Privacy Policy

Summary of the POV General Privacy Policy

Ten interrelated principles form the basis of Pacific Opera Victoria’s Privacy Policy. Each principle should be read in conjunction with the accompanying commentary.

POV is subject to the BC Personal Information Protection Act and to the independent oversight of the Information and Privacy Commissioner for BC.

Accountability for Personal Information
POV is responsible for personal information under its control and will designate an individual or individuals who are accountable for its compliance with the following principles.

Openness about Personal Information Policies and Practices
POV will make readily available to individuals specific information about its policies and practices relating to the management of personal information.

Identifying Purposes for Personal Information
POV will identify the purposes for which personal information is collected at or before the time the information is collected.
Consent for Personal InformationPOV requires the knowledge and consent of the individual for its collection, use, or disclosure of personal information, except where inappropriate or not required by law.
Limiting Collection of Personal Information
POV will limit its collection of personal information to that which is necessary for the purposes it has identified. It will collect information by fair and lawful means.
Limiting Use, Disclosure, and Retention of Personal Information
POV will not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information will be retained only as long as necessary for the fulfillment of those purposes.
Ensuring Accuracy of Personal Information
Personal information will be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
Safeguards for Personal Information
Personal information will be protected by security safeguards appropriate to the sensitivity of the information.
Individual Access to Personal Information
Upon request, POV will inform an individual of the existence, use, and disclosure of his or her personal information and will give access to that information. An individual will be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Challenging Compliance with the Privacy Policy
An individual will be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for POV’s compliance and to the Office of the BC Information and Privacy Commissioner.
1

Privacy Policy for Pacific Opera Victoria
Note: This privacy policy, approved by the Board of Directors of Pacific Opera Victoria on April 27, 2011, is based on Schedule 1 of the federal Personal Information Protection and Electronic Documents Act (PIPEDA), which is, in turn, based on the Canadian Standards Association’s Model Code for the Protection of Personal Information. POV, as a not-for-profit, is specifically subject to British Columbia’s Personal Information Protection Act (PIPA), which the federal government has deemed to be substantially similar to PIPEDA. Footnotes to this privacy policy quote the specific requirements of BC PIPA. POV is also subject to the independent oversight of the BC Information and Privacy Commissioner.
Summary of the POV General Privacy Policy
Ten interrelated principles form the basis of Pacific Opera Victoria’s Privacy Policy. Each principle should be read in conjunction with the accompanying commentary.
1. Accountability for Personal Information
POV is responsible for personal information under its control and will designate an individual or individuals who are accountable for its compliance with the following principles.
2. Openness about Personal Information Policies and Practices
POV will make readily available to individuals specific information about its policies and practices relating to the management of personal information.
3. Identifying Purposes for Personal Information
POV will identify the purposes for which personal information is collected at or before the time the information is collected.
4. Consent for Personal Information
POV requires the knowledge and consent of the individual for its collection, use, or disclosure of personal information, except where inappropriate or not required by law.
5. Limiting Collection of Personal Information
POV will limit its collection of personal information to that which is necessary for the purposes it has identified. It will collect information by fair and lawful means.
6. Limiting Use, Disclosure, and Retention of Personal Information
POV will not use or disclose personal information for purposes other than those for
1

which it was collected, except with the consent of the individual or as required by law. Personal information will be retained only as long as necessary for the fulfillment of those purposes.
7. Ensuring Accuracy of Personal Information
Personal information will be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
8. Safeguards for Personal Information
Personal information will be protected by security safeguards appropriate to the sensitivity of the information.
9. Individual Access to Personal Information
Upon request, POV will inform an individual of the existence, use, and disclosure of his or her personal information and will give access to that information. An individual will be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
10. Challenging Compliance with the Privacy Policy
An individual will be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for POV’s compliance and to the Office of the BC Information and Privacy Commissioner.
Introduction
Pacific Opera Victoria collects, uses, discloses, and retains personal information about individuals to employ and retain staff, consultants, artists, directors, designers, and musicians; to market its operatic productions and programs to the public; to conduct fundraising activities; to comply with legal requirements; and to manage its operations.
2

