Q830-03 (reaffirmed 2014)
Model Code for the Protection of Personal Information

Legal Notice for Standards

Canadian Standards Association (operating as “CSA Group”) develops standards through a consensus standards development process approved by the Standards Council of Canada. This process brings together volunteers representing varied viewpoints and interests to achieve consensus and develop a standard. Although CSA Group administers the process and establishes rules to promote fairness in achieving consensus, it does not independently test, evaluate, or verify the content of standards.

Disclaimer and exclusion of liability

This document is provided without any representations, warranties, or conditions of any kind, express or implied, including, without limitation, implied warranties or conditions concerning this document's fitness for a particular purpose or use, its merchantability, or its non-infringement of any third party's intellectual property rights. CSA Group does not warrant the accuracy, completeness, or currency of any of the information published in this document. CSA Group makes no representations or warranties regarding this document's compliance with any applicable statute, rule, or regulation.

IN NO EVENT SHALL CSA GROUP, ITS VOLUNTEERS, MEMBERS, SUBSIDIARIES, OR AFFILIATED COMPANIES, OR THEIR EMPLOYEES, DIRECTORS, OR OFFICERS, BE LIABLE FOR ANY DIRECT, INDIRECT, OR INCIDENTAL DAMAGES, INJURY, LOSS, COSTS, OR EXPENSES, HOWSOEVER CAUSED, INCLUDING BUT NOT LIMITED TO SPECIAL OR CONSEQUENTIAL DAMAGES, LOST REVENUE, BUSINESS INTERRUPTION, LOST OR DAMAGED DATA, OR ANY OTHER COMMERCIAL OR ECONOMIC LOSS, WHETHER BASED IN CONTRACT, TORT (INCLUDING NEGLIGENCE), OR ANY OTHER THEORY OF LIABILITY, ARISING OUT OF OR RESULTING FROM ACCESS TO OR POSSESSION OR USE OF THIS DOCUMENT, EVEN IF CSA GROUP HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, INJURY, LOSS, COSTS, OR EXPENSES.

In publishing and making this document available, CSA Group is not undertaking to render professional or other services for or on behalf of any person or entity or to perform any duty owed by any person or entity to another person or entity. The information in this document is directed to those who have the appropriate degree of experience to use and apply its contents, and CSA Group accepts no responsibility whatsoever arising in any way from any and all use of or reliance on the information contained in this document.

CSA Group is a private not-for-profit company that publishes voluntary standards and related documents. CSA Group has no power, nor does it undertake, to enforce compliance with the contents of the standards or other documents it publishes.

Intellectual property rights and ownership

As between CSA Group and the users of this document (whether it be in printed or electronic form), CSA Group is the owner, or the authorized licensee, of all works contained herein that are protected by copyright, all trade-marks (except as otherwise noted to the contrary), and all inventions and trade secrets that may be contained in this document, whether or not such inventions and trade secrets are protected by patents and applications for patents. Without limitation, the unauthorized use, modification, copying, or disclosure of this document may violate laws that protect CSA Group's and/or others' intellectual property and may give rise to a right in CSA Group and/or others to seek legal redress for such use, modification, copying, or disclosure. To the extent permitted by licence or by law, CSA Group reserves all intellectual property rights in this document.

Patent rights

Attention is drawn to the possibility that some of the elements of this standard may be the subject of patent rights. CSA Group shall not be held responsible for identifying any or all such patent rights. Users of this standard are expressly advised that determination of the validity of any such patent rights is entirely their own responsibility.

Authorized use of this document

This document is being provided by CSA Group for informational and non-commercial use only. The user of this document is authorized to do only the following:

If this document is in electronic form:
(a) load this document onto a computer for the sole purpose of reviewing it;
(b) search and browse this document; and
(c) print this document if it is in

(b) provide an explanation of circumstances surrounding the actual field condition; and
(c) be phrased where possible to permit a specific “yes” or “no” answer.

Committee interpretations are processed in accordance with the CSA Directives and guidelines governing standardization and are published in CSA's periodical Info Update, which is available on the CSA Web site at www.csa.ca.

Q830-03 2003 CSA Group viii November 2003

Introduction

Canada is part of a global economy based on the creation, processing, and exchange of information. The technology underlying the information economy provides a number of benefits that improve the quality of our lives. This technology also gives rise to concerns about the protection of privacy rights and the individual's right to control the use and exchange of personal information. By implementing recognized fair-handling practices for personal information, organizations can materially demonstrate their commitment to the protection of personal information. Organizations should balance their need for personal information with an individual's desire for a certain measure of anonymity.

