1. Greater Toronto Hockey League The Implementation of PIPEDA and Amateur Sports – A Case Study

2. PIPEDA  Personal Information Protection and Electronic Documents Act  Applies to the collection, use, disclosure and security of personal information in the course of commercial activities  Personal information is any information about an identifiable individual

3. PIPEDA  Requires consent for collection, use and disclosure of personal information  Consent can be Implied versus Expressed  Opt in v. Opt Out  The distinction between an obvious purpose and a secondary purpose

4. What is needed by organizations  Chief Privacy Officer  Process to inventory/classify existing personal information  Effective Policies and Practices  Staff Training and Awareness on Privacy  Retain consent provided on file  Continuous process to keep information up to date/accurate  Physical security safeguards over personal information  Strong IT security and configuration (who can see or use)  Process to communicate Privacy policies and practices  Process to respond to Access requests/corrections/complaints  Complaints review process – initiate changes to policies and practices  Compliance/Monitoring process - internal or external

5. GTHL – A Case Study – What We Did  GTHL Privacy Policy  Grass Roots Up Development  Consistent Policy–GTHL–OHF–Hockey Canada  Written so that GTHL Clubs/Associations can use in an easily adaptable form

6. Chief Privacy Office  GTHL Executive Director and President  Jointly accountable to the Board of Directors for compliance  Responsible for the GTHL’s Compliance with PIPEDA privacy principles  Responsible for responding to access requests  Responsible for ensuring the GTHL is accountable for all personal information it it’s possession

7. Inventory/Classy  Inventoried existing hard copy data  Inventoried electronic information  Classified what was needed  Classified purpose of collection  Archived and destroyed data that was not needed.

8. Policies/Practices  Established GTHL Policy  Ensured Polices and Practices reflected both the legislation and GTHL Policy

9. Training  “Internal procedures and employee education is as important as what the privacy policy says”  Trained Staff  Trained Volunteers  Informed GTHL Clubs and Membership

10. Consent  Reviewed and revised all forms of personal information collection –Player Cards –Club Executive Forms –Tournament Forms  Statement of rationale for collection  Consent to distribute  Electronic tracking of consent

11. Accurate Data  Established Process for the keeping of accurate data  Re-Registration  Application process for review  Application process for update

12. Physical Security  IT Security Provisions were implemented including On-Line Registration and On- Line Financial Transactions  Necessary Server Protection  “Locked” Security Room was constructed to protect documents  Practices of Transferring data were reviewed (I.E. Couriers etc.)

13. IT Security  Password Protection  E-Commerce Review to ensure compliance  Tiered Access to Information

14. Communication  Web-site publication of policy  Other GTHL documents to participants

15. Processes  Access Requests  Corrections  Complaints  Review

16. Questions  ??????