PLUS 8300
Making the CSA Privacy Code Work for You
A workbook on applying the CSA Model Code for the Protection of Personal Information to your organization (CAN/CSA-Q830)

Published in December 1996 by
Canadian Standards Association
178 Rexdale Boulevard, Etobicoke, Ontario, Canada M9W 1R3

Acknowledgments
This Publication was developed under the guidance of the Technical Committee on Privacy and, in particular, the following individuals:
M. Long - Ottawa - Publication Coordinator and Prime Author
C. Bennett - Victoria - Associate Professor, University of Victoria
T. Campbell - Toronto - Contributor
A. Coles - Edmonton - Contributor
D. McKendry - Ottawa - Contributor
R. Roy - Ottawa - Contributor

Note on tailoring the Code
Organizations may choose to develop an organization-specific code based on the CSA Code. The commentaries which accompany each of the Code principles may be tailored to provide organization-specific examples. The principles themselves are interrelated and must be applied in their entirety and without alteration (see CSA Code, General Requirements, Clauses 3.7.7 and 3.7 -2, and Appendix D of this Publication).

Note on registering with the Quality Management Institute - a division of CSA
A separate publication is attached which gives details of the steps to be undertaken should you wish to register your organization's adoption of the Code with the Quality Management Institute (QMI).

ISBN 0-921347-57-X
© Canadian Standards Association - 1996
All rights reserved. No part of this Publication, other than sections indicated below, may be reproduced in any form, in an electronic retrieval system or otherwise, without express prior permission of the publisher. This workbook contains forms which may be used to document personal information management practices and procedures. These forms are clearly identified and may be reproduced without permission.

Technical Editor: Robin Haighton
Managing Editor: Gary Burford

Contents
Introduction - The purpose of this workbook
Chapter 1 - The importance of a national voluntary information protection code
Chapter 2 - Significance of the ten principles
Chapter 3 - How to implement the CSA Code in your organization
  Stage 1: Establishing an implementation team and plan
  Stage 2: Assessing your current information use policies and practices
  Stage 3: Bringing policies and practices in line with the CSA Code
    Step 1. How to identify information purposes
    Step 2. Ways to explain purposes and obtain consent
    Step 3. What to do when you want to use information for new purposes
    Step 4. How long you should keep information
    Step 5. How to make sure personal information is secure
    Step 6. How to address individual concerns about personal information use
  Stage 4: Documenting policies and procedures
  Stage 5: Training employees and implementing a communications plan
  Stage 6: Periodic review and auditing
Appendices
  A - Privacy publications and information sources
  B - QMI recognition program
  C - Information on safeguards and security
  D - Tailoring the Code: report to CSA Technical Committee on Privacy
  E - Health information

Introduction
The purpose of this workbook

The publication CAN/CSA-Q830, A Model Code for the Protection of Personal Information, referred to as the CSA Code,
(a) provides the
principles for the management of personal information;
(b) specifies the minimum requirements for the adequate protection of personal information held by participating organizations;
(c) makes the Canadian public aware of how personal information should be protected; and
(d) provides standards by which the international community can measure the protection of personal information in Canada.

This workbook is designed to provide practical, useful advice to help organizations understand and apply CSA's Model Code for the protection of personal information. The workbook is intended to be used in conjunction with the CSA Code, but it is not a replacement. The text of the CSA Code in its entirety should be referred to, when required, as the final authority on matters of interpretation.

The workbook was developed and reviewed by the CSA Technical Committee on Privacy, to provide guidance on how to apply the CSA Code effectively. Organizations will find it a valuable tool, particularly for those individuals directly responsible for implementing the CSA Code. However, the use of the workbook is not mandatory.

The CSA Code can be applied in all types of organizations, from small sole proprietorships to large corporate enterprises; from service clubs and charities to universities and hospitals; from organizations that hold very little personal information to those that specialize in information collection and use. While CSA has produced only one workbook to cover this vast range of information users, the principles of the CSA Code are universal and can, accordingly, be applied to all types of organizations whether they are large or small, locally based or multinational, and whether they use the simplest of information management methods or are at the leading edge of electronic information use.

What differs principally between organizations is the amount and variety of information collected, its sensitivity, and its relative value, both to the individuals providing it and the organizations using it. The workbook addresses these differences with examples drawn from a range
of organizational experiences and with practical, commonsense solutions. Whatever type of organization you are involved with, this workbook will provide you with basic information you need to implement the CSA Code in an appropriate way.

The CSA Code was developed as a national voluntary standard for personal information protection. As you apply the CSA Code, remember that its ultimate success depends upon an underlying commitment to integrity and fairness in the use of personal information. Organizations must always balance their need for information collection, use, and disclosure with the privacy rights of the individual.

Implementing the CSA Code may be a time-consuming task; however, once implemented, the ongoing maintenance of systems and procedures to meet the Standard should become a routine operation.

In support of the CSA Code, the Quality Management Institute (QMI) is offering three levels or tiers of recognition as follows:
Tier 1 - Declaration of the organization's intent to apply the CSA Code.
Tier 2 - Verification by QMI that the CSA Code has been implemented to an acceptable standard.
Tier 3 - Registration with QMI.
For more details on these tiers and the role of the Quality Management Institute, see Appendix B.

CSA has also published (August 1995) the background research report, Implementing Privacy Codes of Practice: A Report to the Canadian Standards Association (PLUS 8830), written by Colin Bennett of the University of Victoria. Readers who seek further background information about the functions and implementation of Privacy Codes in Canada and overseas might also want to obtain this publication.

