Canadian Standards Association (CSA) International
March, 1996
Republished with permission.
Living in today's information society benefits Canadians in many ways. But with increasing technological advances come increasing concerns about the collection, use and disclosure of personal information such as medical records, financial transactions, credit reports and employment records. As it becomes easier to link and exchange personal data, information collected for a specific purpose may be used for other purposes without an individual's knowledge and consent.
Recent opinion surveys show that Canadians want greater control over the use of their personal information. They also want to feel confident that the organizations they deal with are handling their information fairly.
- Setting Ground Rules
- Know the 10 Principles
- Ten Basic Principles
- Developing a Workable Privacy Code
- Putting the Code into Practice
- Privacy Q&A and General Tips
- About CSA International
- Sources of Information
Now Canada has a national, voluntary code that sets basic principles for safeguarding personal data. CSA International's Model Code for the Protection of Personal Information aims to strike a balance between the legitimate information requirements of business, industry and institutions operating in the information age and the privacy rights of individuals.
Published in March 1996, the Code establishes 10 basic principles for all organizations that collect or use personal information. Retailers, direct marketers, financial institutions, telecommunications companies, product manufacturers, service providers, schools, universities, hospitals, personnel departments and government agencies are potential users.
By choosing to adopt the voluntary Code, organizations demonstrate that they are following fair, nationally-accepted principles. The Code is also an important resource for consumers, employees, patients and other "data subjects," says Professor Jim Savary, former vice-president, Policy and Issues, Consumers' Association of Canada. "The Code is a vehicle for challenging an organization's behaviour. You can refer to these principles if you are uneasy about the information you are asked to supply or how it will be used."
1. Accountability
An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles.
2. Identifying Purposes
The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
3. Consent
The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate.
4. Limiting Collection
The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
5. Limiting Use, Disclosure and Retention
Personal information shall not be used or disclosed for purposes other than those for which it is collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of the stated purposes.
6. Accuracy
Personal information shall be as accurate, complete and up-to-date as is necessary for the purpose for which it is used.
7. Safeguards
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
8. Openness
An organization shall make specific information about its policies and practices relating to the management of personal information readily available to individuals.
9. Individual Access
Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information, and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
10. Challenging Compliance
An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance.
Developing a Workable Privacy Code
Broad support for the Code
Canada is the first country in the world to establish a voluntary, national standard for the protection of personal information. CSA International's Model Code for the Protection of Personal Information is the result of a collaborative effort by representatives from all key groups concerned with privacy in Canada. The 45-member committee that developed the Code included representatives from:
- the financial services, telecommunications, cable television and direct marketing industries
- federal and provincial governments
- consumer advocates; organized labour
- experts in security and information technology
Making the Code Work
To help organizations put the Code into practice, CSA International has published a handbook, Making the CSA Privacy Code Work for You. This guide explains the application of the principles in more detail, focusing on the practical issues organizations face in building a comprehensive in-house program for personal information protection.
Putting the Code into Practice
The CSA Code is voluntary, and at present, organizations are not required by law to implement it. However, Quality Management Institute (QMI), a division of CSA International, offers a program whereby organizations can demonstrate their compliance with the Code to customers, employees, trading partners or fellow members of their industry. Under this program, organizations can choose any one of the three tiers of recognition.
- At the Tier 1 level called Declaration, organizations self-declare their compliance with the standard. They are required to sign a code of ethics or statement of their data protection principles.
- The Tier 2 Verification level requires organizations to submit documented policies and procedures to QMI for review. Following this review, QMI conducts on-site audits to verify compliance with the standard.
- The Tier 3 Registration level offers organizations the option of combining registration to the CSA Code with registration to the international quality management system standard ISO 9001 or 9002. QMI reviews the organization's documented systems and conducts an audit to establish compliance with both the CSA Code and with ISO 9001 or 9002.
Privacy Q&A and General Tips
Take Control
Be aware that others may collect, use or trade information about you without your knowledge or consent, advises Ann Cavoukian, Assistant Commissioner of the Information and Privacy Commission of Ontario. "Speak up, ask questions, be cautious, but most of all, don't just passively give away your personal information. Take control of your information. Take control of your privacy." ¹
1. What legislation exists to safeguard personal information?
Canada's laws mainly govern the public sector -- the management of personal data by federal and provincial governments. Most provinces have legislation concerning credit data. This legislation covers:
- the type of information that may be collected;
- the purposes for which an individual is permitted to access this information;
- whether there is a requirement for the individual's consent or notification before information is disclosed;
- the retention period for the information; and
- the individual's right to access, challenge, verify and have corrected any information held by a credit bureau.
