Ten Guiding Principles for the Protection of Privacy

Slides: 12
Provided by: mca146

Transcript and Presenter's Notes

1
Ten Guiding Principles for the Protection of
Privacy
  • Mary Carlson
  • Director, Policy Compliance
  • Office of the Information and Privacy
    Commissioner of BC

2
What is Privacy?
  • The extent to which we are known to others, the
    extent to which others have physical access to
    us, and the extent to which we are the subject of
    others' attention.
  • The claim of individuals to determine for
    themselves when, how and to what extent
    information about them is communicated to
    others.
  • The right to be left alone.

3
Principle 1: Identify the purpose
  • Identify the purpose for which personal
    information is collected
  • Collect only information necessary for that
    purpose
  • Inform the person from whom you are collecting
    information of the reasons why
  • When using that information for a new purpose,
    obtain consent prior to its use

4
Principle 2: Obtain Consent
  • Obtain consent before or at time of collection
  • In determining what form of consent to use (i.e.
    written, verbal, opt-in, opt-out) consider the
    sensitivity of the information
  • Never obtain consent by deceptive or coercive
    means
  • Never make consent a condition for supplying a
    product/service unless the personal information
    is necessary to provide the service or product

5
Principle 3: Limit Collection
  • Only collect personal information that a
    reasonable person would consider appropriate in
    the circumstances
  • Limit the amount and type of personal information
    to what is necessary to fulfill the identified
    purposes

6
Principle 4: Limit use, disclosure and retention
  • Use or disclose personal information only for the
    purposes for which it was collected, unless the
    individual consents to the new purpose or unless
    it is permitted by law
  • Keep personal information only as long as is
    necessary to fulfill the purposes for which it
    was collected
  • Keep personal information for one year if it was
    used in a decision that affected that person
  • Destroy, erase or render anonymous personal
    information as soon as it is no longer serving
    the purpose for which it was collected

7
Principle 5: Be accurate
  • Minimize the possibility of using incorrect or
    incomplete information when making a decision
    that affects an individual or when disclosing an
    individual's information to another organization
    by taking reasonable steps to ensure that the
    personal information is accurate and complete

8
Principle 6: Use appropriate safeguards
  • Make reasonable security arrangements to protect
    personal information in your custody or under
    your control, i.e. physical measures, technical
    controls and organizational controls.
  • Safeguard personal information from unauthorized
    access, collection, use, disclosure, copying,
    modification or disposal

9
Principle 7: Give individuals access
  • Upon request, provide applicants with:
      • Access to their personal information
      • An explanation of how their personal
        information is or has been used
      • A list of individuals or organizations to whom
        their personal information has been disclosed
      • If part or all of an access request is refused,
        the reasons for the refusal

10
Principle 8: Provide Recourse
  • Develop and implement simple, understandable
    complaint handling procedures
  • Inform complainants of avenues of recourse
  • Investigate and attempt to resolve all complaints

11
Principles 9 & 10: Openness and Accountability
  • Ensure that your organization complies with all
    privacy principles
  • Appoint a person responsible for privacy
    compliance
  • Develop, implement and publish policies and
    practices for privacy compliance
  • Publish your practices around the management of
    personal information, including who to contact,
    how a person can access their information, how
    they can file a complaint