Purpose of the Privacy Policy and Principles Document
The objective of this Privacy Policy and Principles document (the “Policy”) is to ensure the protection of personal information residing within the Greater Toronto Airports Authority (‘GTAA’) or under its control and to provide guidelines on the collection, use, disclosure, and disposal of such information. Personal information can relate to employees, the public and other individuals.
This Policy applies to all employees of the GTAA. Adhering to the Policy is essential to preserve GTAA’s reputation, integrity and legal compliance with privacy legislation. Employees who handle, collect, use or disclose personal information will receive privacy training as appropriate.
Background
In April 2000, the Personal Information Protection and Electronic Documents Act, (the “Act” or “PIPEDA”) was passed. It sets out rules for the management of personal information by private sector organizations in respect of their commercial activities and is based on the Canadian Standards Association Model Code for the Protection of Personal Information. In doing so, the Act strives to achieve a balance between:
- the right of privacy of individuals with respect to their personal information; and
- the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.
Definition of Personal Information
Personal Information is defined in the Act, as “information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization”. This is a very broad definition and will encompass most types of information held such as race, medical, criminal, employment and financial history. The legislation applies to information collected, used or disclosed in the course of commercial dealings and to personal information about employees with the exception of an individual’s name, title or business address or telephone number. The Regulations to the Act specify information that is publicly available and which may be collected, used and disclosed without consent as being:
- personal information consisting of the name, address and telephone number of a subscriber that appears in the telephone directory that is available to the public, where the subscriber can refuse to have the personal information appear in the directory;
- personal information including the name, title, address and telephone number of an individual that appears in a professional or business directory that is available to the public, where the collection, use and disclosure of the personal information relates directly to the purpose for which the information appears in the directory;
- personal information that appears in a registry collected under a statutory authority and to which a right of public access is authorized by law, where the collection, use and disclosure of the personal information relate directly to the purpose for which the information appears in the registry;
- personal information that appears in a record of a judicial or quasi-judicial body to which public access is permitted, where the collection, use and disclosure of the personal information relate directly to the purpose for which the information appears in the record;
- personal information that appears in a publication, including a magazine, book, or newspaper that is available to the public, where the individual has provided the information.
For the purposes of this Policy 'collection' pertains to the gathering, acquiring, recording, or obtaining personal information from any source by any means.
Structure
The Policy Privacy Policy. The second section elaborates on the 10 principles outlined within the Policy.
Maintenance
The Policy will be reviewed and updated on an ongoing basis under the direction of the Chief Privacy Officer. All changes or amendments will be communicated to all GTAA employees and made available to the public on a timely basis.
Other legislation and GTAA Policies
Where this Policy conflicts with existing policies or legislation applicable to the GTAA, adherence to the stricter legislation or policy should be followed.
Section One: Privacy Policy
The objective of the Privacy Policy is to ensure the protection of personal information collected, used, disclosed, stored, shared or destroyed while under the control and responsibility of the GTAA. This includes personal information residing within the GTAA and personal information provided to third parties in the conduct of its commercial activities. To attain this goal the GTAA must comply with the following:
The GTAA respects the rights of all individuals to have their personal information treated with care and respect. The GTAA has implemented this Policy to ensure that information about all individuals is afforded appropriate protection in accordance with legislation, regulations and industry and professional best practices.
Principle 1
The GTAA is responsible and accountable for personal information under its control and will treat such information in accordance with legislation, regulations and industry and professional best practices where appropriate. A designated Chief Privacy Officer is accountable for GTAA's compliance with the Policy.
Principle 2
The GTAA will inform individuals’ of the purposes for which personal information is collected at or before the time the information is collected in accordance with the Act.
Principle 3
The GTAA will seek the knowledge and consent of the individual for the collection, use, or disclosure of personal information, except where consent is not required, or is implied.
Principle 4
The GTAA will only collect personal information that is necessary for the purposes identified and will only use fair and lawful means to collect personal information.
Principle 5
The GTAA will not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required by law. The GTAA will only retain personal information as long as necessary for the fulfillment of such purposes.
