Privacy and Protection of Personal Information Policy (By-law No. 64-2023)

North Huron, Ontario · adopted 2023-09-18

This is the exact embedded text of the captured official document. Snapshot 78d00b6b505b · verified 2026-06-10 · unofficial consolidation, the official version is held by the municipal clerk.

The Corporation of the Township of North Huron

By-law No. 064-2023

Being a By-law to Adopt a Privacy and Protection of Personal Information Policy for the Corporation of the Township of North Huron.

This accessible version of this by-law is printed under the authority of the Council of the Township of North Huron.

Printing Date: September 21, 2023

Disclaimer: The following version is an electronic reproduction made available for information only. It is not an official version of the by-law. The format may be different, and plans, pictures, other graphics or text may be missing or altered. The Township of North Huron does not warrant the accuracy of this electronic version. This consolidation cannot be distributed or used for commercial purposes. It may be used for other purposes only if you repeat this disclaimer and the notice of copyright. Official versions of all by-laws can be obtained from the Clerk's Department by calling 519-357-3550.

The Corporation of the Township of North Huron

By-law No. 64-2023

Being a By-law to Adopt a Privacy and Protection of Personal Information Policy for the Corporation of the Township of North Huron

WHEREAS Section 5(3) of the Municipal Act, 2001, S.O. 2001, c. 25, as amended, provides that municipal power shall be exercised by by-law;

AND WHEREAS under Section 253(1) of the Municipal Act, 2001, S.O. 2001, c.25, subject to the Municipal Freedom of Information and Protection of Privacy Act, any person may, at all reasonable times, inspect any of the records under the control of the Clerk;

AND WHEREAS Section 14(1) of the Municipal Freedom of Information and Protection of Privacy Act states that the head as designated for the purposes of the Act shall refuse to disclose personal information to any person other than the individual to whom the information relates unless specific conditions as established in the Act are met;

AND WHEREAS the Council of the Corporation of the Township of North Huron deems it expedient to establish a policy for privacy and the protection of personal information under the custody and control of the Township of North Huron;

NOW THEREFORE the Council of the Corporation of the Township of North Huron ENACTS as follows:

1. That the Privacy and Protection of Personal Information Policy attached hereto as Schedule "A" is hereby adopted and shall form part of this by-law.
2. That this by-law shall come into force and take effect on the day of the final passing thereof.

Read a first and second time this 18th day of September, 2023.
Read a third time and passed this 18th day of September, 2023.

__________________________________
Paul Heffer, Reeve

CORPORATE SEAL

__________________________________
Carson Lamb, Clerk

Schedule "A" to By-law No. 064-2023
Privacy and Protection of Personal Information Policy
Page 1 of 6
Approval Date: September 18, 2023

Township of North Huron
Privacy and Protection of Personal Information Policy

1. POLICY STATEMENT

1.1. The Township of North Huron will protect the privacy and confidentiality of information in accordance with "privacy by design" principles, obligations under Township policies, the Municipal Freedom of Information and Protection of Privacy Act, R.S.O. 1990, c. M.56 (MFIPPA) and the Municipal Act, 2001, S.O. 2001, c. 25, by ensuring appropriate treatment regarding how information is collected, retained, used, disclosed, and disposed.

2. PURPOSE

2.1. The purpose of this policy is to strengthen the Township of North Huron's ability to protect personal information under its control or custody. This policy establishes a risk-based approach to privacy protection, sets clear accountabilities, and outlines roles and responsibilities for processes, systems, and programs that collect, use, or manage personal information.

2.2. This policy incorporates the principles and requirements set out in the MFIPPA to ensure the Township's compliance with this legislation.

3. SCOPE

3.1. This policy applies to staff, volunteers, and contract staff hired by the Township of North Huron or by third party organizations hired under an agreement or contract.

4. INTERPRETATION

4.1. Any reference in this Policy to any statute or any section of a statute shall, unless expressly stated, be deemed to be reference to the statute as amended, restated, or re-enacted from time to time. Any references to a By-law or Township policy shall be deemed to be a reference to the most recent passed policy or By-law and any replacements thereto.

