Ten interrelated principles form the basis of the Canadian Standards Association Model Code for the Protection of Personal Information. Each principle is a core element in the Council of Private Investigators – Ontario (CPIO) Code of Privacy.

Each Member is responsible for all personal information in his/her/its control. The CPIO will assist Members with training issues and certify Members as compliant with the CPIO’s Code of Privacy. The CPIO’s Ethics Committee is accountable for enforcement of the CPIO’s Code of Privacy. An annual report of the Ethics Committee will be posted on the CPIO’s website.

The purpose for which Members collect personal information is to facilitate the investigation of contraventions of the law and breaches of agreements.

Personal information collected as part of the investigation of a contravention of the law may include information pertaining to individuals involved in criminal activity, individuals suspected of involvement in criminal activity, individuals with knowledge of criminal activity, and individuals who may advance an investigation by providing information relating to the identity of those involved or suspected of criminal activity.

Personal information collected in the investigation of the breach of an agreement may pertain to individuals who are party to an agreement, individuals who have knowledge of the terms and conditions of an agreement, individuals who have knowledge of the breach of an agreement, or individuals who may advance an investigation by providing information relating to a breach of an agreement.

In most instances, obtaining the knowledge and consent of individuals would defeat the purpose of an investigation. Personal information will only be collected, used and disclosed by Members without consent in accordance with section 7 of the Personal Information Protection and Electronic Documents Act, S.C. 2000, c.5 (PIPEDA).

Members will collect information about individuals only if there are reasonable grounds to believe that the information relates to dishonest conduct, breaches of agreements or contraventions of the laws of Canada, a province, or a foreign jurisdiction. Members of the CPIO will only collect the personal information that is required for the preventative and investigative purposes set out above.

Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.

Members may only use or disclose personal information for the purposes for which it was collected. Members may only keep personal information for as long as may be necessary to satisfy such purpose. Members may disclose personal information only to law enforcement agencies, other investigative bodies or their clients for the purpose for which the personal information was collected.

Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

Members will ensure to the best of their ability that the personal information they collect, use, and disclose is accurate, complete, current, and relevant to the stated purpose.

Members will ensure that personal information is stored in secure electronic and hard copy files. Hard copy files will be stored in locked file cabinets with restricted access. Electronic files will be stored in secure systems that include power-on password protection and a secure firewall. Electronic files will be encrypted with an industry standard encryption program before being transferred electronically. Distribution of personal information will be on a need-to-know basis.

Members will make available to the public easily understandable information about the Member Company, its privacy policies, this Code of Privacy, both in hard copy and on its web site www.cpio.org .

In accordance with paragraph 9(3)(c.1) of PIPEDA, if such disclosure does not defeat the purposes for which the information was collected, each Member will, upon request by an individual, advise the individual whether the Member has personal information concerning him or her, what that information is, what it is being used for and to whom their information has been disclosed.

If the individual can provide proof of an error in the personal information held by the Member, the Member will amend the information and send the corrected information to others who have used the incorrect information. If the individual challenges certain information but cannot disprove its accuracy, the Member will note the challenge so that those using the information will be aware of the unresolved challenge.

If a Member denies an individual’s request for access, it will state the reasons for the denial and advise the individual of his/her right to appeal to the Office of the Privacy Commissioner of Canada or Ontario as the case may be.

10. Challenging Compliance

Members shall post on their website and file with the CPIO its privacy policy and the name of the Member’s privacy officer.

Individuals may send complaints with respect to a Member’s compliance with its own privacy policies and procedures to the CPIO’s Ethics Committee. The CPIO Ethics Committee will investigate the complaint and respond to the individual. If the CPIO Ethics Committee finds that the Member is in violation of the CPIO Code of Privacy, the Member will have thirty days in which to change its policies or procedures. If the individual is still not satisfied, he/she will be advised by the CPIO Ethics Committee of his or her right to appeal to the Office of the Privacy Commissioner of Canada or Ontario as the case may be.