This document is a voluntary national standard for the protection of personal information. The Standard addresses two broad issues: the way organizations collect, use, disclose, and protect personal information; and the right of individuals to have access to personal information about themselves, and, if necessary, to have the information corrected.

Ten interrelated principles form the basis of the Standard. Each principle is accompanied by a commentary that elaborates on the principle. A workbook on the implementation of the principles is available to organizations intending to adopt this Standard. Organizations will be able to tailor specific privacy codes using the workbook as a guide.

This Standard will
(a) provide principles for the management of personal information;
(b) specify the minimum requirements for the adequate protection of personal information held by participating organizations;
(c) make the Canadian public aware of how personal information should be protected; and
(d) provide standards by which the international community can measure the protection of personal information in Canada.

Canada committed itself to privacy protection in 1984 by signing the Organization for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The OECD Guidelines (see Appendix A) were used as the basis for the development of this Standard. The protection of personal information is increasingly important at the international level.

Principles in Summary

Ten interrelated principles form the basis of the CSA Model Code for the Protection of Personal Information. Each principle must be read in conjunction with the accompanying commentary.

1. Accountability
An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles.

2. Identifying Purposes
The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.

3. Consent
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

4. Limiting Collection
The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

5. Limiting Use, Disclosure, and Retention
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.

6. Accuracy
Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

7. Safeguards
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

8. Openness
An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.

9. Individual Access
Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

10. Challenging Compliance
An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance.

Q830-03 Model Code for the Protection of Personal Information

1. Scope

1.1 This model code describes the minimum requirements for the protection of personal information. Any applicable legislation is to be considered in implementing these requirements.

1.2 This Standard may be applied to all personal information. Provided the minimum requirements are met, organizations may tailor this Standard to meet their specific circumstances. For example, policies and practices may vary, depending upon whether the personal information relates to members, employees, customers, or other individuals.

1.3 The objective of this Standard is to assist organizations in developing and implementing policies and practices to be used when managing personal information.

2. Definitions

2.1 The following definitions apply in this Standard:

Collection: the act of gathering, acquiring, or obtaining personal information from any source, including third parties, by any means.

Consent: voluntary agreement with what is being done or proposed.
Note: Consent can be either express or implied. Express consent is given explicitly, either orally or in writing. Express consent is unequivocal and does not require any inference on the part of the organization seeking consent. Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual.

Disclosure: making personal information available to others outside the organization.

Organization: a term used in the model code that includes associations, businesses, charitable organizations, clubs, government bodies, institutions, professional practices, and unions.

Personal information: information about an identifiable individual that is recorded in any form.

Use: refers to the treatment and handling of personal information within an organization.

3. General Requirements

3.1 The ten principles that make up this Standard are interrelated. Organizations adopting this Standard shall adhere to the ten principles as a whole.

3.1.1 Organizations may tailor this Standard to meet their particular circumstances by
(a) defining how they subscribe to the ten principles;
(b) developing an organization-specific code; and
(c) modifying the commentary to provide organization-specific examples.

3.1.2 Each of the principles is followed by a commentary on the principle. The commentaries are intended to help individuals and organizations understand the significance and the implications of the principles. Where there is also a note following a principle (see principles 3 and 9), it forms an integral part of the principle.

3.1.3 Although the following clauses use prescriptive language (i.e., the word “shall” or “must”), this document is a voluntary standard. Should an organization choose to adopt the principles and general practices contained in this Standard, the clauses containing prescriptive language become requirements. The use of the word “should” indicates a recommendation.

4. Principles

4.1 Principle 1: Accountability

An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles.

4.1.1 Accountability for the organization's compliance with the principles rests with the designated individual(s), even though other individuals within the organization may be responsible for the day-to-day collection and processing of personal information. In addition, other individuals within the organization may be delegated to act on behalf of the designated individual(s).

4.1.2 The identity of the individual(s) designated by the organization to oversee the organization's compliance with the principles shall be made known upon request.

4.1.3 An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.

4.1.4 Organizations shall implement policies and practices to give effect to the principles, including
(a) implementing procedures to protect personal information;
(b) establishing procedures to receive and respond to complaints and inquiries;
(c) training staff and communicating to staff information about the organization's policies and practices; and
(d) developing information to explain the organization's policies and procedures.

4.2 Principle 2: Identifying Purposes

The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.

4.2.1 The organization shall document the purposes for which personal information is collected in order to comply with the Openness principle (Clause 4.8) and the Individual Access principle (Clause 4.9).

4.2.2 Identifying the purposes for which personal information is collected at or before the time of collection allows organizations to determine the information they need to collect to fulfil these purposes. The Limiting Collection principle (Clause 4.4) requires an organization to collect only that information necessary for the purposes that have