In this Policy, the following terms have the following meanings:
“Personal Information” refers to any information about an identifiable individual that is collected, used, disclosed or processed by the BCPA in connection with its services, operations or administration.
“Staff” means employees, contractors and volunteers of the BCPA.
“Client” means any individual that accesses services or programs administered by the BCPA, including members of the BCPA.
Other terms not specifically defined in this section will have the meanings given to them elsewhere in this Policy or as otherwise defined.
This Policy applies to the Personal Information of Staff and Clients.
PURPOSES OF COLLECTION
The BCPA collects, uses, discloses, processes, and maintains Personal Information about Staff for legitimate business reasons, for the purposes of establishing, managing and ending the employment relationship and for other purposes permitted under PIPA, including for:
- recruiting and hiring, including for purposes of verification of qualifications and conducting reference and background checks as reasonably required;
- improving and evaluating the BCPA’s programs and services, including by establishing training and development programs;
- staffing, scheduling and administering vacations and other leaves;
- business, program and service delivery purposes;
- performance evaluation and monitoring;
- promotion, demotion and discipline;
- investigating specific incidents involving Staff;
- monitoring compliance with policies and addressing security and internal control issues;
- payroll and benefits administration;
- ensuring safety in the workplace, including but not limited to preventing the spread of COVID-19 and other viruses;
- determining and implementing workplace accommodations;
- communicating with Staff, such as with respect to important upcoming dates, changes to benefits, health and safety-related alerts and new program rollout information; and
- complying with the BCPA’s legal and regulatory obligations.
The BCPA collects, uses, discloses and maintains Personal Information about Clients for legitimate business reasons and for other purposes permitted under PIPA, including for:
- accessing, improving and evaluating the BCPA’s programs and services;
- enrolment of individuals in BCPA programming;
- maintaining and processing referrals;
- delivery of the BCPA’s programs and services;
- identifying Client preferences;
- the safety and security of Clients;
- responding to Client complaints and concerns;
- providing requested product, program or service information;
- determining Client eligibility for the BCPA’s programs and services; and
- informing Clients of new products, programs or services that may interest them.
TYPES OF PERSONAL INFORMATION COLLECTED ABOUT STAFF AND CLIENTS
The information that the BCPA may collect for the above purposes includes information such as:
- an individual’s name, contact information, social insurance number (SIN), and emergency contact information;
- information about an individual’s employment history, education and qualifications;
- background check information, including criminal, credit, or citizenship information;
- an individual’s financial and banking information needed for payroll and benefits administration;
- information about an individual’s workplace performance and conduct;
- information to investigate workplace incidents;
- medical, dietary or physical restrictions or preferences;
- health information for the purposes of accommodation and benefits administration; and
- health information for the purposes of coordinating a response to a pandemic, epidemic or workplace illness.
The BCPA seeks to limit the scope of the Personal Information that it collects, uses and discloses about Staff and Clients to what is reasonable and necessary in the circumstances.
We collect, use and disclose Personal Information with the knowledge and consent of Staff and Clients, except in circumstances in which PIPA permits or requires the BCPA to collect, use and disclose Personal Information without consent.
If the BCPA seeks to use Personal Information for other purposes that are not identified in this Policy, the BCPA will ask for consent before doing so, unless otherwise permitted under PIPA. Where required, individual consent will be obtained in person, in writing, by email or by phone.
Consent may be implied in some situations while express consent is required for the collection, use, and sharing of sensitive Personal Information. “Implied consent” exists when an individual is “deemed” to consent to collection, use, or disclosure of Personal Information if the individual voluntarily provides it for a purpose that would, at the time, be considered obvious to a reasonable person. “Express consent” signifies that an individual, knowing what Personal Information is being collected and for what purposes, willingly agrees to the information being collected, used, and disclosed as notified. It may be given in writing or verbally.
Consent may be withdrawn at any time, on reasonable notice, subject to legal or contractual restrictions. The BCPA will inform individuals of the implications of withdrawal of consent, including where certain services or benefits may become unavailable as a result of the withdrawal.
