Code of Privacy
The CPI-AC Code of Privacy and the Canadian Standards Association (CSA) Model Code of Personal Information Privacy Ten interrelated principles form the basis of the CSA Model Code for the Protection of Personal Information. Each principle is a core element in the Council of Private Investigators – Atlantic Canada (CPI-AC) Code of Privacy.
- Identifying Purposes
- Limiting Collection
- Limiting Use, Disclosure, and Retention
- Individual Access
- Challenging Compliance
1. Accountability – ↑ Top of Page ↑
Each organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following principles.
2. Identifying Purposes – ↑ Top of Page ↑
The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
The purpose for which Members collect personal information is to facilitate the investigation of contraventions of the law and breaches of agreements.
Personal information collected as part of the investigation of a contravention of the law may include information pertaining to individuals involved in criminal activity, individuals suspected of involvement in criminal activity, individuals with knowledge of criminal activity, and individuals who may advance an investigation by providing information relating to the identity of those involved or suspected of criminal activity.
Personal information collected in the investigation of the breach of an agreement may pertain to individuals who are party to an agreement, individuals who have knowledge of the terms and conditions of an agreement, individuals who have knowledge of the breach of an agreement, or individuals who may advance an investigation by providing information relating to a breach of an agreement.
3. Consent – ↑ Top of Page ↑
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. In most instances, obtaining the knowledge and consent of individuals would defeat the purpose of an investigation. Personal information will only be collected, used and disclosed by Members without consent in accordance with section 7 of the Personal Information Protection and Electronic Documents Act, S.C. 2000, c.5 (PIPEDA).
4. Limiting Collection – ↑ Top of Page ↑
The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
Members will collect information about individuals only if there are reasonable grounds to believe that the information relates to dishonest conduct, breaches of agreements or contraventions of the laws of Canada, a province, or a foreign jurisdiction. Members of the CPI-AC will only collect the personal information that is required for the preventative and investigative purposes set out above.
5. Limiting Use, Disclosure, and Retention – ↑ Top of Page ↑
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
Members may only use or disclose personal information for the purposes for which it was collected. Members may only keep personal information for as long as may be necessary to satisfy such purpose. Members may disclose personal information only to law enforcement agencies, other investigative bodies or their clients for the purpose for which the personal information was collected.
Members will destroy personal information in its possession once it is no longer required for the purpose for which it was collected.
6. Accuracy – ↑ Top of Page ↑
Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
Members will ensure to the best of their ability that the personal information they collect, use, and disclose is accurate, complete, current, and relevant to the stated purpose.
7. Safeguards – ↑ Top of Page ↑
Security safeguards appropriate to the sensitivity of the information shall protect personal information.
Members will ensure that personal information is stored in secure electronic and hard copy files. Hard copy files will be stored in locked file cabinets with restricted access. Electronic files will be stored in secure systems that include power-on password protection and a secure firewall. Electronic files will be encrypted with an industry standard encryption program before being transferred electronically. Distribution of personal information will be on a need-to-know basis.
8. Openness – ↑ Top of Page ↑
An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
Members will make available to the public easily understandable information about the Member Company, its privacy policies, this Code of Privacy, both in hard copy and on its website.
9. Individual Access – ↑ Top of Page ↑
Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
In accordance with paragraph 9(3)(c.1) of PIPEDA, if such disclosure does not defeat the purposes for which the information was collected, each Member will, upon request by an individual, advise the individual whether the Member has personal information concerning him or her, what that information is, what it is being used for and to whom their information has been disclosed.
If the individual can provide proof of an error in the personal information held by the Member, the Member will amend the information and send the corrected information to others who have used the incorrect information. If the individual challenges certain information but cannot disprove its accuracy, the Member will note the challenge so that those using the information will be aware of the unresolved challenge.
If a Member denies an individual’s request for access, it will state the reasons for the denial and advise the individual of his/her right to appeal to the Office of the Privacy Commissioner of Canada or Ontario as the case may be.
10. Challenging Compliance – ↑ Top of Page ↑
An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization’s privacy compliance.
Individuals may send complaints with respect to a Member’s compliance with its own privacy policies and procedures to the CPI-AC’s Ethics Committee. The CPI-AC Ethics Committee will investigate the complaint and respond to the individual. If the CPI-AC Ethics Committee finds that the Member is in violation of the CPI-AC Code of Privacy, the Member will have thirty days in which to change its policies or procedures. If the individual is still not satisfied, he/she will be advised by the CPI-AC Ethics Committee of his or her right to appeal to the Office of the Privacy Commissioner of Canada or the member’s Provincial Privacy Commissioner whichever the case may be.