1.1) Linda Carlson is hereby appointed as the personal information compliance officer.
1.2) All persons, whether employees, volunteers, or board or committee members, who collect, process, or use personal information shall be accountable for such information to the officer.
1.3) This policy shall be made available upon request.
1.4) Any personal information transferred to a third party for processing is subject to this policy. The officer shall use contractual or other appropriate means to protect personal information at a level comparable to this policy while a third party is processing this information.
1.5) Any person who believes the organization uses personal information collected, retained, or used for purposes other than those that person approved may contact the officer to register a complaint or to make any related inquiry.
1.6) Upon receiving a complaint from any person regarding the collection, retention, or use of personal information, the officer shall promptly investigate the complaint and notify the person who complained of his/her findings and of any corrective action taken.
1.7) Upon receiving the response from the officer, the person who filed the complaint may, if he/she is not satisfied, appeal to the organization's [board of directors or the trustees] to review and determine the disposition of the complaint at issue.
1.8) The determination of the [board of directors or the trustees] shall be final and the officer shall abide by and implement any of the recommendations.
1.9) The officer shall communicate and explain this policy and give training regarding it to all employees who might be in a position to collect, retain, or use personal information.
2. Identifying Purposes
2.1) The officer shall document the purpose for which personal information is collected to comply with the openness and individual access principles outlined below.
2.2) The officer shall ensure that a person collecting personal information will be able to explain to the individual why this is being done.
2.3) The officer shall ensure that limited collection, limited use, disclosure, and retention principles are respected in identifying why personal information is to be collected.
3.1) Sometimes personal information can be collected, used, or disclosed, without the individual's knowledge and consent. For example, legal, medical, or security reasons might make seeking consent impossible or impractical. When information is being collected to detect and prevent fraud, seeking the individual's consent might be impossible or inappropriate when the individual is a minor, seriously ill, or mentally handicapped.
3.2) The officer shall ensure that the individual can reasonably understand why and how the information will be used.
3.3) The officer shall ensure that the organization does not, as a condition of supplying benefits arising from its activities, require the individual to give consent for the collection, use, or disclosure of information beyond that required to fulfill the explicitly specified and legitimate purposes.
3.4) The officer shall ensure that express consent is obtained wherever possible and appropriate. In rare circumstances, implied consent might be acceptable where, in the officer's opinion and having regard to the purpose and intent, it is appropriate. (Implied consent might exist when a church baptizes a new member, since it is generally understood that personal information necessarily obtained in that context will be used within the denomination; implied consent could not be assumed if the church were to pass on the personal information to a para-church organization that is not an integral part of the denomination.)
3.5) In obtaining consent, the officer shall ensure that the individual's reasonable expectations are respected. (For example, a person giving his/her name and address to a charity to receive its newsletter or magazine reasonably expects that it will use that information to send other information about itself.)
3.6) The officer shall ensure that the individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. The individual shall promptly be informed of the withdrawal's implications.
4. Limiting Collection
4.1) The officer shall ensure that information is collected only by fair and lawful means without misleading or deceiving individuals as to the reason.
4.2) The officer shall ensure that the identifying purposes and consent principles are followed in identifying why personal information is to be collected.
5. Limiting Use, Disclosure, and Retention
5.1) The officer shall ensure that all personal information is destroyed, erased, or made anonymous as soon as the purpose for which it was collected is no longer relevant, or as permitted by law. There shall be an automatic review of the need to continue retaining personal information annually. Except as required to be retained by law, all personal information shall be deleted, erased, or made anonymous no later than seven years after the purpose for which it was collected has been completed.
6.1) The officer shall reasonably ensure that the personal information is accurate, complete, and up to date, to fulfil the purposes for which the information was collected.
7.1) The officer shall ensure that the organization has security safeguards to protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification. He/she shall do this regardless of the format in which the organization holds the information.
7.2) The officer shall ensure that the protection methods include,
(a) physical measures, for example, locked filing cabinets and restricted access to offices;
(b) technological measures, for example, the use of passwords and encryption.
7.3) The officer shall ensure that all employees know the importance of keeping personal information confidential.
7.4) The officer shall ensure that care is taken when personal information is disposed of or destroyed to prevent unauthorized parties from gaining access to it.
7.5) The officer shall ensure that the organization is open about its policies and practices regarding the management of personal information. The policies and information about the related practices shall be available without unreasonable effort and in a generally understandable form.
8.2) The officer shall ensure that the information made available includes,
(a) the name or title and address of the officer who is accountable for the organization's policies and practices and to whom complaints or inquiries can be forwarded.
8.3) The officer shall ensure the information that must be provided according to 8.2 is available either in a brochure at the locations the organization operates, online, or through the mail.
9. Individual Access
9.1) The officer shall ensure that the organization responds to an individual's request to access personal information. The requested information shall be made available in a generally understandable form. For example, the organization shall explain abbreviations or codes it uses to record information.
9.2) The officer shall ensure that when a challenge is not resolved to the individual's satisfaction, the organization shall record the unresolved challenge's substance. When appropriate, the unresolved challenge's existence shall be transmitted to third parties having access to the information in question.
10. Challenging Compliance
10.1) The officer is authorized to address a challenge concerning compliance with the above principles.
10.2) The officer shall investigate all complaints. If a complaint is found to be justified, the officer shall take appropriate measures, including, if necessary, amending the policies and practices.