Access and Privacy Code:
The Administrative Agreement between the Minister of Government and Consumer Services and TICO contains the terms of the delegation to TICO of the administration of the Travel Industry Act, 2002. Section 11(3) of the Administrative Agreement deals with access and privacy issues. Schedule “F” of the Administrative Agreement contains the terms of the Access and Privacy Code that apply to TICO records and personal information. The Administrative Agreement, including Schedule “F”, is posted on TICO's website or available on request.
What Is Personal Information?
Personal information is any information about an identifiable individual that is recorded in any form. Personal information can relate to one’s personal characteristics, for example, gender, age, income, home address or telephone number, ethnic background, family status; their health or their activities and views. Personal information is to be contrasted with business information, for example, an individual’s business address and telephone number, which is not protected by privacy legislation.
Who We Are:
Our organization, The Travel Industry Council of Ontario, employs approximately twenty-six staff members. We also use a number of consultants and agencies that may, in the course of their duties, have limited access to personal information we hold. These include computer consultants, office security and maintenance, a file storage company, temporary workers, website managers, cleaners, our landlord, lawyers and auditors. We restrict their access to any personal information we hold as much as is reasonably possible. We also have their assurance that they follow appropriate privacy principles. A fifteen member Board of Directors oversees the organization.
Primary Purposes for Collecting Personal Information:
TICO is the organization mandated by the Ontario Government to administer the Travel Industry Act, 2002, which governs approximately 3,000 travel retailers and travel wholesalers registered in Ontario. TICO’s mission is to promote a fair and informed marketplace where consumers can be confident in their travel purchases.
TICO has the authority to collect, use and disclose personal information for the purpose of carrying out its objects. TICO shall not collect, use or disclose more personal information than is reasonably necessary to carry out its regulatory activities and fulfill its consumer protection mandate. TICO collects information about registrants, about members of the general public and about contract staff.
Personal information will be collected by lawful means directly from the applicant or registrant to whom it relates whenever possible and will be compiled only where there is a demonstrable need for the information in order for TICO to administer the Travel Industry Act, 2002. Individuals will be informed of the purposes for which personal information is collected, unless the information is collected as part of an inspection, investigation or a complaint. TICO staff involved in the collection of personal information will communicate the reasons personal information is required at the request of the individual to whom the information pertains. The primary purposes of collecting the information are to determine if one is qualified for registration under the statute and to ensure that the legislation is being complied with.
An individual’s written consent will be obtained before personal information is collected from third parties except for the conduct of an inspection, investigation or complaint. The TICO Registration and Renewal Forms contain a consent provision with respect to the collection of relevant personal information from third parties to determine if the applicant is eligible for or remains entitled to the registration applied for under the Act.
About Members of the General Public:
Members of the general public (consumers) may also provide TICO with personal information so that TICO may assist them with complaint matters or in making a claim against the Compensation Fund. The primary purpose of collecting this information is to assess whether the individual has a valid claim against the Compensation Fund or a complaint that TICO can assist them with, to advise them regarding their rights and responsibilities and to investigate and mediate any dispute the consumer may have with a registrant.
About Contract Staff:
For people who are contracted to do work for us (temporary workers), our primary purpose for collecting personal information is to ensure that we can contact them in the future for new assignments or for other necessary work-related communications such as sending out paycheques or year-end tax receipts. Examples of the type of personal information we collect for those purposes include home addresses and telephone numbers. It is rare for us to collect such information without prior consent, but it might happen in the case of a health emergency (e.g., the outbreak of a contagious disease) or to investigate a possible breach of law (e.g., if a theft were to occur in the office).
About Job Applicants:
If individuals apply to TICO for a job, we may need to consider their personal information as part of our review process. TICO normally retains information from candidates after a decision has been made, unless asked not to retain such information. If an individual is offered a job and they accept, the information will be retained in accordance with our privacy procedures for employee records.
Secondary Purposes for Collecting Personal Information:
Like most organizations, we also collect, use and disclose information for purposes related to or secondary to our primary purposes. The most common examples of our related and secondary purposes are as follows:
TICO is delegated to administer the Travel Industry Act, 2002. The Ministry of Government and Consumer Services is responsible for overseeing that TICO performs that role properly. The Ministry may conduct performance, governance, accountability or financial reviews of the Administrative Authority.
External consultants (e.g., auditors, lawyers, information technology) may do audits or continuing quality improvement reviews of our organization, including reviewing TICO’s database, files and interviewing staff.
