The following is an outline of the ten underlying principles in the Personal Information Protection and Electronic Documents Act (PIPEDA).
Principle 1. Accountability
- The firm is accountable for all personal information in its possession or control. This includes any personal information that the firm received directly from clients who are individuals, or indirectly, through clients that are organizations such as corporations, government entities or not-for-profit organizations.
- The firm has:
  - Established and put into effect policies and procedures aimed at properly protecting personal information;
  - Appointed its Chief Privacy Officer to oversee privacy issues at the firm.
Principle 2. Identify Purposes
The firm collects personal information from our clients, and uses and discloses such information, only to provide the professional services that our clients have requested.
Principle 3. Consent
We will not collect, use or disclose your personal information without your consent.
Such personal information could include:
- Home and business addresses;
- Home and business telephone numbers;
- Personal identification numbers (e.g. social insurance number, credit card numbers);
- Financial information (credit ratings, payroll information, personal indebtedness);
- Personal information;
- Other personal information.
Principle 4. Limiting Collection
- The firm collects only that personal information required to perform its professional services and operate its business, and such information is collected by fair and lawful means.
Principle 5. Limiting Use, Disclosure and Retention
- The firm uses or discloses personal information only for purposes for which it has consent, or as required by law. The firm retains personal information only as long as necessary to fulfill those purposes.
- As required by professional standards, rules of professional conduct and regulations, the firm documents the work it performs in records, commonly referred to as working paper files. Such files may include personal information obtained from a client.
- Working paper files and other files containing, for example, copies of personal or corporate tax returns are retained for the time period required by law and regulations or indefinitely for active clients.
- The personal information collected from a client during the course of a professional service engagement may be:
  - Shared with the firm’s personnel participating in such engagement;
  - Disclosed to partners and employees within the firm to the extent required to assess compliance with applicable professional standards and rules of professional conduct, and the firm’s policies, including providing quality control reviews of work performed.
- The firm regularly and systematically destroys, erases, or makes anonymous personal information no longer required to fulfill the identified collection purposes, and no longer required by laws and regulations.
Principle 6. Accuracy
- The firm endeavours to keep accurate, complete and up-to-date personal information in its possession or control, to the extent required to meet the purposes for which it was collected.
Principle 7. Safeguards
- The firm protects the privacy of personal information in its possession or control by using security safeguards appropriate to the sensitivity of the information.
- Restricted access is maintained over personal information stored in hard copy form. Partners and employees are authorized to access personal information based on client assignment and quality control responsibilities.
- Authentication is used to prevent unauthorized access to personal information stored electronically. Encryption is used to prevent unauthorized access to personal information received or sent over the internet.
- For files and other materials containing personal information entrusted to a third party service provider, the firm obtains appropriate assurance to affirm that the level of protection of personal information by the third party is equivalent to that of the firm.
Principle 8. Openness
- The firm is open about the procedures it uses to manage personal information.
Principle 9. Individual Access
- The firm responds on a timely basis to requests from clients about their personal information which the firm possesses or controls.
- Individual clients of the firm have the right to contact the firm to obtain access to their personal information. Similarly, authorized officers or employees of organizations that are clients of the firm have the right to contact the firm and obtain access to personal information provided by that client. In certain situations, however, the firm may not be able to give clients access to all of their personal information. The firm will explain the reasons why access must be denied and any recourse the client may have, except where prohibited by law.
Principle 10. Challenging Compliance
- The firm has policies and procedures to receive, investigate, and respond to clients’ complaints and questions relating to privacy.
When transferring personal information to third parties, ensure that they:
- Name a person to handle all privacy aspects of the contract.
- Limit use of the personal information to the purposes specified to fulfill the contract.
- Limit disclosure of the information to what is authorized by your organization or required by law.
- Refer any people looking for access to their personal information to your organization.
- Return or dispose of the transferred information upon completion of the contract.
- Use appropriate security measures to protect the personal information.
- Allow your organization to audit the third party’s compliance with the contract as necessary.