Protection of Privacy Policy
The City’s Protection of Privacy Administration Policy reflects our commitment to transparency, openness and accountability when it comes to protecting personal information. It is supported by other Administration policies and programs that guide responsible and consistent decision-making and practices across the organization.
About the policy
The Protection of Privacy Administration Policy was created to guide The City's approach to privacy management.
Purpose
This policy explains the roles, responsibilities and principles that govern how The City handles personal information, data derived from personal information and non-personal data.
It covers how information and data is collected, used, shared, kept accurate, stored and protected.
The policy also shows The City's commitment to access and privacy compliance under the Protection of Privacy Act (POPA), and helps communicate that commitment to City Administration and the public to build trust and confidence.
The City is committed to protecting all information and data and uses reasonable security measures to prevent things like unauthorized access, collection, use, sharing or destruction.
However, there may be times when these security measures are not enough, and a privacy incident occurs.
As part of its commitment to privacy, The City is transparent about practices for addressing and responding to privacy concerns and complaints.
The policy also includes a privacy incident response protocol (Schedule 1), which outlines roles, responsibilities and what steps must be taken if there is a suspected or confirmed privacy incident.
Legal foundation
Rooted in POPA, the policy ensures a solid legal foundation for our privacy practices and sets clear expectations for compliance with legislative requirements.
Frequently asked questions
What is the purpose of the Protection of Privacy Administration Policy?
When Calgarians share personal information with The City, it is our legal responsibility to keep it safe and secure. This policy is designed to ensure that we do this in compliance with the Protection of Privacy Act (POPA). The policy outlines principles, responsibilities, and our protocol in the event of a privacy incident.
What kind of information does the policy cover?
The policy covers any recorded information about an identifiable individual, including but not limited to:
- name
- address
- telephone number
- race
- age
- health information
It addresses how this kind of information is collected, used, and protected.
How will I be informed if my personal information is collected?
When your personal information is collected directly from you, we will provide notice regarding the purpose for collection, legal authority, and a City contact for any questions.
How does the policy ensure the accuracy of personal information?
The City commits to making reasonable efforts to ensure the accuracy of personal information is used to make decisions affecting individuals. People also have the right to access and request corrections to their personal information, subject to POPA limitations.
What is privacy compliance and risk assessment engagement?
Privacy compliance and risk assessment engagement introduces a new screening tool called Privacy Risk Questionnaire (PRQ). The PRQ is used to initiate privacy compliance and risk assessment engagement with the corporate privacy team when a new, or a substantial change to an existing, administrative practice, program, project or service involves the collection, use or disclosure of personal information.
A privacy impact assessment (PIA) should be completed if The City's practice, program, project or service meets POPA and ministerial regulation requirements. A PIA highlights high-risk issues, prompting consideration of alternative technologies, products or service designs, potentially saving time, cost and preventing privacy incidents.
For more information, contact your business unit Access and Privacy Program Administrator (APPA) or visit Privacy Impact Assessment (employee portal access required).
What happens in the event of a privacy incident?
There may be times when The City’s reasonable security safeguards (administrative, technical and/or physical) may be compromised, inadequate, missing or subject to malice and a privacy incident occurs. The privacy incident response protocol (Schedule 1 - page 10) of the Protection of Privacy Policy outlines the process for managing suspected or actual privacy incidents. The City will investigate, respond and take necessary actions to mitigate the impact.
How can I report a privacy incident or express concerns?
If you suspect a privacy incident or have concerns, use the Privacy Incident Form (available on the employee portal). You can also contact a Privacy Officer at accessandprivacy@calgary.ca or follow the reporting process outlined in the privacy incident response protocol.