CITC's Privacy Policy





The revisions to the Privacy Act, which will go into effect on January 1, 2004, require CITC to provide the following information to all our members.

Terms of Reference:
Personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:

  • Age, name, ID numbers, income, ethnic origin, or blood type
  • Opinions, evaluations, comments, social status, or disciplinary actions
  • Employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs)
Personal information does not include the name, title, business address or telephone number of an employee of an organization.

The provisions of the Privacy Act require compliance in 10 areas. We have listed those areas below, along with information on how CITC complies with each requirement.

1. Be accountable

  • CITC will comply with all 10 principles of the Privacy Act
  • Steve Gillick, President and Chief Operating Officer, is responsible for CITC's compliance with the Act
  • CITC will protect all personal information held by the Institute.
  • CITC does not transfer information to third parties, nor have we ever made our membership lists available to third parties, either voluntarily or for sale. While CITC members benefit from the Institute's association with Corporate Partners and Industry sponsors, CITC is very up front with these parties in maintaining a policy of not providing membership information.
  • In the case of sponsored events, such as specific seminars and conferences, CITC does allow the speaker(s) and sponsors access to the list of members attending, for the purpose of providing additional educational material, after the event has concluded. Members who wish that this information not be provided will have their information delisted.
  • Other than for the express purpose of bringing business to our members, CITC does not divulge names or contact information for members.
  • All Full Members in good standing (CTC/CTM) who are listed on the National Directory of Certified Travel Professionals (The Directory) have given their permission to post their name and business contact information on the CITC website, and therefore, on the World Wide Web. Members are reminded on a regular basis to inform CITC if information on the Directory needs to be updated, corrected or removed.
  • CITC makes every reasonable attempt to correct member information and keep both public records (those on the Directory) and private records (those in our database and in our paper back-up files) up to date.
  • CITC has had occasion to destroy obsolete files over the years. In these cases, the services of a shredding company have been used, to ensure that personal membership information is destroyed, and not simply discarded.
What personal information do we collect?
Each membership file lists:
  • Name
  • Designation
  • Membership Number
  • Canada location code
  • Membership Category
  • Preferred Language of correspondence
  • Preferred place of correspondence
  • Home Contact information
  • Business Contact information
  • Business Title/ Position
  • Dates on which pertinent information was sent
  • CITC sponsored seminars attended and ACCESS credits
  • Birthday (to send out Birthday cards)
  • Last fee paid
  • Paid fee date
  • Method of Payment (we do not keep credit card records in our database--we only note whether payment was made by cash, cheque or credit card)
  • Graduation Date (for student members)
  • CITC events in which the member participated
  • Date of Membership Upgrade
2. Identify the Purpose

Why do we collect it?
We collect information to maintain correspondence with CITC members, past and present. We collect mailing information from consumers who have requested to be placed on mailing lists. The information allows us to contact individuals at the place of their choosing.

How do we collect it?
Generally, information is collected...
  • Verbally--over the telephone, in person at CITC functions, and during office visits
  • Electronically--via email
  • In writing--via membership renewal forms, written correspondence and faxes
3. Obtain Consent

What is consent?
CITC considers consent to be an expression of permission to collect and use information for the purpose of providing membership services and benefits, or for the provision of consumer information.
We obtain consent by:
  • Written permission via mail, email or fax
  • Verbal permission with a dated notation in the member's file, along with the initials of the staff who recorded the information
  • Third party consent, as long as the third party is well known to CITC and/or is in a reasonable position to give such consent (e.g. the office manager correcting the information on an associate's file)
What do we use your personal information for?
To maintain the accuracy of membership records; to better communicate with our members; to establish member eligibility for membership services and benefits, to mail information to consumers who have specifically requested CITC information.

Where do we keep your personal information?
Information at CITC is kept:
  • In the database, on the computer
  • Paper records are kept in file cabinets

    How is your personal information secured?
    CITC computers are backed up regularly, with back up tapes kept in the on-site safe.
    The office is secured in off-hours, and the building in which the office is located has strict off-hours security.

