The Marketing Research and Intelligence Association
Privacy Code
Introduction
At the MRIA, respecting privacy has always been important to us and is
why we have developed The MRIA Privacy Code. The MRIA Privacy Code is a
statement of principles and guidelines regarding our management of personal
information. The objective of The MRIA Privacy Code is to promote responsible
and transparent personal information management practices in a manner consistent
with the provisions of applicable privacy laws such as the Personal Information
Protection and Electronic Documents Act (Canada). The MRIA will continue
to review The MRIA Privacy Code to make sure that it remains current with
changing industry standards, technologies and laws.
Summary of Principles
Principle 1 - Accountability
The MRIA is responsible for personal information under its control and will
designate one or more persons who are accountable for the MRIA's compliance
with the following principles.
Principle 2 - Identifying Purposes for Collection of Personal Information
The MRIA will identify the purposes for which personal information is
collected at or before the time the information is collected.
Principle 3 - Obtaining Consent for Collection, Use or Disclosure
of Personal Information
The knowledge and consent of an individual are required for the collection,
use or disclosure of personal information, except where exempted by applicable
law.
Principle 4 - Limiting Collection of Personal Information
The MRIA will limit the collection of personal information to that which
is necessary for the purposes identified by the MRIA. The MRIA will collect
personal information by fair and lawful means.
Principle 5 - Limiting Use, Disclosure, and Retention of Personal
Information
The MRIA will not use or disclose personal information for purposes
other than those for which it was collected, except with the consent of
the individual or as required or permitted by law.
Principle 6 - Accuracy of Personal Information
Personal information will be as accurate, complete, and up-to-date as
is necessary for the purposes for which it is to be used.
Principle 7 - Security Safeguards
The MRIA will protect personal information by security safeguards appropriate
to the sensitivity of the information.
Principle 8 - Openness Concerning Policies and Procedures
The MRIA will make readily available to individuals specific information
about its policies and procedures relating to the management of personal
information.
Principle 9 - Access to Personal Information
The MRIA will inform an individual of the existence, use, and disclosure
of his or her personal information upon request and will provide the individual
access to that information. An individual will be able to challenge the
accuracy and completeness of the information and have it amended as appropriate.
Principle 10 - Challenging Compliance
An individual will be able to address a challenge concerning compliance
with the above principles to the designated person or persons accountable
for the MRIA's compliance with The MRIA Privacy Code.
Scope and Application
The ten principles that form the basis of The MRIA Privacy Code are
interrelated and the MRIA will adhere to the ten principles as a whole.
Each principle should be read in conjunction with the accompanying commentary.
As permitted by applicable privacy laws such as the Personal Information
Protection and Electronic Documents Act (Canada), the commentary in
The MRIA Privacy Code has been drafted to reflect personal information issues
specific to the MRIA.
The scope and application of The MRIA Privacy Code are as follows:
- The MRIA Privacy Code applies to personal information collected, used,
or disclosed by the MRIA.
- The MRIA Privacy Code applies to the management of personal information
in any form whether oral, electronic or written.
- The MRIA Privacy Code does not impose any limits on the collection,
use or disclosure of the following information by the MRIA:
(a) as per applicable privacy laws, certain business contact information
such as an individual's name, title, business address or telephone number;
(b) other information about an individual that is publicly available and
is specified by regulation pursuant to applicable law; or
(c) as otherwise exempted by The MRIA Privacy Code and/or applicable law.
- The MRIA Privacy Code will not typically apply to information regarding
organizations that deal with the MRIA. However, such information may be
protected by other MRIA policies and procedures or through contractual
arrangements.
- The application of The MRIA Privacy Code is subject to the requirements
and provisions of the Personal Information Protection and Electronic
Documents Act (Canada), the regulations enacted thereunder, and other
applicable legislation or regulation.
