1 - Accountability
Requires business to have a documented privacy policy that applies to both customer and employee personal information (PI).
2 - Identifying the Purpose
Requires business to identify the purpose for their collection and use of personal information.
3 - Obtain Consent
Requires business to receive consent from individuals to use, disclose, or collect their PI, and notify them in what instances their PI might be used or disclosed.
4 - Limiting Collection
Requires business to limit the amount and type of PI collected to only what is necessary for the identified purpose; limit the collection of SIN to a legally established purpose.
5 - Limiting Use, Disclosure, and Retention
Requires business to only use or disclose PI for the purpose it was collected for, unless additional consent has been given.
6 - Accuracy
Requires business to use reasonable efforts to make sure PI is accurate, complete, and current before using it for decision making.
7 - Safeguards
Requires business to adopt physical, technical, and administrative safeguards to protect PI from loss, theft, unauthorized access, disclosure, copying, use, or modification.
8 - Openness
Requires business to make policies and procedures about the management of PI available to individuals.
9 - Individual Access
Upon request, an individual must be informed of the existence, use, and disclosure of their personal information and be given access to that information.
10 - Challenging Compliance
Requires business to have policies and procedures to receive and respond to complaints or questions about how PI is handled by the business.