CLERK-010 - Privacy Policy_2012

PRIVACY POLICY FOR THE CITY OF SAINT JOHN

Title: Privacy Policy
Subject: Privacy Policy
Category: Policy
Policy No.: COS-CC-010
M&C Report No.: N/A
Effective Date: August 27th, 2012
Next Review Date: (3 years)
Area(s) this policy applies to: All City Service Areas
Office Responsible for review of this Policy: The Office of the Common Clerk
Related Instruments:
Policy Sponsors: Common Clerk
Revision History: revised April 2, 2019
Document Pages: This document consists of 7 pages.

Common Clerk's Annotation for Official Record
I certify that the Privacy Policy was approved by Common Council on August 27th, 2012
April 2nd, 2019
Common Clerk    Date

Contact: Common Clerk
Telephone: 658-2862
Email: commonclerk@saintjohn.ca

TABLE OF CONTENTS

1. PURPOSE
2. POLICY STATEMENT
3. SCOPE
4. POLICY CONTEXT
5. LEGISLATION AND STANDARDS
6. ROLES AND RESPONSIBILITIES
7. COMPLIANCE
8. MONITOR AND REVIEW
9. IMPLEMENTATION
10. AUTHORIZATION
11. GLOSSARY
12. INQUIRIES

1. PURPOSE

The purpose of the Privacy Policy (the "Policy") for The City of Saint John (the "City") is to outline generally accepted privacy principles with which employees of the City will comply to ensure that the City is in compliance with applicable legislation including the Right to Information and Protection of Privacy Act (RTIPPA) and to demonstrate that protecting individuals' personal information is a priority for the City.

2. POLICY STATEMENT

The City is committed to protecting the privacy of its employees and citizens. The City will ensure compliance with all applicable legislation related to the collection, use, retention, disclosure and disposition of personal information. All activities concerning the handling of records and information within the City are in accordance with City policies and supporting procedures.

3. SCOPE

This Policy applies to all City employees handling records and information while conducting City business.

4. POLICY CONTEXT

Citizens and employees entrust their personal information to the City and expect that it will be protected. The City will ensure that the personal information in its care, custody, and control will be collected, used, retained, disclosed and disposed of in compliance with the following generally accepted privacy principles.

The following privacy principles are essential to the proper handling of personal information and alignment with the requirements of legislation.

Accountability
The City is responsible for personal information under its control and has assigned ultimate accountability for compliance to the Common Clerk by designating the Common Clerk "Head" for the purposes of RTIPPA.

Identifying Purposes
The purpose for which personal information is collected will be identified by the City before or during the time the information is collected.

Consent
The consent of an individual is required for the City to collect, use or disclose personal information, except where inappropriate.

Limiting Collection
The collection of personal information will be limited to that which is necessary for the purposes identified by the City. Information will be collected by fair and lawful means.

Limiting Use, Disclosure and Retention
Personal information will not be used or disclosed for purposes other than those for which the City collected it, except with the consent of the individual or as required by law. Personal information will be retained only as long as necessary for the fulfilment of those purposes or as required by law. Personal information will be securely disposed of in accordance with approved records retention schedules, information disposal practices and all applicable information security policies and procedures.

Accuracy
Personal information collected by the City will be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

Safeguards
The City will protect and safeguard personal information in its possession appropriate to the sensitivity of the information.

Openness
The City will make readily available to individuals specific information about policies and practices related to the handling of personal information.

Individual Access
Upon request, the City will provide an individual with information on the existence, use and disclosure of his/her personal information and will give access to that information. An individual will be able to challenge the completeness and accuracy of the information and provide updates, as appropriate.

Challenging Compliance
An individual will be able to address a concern regarding compliance with these principles to the Common Clerk.

5. LEGISLATION AND STANDARDS

The City acknowledges the following laws that relate to records and information management:

• Archives Act, S.N.B. 1977, c.A-11.1 as amended
• Community Planning Act, R.S.N.B. 2017, c. 19 as amended
• Electronic Transactions Act, S.N.B. 2011, c.145 as amended
• Evidence Act, R.S.N.B. 1973, c.E-11 as amended
• Personal Health Information Privacy and Access Act, S.N.B. 2009, c. P-7.05
• Local Governance Act, S.N.B. 2017, c. 18 as amended
• Official Languages Act, S.N.B. 2002, c.O-0.5 as amended
• Personal Information Protection and Electronic Documents Act, R.S.C. 2000, c.5 as amended
• Public Records Act, S.N.B. 2011, c.212 as amended
• Right to Information and Protection of Privacy Act, S.N.B. 2009, c.R-10.6 as amended.

