1.For the purpose of carrying out its objects, the Association has the authority to collect, use and disclose personal information. The Association shall not collect, use or disclose more personal information than is reasonably necessary to carry out its regulatory activities.
2. Personal information that the Association collects, uses or discloses shall be as accurate, complete, and up to date as is necessary for the purposes of the collection, use or disclosure, as the case may be.
3. The Association shall take reasonable steps to ensure that personal information in its custody or under its control is protected against unauthorized use or disclosure and to ensure that the records containing the information are protected against unauthorized copying, modification or destruction. What constitutes reasonable steps shall be determined in light of all the circumstances, including the sensitivity of the information, the amount of information and the format in which it is stored.
These measures shall include the following:
a) Providing a copy of this Privacy and Access Code to staff of the Association upon its approval and upon the hiring or retaining of new staff.
b) Training staff in the confidentiality of personal information. Access is on a need-to-know basis.
c) Training staff in the methods of maintaining security of personal information.
d) Requiring staff to sign a confidentiality statement.
e) Requiring that personal information that is not in a secure area be locked or otherwise protected from unauthorized access.
f) Requiring personal information in paper form to be shredded or otherwise destroyed before it is disposed of.
g) Requiring the use of password protection and other recognized security measures for electronic information.
h) Requiring that electronic data be destroyed before the hardware holding the data is discarded.
4.The Association shall, a) make readily available to individuals information about its policies and practices relating to the collection, use and disclosure of personal information including providing a written copy upon request and posting a copy on the Association’s website, and b) designate an individual or individuals who will be accountable for the Association's policies and practices mentioned in clause (a).
5. The contact person shall receive and investigate complaints from individuals about the Association's alleged contravention of the requirements set out in this part of the by-law, including requests for access to or correction of personal information.
The complaints process shall be as follows:
a) The contact person shall investigate the complaint, prepare a written report of his or her findings and provide it to the person making the complaint and to the Council of the Association.
b) The report shall be provided within 30 days of the complaint. If the contact person is unable to complete the report within 30 days, the contact person shall advise both the person making the complaint and the Council of the delay and the anticipated date of completion of the report.
c) If the person making the complaint disagrees with the report, he or she can ask the Council of the Association to review and reconsider the report by filing a written request setting out the grounds for the request with the Association. The contact person shall have 30 days to provide to the Council and the person making the request a response to the request. The Council shall review the written submissions and shall make a decision on behalf of the Association. The decision of the Council is final.
d) If the report of the contact person recommends that certain action be taken by the Association or if there is a review and the Council directs that certain action be taken by the Association, the staff of the Association shall report to the Council within 30 days, and at such other times as directed by the Council, as to whether the action has been taken.
6. Subject to section 7, the Association shall not retain a record of personal information after the purpose for which the Association collected the information has been fulfilled unless, a) another law requires or authorizes the Association to retain the record, b) the Association reasonably requires the record for purposes related to its regulatory activities, or c) the record is transferred to its archive for the purposes of permanent preservation or historical research.
7. If the Association has used a record of personal information about an individual to make a decision about the individual, it shall retain the record long enough after making the decision to allow the individual a reasonable opportunity to request access to the information. This requirement does not apply if the individual has already been given access to the information prior to the making of the decision.
8. The Association may disclose personal information about an individual without the consent of the individual, a) if done for purposes related to its regulatory activities, b) if otherwise required or authorized by law to make the disclosure.
9. The Association shall permit an individual to obtain access to records of personal information about the individual that are in the custody or under the control of the Association, subject to those rules and limitations that may be necessary or appropriate to enable the Association to carry out its regulatory activities.
For example, the Association may decline to provide access to personal information where granting access could reasonably be expected to interfere with the regulatory activities of the Association, including:
a) access may reasonably interfere with a regulatory process of the Association including an inquiry, investigation or hearing;
b) access may reasonably reveal a confidential source of information or otherwise breach a confidence that is reasonably necessary for the Association to protect;
c) access may reasonably reveal personal information about another person who has not consented to the access;
d) access may reasonably interfere with the regulatory or enforcement activities of another statutory regulatory body or a law enforcement agency;
e) access may reasonably place the health or safety of a person at risk;
f) access is reasonably available from another, more appropriate source;
g) access may reasonably reveal legally privileged information; or
h)access is prohibited by another Act. 10. Subject to section 11, the Association shall permit an individual who has access to personal information to have the Association correct statements of fact in records of the personal information about the individual that are in the custody or under the control of the Association and that are inaccurate or incomplete, subject to those rules and limitations that may be necessary or appropriate to enable the Association to carry out its regulatory activities.
a) For example, the Association may decline to correct personal information where correcting the personal information could reasonably be expected to interfere with the regulatory activities of the Association, including:
i. the person requesting the correction does not provide sufficient information to enable the Association to assess the request to make the correction;
ii.the fact that the statement was made, whether it is correct or not, is relevant to the regulatory activities of the Association;
iii.correction may reasonably interfere with a regulatory process of the Association including an inquiry, investigation or hearing;
iv. correction may reasonably interfere with the regulatory or enforcement activities of another statutory regulatory body or a law enforcement agency;
vi. correction is prohibited by another Act Where the Association agrees to correct a record of personal information, the correction shall be made so as not to obliterate the original entry.
Where the Association agrees to correct a record of personal information, the Association shall provide written notice to every person to whom the original record was provided within the previous 12 months unless to do so is impractical or would reasonably interfere with the regulatory activities of the Association. Where the Association refuses a request to correct a record of personal information, it shall file any statement of disagreement provided by the individual to whom the information relates of less than 500 words with the record unless to do so is impractical or would reasonably interfere with the regulatory activities of the Association.
An individual or the individual's clients are not entitled to have the Association make a correction under section 10 if the Association determines that it does not have sufficient knowledge, expertise or authority to make the correction. Where the consent of an individual or an action of an individual is required or authorized under this part of the by-law, and the individual is incapable of giving the consent or taking the action, the Association may accept the consent or action of a personal representative or other reasonable substitute for the individual.