Disclosure – making personal information available to a third party.
Employee – an employee of HRPA.
Personal Information – information about an identifiable member, customer or employee, but does not include aggregated information that cannot be associated with a specific individual.
For an employee, such information includes information found in personal employment and training files, performance appraisals, and medical and benefits information, but does not include the employee’s name, title, business address (including e-mail address) or business telephone or fax numbers.
HRPA – HRPA and its affiliate companies including Chapters, as they may exist from time to time.
Third Party – an individual or organization outside HRPA.
Use – the treatment, handling, and management of personal information by and within HRPA.
The HRPA Privacy Code in Detail:
Principle 1 – Accountability
HRPA is responsible for personal information under its control and as such has designated Mr. Gary Monk, Director, Finance & Information Systems, as our Chief Privacy Officer accountable for HRPA’s compliance with the following principles:
- Responsibility for ensuring compliance with the provisions of the HRPA Privacy Code rests with the Chief Privacy Officer. The Chief Privacy Officer may however delegate to other HRPA employees to act on their behalf for certain responsibilities.
- HRPA shall make known, upon request, the title of the person(s) acting on behalf of the Chief Privacy Officer, and for what responsibilities.
- HRPA is responsible for personal information in its possession or control. HRPA shall use appropriate means to provide a comparable level of protection while information is being processed by a third party (see Principle 7).
- HRPA shall implement policies and procedures to give effect to the HRPA Privacy Code, including:
- implementing procedures to protect personal information and to oversee HRPA’s compliance with the HRPA Privacy Code;
- establishing procedures to receive and respond to inquiries or complaints;
- training and communicating to staff about HRPA’s policies and procedures; and
- developing public information to explain HRPA’s policies and practices.
Principle 2 – Identifying Purposes
HRPA shall identify the purposes for which personal information is collected at or before the time the information is collected.
- HRPA collects personal information only for the following purposes:
- to establish and maintain responsible relations with members and customers and to provide ongoing service;
- to understand member and customer needs and preferences;
- to develop, enhance, market or provide products and services;
- to manage and develop HRPA’s business and operations, including personnel and employment matters; and
- to meet legal and regulatory requirements.
Further references to “identified purposes” mean the purposes identified in this Principle.
- HRPA shall specify orally, electronically or in writing the identified purposes to the member, customer or employee at or before the time personal information is collected. Upon request, persons collecting personal information shall explain these identified purposes or refer the individual to a designated person within HRPA who shall explain the purposes.
- Unless required by law, HRPA shall not use or disclose for any new purpose personal information that has been collected without first identifying and documenting the new purpose and obtaining the consent of the customer or employee.
Principle 3 – Consent & Disclosure
The knowledge and consent of a member, customer or employee are required for the collection, use or disclosure of personal information, except where inappropriate. In certain circumstances personal information can be collected, used or disclosed without the knowledge and consent of the individual.
For example, HRPA may collect or use personal information without knowledge or consent if it is clearly in the interests of the individual and consent cannot be obtained in a timely way, such as where the individual is seriously ill or mentally incapacitated.
HRPA may also collect, use or disclose personal information without knowledge or consent if seeking the consent of the individual might defeat the purpose of collecting the information, such as in the investigation of a breach of an agreement or a contravention of a federal or provincial law.
HRPA may also use or disclose personal information without knowledge or consent in the case of an emergency where the life, health or security of an individual is threatened.
HRPA may disclose personal information without knowledge or consent to a third party representing HRPA, to collect a debt, to comply with a subpoena, warrant or other court order, or as may be otherwise required or authorized by law.
- In obtaining consent, HRPA shall use reasonable efforts to ensure that a customer or employee is advised of the identified purposes for which personal information will be used or disclosed. Purposes shall be stated in a manner that can be reasonably understood by the customer or employee.
- Generally, HRPA shall seek consent to use and disclose personal information at the same time it collects the information. However, HRPA may seek consent to use and disclose personal information after it has been collected, but before it is used or disclosed for a new purpose.
- HRPA will require customers to consent to the collection, use or disclosure of personal information as a condition of the supply of a product or service only if such collection, use or disclosure is required to fulfill the identified purposes.
- In determining the appropriate form of consent, HRPA shall take into account the sensitivity of the personal information and the reasonable expectations of its customers and employees.
- In general, the use of products and services by a member or customer, or the acceptance of employment or benefits by an employee, constitutes implied consent for HRPA to collect, use and disclose personal information for all identifiable purposes.
- A member, customer or employee may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. Members, customers and employees may contact HRPA for more information regarding the implications of withdrawing consent.
- In circumstances of member discipline, HRPA shall disclose to our members, via the Association’s website, the disciplinary sanction(s) imposed upon our members. In such circumstances the member information disclosed shall be limited to:
- the member’s name;
- the member’s number;
- an overview of the infraction(s); and
- the sanction(s) imposed.
Disclosure of such information shall not require the consent of the member.
Information disclosed shall reside on the Association’s website for a period of 12 months.
Principle 4 – Limiting Collection
HRPA shall limit the collection of personal information to that which is necessary for the purposes identified by HRPA. HRPA shall collect personal information by fair and lawful means.
- HRPA collects personal information primarily from its members, customers or employees.
- HRPA may also collect personal information from other sources including credit bureaus, employers or personal references, or other third parties who represent that they have the right to disclose the information.
Principle 5 – Limiting Use, Disclosure and Retention
HRPA shall not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required by law. HRPA shall retain personal information only as long as necessary for the fulfillment of those purposes.
