- In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA).
- In the EU, the General Data Protection Regulation (GDPR).
What to Include
Before you start writing, make sure you have a clear overview of what personal information your company holds and of your personal information handling procedures. Some of this information you may already have; for the rest you may need to investigate or conduct audits. Start by listing the business activities that involve personal information, for example:
- Providing specified services
- Conducting publicity campaigns
- Handling complaints
- Running a website
- Sending out a newsletter
For each activity you should also describe:
- The personal information that you collect and hold, and how you collect and hold it.
- The reasons or purposes for which you will collect, hold, use and disclose that personal information.
- Whether you disclose personal information to overseas entities.
The types of personal information collected may include:
- Phone numbers
- Email addresses
- IP addresses
- Access dates and times
The means by which information is collected include:
- Web forms
- Registration for an event or course
- Newsletter sign-up
- Placing an order
In terms of personal information handling procedures there are a few items to be on top of:
- Specific approaches, principles or commitments your company has decided to adopt for handling specific personal information. An example of this is:
  - “In relation to X process, the company will link personal information across business processes, or never do so, or only do so if the individual would expect it, or only with the individual’s consent, or only if not sensitive information, or only for X purpose.”
- Processes for identifying, assessing and managing privacy and security risk, as well as developing and monitoring controls for those risks
- Approaches to identifying and handling personal information your company no longer needs
- Processes for providing access to and correction of personal information
- Complaints handling procedures
- Policies for managing contractors when personal information may be disclosed.
- Scope: Describe what the policy applies to.
- Collection of personal information: Provide key information on what personal information is collected and why.
- Disclosure: Describe the key disclosures and the conditions around those disclosures.
- Rights and choices: Describe any rights and choices that individuals have, including the right to request access to, and correction of, personal information held about them.
- How to make a complaint: Describe how to make a complaint about privacy and what the complainant can do if they are not satisfied with the outcome.
Ensure that you include ways customers can contact your business.