Definitions
MRIA: The Marketing Research and Intelligence Association and
its chapters.
collection: The act of gathering, acquiring, recording, or obtaining
personal information from any source, including third parties, by any means.
consent: Voluntary agreement for the collection, use and disclosure
of personal information for defined purposes. Consent can be either express
or implied and can be provided directly by the individual or by an authorized
representative. Express consent can be given orally, electronically or in
writing, but is always unequivocal and does not require any inference on
the part of the MRIA. Implied consent is consent that can reasonably be
inferred from an individual's action or inaction.
disclosure: Making personal information available to a third party
that is not an agent of the MRIA.
employee: An employee of or an independent contractor to the MRIA.
individual: An employee, volunteer, member or non-member.
member: A natural person who is a member of the MRIA.
non-member: A natural person who is not a member of the MRIA who
purchases or otherwise acquires or uses any of the MRIA's products or services
or otherwise provides personal information to the MRIA in the course of
the MRIA's commercial activities.
personal information: Information about an identifiable individual,
but does not include the name, title, business address or telephone number
of an employee of an organization.
third party: An individual or organization outside of the MRIA.
use: The treatment, handling, and management of personal information
by and within the MRIA or by a third party with the knowledge and approval
of the MRIA.
volunteer: A natural person who volunteers for the MRIA.
The MRIA Privacy Code in Detail
Principle 1 - Accountability
The MRIA is responsible for personal information under its control
and will designate one or more persons who are accountable for the MRIA's
compliance with the following principles.
1.1 Responsibility for compliance with the provisions of The MRIA Privacy
Code rests with the MRIA Privacy Officer who can be reached at (905) 602-6854
or via info@mria-arim.ca.
Other individuals within the MRIA may be delegated to act on behalf of The
MRIA Privacy Officer or to take responsibility for the day-to-day collection
and/or processing of personal information.
1.2 The MRIA will make known, upon request, the title of the person or
persons designated to oversee the MRIA's compliance with The MRIA Privacy
Code.
1.3 The MRIA is responsible for personal information in its possession
or control. The MRIA will use contractual or other means to provide a comparable
level of protection while information is being processed or used by a third
party.
1.4 The MRIA implements policies and procedures to give effect to The
MRIA Privacy Code, including:
(a) implementing procedures to protect personal information and to oversee
the MRIA's compliance with The MRIA Privacy Code;
(b) implementing procedures to receive and respond to complaints or
inquiries;
(c) training employees and volunteers, as appropriate, to understand
and follow The MRIA Privacy Code;
(d) developing information materials to explain The MRIA Privacy Code;
and
(e) reviewing on an annual basis the effectiveness of the policies and
procedures to facilitate compliance with The MRIA Privacy Code and consideration
of any revisions as deemed appropriate.
Principle 2 - Identifying Purposes for Collection of Personal Information
The MRIA will identify the purposes for which personal information
is collected at or before the time the information is collected.
2.1 The MRIA collects personal information only for the following purposes:
(a) to identify individuals;
(b) to establish, maintain, communicate and renew membership in the
MRIA;
(c) to advertise, develop, enhance and provide member services and products;
(d) to measure and improve the effectiveness of the MRIA's services,
products and marketing endeavours;
(e) to manage and develop the MRIA's operations, including personnel
and employment matters;
(f) to manage the MRIA Qualitative Central member service;
(g) to protect the MRIA against error and fraud; and
(h) to meet legal and regulatory requirements.
Further references to "identified purposes" mean the purposes
identified in this Principle.
2.2 Upon request, persons collecting personal information will explain
these identified purposes or refer the individual to a designated person
within the MRIA who can explain the purposes.
2.3 When personal information that has been collected is to be used or
disclosed for a purpose not previously identified, the new purpose will
be identified prior to use. Unless otherwise permitted or required by law,
the consent of the individual will be acquired before the information will
be used or disclosed for the new purpose.
2.4 The MRIA will document the purposes for which personal information
is collected prior to the information being collected.
2.5 The MRIA will make reasonable efforts to ensure that individuals
are aware of the purposes for which personal information is collected, including
any disclosures to third parties.
