Pursuant to the Canadian Federal Government’s Personal Information Protection and Electronic Documents Act (“PIPEDA”)
Under PIPEDA, the Ontario Association of Architects (the “OAA”) must obtain consent for the collection, use, disclosure and retention of personal information in the course of its commercial activities. A commercial activity is defined as any transaction, act or conduct (or course of conduct) that is of a commercial character. A commercial activity includes the selling, bartering or leasing of membership lists.
Importantly, Personal information collected, used, disclosed and retained by the OAA for regulatory purposes is not captured by PIPEDA and is not subject to the same requirements. This policy only applies to personal information collected by the OAA for commercial activities.
The OAA is required to comply with the following ten principles with respect to personal information:
The OAA is responsible for personal information under its control and shall designate at least one staff member who is accountable for the OAA’s compliance (the “privacy officer”).
Policy: The OAA has designated OAA Executive Director, Kristi Doyle as the privacy officer. General questions and comments related to PIPEDA and the OAA’s compliance with the legislation, as well as inquiries from individual architectural practices should be forwarded to Kristi Doyle at firstname.lastname@example.org.
Kristi Doyle can also be contacted regarding concerns related to the OAA’s compliance with the legislation, including the OAA’s collection, use, retention and destruction of personal information.
Kristi Doyle is the data protection officer for the purpose of the General Data Protection Regulation.
2. IDENTIFYING PURPOSES
The purpose for which personal information is collected by the OAA must be identified at or before the time that the information is collected.
Policy: Personal information is collected by the OAA for the purpose of enabling the OAA Group Insurance Plan to contact Architects, Licensed Technologists OAA and other classes of persons (e.g. Student Associates, Intern Architects, Retired Members, Honorary Members and Life Members). This purpose is outlined in the OAA’s Consent Form.
Procedure: The Consent Form is provided to Architects, Licensed Technologists OAA and other classes of persons. Individuals have an opportunity to accept or deny the OAA’s proposed collection, use, disclosure and retention of personal information. Any individual may subsequently amend their consent in writing.
As of January 1, 2004, the Consent Form is submitted by an individual at the time of licence application or application for appointment as an Intern Architect or Student Associate. A copy of the Consent Form was also sent to individuals who were Architects or other classes of persons prior to January 1, 2004.
The knowledge and consent of the individual is generally required for the OAA’s collection, use, disclosure or retention of personal information.
The form of the consent sought by the OAA may vary depending on the circumstances, the type of information that is collected, and the reasonable expectations of the individual. The Consent Form seeks express consent, whereby an individual may indicate that their personal information is not to be shared by the OAA. Given the type of personal information in question, it is reasonable to infer that an individual has given implied consent for the collection, use, disclosure or retention of personal information necessary for the identified purposes until the individual has returned a completed Consent Form to the OAA.
The OAA may collect personal information without the knowledge or consent of the individual if the collection is in the best interest of the individual and where consent cannot be obtained in a timely manner.
The OAA may use and disclose personal information that was produced by an individual in the course of their employment, business or profession without knowledge and consent where the use and disclosure is consistent with the purposes for which the information was produced. Other specific and restricted circumstances where the OAA may collect, use and disclose personal information are outlined in PIPEDA.
An individual may withdraw their consent at any time upon reasonable notice, subject to legal or contractual restrictions.
Policy: Personal information collected, used, disclosed and retained by the OAA is identified in the Consent Form. Through the Consent Form, the OAA obtains written consent from Architects, Licensed Technologists OAA and other classes of persons to collect, use, disclose and retain personal information for the purpose of enabling the OAA Group Insurance Plan to contact these individuals.
See the procedure for Consent Forms outlined in Section 2 above.
4. LIMITING COLLECTION
The OAA’s collection of personal information shall be limited to that which is necessary for the purposes identified by the OAA. Information shall be collected by fair and lawful means.
Policy: All personal information collected, used and disclosed by the OAA is obtained using the Consent Form and is limited to information necessary for the purpose of enabling the OAA Group Insurance Plan to contact Architects, Licensed Technologists and other classes of persons.
