Both Alberta and British Columbia have their own Personal Information Protection Acts (PIPA). Our policies refer to the BC Privacy Legislation as it parallels that of Alberta; however, if any resident or employee is making enquiries about privacy matters, they must refer to the appropriate provincial laws to ensure they are dealing with the applicable sections within their respective provincial PIPA.
PIPA governs how we are able to collect, use and disclose personal information about our employees, tenants, contractors and those to whom we provide services or from whom we receive them.
We collect, retain and use tenant information for legitimate purposes only. Information is not shared with outside parties except to the extent necessary to complete the lease process in the case of tenants, or with payroll providers in the case of employees.
There are 10 principles that, while not explicitly stated in BC or Alberta PIPA, are apparent from the content of the legislation.
1. Accountability – an organization that collects personal information must appoint one person to oversee its legislative compliance. This person is responsible for analyzing the handling practices and what personal information is collected and why; how it is collected; what it is being used for; how it is being stored and secured; who has access to it; to whom it is being disclosed and for what purpose; and how it is being disposed of.
2. Identifying the purpose of collection – an organization must let an individual know why it is collecting personal information and for what purpose it is being used.
3. Consent – with limited exceptions, the individual to whom the personal information relates must consent to its collection. Consent must be voluntarily given and the individual must be aware of why information is being collected. Although consent must usually be express, it may be implied in some instances, such as when an individual applies for a position of employment. Prior to conducting reference checks, an employer should ensure that it is documented when consent is given. There are certain circumstances in which consent is not required, such as when information is publicly available, it is a medical emergency, or obtaining consent may compromise the availability or accuracy of the information which is relevant to an investigation of a breach of an agreement or a contravention of law.
4. Limited Collection – the organization can only collect information that is necessary for its stated purpose. For example, in the course of conducting a credit check, an organization would not need to collect information related to an individual's religious affiliation.
5. Limited use, disclosure and retention – information that was collected cannot be used for any purpose other than that which was stated. If there is information required apart from that for which consent was given, new consent authorizing disclosure must be obtained. For example, information regarding dependents gathered for life insurance purposes cannot be transferred to a medical insurer for the purpose of obtaining medical coverage without obtaining a specific new consent. There are certain circumstances in which additional consent may not be required, such as in an emergency where information is publicly available.
6. Accuracy – if use or disclosure of out-of-date or incomplete information would harm the individual, the employer should ensure that the information is accurate and current. Employees should be given the opportunity to correct information contained in their personnel files.
7. Provide safeguards – an organization should protect personal information against theft, loss or unauthorized access. For example, written information should be kept in locked drawers with keys accessible only to those who need access.
8. Be open – privacy policies and procedures should be readily available to customers, clients, employees and suppliers. Front line supervisors should be familiar with them.
9. Give individuals access – subject to specified exceptions, organizations must provide individuals with details about the personal information being held about them and the means to gain access to it upon request. There are exceptions to what an individual should have access to, but if there is information in a file that contains personal information about another individual, the third-party identifiers should be removed. Exceptions also apply if information was collected as part of an investigation into a breach of an agreement or law, or was generated in the course of a formal dispute resolution process. Where access is denied, the organization should advise the individual in writing, provide reasons, and explain what recourse is available.
10. Provide recourse – there should be a procedure in place to deal with complaints about access to information or compliance with privacy legislation. If an organization refuses to provide information or denies its existence, an individual may file a complaint with the privacy commissioner.