Principle 3 - Obtaining Consent for Collection, Use or Disclosure
of Personal Information
The knowledge and consent of an individual are required for the collection,
use or disclosure of personal information, except where exempted by applicable
law. In certain circumstances personal information can be collected, used
or disclosed without the knowledge and consent of the individual.
3.1 In obtaining consent, the MRIA will use reasonable efforts to ensure
that, where non-obvious, an individual is advised of the purposes for which
personal information will be used or disclosed. The identified purposes
will be stated in a manner that can be reasonably understood by the individual.
3.2 Generally, the MRIA will seek consent to use and disclose personal
information at the same time it collects the information. However, the MRIA
may seek consent to use and/or disclose personal information after it has
been collected, but before it is used and/or disclosed for a new purpose.
3.3 The MRIA may require individuals to consent to the collection, use
and/or disclosure of personal information as a condition of the supply of
a product or service only if such collection, use and/or disclosure are
required to fulfill the explicitly specified and legitimate identified purposes.
3.4 In determining the appropriate form of consent, the MRIA will take
into account the sensitivity of the personal information and the reasonable
expectations of the individual.
3.5 The purchase or use of products and/or MRIA services by a member
or non-member, or the acceptance of employment or benefits by an employee,
may constitute implied consent for the MRIA to collect, use and disclose
personal information for the identified purposes, including communicating
with the individual.
3.6 An individual may withdraw consent at any time, subject to legal
or contractual restrictions, provided that reasonable notice of withdrawal
of consent is provided to the MRIA and the withdrawal of consent is in writing
and includes understanding by the individual that withdrawal of consent
could mean that the MRIA cannot provide the individual with a related product
or service. Individuals may contact the MRIA for more information regarding
the implications of withdrawing consent.
3.7 The MRIA may collect, use or disclose personal information without
knowledge or consent if it is clearly in the interests of the individual
and consent cannot be obtained in a timely way, such as when the individual
is seriously ill or mentally incapacitated.
3.8 The MRIA may collect, use or disclose personal information without
knowledge or consent if seeking the consent of the individual might defeat
the purpose of collecting, using or disclosing the information, such as
in the investigation of a breach of an agreement or a contravention of a
law.
3.9 The MRIA may collect, use or disclose personal information without
knowledge or consent in the case of an emergency where the life, health
or security of an individual is threatened.
3.10 The MRIA may use or disclose personal information without knowledge
or consent to a lawyer representing the MRIA, to collect a debt, to comply
with a subpoena, warrant or other court order, or as may be otherwise required
or authorized by law.
Principle 4 - Limiting Collection of Personal Information
The MRIA will limit the collection of personal information to that
which is necessary for the purposes identified by the MRIA. The MRIA will
collect personal information by fair and lawful means.
4.1 The MRIA typically collects personal information directly from members,
non-members, volunteers and employees.
4.2 The MRIA may also collect personal information from other sources
including credit bureaus, employers or personal references, or other third
parties who represent that they have the right to disclose the information.
Principle 5 - Limiting Use, Disclosure, and Retention of Personal
Information
The MRIA will not use or disclose personal information for purposes
other than those for which it was collected, except with the consent of
the individual or as required or permitted by law. The MRIA will retain
personal information only as long as necessary for the fulfillment of those
purposes.
5.1 The MRIA may disclose an individual's personal information to:
(a) a member who has the authority to access such personal information
from the MRIA Qualitative Central member service;
(b) a new association, in the event that the MRIA should merge to form
a new association;
(c) a third party who in the reasonable judgment of the MRIA is seeking
the information as an agent of the individual;
(d) a third party involved in supplying the individual with MRIA products
or services;
(e) a third party engaged by the MRIA to perform functions on its behalf;
(f) a third party engaged by the MRIA for the development, enhancement,
marketing or provision of any of the MRIA's products or services;
(g) a third party engaged by the MRIA to collect the member's or non-member's
account;
(h) a credit reporting agency;
(i) a public authority or agent of a public authority if, in the reasonable
judgment of the MRIA, it appears that there is imminent danger to life
or property which could be avoided or minimized by disclosure of the information;
or
(j) a third party or parties, where the individual consents to such
disclosure or disclosure is required or permitted by law.
