Privacy Protection Schedule

Definitions

  1. In this Schedule,
    (a) “Act” means the Freedom of Information and Protection of Privacy Act including any regulation made under it;
    (b) “contact information” means information to enable an individual at a place of business to be contacted and includes the name, position name or title, business telephone number, business address, business email or business fax number of the individual;
    (c) “personal information” means recorded information about an identifiable individual, other than contact information, collected or created by the Contractor as a result of the Agreement or any previous agreement between the CVRD and the Contractor dealing with the same subject matter as the Agreement;
    (d) “privacy course” means the CVRD’s online privacy and information sharing training course or another course approved by the CVRD; and
    (e) “public body” means “public body” as defined in the Act;
    (f) “third party request for disclosure” means a subpoena, warrant, order, demand or request from an authority inside or outside of Canada for the unauthorized disclosure of personal information to which the Act applies;
    (g) “service provider” means a person retained under a contract to perform services for a public body; and
    (h) “unauthorized disclosure of personal information” means disclosure of, production of or the provision of access to personal information to which the Act applies, if that disclosure, production or access is not authorized by the Act.

Purpose

  1. The purpose of this Schedule is to:
    (a) enable the Comox Valley Regional District (CVRD) to comply with the CVRD’s statutory obligations under the Act with respect to personal information; and
    (b) ensure that, as a service provider, the Contractor is aware of and complies with the Contractor’s statutory obligations under the Act with respect to personal information.

Acknowledgements

  1. The Contractor acknowledges and agrees that
    (a) it is a service provider and, as such, the requirements and restrictions established by Part 3 of the Act apply to the Contractor in respect of personal information;
    (b) unless the Agreement otherwise specifies, all personal information in the custody of the Contractor is and remains under the control of the CVRD; and
    (c) unless the Agreement otherwise specifies or the CVRD otherwise directs in writing, the Contractor may only collect, use, disclose or store personal information that relates directly to and is necessary for the performance of the Contractor’s obligations, or the exercise of the Contractor’s rights, under the Agreement.

Collection of Personal Information 

  1. Unless the Agreement otherwise specifies or the CVRD otherwise directs in writing, the Contractor may only collect or create personal information that relates directly to and is necessary for the performance of the Contractor’s obligations, or the exercise of the Contractor’s rights, under the Agreement.
  2. The Contractor must collect personal information directly from the individual the information is about unless:
    (a) the CVRD provides personal information to the Contractor;
    (b) the Agreement otherwise specifies; or
    (c) the CVRD otherwise directs in writing.
  3. Where the Contractor collects personal information directly from the individual the information is about, the Contractor must tell that individual:
    (a) the purpose for collecting it;
    (b) the legal authority for collecting it; and
    (c) the contact information of the individual designated by the CVRD to answer questions about the Contractor’s collection of personal information.

Privacy Training

  1. The Contractor must ensure that each individual who will provide services under the Agreement that involve the access, collection or creation of personal information will complete, at the Contractor’s expense, the CVRD’s privacy course prior to that individual providing those services.  
  2. The requirement in section 7 will only apply to individuals who have not previously completed the CVRD’s privacy course.

Accuracy of Personal Information

  1. The Contractor must make every reasonable effort to ensure the accuracy and completeness of any personal information to be used by the Contractor or the CVRD to make a decision that directly affects the individual the information is about.

Requests for Access to Information

  1. If the Contractor receives a request for access to information from a person other than the CVRD, the Contractor must promptly advise the person to make the request to the CVRD unless the Agreement expressly requires the Contractor to provide such access. If the CVRD has advised the Contractor of the name or title and contact information of an official of the CVRD to whom such requests are to be made, the Contractor must also promptly provide that official’s name or title and contact information to the person making the request.

Correction of Personal Information

  1. Within 5 Business Days of receiving a written direction from the CVRD to correct or annotate any personal information, the Contractor must annotate or correct the information in accordance with the direction.
  2. When issuing a written direction under section 11, the CVRD must advise the Contractor of the date the correction request was received by the CVRD in order that the Contractor may comply with section 13.
  3. Within 5 Business Days of correcting or annotating any personal information under section 11, the Contractor must provide the corrected or annotated information to any party to whom, within one year prior to the date the correction request was received by the CVRD, the Contractor disclosed the information being corrected or annotated.
  4. If the Contractor receives a request for correction of personal information from a person other than the CVRD, the Contractor must promptly advise the person to make the request to the CVRD and, if the CVRD has advised the Contractor of the name or title and contact information of an official of the CVRD to whom such requests are to be made, the CVRD must also promptly provide that official’s name or title and contact information to the person making the request.

Protection of Personal Information

  1. Without limiting any other provision of the Agreement, the Contractor must protect personal information by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or disposal, including without limitation by ensuring that the integrity of the personal information is preserved. Without limiting the general nature of the foregoing sentence, the Contractor will ensure that all personal information is securely segregated from any information under the control of the Contractor or third parties to prevent unintended mixing of personal information with other information or access to personal information by unauthorized persons and to enable personal information to be identified and separated from the information of the Contractor or third parties.

