Data Policy for Canadian Citizens’ Assembly on Democratic Expression 

Project Data Collection Contact
Chris Ellis
3A Gilead Pl, Toronto, Ontario, M5A 3C8
1-833-523-9922
chris@masslbp.com

Complaints
MASS LBP
c/o Privacy Contact
3A Gilead Pl, Toronto, Ontario, M5A 3C8
1-800-369-7136
privacy@masslbp.com

What is this?

This is the Data Collection Policy for the Canadian Citizens’ Assembly on Democratic Expression (“the project”). 

It details how the project team will work with, manage, and protect the information gathered from project participants (i.e., volunteers and citizens’ assembly members).

Who is MASS LBP?

MASS is a small company that works with government and public organizations to run Citizens’ Assemblies and other engagement processes. Our mission is to ensure the involvement of regular people in the development of policies and decisions that can affect their lives. MASS is responsible for designing and managing the Citizens’ Assembly process on behalf of the Commission on Democratic Expression and Public Policy Forum and will be collecting and managing the information of volunteers and citizens’ assembly members.

What is the Commission on Democratic Expression?

The Commission has been established by the federal government to examine how digital technologies are shaping Canadian society and democracy. The Commission has been appointed to produce three public reports over the next three years. The Secretariat of the Commission is housed within Canada’s Public Policy Forum — an independent, non-partisan, non-profit organization and a registered charity with more than 200 member organizations including businesses, federal, provincial, and territorial governments, academic institutions, unions, and non-profit organizations.

The Project’s Data Protection Principles

  • Personal data will be processed fairly and lawfully;

  • All complaints will be responded to quickly and fairly;

  • Personal data will be obtained only for the purposes specified at the point of collection;

  • Data will be verified to be adequate, relevant, and not excessive for the purposes required;

  • Photographic images, videos, and other recordings of participants of non-public events will only be captured and released publicly or to our client with written consent;

  • Participants of public meetings where photographic images, videos, and other recordings are captured will be informed of their use;

  • Data will be kept accurate and up-to-date;

  • Data will not be kept for longer than is necessary for meeting its purpose and will be destroyed appropriately;

  • Data will be processed in accordance with the rights of data subjects;

  • Security: appropriate technical and organizational measures will be taken to protect against unauthorized or unlawful processing of personal data and against accidental loss or destruction or damage to personal data; and

  • Personal data will not be transferred or stored outside Canada unless that country or territory ensures an adequate level of data protection.

Primary Data Collection General Uses

  • Citizens’ Assembly volunteer registration: name, address, phone, email, gender, age, and basic demographic information. 

Rented Personal Contact Information

  • All address and phone information rented and transferred from third-party data brokers (e.g., Canada Post) will be subject to the above principles;

  • All used and unused personal data will be destroyed after use in an appropriate manner;

  • All requests to remove contact information from third-party lists will be documented and sent to said third party for delisting; and

  • All requests to identify the source of information used to contact a person will be addressed quickly and directly.

Note: Address information is not provided to MASS LBP by Canada Post. It is used once for addressing via a secure printer and then destroyed. Phone number information is used once by MASS LBP and then destroyed. 

Breach of Data Protection Principles & Complaints

  • Affected people will be informed immediately of the scope and type of breach;

  • Affected third-party data broker will be informed immediately of the scope and type of breach; 

  • Appropriate privacy commissioner (or other authority) will be contacted and informed of the breach; and

  • Next steps plan for contacting affected data owners will be developed and implemented with project members.

Project Training and Review

  • All project members will read and understand this policy and be trained in the use of the best practices listed below;

  • Privacy and data policies will be reviewed with project members and will be addressed within the project charter document; and

  • This privacy policy document will be reviewed, updated, and refined on an annual basis through the course of the active project.

Data Protection Best Practices

All information (volunteer demographics, contact information, etc.) that is collected through our recruitment processes or for research purposes is stored in a password-protected database and can only be accessed through SSL internet connections.

Any information that is transported through email or USB is encrypted using PGP public–private key encryption services, which can only be decoded and read by the known recipient. PGP is employed when working with suppliers and external service providers. Upon the completion of a research project, all databases are decommissioned, compressed, and encrypted for storage.

If needed, our clients can enable PGP services for email communications and secure file transfer as well, depending on their service requirements. 

MASS LBP will never accept, collect, or store any government identification data (such as driver’s licenses, social security information, health care numbers, etc.).


Data Location Policy

Corporate Website Hosting (Squarespace / USA): Basic website hosting services for MASS LBP are provided by Squarespace, one of the largest website providers in the world.

Note: No data is stored on Squarespace.

Online Survey/Form Hosting (hostedincanadasurveys.ca / Canada): Online survey hosting is provided by hostedincanadasurveys.ca (HICS). This provider uses data storage servers located in Canada, as part of their business model is based on working with public institutions and government clients within Canada that require Canadian hosting services. Data is secured in transit and at rest. HICS is both PIPEDA and PHIPA compliant. 

Note: For specific data and security information about HICS, go to:

https://www.hostedincanadasurveys.ca/privacy/data-security-protection-statement

Corporate Services Hosting (Google / USA): Password-protected online hosting service used for short-term storage of MASS’ non-sensitive operational and research information.

Secure Information Online Transfers (Sync.com / Canada): Two-step password-protected, HTTPS-protected online transfers that are encrypted at rest and in transit with all storage located in Canada.

MASS LBP Office (Toronto): Protected by alarm system, and all secure USB keys and other pertinent data are stored in a fire safe.

Staff Computers: Sensitive data is stored in AES-256 encrypted partitions, which are opened when the data is required and closed when it is not.

Paper: Paper data is stored at the MASS LBP office, which is a non-public site, protected by an alarm system. Sensitive (health, demographics, top secret, etc.) data is stored in a locked fire safe. Paper data is only printed if immediately needed and then shredded onsite using a cross-cut DIN P-4 shredder. All shredding materials are mixed together before disposal.

Sharing of Personal Information with Third Parties

  • All personal information is collected on behalf of the project unless otherwise noted;

  • No personal data is shared, sold, rented, or transferred to third parties outside of the project;

  • MASS LBP securely stores all volunteer data until the project has been completed. 

    • If the volunteer expressed interest in following the work of PPF or the Commission, their name and email will be transferred to PPF and they will be asked to confirm their interest in receiving emails.

    • If the volunteer didn’t express interest in following the work of PPF and the Commission, their name, email, phone number, and address information (less the first three digits of their postal code) will be destroyed. The remaining anonymous demographic information will be used to better understand and refine the lottery process.

    • If the volunteer is selected as a member of the Assembly, their personal information will be kept for one year after the final day of the Assembly. Contact information (name, email, and phone number) will be kept for ten years.

Version 1.0 ENG: March 1, 2020

Please refer to the English language version of this document as the true reference of this policy.