Policy Context
Context Description
In the course of its daily activities, the Bank of Canada Museum may gather personal information from individuals, in order to provide services, make decisions and support its business operations, programs and activities.
This Policy was developed according to the requirements of, and in compliance with, the Privacy Act of Canada.
Principles
The Bank of Canada Museum has long recognized and accepted its responsibility to protect the privacy of individuals who interact with the Museum through electronic or other means and to safeguard their personal information.
Policy Statement
The purpose of this policy is to outline the Museum’s commitment to protect personal information and manage this information with the utmost responsibility and care.
It governs the collection, use, and disclosure of all personal information of individuals who interact with the Museum, regardless of whether the information is held in paper, electronic or digital form.
Scope
This Policy applies to information collected by the Museum or on behalf of the Museum by service providers pursuant to a contract.
The Museum will identify the purposes for which personal information is collected at the time or before the information is collected. These purposes include, but are not limited to, managing:
- applications for employment at the Bank of Canada Museum
- enquiries from the general public, including Access to Information and Privacy Act requests
- registration for Museum-hosted conferences
- the logging of visitors to and the administration of the Bank of Canada Museum’s website
- the logging of visitors to the Bank of Canada Museum’s premises
- the registration for visits to the Bank of Canada Museum
- surveys involving the general public
- the security of Bank of Canada Museum premises and Museum-held information through various means, including CCTV surveillance
- such other purposes as required by the Museum
All personal information collected by the Museum is listed in Personal Information Banks (PIBs), which are published in Info Source, an annual Treasury Board publication that describes the purpose for the collection, notes any consistent uses that may be made of the information and specifies the retention and disposal standards for the information collected.
The Museum reserves the right, in appropriate circumstances, to collect and hold information outside Canada.
Mandatory Policy Requirements
Limiting collection, use and disclosure of personal information
- The Museum only collects personal information that relates directly to authorized programs or activities.
- Wherever possible, personal information is collected directly from the individual to whom the information relates and individuals are informed of the purpose of the collection at the time of the collection.
- The Museum only uses personal information or discloses it to third parties for the purpose for which the information was originally obtained or compiled, for a use consistent with that purpose or for a purpose permitted under the Privacy Act.
- The consent of the individual in question must be obtained before his or her personal information is used or disclosed for any other purpose.
- Any disclosure to third parties will be done pursuant to agreements setting out the requirements for use, safeguarding, retention and disposal of such information, or as required by law.
Safeguarding personal information
- Personal information, whatever its form, is classified according to the sensitivity of the information and is protected from unauthorized access, use, disclosure, removal, alteration and destruction in accordance with the Museum’s Corporate Security Policy and Operational Standard: Information Security.
- The Museum may use outside service providers or agents to collect and/or use personal information on its behalf. As part of the contractual agreements, these suppliers must protect personal information in a manner consistent with the privacy policies and practices established by the Museum and as obligated under the Privacy Act.
Retention and disposal of personal information
- The Museum retains and disposes of personal information in accordance with the Bank of Canada’s Corporate Records Management Policy, which meets the requirements set out in applicable legislation (i.e. the Privacy Act, the Library and Archives Act).
- Retention schedules for Personal Information held by the Museum are described in the Info Source publication.
Access to, and accuracy of, personal information
- Upon request, the Museum shall provide an individual with timely access to his or her personal information contained in records under the control of the Museum. Individuals may also request correction to their personal information which is under the Museum’s control. Requests can be made in writing to the Museum’s Access to Information and Privacy Coordinator citing the Privacy Act.
- The Museum may require sufficient information to allow it to confirm that the person making the request is authorized to receive the related information before granting access or making corrections.
- Access will not be provided when the records contain information that would be exempt from access under the Privacy Act, such as containing personal information about other individuals. If access to personal information cannot be provided, the Museum shall provide the reasons for denying access.
Responding to privacy complaints
The Museum is committed to investigating and resolving all complaints related to privacy, confidentiality or its information-handling practices in the most thorough, prompt and confidential manner possible. Any individual who believes their privacy or access-related rights have been breached can submit a complaint in writing to the Bank of Canada’s Access to Information and Privacy Coordinator.
Alternatively, individuals may submit a complaint to the Office of the Privacy Commissioner of Canada, the nation’s ombudsman for addressing unresolved privacy complaints:
Office of the Privacy Commissioner of Canada
112 Kent St.
Place de Ville
Tower B 3rd Floor
Ottawa ON K1A 1H3
Privacy breaches
A privacy breach involves the improper or unauthorized collection, use, disclosure, retention and/or disposal of personal information. The Museum takes seriously any information or complaint pertaining to a breach of privacy. Any complaint, allegation or information regarding possible breaches of privacy is considered and assessed in a consistent manner, and investigated fairly and impartially in a manner commensurate with the nature of the alleged complaint.
Further Advice and Guidance
This section contains information on frequency of review, maintenance, and contact information should users have questions related to specific aspects of the policy.
Frequency of reviews and maintenance
Any updates and amendments to this policy and the effective date shall be determined by the General Counsel and Corporate Secretary and communicated on the Museum’s website.
Enquiries
See the Access to Information and Privacy section on the Bank of Canada’s website.
Appendices
Definitions
Personal Information: refers to information about an identifiable individual and includes but is not restricted to
- race, national or ethnic origin, colour, religion, age or marital status
- medical, educational, financial, employment and criminal history
- address and identifying numbers assigned to the individual
- correspondence with the Museum that is explicitly or implicitly of a private nature
- the views or opinions of another individual about the individual
- the name of an individual, where disclosure of the name itself would reveal information about the individual
Personal Information Banks (PIB): As defined in the Privacy Act, a Personal Information Bank refers to a privacy-sensitive records system containing personal information which: 1) has been used, is being used or is available for use in decision-making affecting individuals directly, and/or 2) is retrievable by personal identifier.
A Personal Information Bank listing in Info Source includes
- a description of the type of records under Description
- the reason for collecting the information under Purpose
- the intended use or disclosure of the information under Consistent Uses
- how long the information is kept under Retention and Disposal Standards