Town of Riverview Policy on the Protection of Personal Information and Privacy — full text

This is the exact embedded text of the captured official document. Snapshot dd291c3a89af · verified 2026-06-07 · original document · archived snapshot · unofficial consolidation, the official version is held by the municipal clerk.

Protection of Personal Information and Privacy 1 Policy Name: Protection of Personal Information and Privacy Date Approved: November 9, 2015 Date Reviewed: Department: Administration Purpose 1. To outline the responsibilities of the Town's employees and elected officials in relation to personal information. 2. To ensure, through responsible management of personal information, that the Town of Riverview adheres to the requirements of the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Right to Information and Protection of Privacy Act (RTIPPA). 3. To ensure that the Town of Riverview implements best practices for the management of personal information and protection of privacy consistent with the 10 Privacy Principles outlined in PIPEDA. Applicability This policy applies to all Town of Riverview employees and elected officials involved in the collection, storage, access, use, disclosure, retention or disposition of personal information in the conduct of their duties or activities. Definitions EMPLOYEE - A person who is employed or connected to employment with the Town of Riverview. A Town employee may be considered a full time, part time, casual, contract or term worker, student (paid or unpaid) and/or volunteer. MANAGEMENT OF PERSONAL INFORMATION - Includes all administrative and operational activities carried out by staff or members of Council of the Town of Riverview, which are connected with the collection, storage, accessing, use, disclosure, retention or disposition of personal information. PERSONAL INFORMATION - Recorded information about an identifiable individual in any form. The form or medium in which the information may be recorded includes, for example, images, audio recordings and text whether digital or hard copy. Personal Information can include but is not limited to: a) The individual's name; b) The individual's home address or electronic mail address or home telephone or facsimile number; c) Information about the individual's age, gender, sexual orientation, marital status or family status; Protection of Personal Information and Privacy 2 d) Information about the individual's ancestry, race, colour, nationality or national or ethnic origin; e) Information about the individual's religion or creed or religious belief, association or activity; f) Personal health information about the individual; g) The individual's blood type, fingerprints or other hereditary characteristics; h) Information about the individual's political belief, association or activity; i) Information about the individual's education, employment or occupation or educational, employment or occupational history; j) Information about the individual's source of income or financial circumstances, activities or history; k) Information about the individual's criminal history, including regulatory offences; l) The individual's own personal views or opinion, except if they are about another person; m) The views or opinions expressed about the individual by another person, and n) An identifying number, symbol or other particular assigned to the individual. PIPEDA - A federal law that legislates standards for the management of personal information by organizations engaged in commercial activities. PIPEDA applies to municipalities even though the scope of their commercial activities may be limited. PIPEDA holds municipalities accountable for personal information in their care, custody or control, and requires that reasonable limits be placed on the collection, storage, access, use, disclosure and retention of personal information. In addition, PIPEDA requires openness with regard to a municipality's privacy policies and practices. RTIPPA - New Brunswick's access to information and protection of privacy legislation. The provisions of RTIPPA will apply to all management of personal information. RTIPPA - New Brunswick's access to information and protection of privacy legislation. The provisions of RTIPPA will apply to all management of personal information. TOWN - Town of Riverview employees and elected officials. Privacy Principles This policy is based on and incorporates the 10 Privacy Principles. The 10 Privacy Principles are widely recognized and accepted as the foundation for best information practices. These principles form the ground rules for the collection, use and disclosure of personal information, as well as for providing access to personal information. By applying the 10 Privacy Principles in all areas of personal information management the Town of Riverview uses best practices in appropriately handling personal information and ensuring legislative requirements are met. These principles apply within the Town of Riverview as follows: Protection of Personal Information and Privacy 3 1) Accountability The Town is responsible for personal information under its control, and accountable to the individual to whom the information relates for its protection and safe keeping. This accountability extends to agreements the town enters into with third party service providers that act for or on its behalf with respect to personal information and that may come in contact with personal information while providing services to the Town. The Town will implement appropriate controls, such as contractual agreements with these service providers to ensure that personal information under its control is appropriately protected. 2) Limited Collection No personal information may be collected by the Town or on the Town`s behalf unless: a) The collection of the personal information is authorized or required by or under an Act of the Legislature of New Brunswick or an Act of the Parliament of Canada, b) The information relates directly to and is necessary for an existing program or activity of the Town of Riverview, or c) The information is collected for law enforcement purposes. When personal information is collected as authorized above, the Town will collect only as much personal information about an individual as is reasonably necessary to accomplish the purpose for which it is collected. Personal information must always be collected directly from the person to whom the information pertains, unless another method of collection is authorized by the individual or by law. 3) Identifying Purposes When collecting personal information, the Town shall inform the individual of the purpose(s) for which the personal information is being collected. Where personal information is collected through the completion of a standard form or application, a statement shall be included on that form that outlines: a) The purpose(s) for which the information is being collected (i.e. principally how the information is intended to be used); b) The Town's legal authority to collect the information (which may be provided by RTIPPA and/or another law with which the Town must comply); and c) The title, business address and telephone number of an employee of the Town who can answer questions about the collection (i.e., why it is being collected, how it will be used). All persons collecting personal information are expected to be fully aware of and able to explain to individuals the purpose(s) for which the personal information is being collected and how it may be used and disclosed. Protection of Personal Information and Privacy 4 4) Consent The Town shall obtain consent from the individual when collecting personal information. Consent must be tied to the purpose(s) identified at or before the time of collection in accordance with Privacy Principle #3. 