SCMA will strive to ensure that the personal information it manages in the conduct of its business is protected.
To protect personal information, and assure individuals of this protection, this policy establishes procedures enabling SCMA™ to comply with the federal Personal Information Protection and Electronic Documents Act (PIPEDA).
Scope (to whom does this apply)
This policy addresses the protection of personal information of current and former members (including volunteers), program participants, customers and other individuals whose personal information is collected.
Policy Details, Interpretation & Administration
SCMA collects and uses Personal Information (such as name, address, telephone number, academic transcripts and membership status) for the following purposes:
- recording and determining the various services to be provided to members generally;
- evaluating and re-evaluating the goods, services, needs and preferences of existing and potential members and industry;
- assessing and meeting the preferences and needs of members and industry;
- improving the quality of goods and services we offer to existing and potential members;
- administration, billing, accounting and collection in relation to the goods and services provided to members;
- protecting against fraud and error;
- communicating with members generally or to ensure member satisfaction;
- communicating the Personal Information to a sub-contractor (or other agents, intermediaries or third parties) in the course of a contract or mandate for the performance of any of the purposes listed above.
- We may advise your employer of your membership upon request.
In addition to the above, SCMA™ also collects and uses a member’s Personal Information for the following purposes:
- recording and maintaining membership records, awards, discipline records, performance evaluations, performance improvement plans, or maintaining any other information necessary for establishing or managing the member’s relationship with SCMA;
- such other specific purposes which are communicated to members by SCMA™ and its staff before collection.
Except when otherwise permitted by law, we will only use a member’s Personal Information for the purposes identified to that member. When Personal Information is to be used for a purpose not identified, we will take all reasonable steps to ensure that the member is made aware of the new purpose.
This policy establishes procedures that reflect the principles in PIPEDA. In summary, the principles are:
- SCMA’s President and Chief Executive Officer is responsible for compliance with PIPEDA.
- Identifying Purposes
- Inform individuals about the purpose of collecting personal information
- Obtain individuals’ consent to collect, use and disclose personal information
- Limiting Collection
- Collect only the required personal information, in accordance with consent obtained
- Limiting Use, Disclosure and Retention
- Use and disclose personal information in accordance with consent obtained, and retain it for the appropriate period of time
- Update personal information as required
- Protect the personal information from loss or unauthorized access
- Maintain open communication about this policy and procedures
- Individual Access
- Make personal information reasonably accessible to individuals
- Challenging Compliance
- Facilitate inquiries and complaints of individuals
Several provincial statutes have also been deemed substantially similar to PIPEDA. Under paragraph 26(2)(b) of PIPEDA, the Governor in Council can exempt an organization, a class of organizations, an activity or a class of activities from the application of PIPEDA with respect to the collection, use or disclosure of personal information that occurs within a province that has passed legislation deemed to be substantially similar to PIPEDA. For more information, please visit the website for the Office of the Privacy Commissioner of Canada.
PIPEDA refers to the Personal Information Protection and Electronic Documents Act.
Designated contact refers to the Director of Corporate Services.
Personal information is “…any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:
- age, name, ID numbers, income, ethnic origin, or blood type
- opinions, evaluations, comments, social status, or disciplinary actions
- employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs)” (Privacy Commissioner of Canada)
“Personal information does not include the name, title, business address or telephone number of an employee of an organization” (Privacy Commissioner of Canada)
Personal Information – Management:
General: When staff requires further information about this procedure, they should speak to the designated contact.
Purposes and Consent: When personal information is to be collected, staff must, at or before the time of collection, identify to the individuals the reasons for collection, use, and disclosure of the personal information, and obtain their consent. This may be done by whatever means is suitable in the circumstances, and can be accomplished by a paper form, website, email, telephone, or other means. In all cases, a record should be kept of the consent received.
Retention Period: If, at the end of the indicated retention period, the personal information is the subject of an inquiry or complaint, or it has been recently used to make a decision about an individual, then the retention period should be extended by a reasonable amount of time.
Disclosure: Prior to disclosing personal information, staff will refer to the intended use of the information indicated in this procedure. Staff must ensure that any disclosure is in keeping with the intended use.
Third Parties: When personal information is to be received from, or provided to, a third party, staff will confirm by contract, letter, or other means, that the principles of PIPEDA have been/will be followed.
New Purpose: When any SCMA™ process or initiative would require using or disclosing personal information for a new purpose not identified at the time of collection, staff will seek consent from the individuals involved. This may be done by whatever means is suitable in the circumstances, and can be accomplished by telephone, email, mail, or other means. In all cases, a record should be kept of the consent received. (Note: consent is not required if the new purpose is required by law.)
Updates: Refer to the section “Personal Information – Inquiries and Complaints”.
Personal Information – Inquiries and Complaints:
When staff receives an inquiry¹ or complaint about personal information, or SCMA’s compliance with PIPEDA, they shall direct the individual to the Personal Information Request Form². The form is available for printing from SCMA’s website, or staff can mail it to the individual. They shall also inform the individual that they should return the completed form (by mail, other delivery, or fax) to SCMA™, to the attention of the designated contact. There is no charge for an individual to access their personal information.
When the completed form arrives, the designated contact will, depending on the nature of the inquiry or complaint, investigate and respond, or delegate this task. In any case, the investigation and response should be completed in a reasonable period of time, and no more than the 30-day time limit specified in PIPEDA.
When the inquiry or complaint involves an amendment to personal information, the staff member responding will verify as required, prior to making the change. If SCMA™ does not agree to the requested amendment, then staff will attach a statement of disagreement to the record. When the amendment has been made, or the statement of disagreement attached, staff will then notify third parties, if applicable.
The European Union (EU) General Data Protection Regulation – GDPR
With acknowledgement of the General Data Protection Regulation (GDPR), SCMA will provision the following rights when handling data of European subjects:
- Information - The right to information requires data controllers to give individuals certain information about the processing of their personal data.
- Access - The right to obtain details of any personal data used for profiling, including the categories of data used to construct a profile.
- Rectification - The right, taking into account the purpose of the processing, to provide a supplementary statement where a profile derived from a statistics outcome differs from the actual profile of the subject.
- Objection - The right to object to processing of personal data.
- Restriction - The right to restriction of processing of personal data.
- Right to be forgotten - Also referred to as the right to erasure as it includes both the right to have the data erased and the right to delisting in certain circumstances.
- Right to data portability - The right of an individual to receive personal data that he/she has provided to the data controller in a structured, commonly used and machine-readable format and to transmit that data to another data controller without hindrance.
SCMA’s President and Chief Executive Officer is responsible for compliance with PIPEDA.
The designated contact for privacy matters is the Director of Corporate Services, who may be contacted at:
Supply Chain Management Association
777 Bay Street, Suite 2810
Telephone: 1-888-799-0877 ext. 3133
² Requests for individual access to personal information must be in writing.