- Professional staff in our organization may be subject to review by their regulatory bodies, which may inspect our records and interview our staff as a part of their regulatory activities in the public interest. For example, our lawyers are regulated by the Law Society of Upper Canada. Also, like all organizations, various government agencies (e.g., Canada Customs and Revenue Agency, Information and Privacy Commissioner, Human Rights Commission, etc.) have the authority to review our files and interview our staff as part of their mandates.
TICO will keep information accurate and up to date based on the information provided to it. Registrants will be reminded periodically in the TICO Talk newsletter of their statutory obligation to keep information current and up to date.
Use and Disclosure of Personal Information:
Generally, personal information will not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual to whom the information applies or as required by law.
Section 35(1) of the Travel Industry Act, 2002 states:
35. (1) A person who obtains information in the course of exercising a power or carrying out a duty related to the administration of this Act or the regulations shall preserve secrecy with respect to the information and shall not communicate the information to any person except,
(a) as may be required in connection with a proceeding under this Act or in connection with the administration of this Act or the regulations;
(b) to a ministry, department or agency of a government engaged in the administration of legislation similar to this Act or legislation that protects consumers or to any other entity to which the administration of legislation similar to this Act or legislation that protects consumers has been assigned;
(b.1) as authorized under the Regulatory Modernization Act, 2007;
(c) to a prescribed entity or organization, if the purpose of the communication is consumer protection;
(d) to a law enforcement agency;
(e) to his, her or its counsel; or
(f) with the consent of the person to whom the information relates.
Before disclosing information to third parties, TICO will take steps to ensure that the third party has measures in place to protect the personal information.
Protecting Personal Information:
TICO recognizes the importance of protecting personal information. TICO will take reasonable steps to ensure that personal information in its custody or under its control is protected against unauthorized use or disclosure and to ensure that the records containing the information are protected against unauthorized copying, modification or destruction. What constitutes reasonable steps shall be determined taking into consideration all the circumstances including the volume of information, its sensitivity and the format in which it is stored.
TICO is taking the following steps to safeguard its information:
A refresher training session will be held for all staff annually.
Staff members are required to sign confidentiality agreements.
Access to the premises of TICO is controlled by security cards.
Paper information is either under supervision or kept in a locked or secure area that is protected from unauthorized access.
Paper information is transmitted through sealed, addressed envelopes or boxes by reputable companies.
Electronic hardware is either under supervision or secured in a locked or restricted area at all times.
- Password protection, firewalls, virus protection and other recognized security measures are used for electronic information.
Individuals should be aware that e-mail is not a 100% secure medium. Individuals should be aware of this when contacting TICO to send personal or confidential information.
Retention and Destruction of Personal Information:
Personal information will be retained for as long as is necessary to fulfill the purposes for which the information was collected. A record of personal information will not be retained after the purpose for which it was collected has been fulfilled unless:
another law requires or authorizes the retention;
the record is reasonably required for purposes related to TICO’s regulatory activities including future regulation of members; or
- the record is transferred to storage for the purposes of permanent preservation or historical research.
Where TICO has used a record of personal information about an individual to make a decision about the individual, it shall retain the record long enough after making the decision to allow the individual a reasonable opportunity to request access to the information. This requirement does not apply if the individual has already been given access to the information prior to the making of the decision. Personal information in paper form is required to be placed in a locked shredder box so that it can be shredded or otherwise destroyed before it is disposed of. Electronic data is destroyed before the hardware holding the data is discarded.
Access to Records:
Generally, TICO will provide public access to information held by the Council unless the release of the information would:
violate an individual’s right to privacy, unless required by law;
violate a legally recognized privilege;
impair the ability of TICO to ensure a fair, safe and informed marketplace that supports a competitive economy; or
- involve information on the conduct of business by the Board of Directors, its committees or task forces.
It is the policy of TICO to be open and accountable with the public and registrants regarding the information maintained for the Administration of the Act. At the same time, TICO is accountable for maintaining the confidentiality of sensitive personal information provided to TICO in the course of its business activities with registrants.
Upon request, the Council shall provide an individual with information regarding the existence, use and disclosure of his or her personal information and provide to the individual the applicable personal information unless releasing the information would:
violate another individual’s right to privacy, unless the individual consents to the information’s release, or unless required by law;
violate a legally recognized privilege; or
- compromise security or commercial proprietary concerns.
