- Obtain consent for collecting, using and disclosing personal information, except when inappropriate (for example, in an emergency or when consent would compromise the availability or accuracy of the information). Obtain the consent in a form appropriate to the kind of information concerned. If an individual modifies or withdraws his or her consent, respect the changes.
- Collect personal information only for reasonable purposes and only as much as is reasonable for those purposes. Except when inappropriate, collect personal information directly from the individual concerned and inform the individual of how you will use and disclose the information.
- Use and disclose personal information only for the purposes for which it was collected, unless the individual consents or the Act permits the use or disclosure without consent.
- On request, provide an individual with information about the existence, use and disclosure of the individual’s personal information and provide access to that information, if reasonable. On request, correct information that is inaccurate.
- Ensure that any personal information is as accurate as necessary for the collection purposes; ensure that personal information is secure; and keep the information only as long as reasonable for business and legal reasons.
- Destroy or anonymize the personal information once it is no longer needed.
- Notify the Information and Privacy Commissioner of an incident that involves the loss of or unauthorized access to or disclosure of personal information that may pose a real risk of significant harm to individuals.
- Designate an individual to make sure you comply with the Act and make information about the organization’s management of personal information available on request.
May 2010