Principle 1 – Accountability for Personal Information
POV is responsible for personal information under its custody and/or control and will designate an individual or individuals who are accountable for its compliance with the following principles.1
1.1
Accountability for POV ‘s compliance with the principles rests with the designated individuals, even though other individuals within the organization may be responsible for the day-to-day collection and processing of personal information. In addition, other individuals within the organization may be delegated to act on behalf of the designated individual.
1.2
The identity of the individuals designated by POV to oversee its compliance with the principles will be made known upon request.
1.3
POV is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing.2 POV will use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.
1.4
POV will implement policies and practices to give effect to the principles, including
• • •
(a) implementing procedures to protect personal information;
(b) establishing procedures to receive and respond to complaints and inquiries;3
(c) training staff and communicating to staff information about its policies and practices; and
(d) developing information to explain its policies and procedures.4 Principle 2 – Identifying Purposes for Personal Information
POV identifies the purposes for which it collects personal information at or before the
1 BC PIPA, s. 4(3): “An organization must designate one or more individuals to be responsible for ensuring that the organization complies with this Act.” Contact information for this individual must be made available to the public. [s. 4(5)]
2 BC PIPA, s. 4(2): “An organization is responsible for personal information under its control, including personal information that is not in the custody of the organization.”
3 BC PIPA, s. 5: “An organization must … (b) develop a process to respond to complaints that may arise respecting the application of this Act….” Upon request, information about this complaint process must be made available.
4 BC PIPA, s. 5: “An organization must (a) develop and follow policies and practices that are necessary for the organization to meet the obligations of the organization under this Act.” Upon request, information about such policies and practices must be made available.

3

time the information is collected.5
2.1
POV documents the purposes for which personal information is collected in order to comply with the Openness principle (Clause 8) and the Individual Access principle (Clause 9).
2.2
Identifying the purposes for which personal information is collected at or before the time of collection allows POV to determine the information it needs to collect to fulfill these purposes. The Limiting Collection principle (Clause 4) requires POV to collect only that information necessary for the purposes that have been identified.
2.3
The identified purposes will be specified at or before the time of collection to the individual from whom the personal information is collected.6 Depending upon the way in which the information is collected, this can be done orally or in writing.7 A ticket or donation form, for example, may give notice of the purposes.
2.4
When personal information that has been collected is to be used for a purpose not previously identified, the new purpose shall be identified prior to use. Unless the new purpose is required by law, the consent of the individual is required before information can be used for that purpose.
2.5
Persons collecting personal information for POV will be able to explain to individuals the purposes for which the information is being collected.
5 BC PIPA governs “the collection, use and disclosure of personal information by organizations in a manner that recognizes both the right of individuals to protect their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.” (s. 2.) The standard of “reasonableness” is especially important. An “organization” includes a “not for profit” entity like POV.
6 BC PIPA, s. 8(3) provides that “An organization may collect, use or disclose personal information about an individual for specified purposes if (a) the organization provides the individual with a notice, in a form the individual can reasonably be considered to understand, that it intends to collect, use or disclose the individual’s personal information for those purposes, (b) the organization gives the individual a reasonable opportunity to decline within a reasonable time to have his or her personal information collected, used or disclosed for those purposes, (c) the individual does not decline, within the time allowed under paragraph (b), the proposed collection, use or disclosure, and (d) the collection, use or disclosure of personal information is reasonable having regard to the sensitivity of the personal information in the circumstances.” 7 BC PIPA, s. 10(1): “On or before collecting personal information about an individual from the individual, an organization must disclose to the individual verbally or in writing (a) the purposes for the collection of the information, and (b) on request by the individual, the position name or title and the contact information for an officer or employee of the organization who is able to answer the individual’s questions about the collection.”
4

Principle 3 – Consent for Personal Information
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.8
Note: In certain circumstances personal information can be collected, used, or disclosed without the knowledge and consent of the individual. For example, legal, medical, or security reasons may make it impossible or impractical to seek consent. When information is being collected as required or authorized by law, seeking the consent of the individual might defeat the purpose of collecting the information.
3.1
Consent is required for the collection of personal information and the subsequent use or disclosure of this information. Typically, POV will seek consent for the use or disclosure of the information at the time of collection. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected but before use (for example, when POV wants to use information for a purpose not previously identified).
3.2
The principle requires “knowledge and consent.” POV will make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes will be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.
3.3
POV will not, as a condition of the supply of a service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfill the explicitly specified and legitimate purposes.9
3.4
The form of the consent sought by POV may vary, depending upon the circumstances and the type of information. In determining the form of consent to use, POV will take into account the sensitivity of the information.
3.5
In obtaining consent, POV will also take account of the reasonable expectations of the individual.10
8 This consent requirement does not apply if “(a) the individual gives consent to the collection, use or disclosure, (b) this Act authorizes the collection, use or disclosure without the consent of the individual, or (c) this Act deems the collection, use or disclosure to be consented to by the individual.” BC PIPA, s. 6(2). 9 BC PIPA, s. 7(2): “An organization must not, as a condition of supplying a product or service, require an individual to consent to the collection, use or disclosure of personal information beyond what is necessary to provide the product or service.” Furthermore, “[i]f an organization attempts to obtain consent for collecting, using or disclosing personal information by (a) providing false or misleading information respecting the collection, use or disclosure of the information, or (b) using deceptive or misleading practices any consent provided in those circumstances is not validly given.” [s. 7(3)]
10 BC PIPA: s. 4(1): “In meeting its responsibilities under this Act, an organization must consider what a reasonable person would consider appropriate in the circumstances.”
5