Chapter 1
The importance of a national voluntary information protection code

As numerous surveys and polls have indicated, Canadians have become increasingly concerned about their privacy and the protection of their personal data. In 1990, the Canadian Standards Association embarked on the development of a Model Code for the Protection of Personal Information that would provide useful guidance to organizations, increase consumer confidence, and establish a process whereby individuals and organizations could resolve privacy concerns.

CSA has a long history in the development of voluntary standards. Development of the CSA Code was, therefore, a natural outgrowth of CSA activities in business management, reflecting CSA interests in safety, consumer concerns, and international harmonization. The final CSA Code, subsequently approved by the Standards Council of Canada as a National Standard of Canada, and published in March 1996, provides a common standard for the protection of personal information that can be employed throughout all levels of public and private enterprise, supported by the broad resources of the Canadian Standards Association.

The Code is based on the Organization for Economic Co-operation and Development (OECD) “Guidelines on the Protection of Privacy and Transborder Flows of Personal Data” to which the Government of Canada made a commitment in 1984. However, with the rapid increase in electronic data communications and the new interactive world of the information highway, the OECD privacy principles have been reformulated to better reflect the Canadian context and the new challenges of data protection in the information society.

The ten principles of the CSA Code, when taken together, constitute a fair and equitable balance between the privacy rights of individuals and the legitimate personal information requirements of private and public sector organizations. They also reflect excellent business practices that can considerably improve the confidence of consumers who provide their personal information to organizations.

Adhering to the CSA Code will improve the quality of personal information management within an organization. This can contribute to competitive advantages such as a stronger relationship with customers, better employee relations, and more cost-effective management of personal information. In inter-firm transactions, other organizations may prefer to deal with entities that also adhere to the Code, as a quality assurance measure.

Privacy Tip: the meaning of “personal information”
Personal information is any information about a specific, identifiable individual, including such commonly available details as name, address, and telephone number. Despite the fact that some personal information is widely available (e.g., through telephone directories or public databases), this does not, in any way, lessen the responsibility to apply the Code's principles to its collection, use, and disclosure. The CSA Code incorporates the principles that every element of personal information should only
be used for purposes that are defined and explained in advance to the individual, and that use or disclosure for any other purposes requires further knowledge and consent. (See Principle 3, page 11, for methods to obtain consent.)

The CSA Code also provides a national standard for personal information protection that can be applied on an organization-specific or sectoral basis to address concerns about transborder data flow. Data protection laws, giving governments the authority to block data flow to jurisdictions without adequate data protection, have been passed by members of the European Union, as well as New Zealand. Canadians now face the very real prospect that transborder flow of personal data between Canada and other countries may be prohibited, unless we adopt adequate data protection standards.

The CSA Model Code for the Protection of Personal Information is expected to become a standard upon which Canadians will judge the effectiveness of personal information protection in all types of organizations. Adopting the Code as a responsible, proactive measure makes good business sense.

Impacts of privacy loss in the information age

Many Canadians feel they have lost control over the use of their personal information. Personal data provided to organizations for specific reasons may end up being used for completely unrelated purposes - often without any form of consent or knowledge by the individual concerned. In addition, data profiling - the use of computer data-matching capabilities to create profiles of individuals - allows previously separate pieces of personal information to be compiled in ways never intended by the individual. A data profile is a powerful information or marketing tool that can be used by organizations to target clients or, conversely, limit and deny access to services.

No one would deny the immense benefits of computerization in improving organizational efficiency and providing more personalized service. However, without proper safeguards to prevent the collection, use, or disclosure of erroneous data, or to prevent the use or disclosure
of information without consent, there can be unintended consequences. Stories are reported regularly in the media about individuals whose privacy, dignity, and even freedom have been eroded because incomplete, incorrect, or irrelevant data was entered into a file. While people may have the opportunity to correct such erroneous data, the burden of proof is usually on the individual - and it can be a frustrating, demoralizing, or even insurmountable challenge to locate the source of “bad data,” convince others that it is indeed wrong, and have it corrected.

Individuals also pay the price when personal information - correct or otherwise - is purposely or inadvertently disclosed without their permission. There is no means of regaining privacy once it has been lost.

Moreover, organizations themselves pay a high price for failing to adequately safeguard personal data that has been entrusted to them. The consequences of such failures are measured in public anger and cynicism, diminished consumer confidence, lost business opportunities, and the high cost of correcting mistakes after they have been made. The following stories illustrate just how high the cost can be, for both individuals and organizations, due to inadequate personal information protection practices.

A telecommunications company regularly donated computer printouts to local day care centres as drawing paper. On one occasion, the printouts included details of calling card customer names and numbers. With the disclosure of this sensitive data, the company was forced to recall and reissue all of its customer calling cards, at a cost of more than $500,000 and considerable public embarrassment. Adequate procedures in the disposal of company records might have prevented this disclosure.

A woman received a phone call from a funeral home offering its services shortly after a hospital visit in which she was diagnosed with terminal cancer. The patient and her family were outraged by the insensitivity of this call and, upon further investigation, learned that a member of the hospital staff had provided the funeral home with details of the woman's illness. The incident was widely reported in the media and a lawsuit subsequently was launched against both the hospital and the funeral home. While it is always more difficult to guard against such deliberat