Procedure: As of January 1, 2004, the OAA shall collect necessary personal information at the time of application with the accompanying Consent Form.
5. LIMITING USE, DISCLOSURE AND RETENTION
Personal information collected by the OAA in the course of its commercial activities shall not be used, disclosed or retained for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes, following which it shall be destroyed, erased or anonymized.
The OAA may disclose personal information collected in the course of its commercial activities without the knowledge or consent of the individual if the disclosure is to a lawyer who represents the OAA, for the purposes of collecting a debt owed by the individual to the OAA, where such disclosure is required to comply with a subpoena or an order of the Court or a person or body with jurisdiction to compel the production of information, where a request has been made by an investigative body and the disclosure is reasonable for purposes related to investigating a breach of an agreement or contravention of the laws of Canada or a province or is required by law, and in other limited circumstances outlined in PIPEDA.
Only personal information collected from the Consent Form may used or disclosed for the purpose of enabling the OAA Group Insurance Plan to contact Architects, Licensed Technologists OAA and other classes of persons.
The OAA will destroy unnecessary personal information. An individual may also request that their personal information be destroyed.
• An individual may submit a request, in writing, to the OAA’s privacy officer that their personal information be destroyed by the OAA.
• The OAA’s privacy officer will address the matter and issue a response to the individual within 30 days of receipt of the request.
• The OAA will make reasonable efforts to alert any third parties that the individual has requested that their personal information be destroyed.
Personal information collected, used, disclosed or retained by the OAA in the course of its commercial activities shall be as accurate, complete and up to date as is necessary for the purpose for which it is to be used.
Policy: The OAA endeavours to maintain accurate and up-to-date records; however, the onus is on the individual to advise the OAA, in writing, with respect to any change in their particulars. Note that failing to notify the Registrar in writing of a change of address recorded on the OAA’s register may also amount to professional misconduct.
• Changes to information submitted in Consent Forms will only be accepted in writing and must be signed and dated. Changes to information may be delivered by email or hardcopy.
• The OAA will make reasonable efforts to alert any third parties to changes of an individual’s personal information.
Policy: Personal information collected, used, disclosed and retained by the OAA shall be protected by security safeguards appropriate for the sensitivity of the information.
• The OAA’s electronic database is password-protected.
• Access to the OAA’s internal offices is restricted to those with pass cards.
• Personal information in hardcopy form cannot be accessed or used by unauthorized individuals.
The OAA shall make readily available to individuals, specific information about its policy of practices relating to the management of personal information collected, used, disclosed and retained. An individual may contact the designated privacy officer to obtain further information.
Procedure: An individual may submit a written request to the OAA’s privacy officer using the contact information included at Section 1 above.
9. INDIVIDUAL ACCESS
Upon request, an individual shall be informed of the existence, use and disclosure of their personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Policy: An individual may request confirmation of whether the OAA holds personal information about the individual and may request access to their personal information. Upon request, the OAA will provide an account of the use that has been made (or is being made) of that information, as well as an account of any third parties to which the personal information has been disclosed.
• An individual may request confirmation of and/or access to personal information in the OAA’s possession, in writing, from the OAA’s privacy officer.
• The OAA’s privacy officer will provide a copy of the individual’s completed Consent Form to the individual for review, as well as any other personal information in the OAA’s possession.
• Alternately, the individual may request to attend at the OAA’s offices at a mutually-convenient time to review the original copy of their completed Consent Form.
10. CHALLENGING COMPLIANCE
An individual shall be able to address a challenge concerning compliance with the above nine principles with the designated privacy officer accountable for the OAA’s compliance.
Policy: Complaints may be made to the OAA’s privacy officer using the contact information included at Section 1 above. In addition, individuals may direct concerns to the Office of the Privacy Commissioner of Canada.
• A complaint must be made in writing and should be addressed to the OAA’s designated privacy officer using the contact information included in Section 1 above.
• The privacy officer, , will address the matter and issue a response to the individual within 30 days of receipt of the complaint.
Note: OAA Practice Tip PT.2 alerts architectural practices of the existence of the applicable legislation and compliance requirements. Information and additional resources regarding privacy are included therein.
Last Updated November 25, 2020