    Who has access to your personal information, or uses it?
    Only employees of CITC have access to membership records. When part time help is used for filing, all activities take place under the direct supervision of a CITC full time employee.

    To whom is your personal information disclosed?
    Information is used in the office and by CITC employees to service the membership. CITC does not disclose information without the express permission of CITC members. In cases that request immediate contact with a member, CITC will telephone or email the member before giving out any contact information.

    When does CITC dispose of your personal information?
    CITC disposes of obsolete membership files, usually those of members with whom we have had no correspondence for a period of 5 years. We use the services of a shredding company to dispose of all records that include personal information.

    4. Limit Collection

    In order to make our database as efficient as possible with regard to responding to membership inquiries, CITC maintains one "screen" for all membership information, as well as a second screen to record ACCESS approved events. We neither collect information that is extraneous to the efficient operation of the membership organization, nor collect information on behalf of third parties. The only instance where "other" information is collected is through regular industry surveys for the purpose of obtaining general industry trends. Surveys returned anonymously, as well as those that contain personal information (for instance, if an incentive prize is involved for survey completion), are destroyed after the information is recorded.

    5. Limit use, disclosure and retention
    • CITC only collects information for the purpose of maintaining membership files, for the purpose of recording attendance at events (seminars, workshops, conferences), for the purpose of maintaining records with regard to the purchase of educational materials, texts, home study programs, courses and certification programs, and for the purpose of attending and writing exams.
    • CITC retains registration records for a period of three years; obsolete membership records are shredded every five years. Financial records are maintained for a period of 6 years.
    6. Be Accurate
    • CITC endeavours to keep membership records as up-to-date as possible, through regular communication with members via the CITC Latest Buzz (email newsletter), the Update (printed newsletter); Membership renewals (every October 31st or thereabouts); other mailed and emailed correspondence, including election notices, educational standards updates and targeted mailings (example, to travel & tourism educators and industry trainers).
    • Personal information on individual members can be retrieved from the database by a CITC employee in order to verify the accuracy of the information, in consultation with a member. The National Directory of Certified Travel Professionals is an on-line listing of CTCs and CTMs in Canada. Full members in good standing are urged, several times a year, to check the currency of their listing.
    7. Use Appropriate Safeguards
    • CITC employees are made aware, verbally and in writing (The CITC Corporate Culture Document), of CITC's Privacy Policy with regard to compliance with the Privacy Act
    • CITC's security policy regarding membership records includes:
      • Physical measures: The Downtown CITC office is situated in a security building where after-hours access is restricted to employees with a pass-card. The office itself has two deadbolts on the door.
      • The Brampton Office has a deadbolt on the main entrance doorway.
      • Technological Tools: CITC computers are double password protected. All computer forms that relate to financial transactions are "secure". The CITC computer system is firewall protected.
      • Organizational Controls: CITC employees are vigilant with regard to the access of membership files. Staff training includes awareness of the provisions of the Privacy Act, as well as this policy document.
    8. Be Open
    • CITC has always made it known, and will continue to inform members, industry associates, sponsors and the public, of CITC's policies and practices for the management of personal information
    • CITC's Privacy Policy is available on the CITC website (www.citc.ca), as a main link, and also on the site index. Henceforth, in all membership renewal packages, membership registration packages and, periodically throughout the year, CITC will ensure that due notice is made of the CITC Privacy Policy.
    • Steve Gillick, the President and Chief Operating Officer is responsible for CITC's privacy policies and practices.
    • While any full time employee is able to update membership information files, correspondence should be sent to the Membership Services Coordinator at 416-484-4450 Ext 21, 1-800-589-5776 Ext 21 or members@citc.ca. Registrants in Certification programs may directly contact the Education Standards Division to update personal information, at 905-940-5333 or access@citc.ca
    • Members may contact the sources listed above for a copy of the personal information in their files. Full members in good standing may also review and download information from the National Directory of Certified Travel Professionals at http://www.citc.ca/certifiedcoun.cfm.
    • Individuals can complain to CITC using the contact information listed above
    9. Give individuals access
    • Individuals may visit the CITC office during regular office hours to review their membership records. They may also request a copy of the information CITC has in their file, as long as they satisfy verification of their identity.
    • CITC will correct information in membership files on a timely basis, usually within 24 hours of notice.
    • There are no costs or charges associated with the correcting of information in membership files
    • CITC attempts to translate all abbreviations, short-forms and codes used in membership files. This information is readily available should a member be unable to decipher any aspect of their membership record.
    10. Provide Recourse
    • The easiest method of complaint about CITC's enforcement of Privacy policy and procedures is to communicate directly with the organization, via letter, fax, email or telephone. In most cases, complaints can be satisfied within 24 hours. Understandably, complaints that involve more than a simple correction or updating of information should be submitted in writing so that both the complainant and CITC have a paper trail to follow in accounting for the resolution of the complaint.
    • Should an individual not be satisfied with the handling of a Privacy Policy complaint by a CITC employee, they should:
      • Bring the complaint directly to the attention of the President and Chief Operating Officer.
      • If still not satisfied they should bring the complaint to the attention of the Chair of the Board of Directors
      • If still not satisfied they should bring the complaint to the attention of the Privacy Commissioner of Canada.