5. DEFINITIONS

5.1. Access by Design - a methodology that encourages public institutions to take a proactive approach to releasing information, making the disclosure of government-held information an automatic process where possible, as outlined by the Information and Privacy Commissioner.

5.2. Clerk - the Clerk or designate of the Township of North Huron, duly appointed by By-law.

5.3. Disclosure - the act of making internally held records or information available to external person(s).

5.4. Freedom of Information (FOI) - a presumptive right of access to official information submitted through a formal request under the MFIPPA.

5.5. Personal Information - as defined in the MFIPPA means recorded information about an identifiable individual, including:
(a) information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual;
(b) information relating to the education or the medical, psychiatric, psychological, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved;
(c) any identifying number, symbol or other particular assigned to the individual;
(d) the address, telephone number, fingerprints or blood type of the individual;
(e) the personal opinions or views of the individual except if they relate to another individual;
(f) correspondence sent to an institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to that correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the individual;
(h) the individual's name if it appears with other personal information relating to the individual or where the disclosure of the name would reveal other personal information about the individual.

5.6. Privacy breach - an incident involving the improper or unauthorized access, collection, use, disclosure, or retention and/or disposal of personal information.

5.7. Privacy by design - a methodology for proactively embedding privacy into information technology, business practices, and networked infrastructures, as outlined by the Information and Privacy Commissioner.

5.8. Privacy Impact Assessment - a process to identify, assess and mitigate potential privacy risks that may arise from a new or existing project, system, initiative, strategy, policy or business relationship.

5.9. Township - The Corporation of the Township of North Huron.

6. POLICY OBJECTIVES

This Policy is designed to:

6.1. Increase constituents' trust and confidence in the Township of North Huron.

6.2. Ensure statutory and regulatory compliance with, and effective application of, applicable privacy legislation.

6.3. Establish rules and procedures for managing privacy breaches, investigations, audits, consultations, and other privacy matters.

6.4. Communicate and identify roles and responsibilities for staff, volunteers, contract staff, and parties related to the management of Personal Information.

6.5. Integrate privacy by design and access by design principles into all new or modified architectures, technologies, and programs, to mitigate personal information privacy risks in Township programs and activities that involve the collection, use, disclosure, and disposition of personal information.

6.6. Establish rules and procedures to strengthen data privacy by ensuring security controls for the confidentiality, integrity, and availability of information.

7. RESPONSIBILITIES

7.1. The Clerk has the authority and responsibility to:
(a) Develop and implement policies, programs, and services for the management and protection of personal information in compliance with the MFIPPA and other applicable codes, policies, and guidelines.
(b) Administer the Freedom of Information (FOI) process/program while protecting personal information from being improperly released, as per the MFIPPA.
(c) Review departmental practices for the collection, use, disclosure, and authorized disposition of personal information.
(d) Consult with Township departments to ensure programs meet privacy requirements as identified in this Policy, applicable legislation, privacy standards, and procedures.
(e) Establish privacy standards, guidelines, and procedures to support this Policy.
(f) Investigate complaints of information misuse and/or privacy breaches and communicate findings and recommendations (where applicable) to the complainant and the relevant Department Head and/or the CAO.
(g) Produce investigation reports in response to privacy breaches and communicate recommendations and mitigation strategies to Department Heads.
(h) Sign off on the privacy impact assessment report for any technology, system, program, or service involving the collection or use of personal information or personal health information.
(i) Authorize the disposal of personal information that was collected without the appropriate authority, notice of collection statement, or other mandatory legislative requirements.