3.6
The way in which POV seeks consent may vary, depending on the circumstances and the type of information collected. It should generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive.11
3.7
Individuals can give consent in many ways. For example:
(a) A POV ticket application form may be used to seek consent, collect information, and inform the individual of the uses that will be made of the information. By completing and signing the form, the individual is giving consent to the collection and the specified uses;
(b) A check off box may be used to allow individuals to request that their names and addresses not be given to other organizations. Individuals who do not check the box are assumed to consent to the transfer of this information to third parties;
(c) Consent may be given orally when information is collected over the telephone; or
(d) Consent may be given at the time that individuals use a service. 3.8
An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. POV will inform the individual of the implications of such withdrawal.12
Principle 4 – Limiting Collection of Personal Information
POV will limit the collection of personal information to that which is necessary for the purposes it has identified.13 Information will be collected by fair and lawful means.
11 BC PIPA provides for “implicit consent.” S. 8(1): “An individual is deemed to consent to the collection, use or disclosure of personal information by an organization for a purpose if (a) at the time the consent is deemed to be given, the purpose would be considered to be obvious to a reasonable person, and
(b) the individual voluntarily provides the personal information to the organization for that purpose.”
12 BC PIPA, s. 9: “Subject to subsections (5) and (6), on giving reasonable notice to the organization, an individual may withdraw consent to the collection, use or disclosure of personal information about the individual at any time. (2) On receipt of notice referred to in subsection (1), an organization must inform the individual of the likely consequences to the individual of withdrawing his or her consent. (3) An organization must not prohibit an individual from withdrawing his or her consent to the collection, use or disclosure of personal information related to the individual. (4) Subject to section 35 [“retention of personal information,”] if an individual withdraws consent to the collection, use or disclosure of personal information by an organization, the organization must stop collecting, using or disclosing the personal information unless the collection, use or disclosure is permitted without consent under this Act. (5) An individual may not withdraw consent if withdrawing the consent would frustrate the performance of a legal obligation….”
13 BC PIPA, s. 11 specifies “limitations on the collection of personal information: Subject to this Act, an organization may collect personal information only for purposes that a reasonable person would consider
6

4.1
POV will not collect personal information indiscriminately. Both the amount and the type of information collected will be limited to that which is necessary to fulfill the purposes identified. POV will specify the type of information collected as part of its information- handling policies and practices, in accordance with the Openness principle (Clause 8).
4.2
The requirement that personal information be collected by fair and lawful means is intended to prevent POV from collecting information by misleading or deceiving individuals about the purposes for which information is being collected. This requirement implies that consent with respect to collection must not be obtained through deception.
4.3
This principle is linked closely to the Identifying Purposes principle (Clause 2) and the Consent principle (Clause 3).
Principle 5 – Limiting Use, Disclosure, and Retention of Personal Information
Personal information will not be used or disclosed for purposes other than those for 14 which it was collected, except with the consent of the individual or as required by law. Personal information will be retained only as long as necessary for the fulfillment of those purposes.
5.1
If using personal information for a new purpose, POV will document this purpose (see Clause 2.1).
5.2
POV will develop guidelines and implement procedures with respect to the retention of personal information.15 These guidelines will include minimum and maximum retention
appropriate in the circumstances and that (a) fulfill the purposes that the organization discloses under section 10 (1), or (b) are otherwise permitted under this Act.”
14 BC PIPA, s. 14 provides for “limitations on use of personal information: Subject to this Act, an organization may use personal information only for purposes that a reasonable person would consider appropriate in the circumstances and that (a) fulfill the purposes that the organization discloses under section 10 (1), (b) for information collected before this Act comes into force, fulfill the purposes for which it was collected, or (c) are otherwise permitted under this Act.” Section 17 of BC PIPA provides for “limitations on disclosure of personal information: Subject to this Act, an organization may disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances and that (a) fulfill the purposes that the organization discloses under section 10 (1),
(b) for information collected before this Act comes into force, fulfill the purposes for which it was collected, or (c) are otherwise permitted under this Act.”
15 BC PIPA, s. 35(1) requires that if an organization “uses an individual’s personal information to make a decision that directly affects the individual, the organization must retain that information for at least one year after using it so that the individual has a reasonable opportunity to obtain access to it. (2) An organization must destroy its documents containing personal information, or remove the means by which the personal information can be associated with particular individuals, as soon as it is reasonable to assume that (a) the purpose for which that personal information was collected is no longer being served by retention of the personal information, and (b) retention is no longer necessary for legal or business purposes.”
7