Storage of and Access to Personal Information

  1. The Contractor must comply with the requirements under the Act concerning storage of personal information outside of Canada, including, if required by the CVRD, by supporting the CVRD with completion of such assessments as may be required by law. 
  2. The Contractor must not change the location where personal information is stored without receiving prior authorization of the CVRD in writing. 
  3. Without limiting any other provision of the Agreement, the Contractor will implement and maintain an access log documenting all access to personal information, including a list of all persons that access any personal information.  The Contractor will provide a copy of the access log to the CVRD upon request.

Retention of Personal Information

  1. Unless the Agreement otherwise specifies, the Contractor must retain personal information until directed by the CVRD in writing to dispose of it or deliver it as specified in the direction.

Use of Personal Information

  1. Unless the CVRD otherwise directs in writing, the Contractor may only use personal information if that use is for the performance of the Contractor’s obligations, or the exercise of the Contractor’s rights, under the Agreement. For clarity, unless the Agreement otherwise specifies or the CVRD otherwise directs in writing, the Contractor must not anonymize, aggregate or otherwise alter or modify personal information, including by converting personal information into non-personal information, or analyze personal information (whether by manual or automated means) for any purpose, including for the purpose of developing insights, conclusions or other information from personal information.

Metadata

  1. Where the Contractor has or generates metadata as a result of services provided to the CVRD, where that metadata is personal information, the Contractor will:
    (a) not use it or disclose it to any other party except where the Agreement otherwise specifies; and
    (b) remove or destroy individual identifiers, if practicable.  

Disclosure of Personal Information

  1. Unless the CVRD otherwise directs in writing, the Contractor may only disclose personal information to any person other than the CVRD if the disclosure is for the performance of the Contractor’s obligations, or the exercise of the Contractor’s rights, under the Agreement.
  2. If in relation to personal information, the Contractor:
    (a) receives a third-party request for disclosure;
    (b) receives a request to disclose, produce or provide access that the Contractor knows or has reason to suspect is for the purpose of responding to a third-party request for disclosure; or
    (c) has reason to suspect that an unauthorized disclosure of personal information has occurred in response to a third-party request for disclosure, subject to section 24, the Contractor must immediately notify the CVRD.  
  3. If the Contractor receives a third-party request described in section 23(a) or (b) but is unable to notify the CVRD as required by section 23, the Contractor must instead:
    (a) use its best efforts to direct the party making the third-party request to the CVRD
    (b) provide the CVRD with reasonable assistance to contest the third-party request; and 
    (c) take reasonable steps to challenge the third party-request, including by presenting evidence with respect to: 
    (i) the control of personal information by the CVRD as a public body under the Act; 
    (ii) the application of the Act to the Contractor as a service provider to the CVRD; 
    (iii) the conflict between the Act and the third-party request; and 
    (iv) the potential for the Contractor to be liable for an offence under the Act as a result of complying with the third-party request. 

Notice of Unauthorized Disclosure

  1. In addition to any obligation the Contractor may have to provide the notification contemplated by section 30.5 of the Act, if the Contractor knows that there has been an unauthorized disclosure of personal information, the Contractor must immediately notify the CVRD.

Compliance with the Act and Directions

  1. The Contractor must in relation to personal information comply with:
    (a) the requirements of the Act applicable to the Contractor as a service provider, including any regulation made under the Act and the terms of this Schedule; and
    (b) any direction given by the CVRD under this Schedule.
  2. The Contractor acknowledges that it is familiar with the requirements of the Act governing personal information that are applicable to it as a service provider.
  3. The Contractor will provide the CVRD with such information as may be reasonably requested by the CVRD to assist the CVRD in confirming the Contractor’s compliance with this Schedule.

Notice of Non-Compliance

  1. If for any reason the Contractor does not comply or anticipates that it will be unable to comply in any respect, with any provision in this Schedule, the Contractor must promptly notify the CVRD of the particulars of the non-compliance or anticipated non-compliance and what steps it proposes to take to address, or prevent recurrence of, the non-compliance or anticipated non-compliance.

Termination of Agreement

  1. In addition to any other rights of termination which the CVRD may have under the Agreement or otherwise at law, the CVRD may, subject to any provisions in the Agreement establishing mandatory cure periods for defaults by the Contractor, terminate the Agreement by giving written notice of such termination to the Contractor, upon any failure of the Contractor to comply with this Schedule in a material respect.

Interpretation

  1. In this Schedule, references to sections by number are to sections of this Schedule unless otherwise specified in this Schedule.
  2. Any reference to “Contractor” in this Schedule includes any subcontractor or agent retained by the Contractor to perform obligations under the Agreement and the Contractor must ensure that any such subcontractors and agents comply with the requirements of the Act applicable to them.
  3. The obligations of the Contractor in this Schedule will survive the termination of the Agreement.
  4. If a provision of the Agreement (including any direction given by the CVRD under this Schedule) conflicts with a requirement of the Act, including any regulation made under the Act, the conflicting provision of the Agreement (or direction) will be inoperative to the extent of the conflict. 
  5. The Contractor must comply with the provisions of this Schedule despite any conflicting provision of the Agreement or the law of any jurisdiction outside Canada.
  6. Nothing in this Schedule requires the Contractor to contravene the law of any jurisdiction outside Canada unless such contravention is required to comply with the Act.