The CPIO Code of Privacy and the CSA Model Code of Personal Information Privacy Ten interrelated principles form the basis of the Canadian Standards Association Model Code for the Protection of Personal Information. Each principle is a core element in the Council of Private Investigators - Ontario (CPIO) Code of Privacy.
Each organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles. Each Member is responsible for all personal information in his/her/its control. The CPIO will assist Members with training issues and certify Members as compliant with the CPIO's Code of Privacy. The CPIO's Ethics Committee is accountable for enforcement of the CPIO's Code of Privacy. An annual report of the Ethics Committee will be posted on the CPIO's website.
2. Identifying Purposes
The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected. The purpose for which Members collect personal information is to facilitate the investigation of contravention's of the law and breaches of agreements. Personal information collected as part of the investigation of a contravention of the law may include information pertaining to individuals involved in criminal activity, individuals suspected of involvement in criminal activity, individuals with knowledge of criminal activity, and
individuals who may advance an investigation by providing information relating to the identity of those involved or suspected of criminal activity. Personal information collected in the investigation of the breach of an agreement may pertain to individuals who are party to an agreement, individuals who have knowledge of the terms and conditions of an agreement, individuals who have knowledge of the breach of an agreement, or individuals who may advance an investigation by providing information relating to a breach of an agreement.
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. In most instances, obtaining the knowledge and consent of individuals would defeat the purpose of an investigation. Personal information will only be collected, used and disclosed by Members without consent in accordance with section 7 of the Personal Information Protection and Electronic Documents Act, S.C. 2000, c.5 (PIPEDA).
4. Limiting Collection
The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means. Members will collect information about individuals only if there are reasonable grounds to believe that the information relates to dishonest conduct, breaches of agreements or contravention's of the laws of Canada, a province, or a foreign jurisdiction. Members of the CPIO will only collect the personal information that is required for the preventative and investigative purposes set out above.
5. Limiting Use, Disclosure, and Retention
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes. Members may only use or disclose personal information for the purposes for which it was collected. Members may only keep personal information for as long as may be necessary
to satisfy such purpose. Members may disclose personal information only to law enforcement agencies, other investigative bodies or their clients for the purpose for which the personal information was collected. Members will destroy personal information in its possession once it is no longer required for the purpose for which it was collected.
Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used. Members will ensure to the best of their ability that the personal information they collect, use, and disclose is accurate, complete, current, and relevant to the stated purpose.
Security safeguards appropriate to the sensitivity of the information shall protect personal information. Members will ensure that personal information is stored in secure electronic and hard copy files. Hard copy files will be stored in locked file cabinets with restricted access. Electronic files will be stored in secure systems that include power-on password protection and a secure firewall. Electronic files will be encrypted with an industry standard encryption program before being transferred electronically. Distribution of personal information will be on a need-to-know basis.
An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information. Members will make available to the public easily understandable information about the Member Company, its privacy policies, this Code of Privacy, both in hard copy and on its web site www.cpi-ontario.com.
9. Individual Access
Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate. In accordance with paragraph 9(3)(c.1) of PIPEDA, if such disclosure does not defeat the purposes for which the information was collected, each Member will, upon request by an individual, advise the individual whether the Member has personal information concerning
him or her, what that information is, what it is being used for and to whom their information has been disclosed. If the individual can provide proof of an error in the personal information held by the Member, the Member will amend the information and send the corrected information to others who have used the incorrect information. If the individual challenges certain information but cannot disprove its accuracy, the Member will note the challenge so that those using the information will be aware of the unresolved challenge. If a Member denies an individual's
request for access, it will state the reasons for the denial and advise the individual of his/her right to appeal to the Office of the Privacy Commissioner of Canada or Ontario as the case may be.
10. Challenging Compliance