CSA-Q830-03 – Model Code for the Protection of Personal Information
1. Scope

1.1 This model code describes the minimum requirements for the protection of personal information. Any applicable legislation is to be considered in implementing these requirements.

1.2 This Standard may be applied to all personal information. Provided the minimum requirements are met, organizations may tailor this Standard to meet their specific circumstances. For example, policies and practices may vary, depending upon whether the personal information relates to members, employees, customers, or other individuals.

1.3 The objective of this Standard is to assist organizations in developing and implementing policies and practices to be used when managing personal information.

2. Definitions

2.1 The following definitions apply in this Standard:

Collection — the act of gathering, acquiring, or obtaining personal information from any source, including third parties, by any means.

Consent — voluntary agreement with what is being done or proposed.
Note: Consent can be either express or implied. Express consent is given explicitly, either orally or in writing. Express consent is unequivocal and does not require any inference on the part of the organization seeking consent. Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual.

Disclosure — making personal information available to others outside the organization.

Organization — a term used in the model code that includes associations, businesses, charitable organizations, clubs, government bodies, institutions, professional practices, and unions.

Personal information — information about an identifiable individual that is recorded in any form.

Use — refers to the treatment and handling of personal information within an organization.
3. General Requirements

3.1 The ten principles that make up this Standard are interrelated. Organizations adopting this Standard shall adhere to the ten principles as a whole.

3.1.1 Organizations may tailor this Standard to meet their particular circumstances by
(a) defining how they subscribe to the ten principles;
(b) developing an organization-specific code; and
(c) modifying the commentary to provide organization-specific examples.

3.1.2 Each of the principles is followed by a commentary on the principle. The commentaries are intended to help individuals and organizations understand the significance and the implications of the principles. Where there is also a note following a principle (see principles 3 and 9), it forms an integral part of the principle.

3.1.3 Although the following clauses use prescriptive language (i.e., the word “shall” or “must”), this document is a voluntary standard. Should an organization choose to adopt the principles and general practices contained in this Standard, the clauses containing prescriptive language become requirements. The use of the word “should” indicates a recommendation.
4. Principles

4.1 Principle 1 — Accountability

An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following principles.

4.1.1 Accountability for the organization’s compliance with the principles rests with the designated individual(s), even though other individuals within the organization may be responsible for the day-to-day collection and processing of personal information. In addition, other individuals within the organization may be delegated to act on behalf of the designated individual(s).

4.1.2 The identity of the individual(s) designated by the organization to oversee the organization’s compliance with the principles shall be made known upon request.

4.1.3 An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.

4.1.4 Organizations shall implement policies and practices to give effect to the principles, including
(a) implementing procedures to protect personal information;
(b) establishing procedures to receive and respond to complaints and inquiries;
(c) training staff and communicating to staff information about the organization’s policies and practices; and
(d) developing information to explain the organization’s policies and procedures.

4.2 Principle 2 — Identifying Purposes

The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.