Quebec is the only province with legislation covering the protection of personal information in the private sector. Quebec's Bill 68 meets the international Guidelines on the Protection of Privacy and Transborder Flows of Personal Data developed by the Organization for Economic Cooperation and Development (OECD). Canada and many other countries have signed an agreement to abide by these guidelines, and CSA International's Code is based on them.
2. What is a model code?
CSA's Code is a "model" Code, setting common principles that apply to all types of organizations. It provides a national standard that can be applied on a company-specific or an industry basis.
3. How can you use the 10 principles?
Read the principles to learn about such key issues as consent, disclosure and access. If you are asked to provide personal information and you have some concern about providing the information, ask for an explanation. An organization should always be able to give you a specific reason for collecting the information. If it intends to use it for another purpose, or to disclose it to a third party, you should have the opportunity to give your permission. You should have access to your personal records, except where restrictions apply, and be able to have any inaccuracies corrected. The organization should explain any restrictions to access.
Ask companies if they comply with CSA International's Code. Companies may have a brochure or statement confirming that they are following the Code or explaining their policies in this area.
4. What are other general ways of safeguarding personal information?
- Choose to do business with companies that have put policies and practices in place that control the amount, use, accuracy and disclosure of your personal information.
- Be cautious in giving credit card information over the phone. Do not give credit card information over the Internet unless the service is protected by encryption, as the information is otherwise not secure.
- Always provide the minimum amount of personal information unless you are provided with a satisfactory explanation about why it is required. When filling in a warranty card, for example, consider whether you want to answer questions about your income or the size of your household.
- Take advantage of "opting out" opportunities. In some cases, a company will give you the opportunity to "say no" to having information about you used in a certain way. It will invite you, for example, to check off a box, send a reply card, or call a toll-free number if you do not want your name and address passed on to a third party or added to various mailing lists.
- Don't automatically give out your Social Insurance Number (SIN). Apart from buying an interest-generating product from a financial institution, or opening a bank account, there are few occasions when you are required to provide your SIN. Contact the Privacy Commissioner of Canada for more information.
- Warn children and other family members not to broadcast personal information over the Internet. Children may navigate cyberspace with ease, but may not understand the potential problems of revealing their name, address and age to the world at large.
- Periodically check your file at your local credit bureau or contact the national reporting systems, Equifax Canada Inc. and Trans Union of Canada. There is no charge to obtain a copy of your credit report. These central systems may also have records of property or automobile insurance transactions on file. Challenge anything that is inaccurate and check back later to make sure your file has been corrected.
5. If I suspect information on me is not being handled fairly, what should I do?
First of all, contact the organization and ask for the name of the individual responsible for handling consumer or privacy complaints and register your complaint. If you can't resolve your complaint, you may wish to contact the head office of the organization, the appropriate trade association, or the body that may have authority over the company such as a professional or industry association, government regulator, Privacy Commissioner, etc.
Contact QMI to see if the company is registered to QMI's Privacy Recognition Program. If it is, QMI staff will be able to direct you to the appropriate person within that organization.
If you feel that the company has failed to comply with the Code and they are registered through the QMI Program, you can register a complaint with QMI. While QMI cannot act as a mediator to resolve your complaint, they will investigate your case for compliance with the code.
CSA International is an independent, not-for-profit organization which operates nationally and internationally. It is the leader in the field of standards development and the application of these standards through product certification, quality and environmental management systems registration, and information products. CSA International's primary goals are improving public safety and helping manufacturers become more competitive in global markets. QMI, a division of CSA International, registers companies to quality and environmental standards.
This pamphlet is published by the Consumer Services Program, CSA International, 178 Rexdale Blvd., Etobicoke, ON., M9W 1R3 Canada.