periods. Personal information that has been used to make a decision about an individual will be retained long enough to allow the individual access to the information after the decision has been made. POV is subject to legislative and regulatory requirements with respect to retention periods.
5.3
Personal information that is no longer required to fulfill the identified purposes will be destroyed, erased, or made anonymous. POV will develop guidelines and implement procedures to govern the destruction of personal information.
5.4
This principle is closely linked to the Consent principle (Clause 3), the Identifying Purposes principle (Clause 2), and the Individual Access principle (Clause 9).
Principle 6 – Accuracy of Personal Information
Personal information will be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.16
6.1
The extent to which personal information will be accurate, complete, and up-to-date will depend upon the use of the information, taking into account the interests of the individual. Information will be sufficiently accurate, complete, and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about the individual.
6.2
POV will not routinely update personal information, unless such a process is necessary to fulfill the purposes for which the information was collected.
6.3
Personal information that is used on an ongoing basis, including information that is disclosed to third parties, will generally be accurate and up-to-date, unless limits to the requirement for accuracy are clearly set out.
Principle 7 – Safeguards for Personal Information
POV will protect personal information by security safeguards appropriate to the sensitivity of the information.17
7.1
The security safeguards will protect personal information against loss or theft, as well as
16 BC PIPA, s. 33 requires that an “organization must make a reasonable effort to ensure that personal information collected by or on behalf of the organization is accurate and complete, if the personal information (a) is likely to be used by the organization to make a decision that affects the individual to whom the personal information relates, or (b) is likely to be disclosed by the organization to another organization.”
17 BC PIPA, s. 34 stipulates that an “organization must protect personal information in its custody or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification or disposal or similar risks.”
8

unauthorized access, disclosure, copying, use, or modification. POV will protect personal information regardless of the format in which it is held.
7.2
The nature of the safeguards will vary depending on the sensitivity of the information that POV has collected, the amount, distribution, and format of the information, and the method of storage. More sensitive information will be safeguarded by a higher level of protection.
7.3
The methods of protection include
(a) physical measures, for example, locked filing cabinets and restricted access to offices;
(b) organizational measures, for example, security clearances and limiting access on a “need-to-know” basis; and
(c) technological measures, for example, the use of passwords and encryption. 7.4
POV will make its employees aware of the importance of maintaining the confidentiality of personal information.
7.5
Care will be used in the disposal or destruction of personal information to prevent unauthorized parties from gaining access to the information (see Clause 5.3).
Principle 8 – Openness about Personal Information Policies and Practices
POV will make readily available to individuals specific information about its policies and practices relating to the management of personal information.
8.1
POV will be open about its policies and practices with respect to the management of personal information. Individuals will be able to acquire such information without unreasonable effort. This information will be made available in a form that is generally understandable.
8.2
The information made available will include:
(a) the name or title, and the address, of the persons who are accountable for POV’s policies and practices and to whom complaints or inquiries can be forwarded;
(b) the means of gaining access to personal information held by POV;
(c) a description of the type of personal information held by POV, including a
9

