Audit and Assessment conducted on November 12, 2020, at 2:30 PM by Shannon Delaney (Digital Innovation Group contractor) with Maggie MacDonald (CVAC Treasurer), Janet Magdanz (CVAC President), Susan Down (CVAC Managing Director).
- Which departments within your organization collect, access, use or disclose personal information?
COVID contact tracing log, memberships, events (vendors, buyers, volunteers), human resources, information technology, purchasing (now digital; paper receipts were used previously).
- List all of the points of contact within your organization involving personal information:
  - Customer service telephone numbers
  - E-mails and newsletters
  - Marketing lists
  - Application forms (embedded in website)
  - Order forms
  - Employment application forms
  - Vendor inventory records
  - Program/show registrations
- How and where is the collected information managed and stored? Consider records stored in hardcopy, on internal computers, in other electronic media and in online resources (cloud).
Hardcopies are in a locked cabinet in the office. Membership information is on a private online server. Lists are on office computers, which are password protected. Some lists are on home computers, which are also password protected.
- Who has access to the personal information held by the organization and who actually needs to have that access?
Staff members, Board executive, website contractor, instructors.
- Why does the organization collect the personal information? Is the personal information being collected, used or disclosed actually necessary to a particular function or operation?
For financial reasons, bookkeeping, membership communications and discounts, show labelling, COVID contact tracing, advertising and public relations, and for transactional purposes. Yes, it’s necessary.
- Are individuals made aware that the organization is collecting their personal information?
Yes, individuals are the ones providing their own information. They are made aware the information is being collected, and they have the opportunity to opt out in certain cases (for example, they may omit their address or phone number in the artists’ directory).
- Does the organization inform individuals of the purpose for collecting their personal information?
The purpose is implied in the information collection.
- Does the organization obtain consent from individuals before collecting or using their personal information? If so, what processes are used to obtain consent? (verbal statements, paper or electronic notices etc.)
On the artists’ directory, users indicate what they are agreeing to. They can choose to opt out. Formal consent statements are not yet included across all forms or information collecting processes.
- How does the organization use personal information? (for specific business functions, for activities that solicit new business etc.)
For newsletter mailout lists, invitations to members to participate in programs or shows, and for human resources purposes (hiring new employees).
- Does the organization disclose personal information to anyone outside the organization?
Information is kept within the organization. Exceptions include student contact information, which is provided to instructors (who in some cases are not part of the organization), and information shared with the bookkeeper.
- If personal information is disclosed outside the organization, are individuals aware of the intended uses and disclosures of their personal information? If so, how are individuals informed?
Not at this time. This could be added to the process for gathering student information shared with instructors or information shared with the bookkeeper.
- Is the personal information the organization holds accurate, complete and up-to-date?
- Does the organization have measures to protect the personal information it holds from unauthorized access, collection, use, disclosure, copying or modification from individuals both within and outside the organization?
Locked filing cabinet and password protection on computers. Areas to consider are home computers and the private information handling practices of the bookkeeper.
- Does the organization contract out any functions or activities involving personal information? Does the organization take any privacy measures to protect this information?
Website service provider, bookkeeper (both have signed confidentiality agreements). Instructors have access to limited personal information of students.
- How long does the organization retain personal information?
Six years for hardcopy records. Thirty days for the COVID contact tracing log. Employee applications are kept only until the hiring process is complete.
- How does the organization destroy or dispose of personal information?
Hardcopies are shredded. Digital files are deleted.
Self-Assessment Questions
These questions can be answered with a simple yes or no. A "no" indicates an area in need of improvement.
- Has your organization assigned a privacy officer? No.
- Has your organization developed and implemented policies and practices for the proper handling of personal information? No. There are practices in place that will be formalized.
- Does your organization use contracts or other means to ensure that any contractors providing services on your behalf provide privacy protection equal or superior to your own? Looking into it.
- Has your organization developed and implemented a complaint process to handle complaints about personal information practices? No.
- Does your organization identify why personal information is needed and how it will be used, taking into account primary and secondary purposes? No.
- Does your organization inform individuals, either verbally or in writing, of the purposes for collecting their personal information before or at the time when information is collected? No.
