Privacy and Information Protection Policy

1. Purpose

Northern Lights Library System (NLLS) is committed to:

  • Ensuring the responsible collection, use, and protection of personal information in compliance with Alberta’s Protection of Privacy Act (PPA).
  • Providing access to public records in accordance with Alberta’s Access to Information Act (AIA).
  • Maintaining transparency and accountability while protecting sensitive data.

This policy aligns with:

  • Records Retention Policy (Sec 2, 1M) – Defines retention and disposal requirements.
  • Confidentiality of User Records Policy (Sec 4, 1C) – Governs library user data protection.

2. Legislative Compliance

NLLS operates under the following Alberta legislation:

  1. Protection of Privacy Act (PPA) – Governs:
    • The collection, use, and disclosure of personal information.
    • Privacy breach notification requirements.
    • Privacy management programs and compliance obligations.
  2. Access to Information Act (AIA) – Governs:
    • The public’s right to request access to NLLS records.
    • Exemptions for protected information (e.g., cabinet confidences, legal matters).
    • Timelines and processes for responding to access requests.

3. Privacy Management Program

NLLS will implement a Privacy Management Program to ensure compliance with the PPA, which includes:

  • Staff training on privacy protection and data security.
  • Clear guidelines for handling personal information.
  • Regular privacy impact assessments for new programs.
  • Breach response protocols to mitigate and report data breaches.

4. Collection & Use of Personal Information

  1. NLLS will only collect personal information necessary for operational purposes, such as:
    • Employee payroll, benefits, and human resources management.
    • Library user records for membership and borrowing privileges.
    • Stakeholder and vendor information for financial transactions.
  2. Personal information will only be used for the purpose for which it was collected, unless required by law.
  3. NLLS will not sell personal information under any circumstances.

5. Access to Information Requests

  1. Members of the public may request access to NLLS records under the Access to Information Act (AIA).
  2. Exemptions – Certain records may be exempt from disclosure, including:
    • Legal and personnel records.
    • Cabinet confidences and workplace investigations.
    • Information that could compromise individual privacy.
  3. Request Process:
    • Requests must be submitted in writing to the Executive Director (Access to Information Officer).
    • Responses will be provided within legislated timelines.

6. Privacy Breach Response Plan

If a privacy breach occurs (e.g., unauthorized access, loss of data):

  1. Contain the breach – Secure affected information.
  2. Assess the impact – Determine whose data was compromised.
  3. Notify affected individuals – Employees or library users will be informed promptly.
  4. Report to Alberta’s Information and Privacy Commissioner if the breach poses significant harm.
  5. Implement corrective actions to prevent future breaches.

7. Retention & Disposal of Records

  1. All records will be retained in accordance with the Records Retention Policy (Sec 2, 1M).
  2. Minimum Retention Periods:
    • Employee records: 6 years post-termination (per CRA and PPA).
    • Access to Information Requests: 1 year after resolution.
    • Financial and tax records: 6 years (per CRA).
  3. Secure Disposal: Personal information will be shredded or permanently deleted when no longer required.

8. Third-Party Data Sharing & Compliance

  1. NLLS does not share personal data unless required for legal or operational purposes.
  2. Third-party service providers (e.g., payroll processors) must adhere to strict confidentiality agreements.
  3. Contracts with third-party vendors handling personal information must comply with the PPA.

9. Employee Rights & Privacy Complaints

  1. Employees may request access to their personal information by submitting a written request to the Privacy Officer (Executive Director).
  2. Employees may request corrections to inaccurate information.
  3. Privacy complaints should be submitted in writing to the Privacy Officer at privacy@nlls.ab.ca.
  4. If unresolved, complaints may be escalated to Alberta’s Information and Privacy Commissioner.

10. Review & Compliance

  • This policy will be reviewed every three (3) years to ensure compliance with evolving legislation.
  • The Executive Director (Privacy Officer) is responsible for policy implementation and oversight.

Answered By: Terri Hampson
Last Updated: May 13, 2025