7.2. Department Heads, in collaboration with the Clerk, have the authority and responsibility to:
(a) Implement this Policy and communicate requirements to staff under their direction.
(b) Ensure compliance with this Policy and that personal information is collected, used, disclosed, and disposed of in accordance with legislation, associated regulations, standards, and other applicable Township policies.
(c) Incorporate privacy protection concepts and principles into departmental and organizational strategies and plans.
(d) Restrict access to personal information to those individuals who require it in order to perform their duties and where access is necessary for the administration of their operations.
(e) Inform staff of the legal and administrative consequences of any inappropriate or unauthorized access to, or collection, use, disclosure, or disposition of personal information related to a particular program or activity.
(f) Consult with the Clerk during the planning stages, before any procurement, and prior to the implementation of any technology, system, program, or service involving the collection, use, disclosure, or disposition of personal information.
(g) In collaboration with the Clerk, require that vendors, contractors, or anyone acting as an agent on behalf of the Township comply with this Policy and that the privacy rules, concerns, and requirements are embedded in all documents governing the service provision, procurement, or relationship between the Township and the aforementioned.
(h) Require that staff, vendors, contractors, and agents maintain a level of privacy awareness appropriate to their responsibilities through agreements, training, policy, and supporting reference materials.
(i) Receive formal privacy investigation reports from the Clerk and make final decisions about the handling of a complaint.
(j) Be accountable for privacy risk treatment and acceptance within their respective departments.
(k) Understand the repercussions for accepting high or critical privacy risks including prosecution, fines, and/or reputational damage.
(l) Report back to the Clerk on privacy risk mitigation/treatment actions outlined in privacy and security assessments conducted on their projects and initiatives.

7.3. All Employees, Third Parties (including Vendors and Contractors) and Volunteers have the responsibility to:
(a) Comply with the MFIPPA and other applicable legislation that governs the collection, use, disclosure, and disposition of Personal Information under their control.
(b) Complete provided privacy awareness and training for the appropriate handling of Personal Information to understand their responsibilities to protect privacy in executing their operational duties.
(c) Manage personal information that is part of a Township record in accordance with the Township's Records Management and Retention Policy, as amended from time to time, and in accordance with all applicable legislation, associated regulations, standards, and other applicable Township policies.
(d) Review and understand their responsibilities when developing any information collection tool or process that may be used to collect personal or confidential information.
(e) Cooperate with the Clerk, the relevant Department Head, the CAO, or anyone else appointed to investigate privacy breaches or non-compliance with legislation.

8. PRINCIPLES

8.1. The Township acknowledges and incorporates into this policy the ten Privacy Protection Principles which have been adopted by various jurisdictions, including the Information and Privacy Commissioner, as guiding principles for the collection, use, and disclosure of Personal Information.

8.2. Adherence to these principles assists the Township in achieving positive outcomes by protecting and managing Personal Information. The principles are:
(a) Accountability - Employees are responsible for managing personal information in their care, custody or control in accordance with these principles. The Clerk, designated the powers and duties of the head for the purposes of MFIPPA, holds overall responsibility for the implementation and administration of this policy.
(b) Identifying Purposes - The purpose for which personal information is collected will be identified by the Township before or during the times the information is collected.
(c) Consent - The consent of an individual is required for the Township to collect, use or disclose personal information, except where inappropriate.
(d) Limiting Collection - The Township shall limit the collection of personal information to that which is necessary for the administration of Township programs and services, and for the purpose(s) identified at the time of collection. Individuals shall not be asked for personal information beyond what is necessary for the identified purpose(s).
(e) Limiting Use, Disclosure, and Retention - Personal information will not be used or disclosed for purposes other than those for which the Township collected it, except with the consent of the individual or as required by law. Personal information will be retained only as long as necessary for the fulfillment of those purposes or as required by law. Personal information will be disposed of in accordance with retention and disposition schedules as set out in the Township's Records Management and Retention Policy, as well as all applicable Township policies and procedures.
(f) Accuracy - The Township shall take reasonable measures to ensure that personal information in its care, custody or control is as accurate, complete and up to date as is necessary for the purpose(s) for which it is to be used.
(g) Safeguards - The Township will protect and safeguard personal information in its custody or under its control appropriate to the sensitivity of the information.
(h) Openness - The Township shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
(i) Individual Access - Upon request, an individual shall be entitled to access and review their personal information held by the Township, and to request revisions related directly to the accuracy and completeness of the personal information.
(j) Challenging Compliance - An individual may address a concern with the Township's compliance with the above principles or this policy in general to the Clerk.