5.2 In addition to the purposes identified in 5.1 of The MRIA Privacy
Code, the MRIA may disclose personal information about an individual who
is an employee:
(a) for normal personnel and benefits administration, such as the initiation,
management or termination of the employment relationship; or
(b) in the context of providing references regarding current or former
employees in response to requests from prospective employers.
5.3 Only the MRIA's employees or volunteers with a business need-to-know,
or whose duties reasonably so require, are granted access to personal information
about members and employees.
5.4 The MRIA will keep personal information only as long as it remains
necessary or relevant for the identified purposes or as required by law.
Depending on the circumstances, where personal information has been used
to make a decision about an individual, the MRIA will retain, for a period
of time that is reasonably sufficient to allow for access by the individual,
either the actual information or the rationale for making the decision.
5.5 The MRIA will maintain reasonable and systematic controls, schedules
and practices for information and records retention and destruction that
apply to personal information that is no longer necessary or relevant
for the identified purposes or required by law to be retained. Such information
will be destroyed, erased or made anonymous.
Principle 6 - Accuracy of Personal Information
Personal information will be as accurate, complete, and up-to-date
as is necessary for the purposes for which it is to be used.
6.1 Personal information used by the MRIA will be sufficiently accurate,
complete, and up-to-date to minimize the possibility that inappropriate
information may be used to make a decision about an individual.
6.2 The MRIA will update personal information about individuals as necessary
to fulfill the identified purposes or upon notification by the individual.
Principle 7 - Security Safeguards
The MRIA will protect personal information by security safeguards
appropriate to the sensitivity of the information.
7.1 The MRIA will protect personal information against such risks as
loss or theft, unauthorized access, disclosure, copying, use, modification
or destruction, through appropriate security measures, regardless of the
format in which it is held.
7.2 The MRIA will protect personal information disclosed to third parties
by contractual or other means to safeguard the confidentiality of the information
and the purposes for which it is to be used.
7.3 All of the MRIA's employees and volunteers with access to personal
information will be contractually required to respect the confidentiality
of that information.
7.4 The nature of the safeguards will vary depending on the sensitivity,
amount, distribution and format of the information, and the method of storage.
More sensitive information will be safeguarded by a higher level of protection.
7.5 The methods of protection will include:
(a) physical measures, for example, locked filing cabinets and restricted
access to offices;
(b) organizational measures, for example, controlling entry to data
centers and limiting access to information on a "need-to-know"
basis;
(c) technological measures, for example, the use of passwords and encryption;
and
(d) investigative measures, in cases where the MRIA has reasonable grounds
to believe that personal information is being inappropriately collected,
used or disclosed.
Principle 8 - Openness Concerning Policies and Procedures
The MRIA will make readily available to individuals specific information
about its policies and procedures relating to the management of personal
information.
8.1 The MRIA will make information about its policies and procedures
easy to understand, including:
(a) the title and address of the person or persons accountable for the
MRIA's compliance with The MRIA Privacy Code and to whom inquiries and/or
complaints can be forwarded;
(b) the means of gaining access to personal information held by the
MRIA;
(c) a description of the type of personal information held by the MRIA,
including a general account of its use; and
(d) a description of what personal information is made available to
third parties.
Principle 9 - Access to Personal Information
The MRIA will inform an individual of the existence, use, and disclosure
of his or her personal information upon request and will provide the individual
access to that information except where inappropriate. An individual will
be able to challenge the accurateness and completeness of the information
and have it amended as appropriate.
9.1 Upon request, the MRIA will afford individuals a reasonable opportunity
to review personal information in the custody of the MRIA. Personal information
will be provided in understandable form within a reasonable time, and at
minimal or no cost to the individual.
