Freedom of Information & Protection of Privacy

In circumstances where the District can rely on consent for the collection of personal information (i.e. recording or updating an individual's contact information, updating an individual's name), the District will obtain consent in writing.

A consent notice must include the following information:

• Description of the personal information the consent relates to
• Purpose of the disclosure
• To whom the personal information will be disclosed
• The jurisdiction where the personal information will be disclosed (if practicable)
• The date when the consent is effective and the date it expires (if applicable)

People have a right to access their personal information and to request corrections to it. People also have the right to request a correction of personal information if they believe there is an error or omission.

Requests to access personal information or the correction of personal information must be made to the District's privacy coordinator. The District must provide the change to any other body the information has been provided to within the preceding one-year period.

The District is responsible for protecting personal information in its control by making reasonable security arrangements against risks such as unauthorized collection, use,
disclosure or disposal. The District’s Freedom of Information and Protection of Privacy
Policy & Procedures Manual (pages 27-28) discusses privacy protection measures practiced
by staff.

A privacy breach is the theft or loss of personal information or the access, collection, use or
disclosure of personal information in the custody or control of a public body. This is not
limited to written information. The District is required to have a documented process for responding to privacy breaches and complaints. Any privacy breaches and complaints must or are to be reported to the District’s privacy coordinator. District staff are required to
follow the District’s Privacy Breach Procedure. If a privacy breach is reasonably expected to result in significant harm to an individual, public bodies are required to issue a notification about that breach to the affected individual and to the Information and Privacy Commissioner.

Submit a Privacy Complaint or Breach

The District is required to retain personal information for one year if that information was used as a basis for a decision directly affecting the individual and to allow the affected individual a reasonable opportunity to obtain access. After one year, the information is disposed of in accordance with the records retention schedule defined in the District's Records & Information Management Program Handbook (pages 13-15).

A privacy impact assessment (PIA) is used to determine whether a project or initiative
involves personal information and, if so, how the information will be collected or used. Staff are required to complete a Privacy Impact Assessment Form and submit it to the District’s privacy coordinator prior to proceeding with a new initiative that involves the collection of personal information. The goal is to work together to identify, evaluate and manage privacy risks.