Ten Privacy Principles

Last updated on August 22, 2023
  1. Identify purpose
  2. Limit collection
  3. Get consent
  4. Limit use, disclosure and retention
  5. Reasonable security
  6. Be accountable
  7. Be open and transparent
  8. Ensure accuracy
  9. Right of access and correction
  10. Provide recourse

Identify Purpose

You must identify in writing: the purpose for which you are collecting personal information, the legal authority and the contact information of someone who can answer questions about the collection, unless an exception applies. Find help here (PDF).

Limit Collection

Do not collect personal information indiscriminately or without a legal authority. Information must be necessary to fulfill identified purposes, and be reasonable and appropriate. Find your collection authority here (PDF).

Get Consent

Secure consent as a means to use or disclose personal information for secondary purposes. Consent must be written and explicit. There are some specific circumstances where consent is not required. Find more here.

Limit Use, Disclosure & Retention

You may use or disclose personal information for the purposes identified when it was collected, or another reason authorized by FOIPPA. For new uses, get consent. Find your use (PDF) and disclosure (PDF) authorities here.

Limit Retention

Personal information used to make a decision about an individual must be retained for at least one year. Information must be destroyed in accordance with any applicable records retention schedules. Find your Records Officer here.

Reasonable Security

You must make reasonable security arrangements to protect personal information. Measures should be appropriate and proportional to the sensitivity of the information. Consideration should be given to physical, technical and procedural measures. Find your MISO here.

Be Accountable

Be responsible for all personal information under your control, including contractors’ records. Be aware of who your Ministry Privacy Officer is. Find your MPO here.

Be Open & Transparent

Routinely release any records that can be regularly provided to the public. Proactively disclose any records that will be of interest to the public. Consult with Information Access Operations on these processes. Find the Open Information Open Data Policy here (PDF).

Ensure Accuracy

You must make a reasonable effort to ensure personal information collected is accurate and complete if it will be used to make a decision affecting the individual it is about. Learn more about this requirement here.

Right of Access & Correction

Individuals have a right to access their own personal information, or have that information corrected. Be aware of the FOI process, and direct any requests to Information Access Operations immediately.

Provide Recourse

If you receive a complaint about how an individual’s personal information has been handled, direct it to the Corporate Privacy Office immediately, via the breach reporting line: 7-7000, option 3. Learn more here.