- Before using personal information for a new purpose, does your organization inform individuals of the new purpose and obtain consent prior to its use? No.
- Does your organization obtain consent from individuals whose personal information is collected, used or disclosed? No for some; however, this is built into the membership directory and fine art show applications.
- When obtaining consent, does your organization inform individuals of the purposes for the collection, use or disclosure of their personal information in a manner that is clear and can be reasonably understood? No.
- Does your organization obtain individual consent before or at the time of collection, as well as when a new use is identified? No.
- Does your organization obtain consent without using deceptive means or false or misleading information about how the personal information will be used? Yes.
- Does your organization ensure that consent is not a condition for supplying a product or a service unless the collection, use or disclosure of the personal information is necessary to provide the product or service? Yes.
- When determining what form of consent to use (e.g. written, verbal, implied, opt-in or opt-out), does your organization consider both the sensitivity of the personal information and what a reasonable person would expect and consider appropriate? Yes.
- Does your organization permit individuals to withdraw consent to the collection, use or disclosure of their personal information (unless withdrawing consent would conflict with a legal obligation)? Yes.
- After receiving a notice to withdraw consent, does your organization explain the likely consequences of withdrawing consent? Yes.
- Does your organization collect personal information for a purpose that a reasonable person would deem appropriate? Yes.
- Does your organization limit the amount and type of personal information collected to what is necessary to fulfill the purpose identified before or when it was collected? Yes.
- Does your organization collect personal information directly from the individual unless authorized to collect personal information from another source? Yes.
Use, Disclosure, and Retention
- Does your organization use or disclose personal information for purposes that a reasonable person would deem appropriate? Yes.
- Does your organization keep personal information for only as long as necessary to fulfill the purpose identified before or when it was collected? Yes.
- Does your organization keep personal information that is used to make a decision about an individual for at least one year after using it so the individual has a reasonable opportunity to access it? No.
- Does your organization destroy, erase or make anonymous any personal information as soon as it is no longer required for a legal or business purpose? Yes.
- Does your organization make reasonable efforts to ensure that the personal information you collect is accurate and complete? Yes.
- Does your organization minimize the possibility of using incorrect or incomplete information when making a decision that affects an individual or when disclosing an individual’s information to another organization? Yes.
- Does your organization make reasonable security arrangements to protect personal information under your control, including physical measures, technical tools and organizational controls where appropriate? Yes.
- Does your organization safeguard personal information from unauthorized access, collection, use, disclosure, copying, modification or disposal by individuals from within and outside your organization? Yes.
- Does your organization protect all personal information regardless of its format, including paper, electronic, audio, and video data? Yes.
- Does your organization make the following information readily available to customers and employees upon request?
  - The title and contact information of your privacy officer, in order to explain personal information policies and practices or answer questions about the purpose for collecting personal information?
  - The process an individual can follow to gain access to his or her personal information, and the title and contact information of the employee an individual can contact to make such a request?
  - Information that explains your organization's personal information policies and practices?
  - The process for making a complaint about your organization's personal information practices?
- If all or part of an access request is allowed, does your organization provide the individual with:
  - Access to their personal information in the form of a copy of the information requested, within 30 business days (unless an extension of time is permitted in the legislation)?
  - An explanation of how their personal information is or has been used?
  - A list of any individuals or organizations to whom their personal information has been disclosed?
- If all or part of an access request is refused, does your organization provide the applicant with:
  - A response that includes the legal reason(s) for the refusal, within 30 business days?
  - The title and contact information of your privacy officer, if the applicant has questions about the refusal?
  - Information on how to request a review by the Information and Privacy Commissioner?
- For access requests to correct personal information, does your organization:
  - Correct any personal information discovered to be inaccurate or incomplete?
  - If a correction is made, send a copy of the corrected personal information to each organization to which the incorrect or incomplete information was disclosed in the past year?
  - If no correction is made, annotate the personal information to indicate that a correction was requested but not made?
- Has your organization developed and implemented simple and accessible complaint handling procedures? No.
- Does your organization investigate all complaints received? Yes.
- Does your organization take appropriate measures to correct information handling practices and policies? Yes.
- Does your organization inform complainants of their avenues of recourse, including your organization’s own complaint process and the Information and Privacy Commissioner’s complaint process? No.