mirror of
https://github.com/alexandrebobkov/CanadianPayroll.git
synced 2025-10-10 15:03:03 +00:00
compliance
@@ -347,8 +347,96 @@ Information.
The Privacy Principles
-----------------------
The Canadian Standards Association (CSA) Model Code is a set of principles that was
developed with input from organizations, governments, consumer associations and other
privacy stakeholders. They are incorporated in Federal private sector privacy legislation and
have become the generally accepted framework for evaluating privacy processes and systems
in Canada2.
Principle 1. Accountability
An organization is responsible for personal information under its control and shall designate
an individual or individuals to be accountable for the organization's compliance with the
following principles.
Principle 2. Identifying Purposes
The purposes for which personal information is collected shall be identified by the
organization at or before the time the information is collected.
Principle 3. Consent
The knowledge and consent of the individual are required for the collection, use, or
disclosure of personal information, except where inappropriate. Note: In certain
circumstances, personal information can be collected, used, or disclosed without the
knowledge and consent of the individual. For example, legal, medical, or security reasons
may make it impossible or impractical to seek consent.
Principle 4. Limiting Collection
The collection of personal information shall be limited to that which is necessary for the
purposes identified by the organization. Information shall be collected by fair and lawful
means.
Principle 5. Limiting Use, Disclosure, and Retention
Personal information shall not be used or disclosed for purposes other than those for which it
was collected, except with the consent of the individual or as required by law. Personal
information shall be retained only as long as is necessary for the fulfillment of those
purposes.
Principle 6. Accuracy
Personal information shall be as accurate, complete, and up-to-date as is necessary for the
purposes for which it is to be used.
Principle 7. Safeguards
Personal information shall be protected by security safeguards appropriate to the sensitivity
of the information.
Principle 8. Openness
An organization shall make readily available to individuals specific information about its
policies and practices relating to the management of personal information.
Principle 9. Individual Access
Upon request, an individual shall be informed of the existence, use and disclosure of his or
her personal information and shall be given access to that information. An individual shall be
able to challenge the accuracy and completeness of the information and have it amended as
appropriate. In certain situations, an organization may not be able to provide access to all the
personal information it holds about an individual. Exceptions to the access requirement
should be limited and specific. The reasons for denying access should be provided to the
individual upon request. Exceptions may include information that is prohibitively costly to
provide, information that contains references to other individuals, information that cannot be
disclosed for legal, security, or commercial proprietary reasons, and information that is
subject to solicitor–client or litigation privilege.
Principle 10. Challenging Compliance
An individual shall be able to address a challenge concerning compliance with the above
principles to the designated individual or individuals accountable for the organization's
compliance.
The Personal Information Protection and Electronic Documents Act (PIPEDA)
--------------------------------------------------------------------------
The federal government drew upon the CSA Privacy Principles in its drafting of the federal
Personal Information Protection and Electronic Documents Act (PIPEDA) and the spirit and
much of the wording of the principles can be found throughout PIPEDA.
The mandate of the Office of the Privacy Commissioner of Canada (OPC) is overseeing
compliance with both the Privacy Act, which covers the personal information-handling
practices of federal government departments and agencies (including employee data), and the
Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s private
sector privacy law.
PIPEDA has applied to federally regulated organizations such as banks, telecommunications
and transportation companies since January 2001 and applies to the collection, use or
disclosure of personal information in the course of any commercial activity within a province
that does not have its own privacy legislation, since January 2004.
While this protection of personal information legislation has a significant impact on how
organizations collect, use and disclose personal information relating to commercial
transactions (for example, customer/client lists and information), it is the effect of this
legislation on employee personal information that concerns the payroll and human resources
departments.
Employers collect personal employee information to conduct and protect their business, and
to comply with government legislation (for example, Employment/Labour Standards and
statutory deductions relating to CPP/QPP contributions, EI and QPIP premiums along with
income tax). As well, many employers provide benefits such as dental, medical and pension
plans that require the collection of even greater amounts of personal data.
.. note::
Notice
PIPEDA does not require that employers obtain consent from prospective employees, current
employees, or terminated employees to collect, use, and disclose information about that
person where the information is necessary for the creation, maintenance, and termination of
the employment relationship. It is, however, the case that the employer will provide notice to
the employee so that they are knowledgeable with respect to the information that the
employer collects, uses, and discloses.
This notice should be provided to prospective employees as part of the recruitment process
and also as part of the on-boarding process. In addition, if there are changes to personal data
practices for employee information, employees should be informed about such changes in a
timely manner.
Pension Benefits Standards Act
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
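Review bot: the footnote marker in "in Canada2." is fused into the word; in reStructuredText it should be a footnote reference such as `in Canada [2]_` with a matching `.. [2]` target, otherwise it renders as a typo and the source of the CSA Model Code statement is lost. Two smaller points in the same hunk: the `Principle N. ...` lines are plain paragraphs, so each title will run into its own body text when rendered; a definition list (title line followed by an indented body) or a `.. rubric::` per principle would keep them distinct. Also, the hunk ends on the `Pension Benefits Standards Act` heading with no body beneath it, so either a short paragraph or a `.. todo::` belongs there to avoid rendering an empty section.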