Principle 6
The GTAA endeavours to ensure that personal information is as accurate, complete, and up-to-date as deemed necessary for the purposes for which it is to be used.
Principle 7
The GTAA protects personal information that it collects, uses, stores, transmits and discloses through the establishment, operation and maintenance of security safeguards appropriate to the sensitivity of the information.
Principle 8
Upon request, the GTAA shall make readily available to individuals specific information about its Policy and practices relating to the management of personal information.
Principle 9
Upon request and within a reasonable timeframe, the GTAA will inform individuals of the existence, use, and disclosure of any personal information retained by the GTAA about them and will give access to the information, in accordance with the Act. The GTAA will amend personal information as deemed appropriate to ensure continued accuracy and completeness.
Principle 10
The GTAA will provide a means for individuals to challenge compliance with the Policy and will investigate and respond to challenges within a reasonable period of time.
Section Two: Privacy Policy Responsibilities
Principle 1: Accountability
The GTAA is responsible and accountable for personal information under its control and will treat such information in accordance with legislation, regulations and industry and professional best practices where appropriate. A designated Chief Privacy Officer is accountable for the GTAA's compliance with the Policy.
1.1 Accountability for ensuring compliance with the GTAA’s Privacy Policy rests with the Chief Privacy Officer. Additional individuals within the GTAA may be delegated to act on behalf of the Chief Privacy Officer or to take responsibility for the day-to-day collection and processing of personal information.
1.2 The GTAA is responsible for personal information in its possession or custody. Where personal information is provided to a third party for processing, the GTAA will use appropriate means to provide a level of protection comparable to its own.
1.3 The GTAA will implement procedures and training to give effect to the Policy.
Principle 2: Identifying Purposes
The GTAA will inform individuals’ of the purposes for which personal information is collected at or before the time the information is collected in accordance with the Act.
2.1 The GTAA may collect personal information for purposes related to its business activities, including managing Toronto Pearson International Airport, and to ensure the safe and secure operation of the airport.
2.2 Unless implied, the GTAA will specify orally or in writing the identified purposes to the individual at or before the time personal information is collected. The GTAA collects only information necessary for the purposes identified.
2.3 Unless required by law, the GTAA will not use or disclose, for any new purpose, personal information that has been collected without first identifying and documenting the new purpose and obtaining the consent of the individual.
2.4 GTAA employees who collect personal information are able to provide information that explains the purpose for which it is being collected.
Principle 3: Consent
The GTAA will seek the knowledge and consent of the individual for the collection, use, or disclosure of personal information, except where consent is not required, or is implied.
3.1 In obtaining consent, the GTAA will make reasonable efforts to ensure that an individual is advised of the identified purpose(s) for which personal information is used or disclosed. Purposes will be stated in a manner that can be reasonably understood by the individual.
3.2 In determining the appropriate form of consent, the GTAA will take into consideration the sensitivity of the personal information and the reasonable expectations of the individual.
3.3 Personal information may be collected without consent during emergency events, security investigations or as identified in the Act.
3.4 An individual may withdraw consent at any time subject to legal or contractual restrictions and reasonable notice. The GTAA will inform individuals of the implications of such withdrawal.
Principle 4: Limiting Collection
The GTAA will only collect personal information that is necessary for the purposes identified and will only use fair and lawful means to collect personal information.
4.1 The GTAA does not collect personal information indiscriminately. Both the amount and type of personal information collected are limited to what is necessary to fulfill the GTAA's purposes.
Principle 5: Limiting Use, Disclosure and Retention
The GTAA will not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required by law. The GTAA will only retain personal information as long as necessary for the fulfillment of such purposes.
5.1 The GTAA may share personal information with third parties for purposes such as processing security pass applications, and employee compensation.
5.2 The GTAA retains personal information in accordance with this Policy and as required by law.
Principle 6: Accuracy
The GTAA endeavours to ensure that personal information is as accurate, complete, and up-to-date as deemed necessary for the purposes for which it is to be used.
6.1 The GTAA endeavours to ensure that Personal information used will be sufficiently accurate, complete and current to minimise the possibility that inappropriate information may be used.