There may be a fee for production of records or photocopying. Individuals will be informed of any fees and given an opportunity to withdraw their request, if desired, prior to the request being processed.
Access to Records Procedure:
Step 1 – Informal Request:
TICO encourages individuals to informally request information as a first step.
TICO routinely provides information to registrants on the status of their registration. We will need to confirm your identity, if we do not know you, before providing you with this access. As well, TICO has a policy of routinely providing information to the public without recourse to the access procedure set out below. Information that is routinely available includes annual reports, audited financial statements, consultation reports, etc.
Step 2 – Formal Request:
When information can not be obtained through the informal route, a formal request may be made to TICO’s Privacy Officer. The request must be in writing, addressed to the Privacy Officer and must describe the records requested. TICO will make every effort to respond within 30 days of receipt of the request. If for some reason the Privacy Officer is not able to respond within 30 days, the Privacy Officer shall advise the person making the request and advise the individual the anticipated date a response can be expected.
When access to a record is not provided by TICO, we will tell you the reason, as best we can, as to why we cannot give you access. TICO will also inform you of the process to request a review of the decision, if desired.
Step 3 – Review of the Privacy Officer’s Decision:
When the individual who requested the information is not satisfied with the response to the formal request, the requester may ask TICO’s Governance and Human Resources Committee to review the decision. The request for review must be in writing, addressed to TICO’s Governance and Human Resources Committee and must describe what the requester wants reviewed. A final decision on the formal request will be provided within 30 days of receipt of the review request if at all possible.
If for some reason the Governance and Human Resources Committee is not able to respond within 30 days, the Committee shall advise the person making the request and advise the individual the anticipated date a response can be expected.
Where an individual disagrees with the accuracy of their personal information received from a formal request, the individual is entitled to request a correction. The request for correction must be in writing and addressed to the Privacy Officer.
If an individual can establish that the information in TICO’s records is not accurate and complete, TICO will take reasonable steps to correct the information, subject to the limitations that may be necessary or appropriate to enable it to carry out its regulatory activities. The following list contains examples of the types of situations where TICO may decline to correct personal information because correcting the personal information could reasonably be expected to interfere with its regulatory activities:
where the person requesting the correction does not provide sufficient information to enable TICO to assess the request to make the correction;
where the fact that the statement was made, whether it is correct or not, is relevant to the regulatory activities of the organization;
where correction may reasonably interfere with a regulatory process including an inquiry, investigation or hearing;
where the correction may reasonably interfere with the regulatory or enforcement activities of another statutory regulatory body or a law enforcement agency;
where the correction may alter an original document that belongs to someone else and will eventually be returned to that person; or
- where correction is prohibited by another Act.
Where TICO agrees to correct a record of personal information, the correction may be made so as not to obliterate the original entry. Where TICO agrees to correct a record of personal information, TICO shall provide written notice to every person to whom the original record was provided within the previous twelve months unless to do so is impractical or would reasonably interfere with its regulatory activities.
If the correction is refused by the Privacy Officer, the individual may require TICO to attach a Statement of Disagreement to the file. The Statement of Disagreement shall not exceed 500 words.
Do You Have a Concern?
TICO’s Privacy Officer, Tracey McKiernan, is available to address any questions or concerns that you might have. She can be reached at:
Travel Industry Council of Ontario
2700 Matheson Blvd. East
Suite402, West Tower
Telephone: (905) 624-6241 Ext. 223
Toll Free: 1-888-451-TICO
Fax: (905) 624-8631
If you wish to make a formal complaint about our privacy practices, you may make it in writing to TICO’s Privacy Officer. She will acknowledge receipt of your complaint; ensure that it is investigated promptly and that you are provided with a formal decision and reasons in writing.
Complaints with respect to how a matter was handled by the Privacy Officer can be made, in writing, addressed to TICO’s Governance and Human Resources Committee. The Governance and Human Resources Committee is a committee of the board of directors that has been assigned responsibility for reviewing complaints against TICO.
For general inquiries about the Personal Information Protection and Electronic Documents Act, please contact the Office of the Information and Privacy Commissioner of Canada, who oversees the administration of the privacy legislation. The Commissioner also acts as a kind of ombudsman for privacy disputes. The Privacy Commissioner can be reached at:
112 Kent Street
Phone: (613) 995-8210
Toll Free: 1-800-282-1376
Fax: (613) 947-6850
June 21, 2016