9.2 In certain situations, the MRIA may not be able to provide access
to all the personal information that it holds about an individual. For example,
the MRIA may not provide access to information if doing so would likely
reveal personal information about a third party, such as another individual,
or could reasonably be expected to threaten the life or security of another
individual. Also, the MRIA may not provide access to information if disclosure
would reveal confidential commercial information, if the information is
protected by solicitor-client privilege, if the information was generated
in the course of a formal dispute resolution process, or if the information
was collected in relation to the investigation of a breach of an agreement
or a contravention of the laws of Canada or a province.
9.3 Upon request, the MRIA will provide an account of the use and disclosure
of personal information and, where reasonably possible, will state the source
of the information. In providing an account of disclosure, the MRIA will
provide a list of third parties to which it may have disclosed personal
information about the individual when it is not possible to provide an actual
list.
9.4 In order to safeguard personal information, an individual will be
required to provide sufficient identification information to permit the
MRIA to account for the existence, use and disclosure of personal information
and to authorize such access. Any such information will be used only for
this purpose.
9.5 The MRIA will promptly correct or complete any personal information
found to be inaccurate or incomplete. Any unresolved differences as to accuracy
or completeness will be noted by the MRIA. Where appropriate, the MRIA will
transmit to third parties having access to the personal information in question
any amended information or the existence of any unresolved differences.
9.6 Individuals can obtain information or seek access to their personal
information by contacting the MRIA Privacy Officer.
Principle 10 - Challenging Compliance
An individual will be able to address a challenge concerning compliance
with the above principles to the designated person or persons accountable
for the MRIA's compliance with The MRIA Privacy Code.
10.1 The MRIA will maintain procedures for addressing and responding
to all inquiries or complaints from individuals regarding the MRIA's handling
of personal information.
10.2 The MRIA will inform individuals about the existence of these procedures
as well as the availability of complaint procedures.
10.3 The person or persons accountable for compliance with The MRIA Privacy
Code may seek external advice where appropriate before providing a final
response to individual complaints.
10.4 The MRIA will investigate all complaints concerning compliance with
The MRIA Privacy Code. If a complaint is found to be justified, the MRIA
will take appropriate measures to resolve the complaint including, if necessary,
amending its privacy policies and procedures. An individual will be informed
of the outcome of the investigation regarding his or her complaint.
Additional Information
For more information regarding The MRIA Privacy Code, please contact
the MRIA Privacy Officer at (905) 602-6854 or via info@mria-arim.ca.
Access requests, inquiries or complaints should be addressed in writing
to:
The Marketing Research and Intelligence Association
2600 Skymark Avenue, Bldg 4, Suite 104
Mississauga ON L4W 5B2
905-602-6854
1-888-602-6742
Attention: Privacy Officer
Please visit the Privacy Commissioner of Canada's web site at www.privcom.gc.ca.
NOW AVAILABLE FOR ONLINE VIEWING:
Recordings of the Privacy Officer's Forum Webinar Series
MRIA Privacy Officers Forum: Kick-Off Webinar - June 17, 2009
Chaired by MRIA President David W. Stark, CIPP, MRIA's first Privacy Officers Forum Webinar was held Wednesday, June 17. It was designed for privacy officers, general/corporate counsel, online panel managers and anyone working on the agency or client side who has an interest in privacy topics.
Access to this Recording can be purchased through the MRIA Portal.
$50 for members | $70 for non-members
MRIA Privacy Officers Forum - April 30th 2010
Building on the success of our first Privacy Officers Forum held in June 2009, Guest Speaker Elizabeth Denham, Assistant Privacy Commissioner of Canada presented recent cases, court decisions, and technological developments that have privacy implications for marketing research organizations.
Access to this Recording can be purchased through the MRIA Portal.
$50 for members | $70 for non-members
The above is also available for downloading and printing in PDF format.