Privacy Policy

Our Association recognizes the importance of privacy and the sensitivity of personal information. Our Association also understands that under Federal Legislation, we are under an obligation to collect, retain, and disclose personal information only in accordance with the Privacy Act and Amendments and/or with the consent of our members. Our Privacy Policy outlines how we protect the members of our association and comply with our requirements under the Federal Privacy Act and Amendments.

“Personal information” includes home addresses, home telephone numbers, e-mail, and any other personal identification information such as social insurance numbers, medicare plan numbers, and other confidential information relating to our member’s references and criminal record checks, relevant to the person’s application for membership under the HNL Risk Management Policy.

The Association will collect only such information as is necessary for the purposes of identifying the member or applicant, obtaining accurate and up to date contact information for the member or applicant, and making the necessary screening inquiries of the member or applicant to process their initial application.

The Association is required to disclose personal information to the Branch and to Hockey Canada. This involves necessary disclosure only to those individuals within the Branch or the Hockey Canada authorized to receive and deal with such personal information as may be relevant in the circumstances.

The Association undertakes to, through its designated Privacy Officer, collect and store information in a confidential and secure fashion, including necessary safeguards for paper and electronic files. All personal information shall remain confidential unless the member or applicant consents to its release, OR if the Association is required or authorized by law to disclose the information to an identified agency or body or when it is necessarily incidental to the confirmation and otherwise authorized use of existing personal information. The Association also understands that it is under a duty to update personal information on a periodic basis for accuracy purposes.

The Association recognizes that the member is entitled to review his or her personal information in the possession of the Association unless denial of access is required or authorized by law, granting access would have an unreasonable impact on other people’s privacy, the information may relate to existing or anticipated legal proceedings against the member, or where the request is frivolous. In all other circumstances, the member is entitled to review the personal information on his or her file.

If a member is not satisfied with the response of the Association, the attention of the member shall be directed to the Privacy Commissioner of Canada at:

112 Kent Street Ottawa, ON K1A 1H3 1-800-282-1376

HOCKEY NEWFOUNDLAND & LABRADOR PRIVACY COMPLIANCE POLICY QUESTIONS & ANSWERS

Effective January 1st, 2004, all Private Associations in Canada are subject to the requirements of the Federal Privacy Act, and specifically the portion of the legislation referred to as PIPEDA (Personal Information Protection and Electronic Document Act). This piece of legislation is mandatory and any individual or organization which contravenes the Act can be prosecuted by the Office of the Privacy Commissioner. This could lead to your Association being fined and an investigation being conducted into the affairs of the Association. The fines range from a minimum of $10,000.00 to a maximum of $100,000.00, depending on the seriousness of the breach.

What is the purpose of the Privacy Amendments?

The purpose of these Amendments is to ensure that “personal information” pertaining to an individual is not distributed without that individual’s consent. The inspiration for the legislation was the emergence of Spam e-mail and unsolicited advertising.    Previously, when certain organizations came into the possession of the personal information of an individual, these organizations would identify that individual as part of a “target group” and sell the contact information to other interested parties.    The Federal Government is trying to protect individuals from being contacted by people they do not want to deal with, but the purpose of the Act is broader. The Act also prohibits the disclosure of personal information to anyone, however well intentioned, without explicit consents.

What is personal information?

“Personal information” includes virtually all an individual’s identifying information. The sole exception to this would be the person’s name and official title or position. You are also allowed to disclose a business address or business telephone number to third parties without obtaining their consent. You cannot disclose an individual’s home telephone number, home address or e-mail address without that person’s consent. Personal identification numbers such as social insurance numbers, MCP numbers, and other confidential information, and cannot be released to a third party.    In case of any doubt, you must presume that the release of any personal information is prohibited. Without the consent of the member or the member’s parent, you cannot disclose anything other than the player’s name, and the fact that the player or coach is registered with Association, and their position.

What does the Act require me to do?

The Act sets out a number of obligations. While these appear to be numerous, they are actually a matter of common sense when you understand the purpose of the Act. These principles have often been referred to as “the ten principles of Privacy” but they also come under three (3) relatively broad headings. Your Association must give thought to the (i) collection ;(ii) retention; and (iii) disclosure of personal information. Each of these will be discussed in turn, below.

 1. Collection of Personal Information

When obtaining personal information from a person, you must disclose and identify the purpose for which you are collecting that information. In an amateur hockey context, this is relatively straight forward, as we normally collect only the minimal information necessary to register and identify the player or official within the system. You must also assure the applicant or member that the Association will not use or distribute the information for any other purpose once the Association has that information on file.    A second consideration is to ensure that the information is updated regularly, such that it is accurate. From a functional point of view, this means you should have every individual within your system present a new Application for membership on an annual basis. It will no longer be acceptable to refer solely to the information on file. The Applicant will have to complete a new Application each year, thereby insuring the accuracy of the information. This practice will also be mandatory under Hockey Newfoundland & Labrador’s Risk Management Policy in any event.

2. Retention of Personal Information

Once the Association has collected an individual’s personal information, the association must store the information in a secure fashion. One of the instrumental tools in doing so is to designate a Privacy Officer within your Association for this purpose. It is usually most convenient to nominate your Registrar. While this formal step may seem excessive, it is one of the very first things which the Federal Privacy Commissioner will look for if your Association becomes the target of an investigation. If you have not demonstrated that you have trained someone, and appointed someone to be the Privacy Officer, this will lead to an almost irrefutable presumption that the Act is being neglected. The Privacy Officer must have a good working concept of why the information is being stored and when to release it to other people.