The City acknowledges the following standards, guidelines and best practices that relate to privacy:

• CAN/CSA-Q830 Model Code for the Protection of Personal Information
• CAN/CSA-PLUS-8300 Workbook on Applying the CSA Model Code
• CAN/CSA-PLUS-8830 Implementing Privacy Codes of Practice.

6. ROLES AND RESPONSIBILITIES

The Common Clerk is responsible for the City's Access and Privacy Program and is accountable for the Privacy policy.

All employees are responsible for ensuring personal and confidential information is properly managed and safeguarded.

The Common Clerk is responsible for the day to day implementation of the Policy; ensuring that privacy implications are considered in all the City's activities; advising the City on the appropriate privacy safeguards when the City is collecting, using, retaining, disclosing and disposing of personal information; providing training and awareness sessions; and monitoring and compliance.

In the event of a privacy breach incident, the Common Clerk is responsible for notifying the Office of the Ombud and ensuring the City complies with s.4.2(4) of the New Brunswick Regulation 2010-111 under the Right to Information and Protection of Privacy Act.

The Common Clerk and the Chief Information Officer are jointly responsible for identifying the personal information holdings within the City's electronic information repositories.

The Common Clerk is responsible for ensuring personal information in any format is retained for a reasonable period of time.

The Common Clerk is responsible for authorizing the secure disposition of personal information according to the Right to Information and Protection of Privacy Act and the City's Information Security Policy and procedures.

The Chief Information Officer is responsible for securely maintaining the City's electronic information repositories, according to the City's Information Security Policy and procedures, such that the integrity and authenticity of the City's information is assured.

Service Area Managers are responsible for ensuring employees comply with the Policy, procedures and applicable legislation.

Program Area Commissioners provide management support and leadership.

City employees are responsible for protecting all information within their realm of responsibility as defined by City policies, procedures and applicable legislation.

7. COMPLIANCE

Violations or non-compliance with the Policy may carry potentially significant consequences for the City. Violations may constitute theft, fraud, destruction or alteration of corporate information, a privacy breach, unauthorized disclosure of information assets and/or loss of intellectual property. Violations of the Policy may cause employee disciplinary action, up to and including dismissal.

8. MONITOR AND REVIEW

The Policy is subject to review within two years from approval date.
The review will be conducted by a committee established by the Office of the Common Clerk. The committee may be comprised of a cross-functional internal membership or an independent third party.

9. IMPLEMENTATION

The Policy will be implemented upon approval by Common Council.

10. AUTHORIZATION

This Policy has been approved by Common Council on August 27th, 2012.

11. GLOSSARY

Disposition
The range of processes associated with implementing records retention, destruction or transfer decisions which are documented in authorities or other instruments.

Employee
An employee is an individual or corporation hired by the City to perform work under either a contract for services or a contract of service.

Information
Data presented in readily comprehensible form to which meaning has been attributed within the context of its use. Unless the context otherwise requires, this means information contained in a record.

Information Security
The protection of information and information systems from a wide range of risks including unauthorized access, use, disclosure, disruption, modification or destruction in order to provide authenticity, integrity, confidentiality and availability.

Personal Information
Recorded information about an identifiable individual, including but not limited to,
(a) the individual's name,
(b) the individual's home address or electronic mail address or home telephone or facsimile number,
(c) information about the individual's age, gender, sexual orientation, marital status or family status,
(d) information about the individual's ancestry, race, colour, nationality or national or ethnic origin,
(e) information about the individual's religion or creed or religious belief, association or activity,
(f) personal health information about the individual,
(g) the individual's blood type, fingerprints or other hereditary characteristics,
(h) information about the individual's political belief, association or activity,
(i) information about the individual's education, employment or occupation or educational, employment or occupational history,
(j) information about the individual's source of income or financial circumstances, activities or history,
(k) information about the individual's criminal history, including regulatory offences,
(l) the individual's own personal views or opinions, except if they are about another person,
(m) the views or opinions expressed about the individual by another person, and
(n) an identifying number, symbol or other particular assigned to the individual.

Privacy Breach
Unauthorized access to, or collection, use or disclosure of personal information.

Privacy Principles
The Canadian iteration of these privacy principles was first published in 1996 by the Canadian Standards Association and is known as the Model Code for the Protection of Personal Information.

Record
Recorded information, regardless of medium or characteristics, made or received by an organization that is evidence of its operations, and has value requiring its retention for a specific period of time.

Records Retention and Disposition Schedule
A schedule which gives the City the authority to dispose of (transfer or destroy) records it no longer requires. This schedule identifies the period of time that personal information in the custody of the City is to be retained.

12. INQUIRIES

For more information on this Policy, please contact the Office of the Common Clerk.