OMCA has implemented policies and practices in order to fully comply with the principles as set out in Part I of the Personal Information Protection & Electronic Documents Act (PIPEDA) effective January 1, 2004 including:
- Implementing procedures to protect personal information
- Establishing procedures to receive and respond to inquiries and complaints
- Training staff and communication to staff about the Association’s policies and practices, and
- Developing information to explain the Association’s policies and procedures
It should be noted that under the Act, “personal information” does not include the name, title, business address or business telephone number of an employee, including employees and contractors of OMCA.
The Provisions of the Act require compliance in 10 areas. We have listed those areas below, as well as information on how OMCA complies with each requirement.
PRINCIPLE #1 – ACCOUNTABILITY
OMCA is responsible for personal information under its control and has designated the President as the person who is accountable for the Association’s compliance with the following principles:
- Accountability for OMCA’s compliance with the PIPEDA is that of the President, even though other persons within the Association may be responsible for day to day collection and processing of personal information. In addition, other persons within OMCA may be delegated to act on behalf of the President.
- OMCA is responsible for personal information that is in its possession or custody, including information that has been transferred to a third party for processing. OMCA uses contractual and other means to provide a comparable level of protection in situations where information is processed by a third party.
- OMCA will protect all personal information held by the Association.
- OMCA does not transfer personal information to third parties, without consent of the individual, nor will OMCA make personal information contained in membership lists available to third parties, either voluntarily or for sale.
- In the case of sponsored events, such as specific seminars and conferences, OMCA will provide to speaker(s) and sponsors access to the list of members attending, for the purpose of providing additional educational material, after the event has concluded. The list will contain business information only and will not disclose personal information about a member.
- In order to help bring business to our members, OMCA will divulge names or contact information of members, but not personal information without consent.
- All OMCA members in good standing who are listed in the OMCA Resource Guide have given their permission to post their name and business contact information on the OMCA’s website, and therefore, on the World Wide Web. OMCA members are reminded on a regular basis to inform OMCA if information in the Resource Guide needs to be updated, corrected or removed.
- OMCA makes every reasonable attempt to correct member information and keep both public records (those on the Directory) and private records (those in our database and in our paper back-up files) up to date.
- OMCA will occasionally destroy obsolete files. In these cases, a shredder will be used to ensure that personal information is destroyed and not simply discarded.
PRINCIPLE # 2 – IDENTIFYING PURPOSE
The purposes for which personal information is collected shall be identified by OMCA at or before the time the information is collected. Information is collected in order for OMCA to maintain the accuracy of membership records; to better communicate with our members; to establish member eligibility for membership services and benefits, and to mail information to consumers who have specifically requested information from OMCA about a member’s services.
Information that we collect:
- Business (company) name
- Contact Name & Business Title/Position
- Membership number
- Mailing address
- Membership Category
- Last fee paid
- Paid fee date
- Method of payment (cash, cheque, credit card)
- Home contact information (if applicable)
- Business contact information
- Email address
- Fax number
- OMCA events/conferences etc. attended
- Phone number
We collect this information to maintain correspondence with OMCA members in order to provide timely and efficient member services and to conduct general business practices and the administration of the Association. Information is collected verbally (buy telephone, or in person), electronically by e-mail, or written correspondence using forms, letters and faxes.
- OMCA documents the purposes for which personal information is collected. These purposes are limited to the following:
– To develop and market travel services tailored to the interests of our members.
– To resolve member customer concerns and complaints.
– To recruit, train and retain a highly motivated workforce, including the administration of compensation and pension plans.
– As required by law.
- OMCA will specify the identified purpose in writing (at or before the time of collection) to the individual from whom the personal information is collected.
- Personal information that has been collected by OMCA will not be used for a purpose not previously identified without further individual consent, unless the new purpose is required by law.
- OMCA employees (or contractors conducting work for and on behalf of OMCA) collecting personal information will be pleased to explain the purposes for which the information is being collected.