5) Limiting Use, Disclosure and Retention The use and disclosure of personal information must be limited in scope to the original purpose for the collection, or to purposes reasonably connected to the original purpose. If the Town intends to use or disclose personal information for a different purpose, it must obtain the written consent of the individual prior to using or disclosing the information for this new purpose, except as permitted by law or otherwise authorized by legislation. The principle of "need to know" must guide all collection, use and disclosure of personal information, such that the Town only collects, uses, or discloses the minimum amount of personal information required for the immediate, valid purpose and only grants access to and discloses personal information to the extent needed to fulfill that purpose. The retention of personal information is subject to both legal requirements and the Town of Riverview's record retention and disposition schedules and will be retained only as long as necessary for the fulfillment of the identified and authorized purposes or as required by law. Personal information that is no longer required will be securely destroyed, erased or de- identified. The Town will develop guidelines and implement procedures to govern the secure destruction of personal information, to ensure that unauthorized parties do not gain access to the information. 6) Accuracy The Town shall take reasonable measures to ensure that personal information in their care, custody or control is as accurate, complete and current as necessary for the purpose(s) for which it is to be used. Processes will be identified by which individuals may be able to challenge the accuracy and completeness of the information collected from them and have it corrected as appropriate. 7) Protection The Town shall ensure that personal information in their care, custody or control is: a) Stored in a manner that prevents unauthorized access or destruction; b) Accessed, used and disclosed in a manner that is consistent with the identified purpose(s) and does not extend beyond the intended access, use and disclosure; c) Disposed of in a manner that prevents disclosure. Protection of Personal Information and Privacy 5 The level of protection will be in proportion and appropriate to the sensitivity of the information and the circumstances of its collection, use and disclosure. 8) Openness and Assistance The Town will be open about its policies and practices with respect to the management of personal information and will make specific information readily available to the general public, including: a) The title, business address, and telephone number of the appropriate individual, to whom complaints or inquiries can be forwarded; b) The means of gaining access to personal information held by the Town; and c) A description of the type of personal information held by the Town, including a general account of its use. The Town shall, upon request, provide a copy of this policy and, if required, additional information about Town policies, procedures and practices related to the management of personal information. For the purpose of providing the policy and any additional information, referral to an online source is acceptable. 9) Individual Access and Revision Individuals are entitled to request access to their personal information and to examine or receive a copy of personal information maintained by the Town, subject only to limited exceptions outlined in RTIPPA. Where access is denied, the individual will be provided with the reasons for denying access and informed of his or her right to complain about the Town's decision to the Access to Information and Privacy Commissioner. 10) Complaints Any individual shall be able to address a challenge concerning compliance with the above principals to the designated Town employee accountable for compliance by submitting a complaint to the Town in writing or by voicing a concern. All complaints will be reviewed by the Town Clerk, who will ensure that an investigation is conducted and send a response of the outcome of the investigation to the sender as expeditiously as possible. The individual will be notified in writing of the Town's receipt of the complaint and an approximate time frame for sending the response. Access to Personal Information Individuals wishing to review their personal information shall request access to the relevant records through the appropriate department or the Town Clerk's office. All reviews of personal information shall be in compliance with Privacy Principle #7. Protection of Personal Information and Privacy 6 Revision of Personal Information Subsequent to reviewing personal information, an individual may request revisions related to the accuracy and completeness of the personal information. Sufficient documentation (i.e. marriage certificate, driver's licence) may be requested to determine if the revisions are appropriate. Revisions must be completed by an employee of the Town of Riverview who shall determine what revisions are appropriate to ensure accuracy and completeness of the personal information. The individual and, as necessary, the Town Clerk may be consulted in making this determination. Within 30 days of receiving the request, any approved revisions shall be made, at no cost to the individual, and a response to the individual shall be made advising them of the revision; or if the decision was made not to revise, a summary of the reasons for this decision. Notice will also be given of the individual's right to challenge this decision under the "Procedure for Challenges and Appeals" section of this policy. Procedure for Challenges and Appeals Challenges Individuals are entitled to challenge the Town's compliance with: a) This policy; and b) Applicable federal and provincial privacy and information legislation. Individuals who wish to file a challenge may submit in writing a statement outlining the substance of their concern to the Town Clerk. The Town Clerk shall, upon receipt of the challenge: 1) Investigate the concern in consultation with the individual, and, as appropriate, any other concerned parties, and decide what further measures, if any, are to be taken to address the challenge; and 2) Provide a written report (email is acceptable) to the individual within 30 days indicating: a) What actions were taken to investigate and process the challenge, and b) Further measures, if any, that have been or will be taken to address the challenge. 3) The individual may appeal the Town Clerk's decision as provided for below. Appeal Process Individuals are entitled to appeal specific decisions rendered by the Town Clerk concerning challenges as outlined above. Individuals who wish to appeal shall contact the Access to Information and Privacy Commissioner (RTIPPA) or the Privacy Commissioner of Canada (PIPEDA) to file a complaint. Accountabilities The Town Council of Riverview has named the Chief Administrative Officer as Head of the public body, pursuant to the Right to Information and Protection of Privacy Act. The CAO in turn has delegated accountability for overseeing the management of private information to the Town Clerk. Protection of Personal Information and Privacy 7 Employees and elected officials are responsible to comply with this Policy. The Town will monitor compliance. The Town Clerk's office is located in the Town Hall, 30 Honour House Court, Riverview, NB E1B 3Y9. Questions concerning this policy may be directed to (506) 387-2136 or [email protected].