HOW AND WHEN THE BCPA SHARES PERSONAL INFORMATION
The BCPA shares Personal Information internally only on a need-to-know basis and information shared between Staff must be limited only to that which is necessary for the purposes of fulfilling applicable job duties. The BCPA may also share Personal Information externally with, for example, its service providers, professional advisors (including but not limited to legal counsel, auditors, accountants and insurers), employment and taxing authorities, or law enforcement officials as necessary for the purposes set out in this Policy.
The BCPA uses web-based third-party service providers such as ADP, Scorpio Consulting, Mehrdad Molanorouzi, and Higher Logic to perform specialized services on its behalf such as data processing, payroll and benefits administration, and human resource management. Sometimes the BCPA’s service providers come into contact with Personal Information. The BCPA only provides service providers with limited access to the information that is necessary for the applicable service to be performed. Some of these service providers may be located outside of Canada and may, from other jurisdictions, collect, use, disclose, store, process or access the Personal Information of Staff or Clients. The BCPA takes steps to require service providers to keep Personal Information confidential and expects service providers to protect Personal Information in a manner that is consistent with this Policy, PIPA and the BCPA’s security practices.
PROTECTION OF PERSONAL INFORMATION
The BCPA implements security safeguards to protect Personal Information against risks such as loss or theft, as well as unauthorized access, disclosure, copying, use, storage or modification. These security safeguards will vary depending on the sensitivity of the information as well as the format in which the information is held and may include:
- Physical security measures such as locked filing cabinets and restricted access;
- Organizational measures such as security clearances, access only on a “need to know” basis, processing of and imposing internal limits on data to restrict access and disclosure, and Staff training;
- Technological measures such as the use of passwords, multi-factor authentication, firewalls, data disconnection from the internet, and regular backups;
- Contractual measures such as taking reasonable steps to ensure that a comparable level of protection is implemented by service providers used by the BCPA; and
- Investigatory measures such as investigating non-compliance with this Policy and PIPA where the BCPA has reasonable grounds to believe that there has been an actual or suspected privacy breach or where Personal Information is otherwise being inappropriately collected, used, stored or disclosed.
The BCPA is responsible for the Personal Information under its control. The BCPA has a designated Privacy Officer who is accountable for the BCPA’s compliance with this Policy and with PIPA. The BCPA’s Privacy Officer can be contacted at: firstname.lastname@example.org
The BCPA may make available to Staff, for work purposes, information technology resources including, but not limited to, data systems, network facilities, business and educational applications, computers, laptops, tablets, smart phones, email and other communications platforms, wireless communications devices, electronic storage media (such as flash drives and USB memory sticks), telephone and voicemail systems, cameras and recording devices, and supporting technological infrastructure (collectively, “IT Resources”).
While the BCPA does not engage in ongoing or continuous monitoring of Staff use of IT Resources, monitoring may occur for legitimate reasons, including for trouble-shooting; monitoring and addressing network security and performance; addressing system maintenance needs; and evaluating and improving the BCPA’s technology systems.
The IT Resources, and all use of or information contained or stored by the IT Resources, may also be monitored or accessed from time to time by the BCPA in order to:
- assess, protect and preserve the integrity, security or functionality of such IT Resources;
- evaluate Staff performance or customer service;
- manage Staff transitions following the termination, departure or leave of Staff;
- investigate incidents, complaints or allegations if there are reasonable grounds to believe Staff misconduct has occurred or is occurring, including any violation of BCPA policies, rules, agreements or applicable laws;
- measure the allocation of BCPA resources;
- determine the optimum technical management of IT Resources;
- ensure that the IT Resources are being used in compliance with laws and other rules, including PIPA, this Policy and other BCPA policies; and
- for other purposes where the BCPA is authorized or required by PIPA or other applicable laws to access or monitor IT Resources.
Accordingly, Staff should not expect absolute privacy when using the BCPA’s IT Resources. Staff should be aware that the BCPA has access to and may inspect any information or materials stored, transmitted or created using IT Resources. The monitoring described in this Policy, and any ensuing collection, use or disclosure of information obtained from such monitoring, will be conducted by the BCPA in accordance with PIPA.