PRINCIPLE #3 – OBTAINING CONSENT
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
- OMCA will seek consent for the collection of personal information wherever possible at the time information is collected
- OMCA will make a reasonable effort to ensure individuals are advised of the purposes for which information will be used and will state purposes in such a manner that individuals can reasonably understand how the information will be used or disclosed.
- OMCA will not require an individual to consent to the collection, use or disclosure of information beyond that which is required to meet legitimate purposes.
- Where any personal information that might be considered sensitive is collected, only express consent will be used.
– OMCA considers consent to be an expression of permission to collect and use information for the purpose of providing membership services and benefits, or for the provision of consumer information.
A Note Regarding E-mail Addresses
E-mail addresses of a general format that do not identify an individual (for example info@ etc.) are not considered “personal information”. E-mail addresses that are of an individual nature (contain information about an identifiable individual for example John.smith @ etc) are deemed “personal information” (except in Alberta and British Columbia). New OMCA members at time of application provide express consent for OMCA to use their e-mail address as a means of communication with OMCA and for customers or potential customers to communicate with OMCA members. Members of OMCA prior to Dec 31, 2003 are advised that OMCA will continue to use e-mail addresses on file for these purposes, (on the basis of “implied consent) unless OMCA is otherwise advised.
PRINCIPLE #4 – LIMITING COLLECTION
The collection of personal information shall be limited to that which is necessary for the purposes identified by OMCA. OMCA will specify the type of information collected in a regularly updated Guide to Information Handling (see below).
- OMCA will collect personal information only by fair and lawful means.
OMCA’s Guide to Information Handling
OMCA will collect only the following personal information about OMCA members:
- Name, address and telephone number
- The interest expressed about by the member various services and benefits offered by the Association
- information for the purpose of maintaining membership files, for the purpose of recording attendance at events (seminars, workshops, conferences), for the purpose of maintaining records with regard to the purchase of educational materials and seminars
- The interest expressed by a member in receiving further information
- Any other information provided by a member to assist in planning or providing services to the member
- Information obtained from the member to provide for their comfort and safety (e.g. emergency contacts, age, medical, dietary or similar information at OMCA events, conferences, etc.)
- Information provided by the member required to address a customer concern or complaint
- Information required for billing purposes or payment collection
- Any information required by law
OMCA will collect only the following personal information about OMCA employees:
- Name, home address and telephone number, emergency contacts, next of kin, dependents
- Age, sex, education, training, experience, driver licensing, trades accreditation licensing, employment history, references
- Years of employment, salary & benefits, performance evaluations
- Information required for the administration of group insurance (benefits) plans and Workplace Safety & Insurance (workers compensation)
- Any information required by law
PRINCIPLE #5 – LIMITING USE, DISCLOSURE & RETENTION
Personal information shall not be used or disclosed for purposes other than for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
- OMCA will document any new purpose for using personal information and obtain further consent before use
- OMCA will set minimum and maximum retention periods for the retention of personal information. Personal information that has been used to make a decision about an individual will be retained long enough to allow the individual access to the information after the decision has been made.
When personal information is no longer required to fulfil the identified purpose, it will be destroyed under guidelines prescribed by the Association.
OMCA retains registration records for a period of three years; obsolete membership records are shredded every five years. Financial records are maintained for a period of 6 years.
PRINCIPLE #6 – ACCURACY
Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
- OMCA will ensure that information is sufficiently accurate, complete and up-to-date to meet required purposes and to minimize any likelihood that inappropriate information may be used to make a decision about an individual.
- OMCA endeavors to keep membership records as up-to-date as possible, through regular communication with members via the OMCA’s newsletter Report and annual membership renewal procedures.
- OMCA will not routinely update personal information unless this is necessary to fulfil the purposes for which the information was collected.
- Personal information on individual members can be retrieved from the database by an OMCA employee in order to verify the accuracy of the information, in consultation with a member.
