What Type of Information Do We Collect?
Personal information has been defined as any recorded information about an identifiable individual, but does not include the individual’s name, business title, business address, business telephone number, membership status, right to use the CHRP, CHRL, or CHRE designations, or whether the individual is authorized for independent practice, as these are required under the Registered Human Resources Professionals Act, 2013 to be listed on the Public Register.
It should be noted that most of HRPA’s activities are not subject to privacy law. The federal Personal Information Protection and Electronic Documents Act (“PIPEDA”), being the privacy law applicable to the private sector in Ontario, applies to the collection, use and disclosure of personal information in the course of commercial activities. Since the core activities of HRPA are not commercial in nature, PIPEDA does not apply to most of our activities. PIPEDA only applies to the limited forms of commercial activity that HRPA engages in outside of our core activities. Please review the HRPA Communications & Canada’s Anti-Spam Legislation (CASL) section of this policy for further details.
HRPA has developed a comprehensive Data Retention and Destruction Policy for all staff to adhere to. The policy has a robust guide on how long each type of data is retained, the purposes for which it was collected, and how to destroy the data securely once the retention period is over.
All HRPA employees have undergone training regarding Canadian Privacy Law, CASL and Privacy Breaches, as we believe that these practices are of utmost importance. All employees also abide by the Security and Data Breach Policy, which includes a comprehensive Crisis Communications Plan intended not just to mitigate the risks of a potential breach occurring but also to provide easily accessible, fast-acting steps for protecting your data. Protecting the confidentiality of your personal information is more than just a best practice – it is part of our job.
Consent and PCI Compliance
Consent is obtained at the time personal information is collected. The specific use for which it is intended is identified at that time. Those uses include, but are not limited to, the following:
- to fulfil the regulatory mandate
- to provide services to registrants
- to employ staff
- to purchase products or services
- to advise of HRPA products or services
- to respond to enquiries and to communicate with registrants
To ensure the integrity and privacy of the personal and credit card information you pass to us via the Internet when you make an online transaction, HRPA has implemented safeguard and security measures that are industry standard and Payment Card Industry (PCI) compliant. All information collected within a secure page is encrypted while being transmitted to our secure server. The server is protected by a firewall that is regularly updated when new patches and fixes are released. HRPA does not store credit card numbers in our electronic databases.
Our partners, vendors and suppliers, as part of their contracts with the HRPA, commit to maintain the confidentiality of your information and not use it for any unauthorized purpose. For all disclosures, we disclose only the information that is legally required.
Third-Party Service Providers & Affinity Program Partners
HRPA may provide your personal information to our third-party service providers responsible for administering our marketing and promotional activities or providing the products and services you have requested. HRPA may also provide your personal information to our affinity program partners so that you are eligible to receive their products and services at favourable rates. We require these organizations to have privacy policies or to abide by our policies in relation to the personal information we share with them, including a requirement to use the information only for the purposes for which it was provided.
Compliance with the European Data Protection Regulation (GDPR)
HRPA fully complies with the requirements of the GDPR, including such matters as consent and the right to removal of member data from a website. Currently, the only vendor that is under the jurisdiction of GDPR is the Hire Authority hosting website, Madgex, where it applies to resumes uploaded on the Hire Authority website, which can be removed at any time, as they are stored in a server in the EU.
Limitations on Use
Any individual from whom information is collected may request that such information be used for no purpose other than that for which it was collected. This request may be made at any time by contacting our Privacy Officer. Such a limitation does not bar HRPA from using such information as permitted or required by law.
Access and Accountability
HRPA has undertaken a comprehensive review of practices to ensure proper safeguards for personal information in its custody and control and has implemented physical, organizational, contractual, and technological security measures to protect such information from loss, theft, unauthorized access, disclosure, copying, use or modification, both in hard-copy and on-line. Only staff whose duties require access to personal information are granted such access, and only to the extent necessary.
Individuals from whom information is collected may access that information at any time, and they may challenge the accuracy and completeness of the information and have it amended as appropriate. HRPA endeavours to ensure the information collected is accurate, through updates requested annually upon membership renewal and at other times as required by by-law.
HRPA Communications & Canada’s Anti-Spam Legislation (CASL)
Canada’s Anti-Spam Legislation (CASL) restricts the ability of organizations to send commercial electronic messages without the consent of the recipient. As it relates to the activities of a professional association, the Privacy Commissioner’s Fact Sheet states: “Collecting membership fees, organizing club activities, compiling a list of members’ names and addresses, and mailing out newsletters are not considered commercial activities.”
The HRPA sought legal advice to further clarify what is “commercial activity” as it pertains to HRPA, and found that emails pertaining to the HRPA Annual Conference, Chapter Events and Professional Development Events are exempt from CASL as the activity is deemed to further one of the statutory objects of the Association, so these activities would not be deemed to be of commercial nature. As spelled out in the Registered Human Resources Professionals Act, 2013, the statutory objects of the Association are:
- to promote and protect the public interest by governing and regulating the practice of members of the Association and firms in accordance with this Act and the by-laws, including,
  - establishing, maintaining, developing and enforcing standards of qualification,
  - establishing, maintaining, developing and enforcing standards of practice,
  - establishing, maintaining, developing and enforcing standards of professional ethics,
  - establishing, maintaining, developing and enforcing standards of knowledge, skill and proficiency, and
  - regulating the practice, competence and professional conduct of members of the Association and firms;
- to promote and increase the knowledge, skill and proficiency of members of the Association, firms and students;
- to promote and protect the welfare and interests of the Association and of the human resources profession;
- to promote inter-professional collaboration with other professional bodies;
- to address any other matter that relates to the regulation of its members that the Board considers appropriate.
Association communications that are not “commercial electronic messages” and thus not subject to CASL include:
- Communications relating to association governance (notices of elections, notices of general and special meetings of the membership, notices regarding changes in by-laws, etc.)
- Communications relating to professional regulation (communications regarding registration, certification, complaints, discipline, Rules of Professional Conduct, practice standards and guidelines, regulatory processes and procedures, etc.)
- Communications relating to activities that further the statutory objects of the association, including, but not limited to, membership, annual conference, professional development and mentoring offerings, chapter events, and the exchange of information, knowledge and ethical standards related to professional practice.
There may be some HRPA communications, however, which would not relate to the objects of the association. These would be deemed “commercial electronic messages” and subject to CASL. Such commercial electronic messages will include an “unsubscribe” option or can be unsubscribed from using the Preference Centre.
Questions or Concerns
Privacy practices for HRPA’s various activities are reviewed regularly and updated as necessary. Any questions or concerns regarding this policy or its implementation should be directed to the Privacy Officer via email.