    FAQs on the Requirements of the Privacy Act for Travel Counsellors, Owners and Managers.



    Introduction:

    The following is a general summary of the information available regarding the obligations of Travel Agencies (and other organizations) with regard to the Personal Information Protection and Electronic Documents Act (PIPEDA), as of January 1, 2004. It includes frequently asked questions, a list of the 10 principles to be followed, and issues to consider regarding compliance with the Act. Note: The Business guide may be downloaded at www.privcom.gc.ca/information/guide_e.asp.

    This FAQ is merely meant as a guideline to help clarify some issues that specifically relate to the travel industry. This in no way replaces reading the statute itself and understanding the obligations of your compliance with the Act. If you collect personal information or disclose personal information to third parties, then the PIPEDA affects you.

    Q: Why, all of a sudden, am I hearing about a Privacy Act, which will come into effect on January 1, 2004?

    A: In fact, there has been a statute called the "Privacy Act" in place in Canada for more than two decades. It dealt with privacy of personal data in the hands of the many departments and agencies of the federal government. The PIPEDA, on the other hand, was passed by the federal government only in 2000, with parts of it taking effect on January 01, 2001. It is being implemented in three stages.

    The first stage (January 01, 2001) dealt with personal information used or disclosed in the course of commercial activities by federally regulated works and businesses such as airlines, telephone companies, etc. The first stage also dealt with disclosure of personal information across provincial or national borders, by organizations such as credit reporting agencies or organizations that lease, sell or exchange mailing lists or other personal information. It also applies in the Yukon, Northwest Territories and Nunavut.

    The second stage was implemented on January 1, 2002, and extended to personal health care information.

    The third and final stage comes into effect on January 1, 2004. This stage covers the collection, use or disclosure of personal information in the course of any commercial activity within a province, even if the industry is provincially regulated, like travel. There is provision for an exemption with respect to a province that passes its own legislation if it is substantially similar to the federal law. To date, Quebec and British Columbia have passed such legislation and Alberta is in the process of doing so, but no specific exemptions have yet been granted.

    Q: What is considered to be "Personal Information"?

    A: The Act defines personal information as factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form such as:
    • Age, name, ID numbers, income, ethnic origin, or blood type.
    • Opinions, evaluations, comments, social status, or disciplinary actions.
    • Employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).
    • Publicly available data (addresses, telephone numbers) is not covered in this definition. Neither is employee related data held by a provincially regulated company (e.g. travel agency in British Columbia, Ontario and Quebec).
    Q: What is the definition of "Consent"?

