Public statement about information practices

You must make a written statement about your information practices available to the public.

You must make a written statement about your information practices available to the public. This could be included on your website or on posters or brochures in your workplace.91

Your public statement must include an easy-to-understand description of:

  • your information practices (This means your policies for collection, use, modification, disclosure, retention and disposal of personal information, as well as the safeguards you have in place to protect the information92)
  • how an individual may obtain access to or request correction of a record of personal information held by your organization
  • how to contact your organization
  • how to make a complaint to your organization and to the IPC

It is good practice to write clear, concise statements describing the information practices of your organization, taking care to avoid technical and legal language. You can consider providing additional details through a separate document. For example, a poster in your waiting room could provide a high-level statement about your information practices, which directs readers seeking more detail to a brochure or website.

If you use or disclose personal information outside the scope of your publicly stated information practices, and without consent, you are required to inform the individual at the first reasonable opportunity. You are also required to make a note about the use or disclosure and attach it to the individual’s record.93 This might apply, for example, if you use personal information for research after stating in your description of information practice that you will only use personal information for direct service delivery.

 

91. CYFSA, s. 311
92. CYFSA, s. 281
93. CYFSA, s. 311(2). Note that you would be required to notify the individual at the first reasonable opportunity, unless they do not have a right of access to the record under s. 312.