6.2 The GTAA will update personal information as it is made available by an individual.
6.3 Individuals are responsible for advising the GTAA about changes to their personal information.
6.4 The GTAA does not routinely update personal information except where necessary to fulfill the purposes for which the personal information is collected.
Principle 7: Safeguards
The GTAA protects personal information that it collects, uses, stores, transmits and discloses through the establishment, operation and maintenance of security safeguards appropriate to the sensitivity of the information.
7.1 The GTAA protects personal information through appropriate security measures against risks such as loss or theft, unauthorised access, disclosure, copying, use, modification or destruction.
7.2 The GTAA will protect personal information regardless of the format in which it is held.
7.3 The GTAA will employ the following methods for the protection of personal information:
- Physical measures, such as locked filing cabinets and restricted access to offices;
- Organizational measures, such as employee confidentiality agreements, security clearances and limiting access to a need-to-know basis; and
- Technological measures, such as password protection.
7.4 The GTAA will employ contractual means to provide a level of protection comparable to its own when personal information is outsourced for processing.
7.5 The GTAA employees who are granted access to personal information will be required to respect its confidentiality. The GTAA provides appropriate training programs and information about this Policy to its employees.
7.6 The GTAA will dispose of or destroy personal information with care to prevent unauthorised parties from gaining access to the information.
Principle 8: Openness
Upon request, the GTAA shall make readily available to individuals specific information about its Policy and practices relating to the management of personal information.
8.1 The GTAA is open about its Policy and information management practices.
8.2 The GTAA makes information about its Privacy Policy readily available to individuals through written materials. Copies are made available to individuals on request.
8.3 Inquiries, comments, requests and complaints may be addressed to:
Chief Privacy Officer
Office of the General Counsel
Greater Toronto Airports Authority
3111 Convair Drive
Toronto AMF, Ontario L5P 1B2
privacy@gtaa.com
Principle 9: Access to Personal Information
Upon request and within a reasonable timeframe, the GTAA will inform individuals of the existence, use, and disclosure of any personal information retained by the GTAA about them and will give access to the information, in accordance with the Act. The GTAA will amend personal information as deemed appropriate to ensure continued accuracy and completeness.
9.1 Individuals may request access to personal information held about them by the GTAA in accordance with the Act and this Policy.
9.2 In order to permit the GTAA to account for the existence, use and disclosure of personal information and to authorize access to an individual’s file, he or she will be required to provide sufficient identification for this purpose.
9.3 Upon request, the GTAA will inform an individual whether or not it holds personal information about him or her in accordance with the Act.
9.4 The GTAA will assist any individual who informs it that he or she requires assistance in preparing a request for access.
9.5 The GTAA will endeavour to respond to a request for access within thirty days of receipt of a request prepared in accordance with applicable procedures.
9.6 The GTAA will provide individuals with their personal information in a form that is generally understandable and at minimal or no cost to the individual.
9.7 Where an individual demonstrates the inaccuracy or incompleteness of his or her personal information, the GTAA will amend it as required. An amendment may involve the correction, deletion or addition of personal information. Where a challenge is not resolved to the satisfaction of the individual, his or her personal information will not be changed. The GTAA will maintain a record of such unresolved challenge. Where appropriate, third parties will be notified of the unresolved challenge.
9.8 On request, the GTAA will endeavour to provide a list of organizations to which it has disclosed or may have disclosed personal information about an individual, in accordance with the Act.
Principle 10: Challenging Compliance
The GTAA will provide a means for individuals to challenge compliance with its Policy and will investigate and respond to challenges within a reasonable period of time.
10.1 The GTAA has procedures in place to receive and respond to inquiries and complaints about its policy and practices relating to its personal information management system.
10.2 Upon request, the GTAA will inform individuals about these procedures and the complaint process.
10.3 The GTAA will investigate all complaints concerning compliance with its Privacy Policy. If a complaint is found to be justified, the GTAA will take the measures appropriate to address it. The individual will be informed of the outcome of the investigation, including measures taken as a result of the findings.