Saskatchewan Transportation Company Privacy Policy

Vision Statement

To protect the personal information entrusted to us and retain the trust of our stakeholders, STC will ensure that Privacy Management is an integral part of our business.

Introduction

In this age of Electronic storage and movement of information, more and more personal information on individuals is at risk. The Saskatchewan Transportation Company recognizes it has a responsibility to ensure the privacy of personal information entrusted to the company by its employees, customers, business partners, contractors and stakeholders.

This policy is designed to comply with all privacy related requirements:

  • The ten Canadian Standards Association CSA Principles of Privacy
  • The Cabinet directives contained in Cabinet Minute # 6168
  • Saskatchewan legislation ? The Freedom of Information and Protection of Privacy Act (FOIPP)
  • Federal legislation ? The Personal Information Protection and Electronic Documents Act (PIPEDA)

Principle 1 - Accountability

An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization?s compliance with the following principles.

  1. A member of corporate management is to be designated as the company?s Chief Privacy Officer, and that person?s activities will be assisted by the appointment of a Privacy Committee, with representation from each work unit. This Committee will chose from itself an individual empowered to act in the place of the Chief Privacy Officer when that individual is not available.
  2. This policy will be reviewed, on an annual basis, by the Privacy Committee, to ensure that it is up to date, and that it is in line with the vision statement.
  3. Employees will receive training in privacy requirements and a refresher program will be established, and made mandatory for employees.
  4. In those areas where procedures are not yet in place to meet the requirements of this policy, the company will have a period of six months from the adoption of the policy to put such procedures in place. Similarly, if the policy is amended in the future to require new procedures, the company will have a period of six months to ensure those procedures are in place.

Principle 2 - Identifying Purposes

The purpose for which information is collected shall be identified at or before the time the information is collected.

  1. Notices will be posted prominently in all areas where STC staff and the public meet to engage in business (ticket office, express counter, etc.), stating that STC has a policy for the protection of private information and that, in accordance with that policy, any private information that may be collected in the course of any transaction that occurs will be used only for the purpose of those transactions, and for no other purpose.
  2. A similar statement will be added to Charge Account/Credit Applications and to Charter Quote Sheets & Charter Confirmations.
  3. A similar statement will be included in all future Agency Agreements.
  4. A similar statement will be added to all personnel forms, such as offers of employment, enrollment in the Capital Pension Plan, etc.

Principle 3 - Consent

The knowledge and consent of the individual are required for the collection, use or disclosure of personal information except where required or permitted by law.

  1. STC will rely on implied consent in its business transactions, through the posting of our privacy statement.
  2. By including the statement on all other documents, STC will be relying on informed consent, where the signing of the document will be taken as consent.

Principle 4 - Limiting Collection

The collection of personal information shall be limited to that which is necessary for the purpose identified by the organization. Private information can include, but is not limited to, names, addresses, phone numbers, age, occupation, banking and credit information, monies paid, and employment records and personnel files. Information shall be collected by fair and lawful means.

Principle 5 - Limiting Disclosure, Use and Retention

Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law, statute, or the direction of the Government of Canada or the Government of Saskatchewan. Personal information shall be retained as long as necessary for the fulfillment of those purposes.

  1. STC will disclose private information, without prior consent to agents of the legal system (police, courts), when that information is to be used in the furtherance of a legitimate investigation. In these instances, the consent of the Chief Privacy Officer will be required.
  2. STC will disclose personal information to a third party on the basis of a written request by the individual whose private information is held by the company.
  3. Some information held by the company can be disclosed to those engaged in oversight of the company?s operations, such as auditors and legislative bodies.
  4. Information collected in the furtherance of business transactions will be retained only for the time period required to fulfill STC?s commitments for auditing purposes.
  5. Information in personnel files will be retained for the length of time required to fulfill commitments under the federal and provincial Labour Codes.

Principle 6 - Accuracy

Personal information shall be accurate, complete and up to date as is necessary for the purpose for which it is to be used.

Principle 7 - Safeguards

Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

  1. Each work unit will report to the Privacy Committee what safeguards it has in place to protect personal information it retains.
  2. The Privacy Committee can direct any work unit to make changes to improve how it safeguards personal information.
  3. Any changes or improvements to the safeguarding of private information, held either electronically or in paper files, will be reported to the Chief Privacy Officer, in writing.
  4. Privacy training and refresher courses will emphasize the need to physically safeguard any personal information.
  5. Any employee of STC who has concerns about whether or not some information should be privately held should contact the Chief Privacy Officer of the company.

Principle 8 - Openness

An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.

  1. STC?s Privacy Policy will be in place on the STC website, with a prominent ?link? from the home page.

Principle 9 - Individual Access

Upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given the access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

  1. Any individual can apply, in writing, to the Chief Privacy Officer, to review any private information regarding that individual, held by the company. The individual can challenge to accuracy of the information and make the case to the Chief Privacy Officer to have the information changed. If the change is warranted, it will be made.

Principle 10 - Challenging Compliance

An individual shall be able to address a challenge concerning compliance with the principles to the designated individual accountable for the organization?s compliance.

  1. The Chief Privacy Officer will hear all challenges to compliance with the policy. If the company has not been compliant, the shortcoming will be addressed immediately. If the individual is not satisfied with the actions taken by the Chief Privacy Officer, he or she will be referred to the Chief Privacy Officer for the Province of Saskatchewan for any further actions.

Enforcement

While it is hoped that most charges of non-compliance can be resolved without the imposition of formal penalties, that is not always the case.

Where an issue has been resolved amongst the parties involved, and the behavior does not continue, no form of sanction is required.

If the complaint is pursued through informal or consultative means, and an agreement is reached, a letter describing the situation and the settlement reached is placed in the employee?s file for a period of two years. Should no similar actions be warranted in that time period, the letter is removed from the files and destroyed.

A repeat of any such action must be dealt with by the privacy officer, in consultation with the union representative. The privacy officer has the final say in disciplinary action, but must not act without consultation. Penalties can include an official reprimand, a suspension or a termination, depending on the circumstances involved.

If the individual is not satisfied with the actions taken by the Chief Privacy Officer, they will be referred to the Chief Privacy Officer for the Province of Saskatchewan for any further actions.

No employee is to be subject to discipline for bringing a charge of non compliance which is not subsequently borne out by an investigation of the case, unless it can be shown that there was malicious intent in bringing the charge, in which case the employee could be subject to discipline.

If a complaint is not borne out, and there is no indication of malice, then the allegation, review and findings will have no effect on the career of either the complainant or the respondent.

Employees should be aware that, in some cases, violation of a person?s right to privacy of personal information could result in action being taken under either Federal or Provincial Statutes.
 
 
 
 
 
 
 
 
 
 

© Copyright 2007 - Saskatchewan Transportation Company
2041 Hamilton Street, Regina, SK
Canada   S4P 2E2
TEL: (306) 787-3340
http://www.stcbus.com
Contact Us | Privacy Policy