1. Cross Country Ski Ontario (XCSO) is subject to the Personal Information Protection and Electronic Documents Act (“the Act”) which sets out principles of fair information practices that in turn form ground rules for the collection, use and disclosure of personal information.
2. In accordance with the Act, XCSO is responsible for the protection of personal information and the fair handling of it at all times both throughout the organization and in dealings with third parties.
5. XCSO will comply fully with the principles and exceptions set out in the Act.
Cross Country Ski Ontario Principles of Fair Information Practices
7. Before or when any personal information is collected by or on behalf of XCSO, XCSO will identify the reason(s) for collecting the information and how it will be used. If the reason(s) for collecting the information and/or how it will be used changes after the information is collected, XCSO will inform the affected individual(s) and obtain consent before the information is used.
8. Personal information may be collected from more than one source and combined.
9. XCSO requires an individual’s consent to the collection, use and/or disclosure of personal information:
a. Before or when any personal information is collected by or on behalf of XCSO, or when the reason(s) for collecting the information and/or how it will be used changes, XCSO will obtain consent from the individual whose personal information is collected, used or disclosed.
b. For an individual who is a minor, seriously ill, or mentally incapacitated, consent may be obtained from a legal guardian, or person having power of attorney.
c. Consent may be obtained in person, by phone, by fax, by mail, by email or by internet, or by any other reasonable method, whether express or implied.
10. XCSO limits the information it collects to what is needed for specific purposes identified by XCSO at the time the personal information is collected.
Limiting Use, Disclosure and Retention
11. XCSO will limit the use and disclosure of the personal information it has collected to the purpose(s) for which it was collected, unless the individual otherwise consents or the use or disclosure is authorized by law.
12. Where possible, XCSO will use contracts or other agreements to ensure the protection of personal information that has been collected by XCSO and that is transferred to a third party for use, including but not limited to:
a. The personal information transferred to a third party will be limited to what is needed by and for the purposes necessary for the third party to fulfil the contract or agreement.
b. The third party will be required to refer to XCSO any requests for access to or complaints about the information provided.
c. When the personal information is no longer required by the third party, the third party will be required to either return the information to XCSO or dispose of it in a manner acceptable to XCSO.
13. Personal information collected by or on behalf of XCSO will be retained only as long as necessary to satisfy the purpose(s) for which it was collected. Any personal information collected by or on behalf of XCSO that is no longer required for an identified purpose or a legal requirement will be destroyed, erased or rendered anonymous in a manner that will prevent improper access.
14. XCSO will make efforts to keep the personal information collected as accurate, complete and up-to-date as is necessary, taking into account the purpose(s) for which the information is collected and the interests of the individual.
15. XCSO will make efforts to protect the personal information collected with appropriate safeguards and security measures:
a. Information may only be accessed by approved officials or employees, or by other persons designated as such by XCSO, and only to the extent necessary for the identified purpose(s).
b. Personal information will only be disclosed to a third party when: i. reasonable steps are taken to identify the individual requesting the personal information; ii. the individual requesting the information is able to establish his/her right to access the personal information requested; and iii. the proposed use of the personal information requested is consistent with the consent given with respect to the collection, use and/or disclosure of the personal information.
c. Personal information may only be stored, modified or deleted by the XCSO Administrator or his/her delegate as set out herein.
d. Physical safeguards include restricted physical access to XCSO offices and secure storage facilities.
e. Technological safeguards include restricted file access, computer passwords, firewalls and file encryption procedures.
16. Any requests or enquiries about this policy can be directed to the XCSO Provincial Office.
17. Any individual that has provided personal information to XCSO shall have access to that personal information collected, used or disclosed by or on behalf of XCSO.
18. An individual may review, amend or update the personal information collected about him/her.
19. If XCSO refuses access to an individual to the personal information collected, XCSO will provide to the individual the reason(s) for the refusal and any recourse available.
20. Where possible, a response to a request for access to personal information by an individual will be made within 30 days of the request.
21. XCSO will make every effort to provide access of any individual to his/her personal information at minimal or no cost. If a cost is anticipated to provide the information requested, XCSO will advise of the cost prior to disclosing the information.
22. XCSO will investigate and respond to all concerns about any aspect of the collection, use and disclosure of personal information, in a timely manner. Where necessary, an individual will be advised of available avenues of complaint, including the Office of the Privacy Commissioner of Canada.
23. XCSO will take appropriate measures to correct any inaccurate personal information that is identified or to modify policies or procedures where necessary.
Responsibility and Accountability
24. XCSO is responsible for maintaining and protecting all personal information that it collects.
a. Collection, use and disclosure of personal information;
b. Responding to requests and general inquiries for personal information;
c. Responding to requests for correction to personal information;
d. Responding to complaints about the collection, use and disclosure of personal information by XCSO;
e. Explaining the purpose(s) for the collection, use and disclosure of personal information;
f. Explaining the procedure to withdraw consent and the consequences, if any, of such a withdrawal.
Revised and reviewed October 12, 2016