Greater Toronto Hockey League
The Implementation of PIPEDA and Amateur Sports – A Case Study
PIPEDA
Personal Information Protection and Electronic Documents Act
Applies to the collection, use, disclosure and security of personal information in the course of commercial activities
Personal information is any information about an identifiable individual
PIPEDA
Requires consent for collection, use and disclosure of personal information
Consent can be Implied versus Expressed
Opt in v. Opt Out
The distinction between an obvious purpose and a secondary purpose
What is needed by organizations
Chief Privacy Officer
Process to inventory/classify existing personal information
Effective Policies and Practices
Staff Training and Awareness on Privacy
Retain consent provided on file
Continuous process to keep information up to date/accurate
Physical security safeguards over personal information
Strong IT security and configuration (who can see or use)
Process to communicate Privacy policies and practices
Process to respond to Access requests/corrections/complaints
Complaints review process – initiate changes to policies and practices
Compliance/Monitoring process - internal or external
GTHL – A Case Study – What We Did
GTHL Privacy Policy
Grass Roots Up Development
Consistent Policy–GTHL–OHF–Hockey Canada
Written so that GTHL Clubs/Associations can use in an easily adaptable form
Chief Privacy Officer
GTHL Executive Director and President
Jointly accountable to the Board of Directors for compliance
Responsible for the GTHL’s Compliance with PIPEDA privacy principles
Responsible for responding to access requests
Responsible for ensuring the GTHL is accountable for all personal information in its possession
Inventory/Classify
Inventoried existing hard copy data
Inventoried electronic information
Classified what was needed
Classified purpose of collection
Archived and destroyed data that was not needed.
Policies/Practices
Established GTHL Policy
Ensured Policies and Practices reflected both the legislation and GTHL Policy
Training
“Internal procedures and employee education is as important as what the privacy policy says”
Trained Staff
Trained Volunteers
Informed GTHL Clubs and Membership
Consent
Reviewed and revised all forms of personal information collection
– Player Cards
– Club Executive Forms
– Tournament Forms
Statement of rationale for collection
Consent to distribute
Electronic tracking of consent
Accurate Data
Established Process for the keeping of accurate data
Re-Registration
Application process for review
Application process for update
Physical Security
IT Security Provisions were implemented including On-Line Registration and On-Line Financial Transactions
Necessary Server Protection
“Locked” Security Room was constructed to protect documents
Practices of Transferring data were reviewed (i.e. Couriers etc.)
IT Security
Password Protection
E-Commerce Review to ensure compliance
Tiered Access to Information
Communication
Web-site publication of policy
Other GTHL documents to participants
Processes
Access Requests
Corrections
Complaints Review
Questions
??????