For extra copies or further information about consumer privacy issues, contact:
CSA International Consumer Services
Phone (416) 747-2624, Fax (416) 747-2473 or e-mail bankj@csa.ca
Visit CSA International's Web site at: http://www.csa.ca
Sources of Information
Government Departments
Yukon
Government of Yukon
Box 2703, Whitehorse, YK Y1A 2C6
Tel: (867) 667-5811
Northwest Territories
Department of Public Works and Services
P.O. Box 1320, Yellowknife, NT X1A 2L9
Tel: (867) 873-7114
Fax: (867) 873-0264
British Columbia
Office of the Information and Privacy Commissioner for British Columbia
P.O. Box 9038, Stn. Prov. Govt., Victoria, BC V8W 9A4
Tel: (250) 387-6121 Fax: (250) 387-1696 Toll-free: 1-800-663-7867
Vancouver: (604) 660-2421
Alberta
Information & Privacy Commissioners' Office
Suite 410, 9925-109th St., Edmonton, AB T5J 3W7
Tel: (780) 422-6860
Saskatchewan
Information and Privacy Commissioner
500 - 2220 12th. Ave., Regina, SK S4P 0M8
Tel: (306) 787-8350
Manitoba
Office of the Provincial Ombudsman
750-500 Portage Ave., Winnipeg, MB R3C 3X1
Tel: (204) 982-9130 Fax: (204) 942-7803
Ontario
Information & Privacy Commissioner of Ontario
Suite 1700, 80 Bloor St. West, Toronto, ON M5S 2V1
Tel: (416) 326-3333 Fax: (416) 325-9195 Toll-free: 1-800-387-0073; TDD (416) 325-7539
Quebec
Commission d'accès à l'information (Commission on Access to Information)
(which oversees Bill 68)
575, rue St-Amable, Bureau 1.10, Quebec, QC G1R 2G4
Tel: (418) 528-7741 Fax: (418) 529-3102 Toll-free: 1-888-528-7741
New Brunswick
Office of the Ombudsman
P.O. Box 6000, 767 Brunswick St., Fredericton, NB E3B 5H1
Tel: (506) 453-2789 Fax: (506) 453-5599
Nova Scotia
Freedom of Information and Protection of Privacy
Department of Justice
P.O. Box 7, 5151 Terminal Rd., Halifax, NS B3J 2L6
Tel: (902) 424-4030
General Provincial Enquiries: (902) 424-5200 (ask to be connected to the specific Freedom of Information Officers in the department relevant to your inquiry)
Newfoundland
Securities Administration Division
P.O. Box 8700, Confederation Building, Second Floor, West Block, St. John's, NF A1B 4J6
Tel: (709) 729-4189 Fax: (709) 729-6187
Prince Edward Island
Consumer Affairs
P.O. Box 2000, Shaw Building, Fourth Floor, 95 Rochford Street, Charlottetown, PE C1A 7N8
Tel: (902) 368-4581 Fax: (902) 368-5283
Canada
Privacy Commissioner of Canada
3rd Floor, 112 Kent St., Ottawa, ON K1A 1H3
Tel: (613) 995-2410 Fax: (613) 947-6850
Toll-free: 1-800-267-0441 TDD (613) 992-9190
Office of Consumer Affairs
235 Queen St., Ottawa, ON K1A 0H5
Tel: (613) 952-9449 Fax: (613) 952-6927
Online "Consumer Connection": http://www.ic.gc.ca/eic/site/oca-bc.nsf/eng/Home
Canadian Radio-television & Telecommunications Commission
(regarding unsolicited fax messages and live phone calls)
Ottawa, ON K1A 0N2
Tel: (819) 997-0313 Fax: (819) 994-0218 TDD: (819) 994-0423
Toll-free: 1-877-249-CRTC
Associations/Agencies
Canadian Bankers Association
P.O. Box 348, Commerce Court West, 199 Bay Street, 30th Floor, Toronto, ON M5L 1G2
Toll-free: 1-800-263-0231
Canadian Marketing Association
(to request that your name be removed from tele-marketing and mailing lists held by CMA members)
Suite 607, 1 Concorde Gate, Don Mills, ON M3C 3N6
Tel: (416) 391-2362 Fax: (416) 441-4062
e-mail: kbrash@cdma.org
Medical Information Bureau (to check accuracy of medical or other personal information held by the Bureau)
Suite 501, 330 University Avenue, Toronto, ON M5G 1R7
Tel: (416) 597-0590
To Check your Credit Record:
Equifax Canada Inc.
Consumer Relations Dept. Box 190 Jean Talon Station, Montreal, QC H1S 2Z2
Tel: (514) 493-2314 Fax (514) 355-8502 Toll-free: 1-800-465-7166
Trans Union of Canada
Consumer Relations Dept. PO Box 338- LC D1 Hamilton, ON L7L 7W2
Toll-free: 1-800-663-9980
¹ (Source: Who Knows - Safeguarding your Privacy in a Networked World, Ann Cavoukian and Don Tapscott, Toronto: Random House of Canada, 1995.)