Personal Information Privacy Policy

Applicability
This policy applies to all Water Security Agency (WSA) employees as well as any contractors, vendors, or third parties who may act on behalf of the Water Security.

Policy Statement
WSA’s Privacy Policy provides guidance to WSA employees, contractors, vendors, or third parties for the interpretation, implementation, enforcement, and compliance of privacy obligations in accordance with the Act, the Regulations and is aligned with the Code’s ten fair information principles.

Background
As a Treasury Board Crown corporation, WSA is subject to The Freedom of Information and Protection of Privacy Act (the Act), as well as The Freedom of Information and Protection of Privacy Regulations (the Regulations) of Saskatchewan. The Act sets forth the statutory obligation of the WSA with respect to the handling of personal information and provides a strong legislative basis upon which to build privacy policies and procedures.

The Canadian Standards Association’s Model Code for the Protection of Personal Information (the Code) establishes ten fair information principles that form the ground rules for the collection, use and disclosure of personal and personal health information. These ten principles are appended at the end of this policy.

Policy Details

1. Privacy Training and Procedures
   All employees who have access to personal information receive training on the handling of such information. New employees receive training on privacy as a fundamental part of their initial company orientation. Additionally, employees are required to review the Privacy Policy on an annual basis as part of their Individual Work Plan renewal.
   
   All vendors, contractors, and/or third parties acting on behalf of WSA are expected to establish and follow effective procedures for the safe handling of personal information obtained through the contract in accordance with WSA’s Privacy Policy.
   
   WSA is committed to ensuring its employees, contractors, vendors, or third parties are informed of privacy policies and procedures and will reinforce the importance of privacy.
   
   
2. Policy Requirements
   
   Obtaining Personal Information
   WSA obtains personal information about individuals directly from those individuals. WSA may obtain information from another source with the individual’s consent. The personal information obtained shall be limited to the necessary purposes as identified by WSA.
   
   Wherever possible, WSA will obtain express consent for the collection and use of personal information. Written consent is required for disclosure of personal information unless disclosure is permitted or required by law.
   
   Individuals may withhold personal information in part or in whole; however, individuals should understand that such a choice may affect the ability of WSA to provide services either initially or on an ongoing basis.
   
   Use of and Access to Personal Information
   Personal information must only be used for the purpose for which it was collected. Employee access to personal information must be on a foundation of role-based permission.
   
   Upon request, individuals can review, verify, and/or update their personal information held by the WSA. There may be a charge to obtain the information requested.
   
   Releasing Personal Information
   WSA will only disclose personal information where disclosure to a third party is necessary to provide WSA programs and services and where that third party is bound to meet the standards set in this Privacy Policy.
   
   Personal information will not be disclosed where it is exempt from disclosure or disclosure is prohibited by law. Should WSA be unable to provide access to personal information, an explanation will be provided.
   
   Where WSA uses contractors, vendors, or third parties to provide services to WSA or to WSA clients that require access to and use of personal information, contracts will be executed requiring privacy at the same or a higher standard required by WSA. Where required, confidentiality provisions will be incorporated into contracts WSA executes with these contractors, vendors, or third parties.
   
   Safeguards
   WSA will take precautions to ensure the safeguarding of personal information, whether stored electronically or in paper format.
   
   Controls are in place to protect against unauthorized use, alteration, duplication, destruction, disclosure, loss, theft, or unauthorized access to personal information.
   
   WSA utilizes physical, organizational, and electronic security for personal information using secure locks on filing cabinets and doors, restricted access to information processing and storage areas, system partitioning, password protection, pass keys to secure areas and encryption of transmitted data, among others.
   
   The duty to protect, as outlined in the Act and the Regulations, ensures personal information about an identifiable individual that is recorded in any form within WSA is protected. In the event of unauthorized access, loss, modification, or improper disclosure of personal information (a breach), WSA has developed strategies to mitigate potential harm and prevent recurrence.
   
   See WSA’s Privacy Breach Response Procedure for more information.
   
   Retention and Disposition of Personal Information
   WSA shall ensure appropriate destruction, deletion or disposition of documents containing personal information per The Archives and Public Records Management Act.

Definitions
Personal information is information about an identifiable individual that is recorded in any form (see subsection 24(1) of the Act for further detail). The individual may be a client, employee, or any other person in respect to whom WSA has obtained personal information. Employees, contractors, vendors, or third parties must be aware that, despite the fact that some personal information is widely available (name, address, phone number, etc.) this does not lessen the responsibility to protect its collection, use and disclosure.

References
The Freedom of Information and Protection of Privacy Act
The Freedom of Information and Protection of Privacy Regulations
The Archives and Public Records Management Act
Canadian Standards Association Privacy Code

Contact
Program Manager, Records and Access to Information and Privacy

Water Security Agency’s Privacy Principles

1. Accountability
   Water Security Agency (WSA) is responsible for personal information under its control and shall designate an individual or individuals who are accountable for WSA’s compliance with the following principles.
2. Identifying Purposes
   The purposes for which personal information is collected shall be identified by WSA at or before the time the information is collected.
3. Consent
   The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
4. Limiting Collection
   The collection of personal information shall be limited to that which is necessary for the purposes identified by WSA. Information shall be collected by fair and lawful means.
5. Limiting Use, Disclosure, and Retention
   Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.
6. Accuracy
   Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
7. Safeguards
   Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
8. Openness
   WSA shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
9. Individual Access
   Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
10. Challenging Compliance
    An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for WSA’s compliance.