The BCPA views any security breach involving Personal Information as a serious matter. In the event of a privacy breach or unauthorized access, use or disclosure of Personal Information, the BCPA’s response will include the following steps:
- The BCPA will endeavor to contain the breach as soon as possible and/or stop the unauthorized activities, as applicable;
- The BCPA will designate an appropriate individual to lead an initial investigation into the breach and/or unauthorized activities;
- The BCPA will notify individuals of any breach of security safeguards involving their Personal Information under the BCPA’s control if such notification is required by PIPA; and
- The BCPA will keep a record of any breach of security safeguards involving Personal Information under its control.
All Staff are expected to provide their full cooperation with any investigation into unauthorized collection, access, use or disclosure or response to a privacy breach incident.
Staff must immediately report actual or suspected privacy breach incidents to the BCPA’s Privacy Officer. If there is any question about whether a privacy breach has occurred or may occur, individuals are directed to immediately consult with the BCPA’s Privacy Officer.
ACCURACY AND CORRECTION OF PERSONAL INFORMATION
The BCPA makes reasonable efforts to ensure that Personal Information is as accurate, complete and current as required for the purposes for which it was collected. In some cases, the BCPA relies on Staff and Clients to ensure that certain information about them (such as contact information) is current, complete, and accurate. Individuals are expected to inform the BCPA of any updates to their Personal Information as soon as reasonably possible.
Individuals may, under PIPA, challenge the accuracy and completeness of their Personal Information by contacting the BCPA’s Privacy Officer. If the BCPA is satisfied that an individual’s request for correction is reasonable, the BCPA will amend the information as appropriate. If the BCPA is not satisfied that the request for correction is reasonable, the BCPA will annotate the information, noting that a correction was requested but not made.
The BCPA will retain Personal Information for a duration that is reasonably required for operational, administrative, legal, regulatory or statutory purposes. Once Personal Information is no longer required for such purposes, it will be securely destroyed, erased, or made anonymous.
For example, Personal Information that has been used to make a decision about an individual will be retained for at least one year after the decision was made in accordance with PIPA.
RIGHT OF ACCESS
Under PIPA, Staff and Clients have the right to request access to their Personal Information that the BCPA maintains within its control. This right to access Personal Information is subject to certain legal restrictions, such as:
- where the requested information is privileged;
- where requested records contain the Personal Information of third parties; or
- where the requested records contain the BCPA’s confidential commercial information.
Staff and Clients should contact the BCPA’s Privacy Officer to request access to their Personal Information. The Privacy Officer will assist the individual with the access request and will respond in a manner consistent with PIPA. The BCPA will take reasonable steps to verify the individual’s identity and right to access the requested information.
The BCPA’s policies and practices relating to the management of Personal Information are available at:
Questions, concerns or complaints about this Policy or the BCPA’s Personal Information privacy practices should be directed to the BCPA’s Privacy Officer at email@example.com
The BCPA will investigate and respond to any complaints or inquiries relating to its compliance with PIPA or this Policy. Complaints or inquiries are to be in writing and forwarded to the BCPA’s Privacy Officer. The BCPA’s Privacy Officer will make efforts to investigate and respond to any complaints or inquiries within the timeframe required under PIPA.
Individuals who are not satisfied with the Privacy Officer’s response may file a complaint with the British Columbia provincial Privacy Commissioner at https://www.oipc.bc.ca/for-the-public/how-do-i-make-a-complaint/
Individuals may also write to the Office of the Information and Privacy Commissioner for British Columbia as follows:
Office of the Information and Privacy Commissioner for British Columbia
PO Box 9038, Stn. Prov. Govt. Victoria, British Columbia, V8W 9A4
Phone: (250) 387-5629
Fax: (250) 387-1696
CHANGES TO THIS POLICY
The BCPA reserves the right to make changes to this Policy at any time. Such changes will be effective when posted. Please review this Policy from time to time to become aware of any changes that have been made.
Date: December 5th, 2023
This Policy will be reviewed annually.