PRINCIPLE #7 – SAFEGUARDS
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
- OMCA will protect all personal information, regardless of format, against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. More sensitive information will be safeguarded by a higher level of protection.
- The methods of protection will include physical measures, organizational measures and technological measures. OMCA will make employees aware of the importance of maintaining the confidentiality of personal information.
- OMCA will take care in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to it.
- The OMCA office is situated in a secured building with 24-hour security. After-hours access is restricted to employees with a pass-card. The office itself is locked at all times out side of normal business hours.
- OMCA computers are password protected. All computer forms that relate to financial transactions are “secure”. The OMCA computer system is firewall protected. Membership data is stored off-site by a contracted firm. This firm must, as a condition of its contract with OMCA, abide by the PIPEDA in respect to protection and security of OMCA members’ personal information.
PRINCIPLE #8 – OPENNESS
OMCA will make specific information about its personal information management policies and practices readily available to individuals.
OMCA will be open about its polices and practices with respect to the management of personal information. Individuals will be able to acquire information about OMCA’s policies and practices without unreasonable effort and in a form that is generally understandable.
This information will include:
- The name or title, and the address, of the person who is accountable for OMCA’s policies and practices and to whom complaints or inquiries can be forwarded.
- How to gain access to personal information held by the Association
- A description of the type of personal information held by OMCA, including a general account of its use
- A copy of any brochures or other information that explain OMCA’s policies, and
- What personal information is made available to related organizations
- Members may contact OMCA at any time for a copy of the personal information in their files.
- Individuals can complain to OMCA using the contact information listed.
PRINCIPLE #9 – INDIVIDUAL ACCESS
Upon request, OMCA will inform individuals of the existence, use and disclosure of their personal information and provide access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Note: In certain situations, OMCA may not be able to provide access to all the personal information it holds about an individual. Exceptions to the access requirement will be limited and specific, but may include instances where disclosure would reveal information about a third party where the information cannot be severed’ for certain investigator and legal reasons as specified by legislation’ where the information is protected by solicitor-client privilege; where disclosure would reveal confidential commercial information and cannot be severed; or where the information was generated in the course of a formal dispute resolution process.
- Upon request, OMCA will inform individuals whether or not the organization holds personal information about them and will allow access to this information. Where possible, OMCA will indicate the source of the information, and will provide an account of its use and an account of the third parties to which it has been disclosed. When it is not possible to provide a list of the organizations to which it has actually disclosed information about an individual, OMCA will provide a list of organizations to which it may have disclosed the information. OMCA may chose to make sensitive medical information available through a medical practitioner.
- OMCA may require sufficient information to permit the company to provide an account of the existence, use, and disclosure of personal information. The information provided shall only be used for this purpose.
- OMCA will respond to individual requests within a reasonable time and at no cost to the individual. The requested information shall be provided in a form that is generally understandable.
- When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, OMCA will amend the information as required. Depending upon the nature of the information challenged, amendment involves the correction, deletion, or addition of information. Where appropriate, the amended information shall be transmitted to third parties having access to the information in question. There are no costs or charges associated with the correcting of information in membership files
- When a challenge is not resolved to the satisfaction of the individual, OMCA will record the substance of the unresolved challenge. When appropriate, the existence of the unresolved challenge will be transmitted to third parties having access to the information in question.
- Individuals may visit the OMCA office during regular office hours to review their membership records. They may also request a copy of the information OMCA has in their file, as long as they provide verification of their identity.
PRINCIPLE #10 – CHALLENGING COMPLIANCE
OMCA will implement procedures to receive and respond to complaints or inquiries about policies relating to the handling of personal information. These procedures will be easy accessible and simple to use.
- OMCA will investigate all complaints. If a complaint is found to be justified, OMCA will take appropriate measures, including, if necessary, amending its policies and practices.
- Inquiries or complaints about OMCA’s personal information handling policies or practices should be directed to the President at the address below.
- Individuals can also contact the Privacy Commissioner of Canada in writing at the address provided.