- HRPA may disclose a customer’s or member’s personal information to:
- a person who in the reasonable judgment of HRPA is seeking the information as an agent of the member or customer;
- a company or individual employed by HRPA to perform functions on its behalf, such as research or data processing;
- another company or individual for the development, enhancement, marketing or provision of any of HRPA’s products or services;
- a third party or parties, where the member or customer consents to such disclosure or disclosure is required by law.
- HRPA may disclose personal information about its employees:
- for normal personnel and benefits administration;
- in the context of providing references regarding current or former employees in response to requests from prospective employers; or
- where the employee consents to such disclosure or disclosure is required by law.
- Only HRPA’s employees with a business need to know, or whose duties reasonably so require, are granted access to personal information about members, customers and employees.
- HRPA shall keep personal information only as long as it remains necessary or relevant for the identified purposes or as required by law. Depending on the circumstances, where personal information has been used to make a decision about a member, customer or employee, HRPA shall retain, for a period of time that is reasonably sufficient to allow for access by the member, customer or employee, either the actual information or the rationale for making the decision.
- HRPA shall maintain reasonable and systematic controls, schedules and practices for information and records retention and destruction which apply to personal information that is no longer necessary or relevant for the identified purposes or required by law to be retained. Such information shall be destroyed, erased or made anonymous.
Principle 6 – Accuracy
Personal information shall be accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
- Personal information used by HRPA shall be sufficiently accurate, complete, and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about a customer or employee.
- HRPA shall update personal information about members, customers and employees as and when necessary to fulfill the identified purposes or upon notification by the individual.
Principle 7 – Safeguards
HRPA shall protect personal information by security safeguards appropriate to the sensitivity of the information.
- HRPA shall protect personal information against such risks as loss or theft, unauthorized access, disclosure, copying, use, modification or destruction, through appropriate security measures. HRPA shall protect the information regardless of the format in which it is held.
- HRPA shall protect personal information disclosed to third parties by contractual agreements stipulating the confidentiality of the information and the purposes for which it is to be used.
- All of HRPA’s employees with access to personal information shall be required to respect the confidentiality of that information.
Principle 8 – Openness
HRPA shall make readily available to members, customers and employees specific information about its policies and practices relating to the management of personal information.
- HRPA shall make information about its policies and practices easy to understand, including:
- the title and address of the person or persons accountable for HRPA’s compliance with the HRPA Privacy Code and to whom inquiries or complaints can be forwarded;
- the means of gaining access to personal information held by HRPA; and
- a description of the type of personal information held by HRPA including a general account of its use.
- HRPA shall make available information to help members, customers and employees exercise choices regarding the use of their personal information.
Principle 9 – Individual Access
HRPA shall inform a member, customer or employee of the existence, use and disclosure of his or her personal information upon request and shall give the individual access to that information. A member, customer or employee shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
- Upon request, HRPA shall afford members, customers and employees a reasonable opportunity to review the personal information in the individual’s file. Personal information shall be provided in understandable form within a reasonable time, and at minimal or no cost to the individual.
- In certain situations, HRPA may not be able to provide access to all the personal information that it holds about a member, customer or employee. For example, HRPA may not provide access to information if disclosure would reveal confidential commercial information, if the information is protected by solicitor-client privilege, if the information was generated in the course of a formal dispute resolution process, or if the information was collected in relation to the investigation of a breach of an agreement or a contravention of a federal or provincial law. If access to personal information cannot be provided, HRPA shall provide the reasons for denying access upon request.
- Upon request, HRPA shall provide an account of the use and disclosure of personal information and, where reasonably possible, shall state the source of the information. In providing an account of disclosure, HRPA shall provide a list of organizations to which it may have disclosed personal information of the individual when it is not possible to provide an actual list.
- In order to safeguard personal information, a member, customer or employee may be required to provide sufficient identification information to permit HRPA to account for the existence, use and disclosure of personal information and to authorize access to the individual’s file. Any such information shall be used only for this purpose.
- HRPA shall promptly correct or complete any personal information found to be inaccurate or incomplete. Any unresolved differences as to accuracy or completeness shall be noted in the individual’s file. Where appropriate, HRPA shall transmit to third parties having access to the personal information in question any amended information or the existence of any unresolved differences.
- Members and customers can seek access to their personal information by contacting a designated representative at HRPA’s business offices.
- Employees can seek access to their personal information by contacting their immediate supervisor within HRPA.
Principle 10 – Challenging Compliance
A customer or employee shall be able to address a challenge concerning compliance with the above principles to the Chief Privacy Officer of HRPA who is accountable for HRPA’s compliance with the HRPA Privacy Code.
- HRPA shall maintain procedures for addressing and responding to all inquiries or complaints from its members, customers and employees about HRPA’s handling of personal information.
- HRPA shall inform its members, customers and employees about the existence of these procedures as well as the availability of complaint procedures.
- The Chief Privacy Officer may seek external advice where appropriate before providing a final response to individual complaints.
- HRPA shall investigate all complaints concerning compliance with the HRPA Privacy Code. If a complaint is found to be justified, HRPA shall take appropriate measures to resolve the complaint including, if necessary, amending its policies and procedures. A customer or employee shall be informed of the outcome of the investigation regarding his or her complaint.
- A member, customer or employee may seek advice from the Office of the Privacy Commissioner of Canada at 1-800-282-1376 or info@privcom.gc.ca and, if appropriate, file a written complaint with that office. However, the member, customer or employee is encouraged to use HRPA’s internal information and complaint procedures first.
For more information on HRPA’s privacy practices, visit our website at www.hrpa.ca or call 1-800-387-1311.