The Privacy Officer must also ensure that the Association is keeping personal information confidential. If your Association stores paper information in a central location, the membership and application forms of your members should be kept in a locked filing cabinet. If the information is on computer, you would be well advised to use password protection for the files relating to registration, and install security software where appropriate. If the computer upon which personal information is stored to prone to attack from hackers, or otherwise connected to the internet, it pays to have some form of anti-spy ware program for security installed in your computer. These are simple procedural steps which will convince the Privacy Commissioner that you are taking your obligations under the Act seriously, and these would be minimum requirements for compliance. Please also note that under the Privacy Act, an individual has the right to inspect his or her file on demand. As soon as it is reasonably practical, the Association will have to show the member the contents of his or her file so the individual can confirm the nature and accuracy of the information with the Association has in its possession.

3. Disclosure of Information

This, arguably, is the most important aspect of the Act. The very purpose of the Act is to ensure that an individual’s personal information does not fall in the wrong hands. This is partially to prevent identity theft, and also to prevent individuals from being harassed by unsolicited contacts. Your Privacy Officer must know when it is acceptable to release information. You must presume that the release of all information to third parties is not permitted unless explicitly authorized by the member. The easiest way to confirm authorization is to have the member and/or their guardian sign an explicit consent on the Application Form each year. A specific clause should be added to all your Registration or Application Forms for this purpose.

We have included the wording which Hockey NL will use on its forms for your review and reference. You may elect to use this wording or alternate wording if you have independent advice, or counsel, at your disposal.    If you have any doubt as to whether or not the member’s consent is broad enough to authorize the release of the information, you should not release the information. You must obtain a fresh consent from the member or guardian and obtain this in writing. Without having your authorizations in writing, you are risking a presumption that the Act is being systemically disregarded by your association.

What is required for the upcoming hockey season?

To implement Hockey NL’s Risk Management and Privacy Compliance Policy, every Association in the Province without exception is required to have every Applicant, and every existing member, of the Association complete a new Application Form, even if it is not your existing policy to do so. The Application Form of the Association must contain the consent clause and it must contain a statement along the lines of the one contained in the Hockey NL example.

You are also advised that Hockey NL will be implementing this policy at the Grand Falls-Windsor office, as Hockey NL itself is not exempt from the obligations of the Privacy Act. Hockey NL itself will now obtain virtually all the application information which the Associations currently possess. Hockey NL will itself be taking steps to safeguard hard copies and electronic versions of files containing personal information, as required by law. Hockey NL will also be appointing a Privacy Officer and will be using the consent protocol as indicated on the attached hand out. Each Minor Hockey Association is strongly urged to do the same. It is Hockey NL’s policy that Hockey NL will adhere to the provision of the Act, and is hereby placing the various Associations on notice if Associations do not do the same, they may be placing themselves at serious risk of prosecution or investigation under the Act.

It is important to adopt a privacy statement. Hockey NL will be adopting its own privacy statement which will be visibly posted in the part of the office where personal information is stored. This is a practice which the Workers’ Compensation Act has required in recent years. The Workers’ Compensation Commission requires all workplaces to post a Workplace, Safety Statement in a conspicuous area to continually re-enforce the message of Workplace, Health and Safety. If the Privacy Policy Statement is placed in a conspicuous area near the Application and Registration files, it will result in the Registrar and/or Privacy Officer to think twice before releasing the information and, in all likelihood, cause him or her to consult the Guidelines and Recommendations contained in the Act before doing so. While this process seems overly formalistic, it has been shown to work. The absence of the formulation and display of such a policy in a conspicuous place will likely cause a Federal Privacy Investigator to conclude that Privacy Act obligations are being neglected. This relatively simple and straight forward step can therefore go a considerable way in demonstrating that your Association was diligent in recognizing its obligations.

While these requirements seem overly formalistic and excessive compared to the familiar practice of gathering information, the formalities are intended to get organizations in the habit of understanding their obligations under the Act. It is a very foreign way of thinking that seems relatively absurd at first glance. However, the clear implication of the Privacy Act Amendments is the subject every Association in Canada is now held to a standard of confidentiality which they have never been subjected to before. There was not previously a high confidentiality expectation of volunteer organizations, but volunteer organizations are now caught under this new Canada – wide legislation. The overall purpose of the legislation, however broad, is to protect the members of our Associations from risk factors such as identity theft, and unsolicited marketing.

There is no right or wrong answer in any situation. If in doubt, please refer to the attached Article, the Act and Publications by the Privacy Commissioner which would be available on line. Ask questions in cases of doubt. The Deputy Privacy Commissioner of Canada recently gave a presentation on the Amendments in St. John’s, and admitted that he could not possibly tell everyone what to do in any given situation. His advice was to be reasonable and use common sense in each fact situation. If an Association is attempting to takes is obligations under the Act seriously, and can demonstrate that it has been doing so by taking the steps above, an Association should be able to demonstrate that it was exercising “due diligence” in trying to comply in the circumstances. Neither HNL nor any related Association is expected to know in advance the correct course of action in every circumstance. All the Act requires is that Organizations be aware their obligations and that reasonably, to the best of their judgment, in complying with it.

If there are any concerns arising out of this presentation, either before the start of the hockey season, or during the registration process, please feel free to contact Hockey NL. Since the Privacy Act policy and the new Hockey NL Risk Management Policies represent drastic departures from our usual procedures based on relatively recent developments. It is imperative that we attempt to implement procedures at the earliest possible opportunity, as it will avoid liabilities and confusion in the future.