    A: Consent, for the purposes of the PIPEDA, is defined as "Voluntary agreement with what is being done, or proposed to be done, with the individual's personal information". Consent can be either expressed or implied.
    • Express consent is given explicitly, either orally or in writing. Express consent is unequivocal and does not require any inference or interpretation on the part of the organization seeking consent. Example: You ask the client "May I give your name to XYZ Tours for inclusion in their catalogue mailing list, Yes or No?"
    • Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual. Example: A client leaves a message that they would like information on Alaska Cruises as well as any material that the Alaska Tourism Board may have. You might reasonably infer that you have permission to send the client the information and have the Alaska Tourism Board forward information directly to the client.
    Q. Let's cut to the quick - what exactly do I have to do to ensure compliance with the Act?

    A: Even a busy person should find time to review the details provided in the Guide (see below). A glossing-over of the requirements of the Act may result in missing something that may come back to haunt you later in the form of a consumer complaint, a Privacy Commission complaint, or possible legal action.

    Simply stated, an organization is responsible for the protection of personal information and the fair handling of it at all times throughout the organization and in dealings with third parties. The Act states, "Care in collecting, using and disclosing personal information is essential to continued consumer confidence and good will".

    The entire Guide for Business and Organizations to Canada's Personal Information Protection and Electronic Documents Act may be downloaded at www.privcom.gc.ca/information/guide_e.asp. Also, a sample of a Privacy Policy can be found on the CITC website under Main links at www.citc.ca, or on the ACTA website at www.acta.ca.

    Any individual who deals with personal information as defined by the Act, is strongly urged to read the Guide and follow the procedures step-by-step. They not only identify the requirements for an organization but also explain how to implement policies and procedures, and include tips and checklists to facilitate the task.

    In order to comply with the Act, each of the following 10 principles developed by the Canadian Standards Association and reflected in the PIPEDA must be followed.
    1. Be Accountable
      • Comply with all 10 principles.
      • Appoint an individual to be responsible for your organization's compliance.
      • Protect all personal information held by your organization or transferred to a third party.
      • Develop and implement policies and practices that support the intent of the Act.
    2. Identify the Purpose
      • Identify why the personal information is needed by your organization, and how it will be used.
      • Document why the information is collected.
      • Inform the individual from whom the information is collected and why it is needed.
      • Identify any new uses for the information and obtain the individual's consent before using it for that new purpose.
    3. Obtain Consent
      • Inform the individual in a meaningful way of the purposes for the collection, use or disclosure of personal data.
      • Obtain the individual's consent before or at the time of collection, as well as when a new use is identified.
    4. Limit Collection
      • Do not collect personal information indiscriminately.
      • Do not deceive or mislead individuals about the reasons for collecting personal information.
    5. Limit Use, Disclosure and Retention
      • Use or disclose personal information only for the purpose for which it was collected, unless the individual consents, or the use or disclosure is authorized by the Act.
      • Keep personal information only as long as necessary to satisfy the purposes.
      • Put guidelines and procedures in place for retaining and destroying personal information.
      • Keep personal information used to make a decision about a person for a reasonable time period. This should allow the person to obtain the information after the decision and pursue redress.
      • Destroy, erase or render anonymous information that is no longer required for an identified purpose or a legal requirement.
    6. Be Accurate
      • Minimize the possibility of using incorrect information when making a decision about the individual or when disclosing information to third parties.
    7. Use Appropriate Safeguards
      • Protect personal information against loss or theft.
      • Safeguard the information from unauthorized access, disclosure, copying, use or modification.
      • Protect personal information regardless of the format in which it is held.
    8. Be Open
      • Inform customers, clients and employees that you have policies and practices for the management of personal information.
      • Make these policies and practices understandable and easily available.
    9. Give Individuals Access
      • When requested, inform individuals if you have any personal information about them.
      • Explain how it is or has been used and provide a list of any organizations to which it has been disclosed.
      • Allow individuals access to their own information, if requested.
      • Correct or amend any personal information if its accuracy and completeness is challenged and found to be deficient.
      • Provide a copy of the information requested, or reasons for not providing access (there are some exceptions set out in Section 9 of the Act).
      • An organization should note any disagreement on the file and advise third parties where appropriate.
    10. Provide Recourse
      • Develop simple and easily accessible complaint procedures.
      • Inform complainants of avenues of recourse.
      • Investigate all complaints received.
      • Take appropriate measures to correct information handling practices and policies.
    Q: I have already collected personal information about my clients and have already been given permission by these clients to contact them. I have over 1000 clients in my database. Do I have to do this all over again?

