Greater Toronto Hockey League The Implementation of PIPEDA and Amateur Sports – A Case Study

Upload: elisabeth-jennings

Post on 02-Jan-2016


Greater Toronto Hockey League

The Implementation of PIPEDA and Amateur Sports – A Case Study

PIPEDA

Personal Information Protection and Electronic Documents Act

Applies to the collection, use, disclosure and security of personal information in the course of commercial activities

Personal information is any information about an identifiable individual

PIPEDA

Requires consent for collection, use and disclosure of personal information

Consent can be Implied versus Expressed

Opt in v. Opt Out

The distinction between an obvious purpose and a secondary purpose

What is needed by organizations

Chief Privacy Officer

Process to inventory/classify existing personal information

Effective Policies and Practices

Staff Training and Awareness on Privacy

Retain consent provided on file

Continuous process to keep information up to date/accurate

Physical security safeguards over personal information

Strong IT security and configuration (who can see or use)

Process to communicate Privacy policies and practices

Process to respond to Access requests/corrections/complaints

Complaints review process – initiate changes to policies and practices

Compliance/Monitoring process - internal or external

GTHL – A Case Study – What We Did

GTHL Privacy Policy

Grass Roots Up Development

Consistent Policy – GTHL – OHF – Hockey Canada

Written so that GTHL Clubs/Associations can use in an easily adaptable form

Chief Privacy Officer

GTHL Executive Director and President

Jointly accountable to the Board of Directors for compliance

Responsible for the GTHL’s Compliance with PIPEDA privacy principles

Responsible for responding to access requests

Responsible for ensuring the GTHL is accountable for all personal information in its possession

Inventory/Classify

Inventoried existing hard copy data

Inventoried electronic information

Classified what was needed

Classified purpose of collection

Archived and destroyed data that was not needed.

Policies/Practices

Established GTHL Policy

Ensured Policies and Practices reflected both the legislation and GTHL Policy

Training

“Internal procedures and employee education is as important as what the privacy policy says”

Trained Staff

Trained Volunteers

Informed GTHL Clubs and Membership

Consent

Reviewed and revised all forms of personal information collection

– Player Cards

– Club Executive Forms

– Tournament Forms

Statement of rationale for collection

Consent to distribute

Electronic tracking of consent

Accurate Data

Established Process for the keeping of accurate data

Re-Registration

Application process for review

Application process for update

Physical Security

IT Security Provisions were implemented including On-Line Registration and On-Line Financial Transactions

Necessary Server Protection

“Locked” Security Room was constructed to protect documents

Practices of Transferring data were reviewed (i.e. Couriers etc.)

IT Security

Password Protection

E-Commerce Review to ensure compliance

Tiered Access to Information

Communication

Web-site publication of policy

Other GTHL documents to participants

Processes

Access Requests

Corrections

Complaints Review

Questions

??????