general account of its use;
(d) a copy of any brochures or other information that explain POV ‘s policies, standards, or codes; and
(e) what personal information is made available to related organizations (e.g., business partners and service providers).
8.3
POV will make information on its policies and practices available in a variety of ways. For example, it may choose to make brochures available in its places of business, mail information to its clients, and provide online access.
Principle 9 – Individual Access to Personal Information
Upon request, an individual will be informed of the existence, use, and disclosure of his or her personal information and will be given access to that information.18 An individual will be able to challenge the accuracy and completeness of the information and have it amended as appropriate.19
Note: In certain situations, POV may not be able to provide access to all the personal information it holds about an individual. Exceptions to the access requirement will be limited and specific. The reasons for denying access will be provided to the individual upon request.20 Exceptions may include information that contains references to other individuals, information that cannot be disclosed for legal, security, or commercial proprietary reasons, and information that is subject to solicitor-client or litigation privilege.
18 BC PIPA, s. 23, stipulates that, subject to certain exceptions, e.g. solicitor client privilege, “on request of an individual, an organization must provide the individual with the following: (a) the individual’s personal information under the control of the organization; (b) information about the ways in which the personal information referred to in paragraph (a) has been and is being used by the organization; (c) the names of the individuals and organizations to whom the personal information referred to in paragraph (a) has been disclosed by the organization.”
19 BC PIPA, s. 24(1): “An individual may request an organization to correct an error or omission in the personal information that is (a) about the individual, and (b) under the control of the organization.
(2) If an organization is satisfied on reasonable grounds that a request made under subsection (1) should be implemented, the organization must (a) correct the personal information as soon as reasonably possible, and (b) send the corrected personal information to each organization to which the personal information was disclosed by the organization during the year before the date the correction was made.
(3) If no correction is made under subsection (2), the organization must annotate the personal information under its control with the correction that was requested but not made.”
20 BC PIPA, s. 30(1) describes the content of a response to an applicant: “In a response under section 28, if access to all or part of the personal information requested by the applicant is refused, the organization must tell the applicant (a) the reasons for the refusal and the provision of this Act on which the refusal is based, (b) the name, position title, business address and business telephone number of an officer or employee of the organization who can answer the applicant’s questions about the refusal, and (c) that the applicant may ask for a review under section 47 within 30 days of being notified of the refusal. (2) Despite subsection (1) (a), the organization may refuse in a response to confirm or deny the existence of personal information collected as part of an investigation.”
10

9.1
Upon request, POV will inform an individual whether or not the organization holds personal information about the individual and the sources of this information. It will allow the individual access to this information. In addition, POV will provide an account of the use that has been made, or is being made, of this information and an account of the third parties to which it has been disclosed.
9.2
An individual may be required to provide sufficient information to permit POV to provide an account of the existence, use, and disclosure of personal information.21 The information provided will only be used for this purpose.
9.3
In providing an account of third parties to which it has disclosed personal information about an individual, POV will attempt to be as specific as possible.
9.4
POV will respond to an individual’s request within a reasonable time and at minimal or no cost to the individual.22 The requested information will be provided or made available in a form that is generally understandable. For example, if POV uses abbreviations or codes to record information, an explanation will be provided.
9.5
When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, POV will amend the information as required. Depending upon the nature of the information challenged, amendment may involve the correction, deletion, or addition of information. With consent, the amended information will be transmitted to third parties having access to the information in question.
9.6
When a challenge is not resolved to the satisfaction of the individual, POV will record the substance of the unresolved challenge. When appropriate, the existence of the unresolved challenge will be transmitted to third parties having access to the information in question.
Principle 10 – Challenging Compliance with the Privacy Policy
An individual will be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for POV‘s compliance
21 BC PIPA, s. 27: “For an individual to obtain access to his or her personal information or to request a correction of his or her personal information, the individual must make a written request that provides sufficient detail to enable the organization, with a reasonable effort, to identify the individual and the personal information or correction being sought.” Under s. 28, POV has a duty to assist such individuals and to “make a reasonable effort (a) to assist each applicant, (b) to respond to each applicant as accurately and completely as reasonably possible….”
22 BC PIPA, s. 29(1): “Subject to this section, an organization must respond to an applicant not later than (a) 30 days after receiving the applicant’s request, or (b) the end of an extended time period if the time period is extended under section 31.” If fees are charged for access to non-employee personal information, they must be minimal [s. 32(2)].
11

and to the BC Information and Privacy Commissioner.
10.1
The individual accountable for POV ‘s compliance is discussed in Clause 1.1.
10.2
POV will put procedures in place to receive and respond to complaints or inquiries about its policies and practices relating to the handling of personal information. The complaint procedures will be easily accessible and simple to use.

10.3
POV will inform individuals who make inquiries or lodge complaints of the existence of relevant complaint procedures.

10.4
POV will investigate all complaints. If a complaint is found to be justified, it will take appropriate measures, including, if necessary, amending its policies and practices.
12