    A: The Grandfathering Clause in the new PIPEDA stipulates that you do NOT have to re-collect the information; however, in order to CONTINUE using the information, or disclosing the information to a third party, you now require consent.

    Q: OK, so I need consent. Can you give me an example of what I should say or have included on my invoices?

    A: Yes, below is an example of what background information you may need and what express consent would include.

    Sample text for invoices...

    On January 1, 2004, the third phase of the Personal Information Protection and Electronic Documents Act (PIPEDA) comes into effect. This Act governs information collected as part of commercial activity by any private sector organization. It states that information must be gathered with consent, collected for a reasonable purpose, used for the limited purposes for which it was gathered, be accurate, be open for the owner's inspection and correction, and stored securely. (ABC TRAVEL AGENCY) already maintains a high level of security with respect to the confidentiality of your records but we are now obligated by law to advise and obtain consent to the terms of the collection, distribution and storage of your data.

    Confidentiality Agreement

    With regard to the provisions of the Privacy Act, I hereby give my permission for (ABC TRAVEL AGENCY) to maintain personal information already on file, and to collect further information for the purpose of contacting me by mail, fax, telephone and/or email with relevant information and other services (ABC TRAVEL AGENCY) may offer. (ABC TRAVEL AGENCY's) Privacy Policy is found at: (www.ABC TRAVEL AGENCY.ca)

    ________________________
    Signature
    ________________________
    Date


    Q: What if the cruise company calls me for the client's contact numbers so they can advise the client of any last minute changes?

    A: There are some exceptions to consent contained in the Act.
    • If it is clearly in the individual's interests and consent is not otherwise available in a timely way.
    • For an emergency that threatens an individual's life, health or security.
    Q: If someone calls the agency and asks for the name of the Manager, am I allowed to provide this according to the Act?

    A: YES. Personal information does not include the name, title, business address or telephone number of an employee of an organization.

    Q: If an airline or Canadian government agency requests personal information of passengers that I have booked on flights, do I provide it?

    A: Organizations may disclose personal information without the individual's knowledge or consent only to certain individuals or bodies including:
    • A government institution that has requested the information, identified its lawful authority, and indicates that disclosure relates to national security.
    Q: My brother-in-law is starting a company specializing in Costa Rica. He has asked if I can give him the names of my clients who have expressed an interest in Costa Rica Tours. Can I give him the list?

    A: You can only give him the names of those clients in your database from whom you have obtained explicit consent (see above) to have their personal information given to a third party for the specific purpose of receiving information.

    Q: In order to save time and money, can I send out a notice to all my clients informing them that from time to time I will provide their names to third parties that have information of interest to travellers--and if they do not want this information--then they should call me?

    A: NO. This does not fit under the definition of explicit consent or even implied consent. In fact, this kind of message reflects what is referred to as negative-option advertising, where it is up to the client to take the initiative to refuse services you have unilaterally decided to offer. Again, you would have to obtain "explicit consent" to hand over your clients' names to a third party.

    Q: Can you give me an understanding of the CRS/GDS use of sales data or other information provided to them by a travel agency?

    A: The CRS/GDS can use your clients' booking information and other sales data. The government is currently (autumn of 2003) dealing with this issue. An increasing number of bookings are being done over alternative distribution channels and as such are not contained in the CRS data. Therefore, the Federal government believes any regulations to prevent a CRS/GDS from selling data are redundant and is proposing to do away with restrictions in this regard. Individual passenger information would, however, remain protected under the PIPEDA.


    Checklist for Compliance with the Privacy Act

    • Have you appointed an individual (or individuals) to be responsible for your organization's compliance with the PIPEDA?
    • Have you developed and implemented personal information policies and practices that protect all personal information held by your organization? Use the following as a guide:
      • Define the purpose of its collection
      • Obtain consent
      • Limit its collection, use and disclosure
      • Ensure information is correct, complete and current
      • Ensure adequate security measures
      • Develop or update a retention and destruction timetable
      • Process access requests
      • Respond to inquiries and complaints
    • Have you analyzed your personal information practices to ensure that you meet fair information practices? Use the following as a guide:
      • What personal information is collected?
      • Why do we collect it?
      • How do we collect it?
      • What do we use it for?
      • Where do we keep it?
      • How is it secured?
      • Who has access to it?
      • To whom is it disclosed?
      • When is it disposed of?
    • Have you updated contracts, correspondence, brochures and company website with the Privacy Policy so that clients and consumers are familiar with it?
    • Are all staff members familiar with privacy policies and procedures?
    • Have you clearly documented and expressed to your clients and staff the purpose for collecting personal information and how it is being used?
    • Have you obtained consent from the individual whose personal information is collected, used or disclosed?
    • Has the consent been recorded in company records?
    • Are your consent clauses easy to find, clear, straightforward and specific?
    • Have you limited the amount and type of personal information gathered to what is necessary for the identified purposes?
    • Have you implemented guidelines and procedures on how to retain and destroy personal information? E.g. Minimum and maximum retention periods, disposal of documents in a way that prevents improper access (shredding or deleting electronic files).
    • Is the personal information that has been collected accurate and up to date?
    • Are there policies in place that state procedures and practices for keeping the records accurate?
    • Does staff know that all personal information should be protected against theft, loss, unauthorized access, disclosure, copying or modification?
    • Do you have a security policy in place to protect personal information and does it consist of:
      • Physical measures (locks, restricted access to office, alarm systems)
      • Technological tools (passwords, encryption, firewalls, anonymizing software)
      • Organizational controls (security clearances, limited access on a "need to know" basis, staff training, confidentiality agreements)
    • Have you informed your clients that policies and practices exist for the management and security of personal information?
    • Is the following information available for your clients and consumers:
      • Name, title and address of the person who is accountable for your organization's privacy policies and practices.
      • Name, title and address of the person to whom access requests should be sent.
      • How the individual can gain access to his or her personal information.
      • How an individual can complain to your organization.
      • Brochures or other information that explains your organization's policies, standards and codes.
      • A description of what personal information is made available to other organizations (including subsidiaries) and why it is disclosed.
    • Are you responding to requests from individuals regarding their personal information as quickly as possible (no later than 30 days) and at a minimal or no cost to them?
    • Are all your records of personal information in one place, to make retrieval easier? If not, do you have records of where to find the information?
    • Do you have steps in place to verify the identity of the individual who has requested the information and does that individual have a right to the information?
    • Are your complaint procedures easily accessible?
    • Do the complainants know the avenues of recourse (your organization's own complaint procedures, those of industry associations, regulatory bodies and the Privacy Commissioner of Canada)?
    • Are you prepared to:
      • Investigate complaints
      • Deal with complaints and take the appropriate action to correct information handling practices and policies
      • Record the date and nature of complaint
      • Acknowledge receipt of the complaint and contact the individual with the outcome of the investigation