PRIVACY POLICY: 10 Principles
Overview
THE QUILT: A Breast Cancer Support Project is responsible
for personal information within its custody and control and adopts,
to the fullest extent possible, a high standard of privacy for its
personal information practices. THE QUILT: A Breast Cancer Support
Project has adopted the 10 Principles set out in the Canadian
Standards Association Model Code for the Protection of Personal
Information. This document defines how THE QUILT: A Breast Cancer
Support Project subscribes to the 10 Principles through the development
of an organization-specific code.
This Policy applies to personal information collected, used, disclosed
and retained by THE QUILT: A Breast Cancer Support Project,
subject to legal requirements.
Definitions
Organization means THE QUILT: A Breast Cancer Support Project.
Agent, in relation to the organization,
means a person, whether or not the person is employed by the organization
and whether or not the person is being remunerated, when that person
is authorized to act for or on behalf of THE QUILT: A Breast
Cancer Support Project in exercising powers or performing
duties with respect to personal information. For greater certainty,
Agent includes employees, volunteers, students, sponsors,
consultants, vendors and contractors.
Personal information means information
about an identifiable individual, but does not include the name,
title, business address or business telephone number of an employee of
an organization.
Principle 1 - Accountability for Personal Information
THE QUILT: A Breast Cancer Support Project is responsible
for personal information within its control and has designated an
individual who is accountable for the organization's compliance
with the following principles:
Accountability for compliance with
the policy rests with the Executive Director, although other individuals
within the organization are responsible for the day-to-day collection
and processing of personal information. In addition, other individuals
within the organization are delegated to act on behalf of the
Executive Director, such as the Chief Privacy Officer.
The name of the Chief Privacy Officer designated by the Organization
to oversee compliance with these principles is Susan Grabarczyk.
She can be contacted at:
Email: privacy@thequilt.com
Telephone: 519-272-2588
Fax: 519-272-2588
Mail: P.O. Box 1052, Stratford, ON N5A 6W4
THE QUILT: A Breast Cancer Support
Project is responsible for personal information in its possession
or custody, including personal information that has been transferred
to a third party for processing. The organization will use contractual
or other means to provide a comparable level of protection while
the personal information is being processed by a third party.
Policies and practices have been
implemented to give effect to this policy, including:
Policies & procedures to protect
personal information, including personal information relating
to employees, volunteers, donors, sponsors, potential supporters
and other stakeholders.
Establishing procedures to receive
and respond to complaints and inquiries about our privacy compliance.
Training staff and agents, and communicating to them information
about the organization's privacy policies and practices.
Developing and communicating to the public and key stakeholders
information that explains the organization's privacy policies
and procedures.
Principle 2 - Identifying Purposes for the Collection, Use and Disclosure
of Personal Information
At or before the time that personal information is collected, THE
QUILT: A Breast Cancer Support Project will identify the
purposes for which personal information is collected. The primary
purposes are fundraising to meet the needs of the organization's
charitable activities and operating expenses, publication of the
"Show Guide" and display of exhibition materials, providing donors,
supporters and potential supporters with stewardship and recognition
information, and meeting legal and regulatory requirements.
Identifying the purposes for which
personal information is collected at or before the time of collection
allows the organization to determine the personal information
that it needs to collect to fulfill these purposes.
The identified purposes are specified
at or before the time of collection to the individual from whom
the personal information is collected. Depending upon the way
in which the personal information is collected, this can be done
orally or in writing. Individuals will be given the option to
accept or reject such uses.
When personal information that has
been collected is to be used for a purpose not identified at the
time of collection, the new purpose will be identified prior to
use. Unless law requires the new purpose, the consent of the individual
is required before personal information can be used for that purpose.
Persons collecting personal information
will be able to explain to individuals the purposes for which
the information is being collected.
Principle 3 - Consent for the Collection, Use, and Disclosure of Personal
Information
The knowledge and consent of an individual are required for the collection,
use or disclosure of personal information about that individual,
except where inappropriate.
Note:
In certain circumstances personal information can be collected,
used, or disclosed without the knowledge and consent of the individual.
For example, legal or security reasons may make it impossible or
impractical to seek consent. When information is being collected
for the detection and prevention of fraud or for law enforcement,
seeking the consent of the individual might defeat the purpose of
collecting the information. In addition, if the organization does
not have a direct relationship with the individual, it may not be
possible to seek consent. Seeking consent may be impractical when
acquiring a mailing list from another organization. In such cases,
the organization providing the list would be expected to obtain
consent before disclosing personal information.
Consent is required for the collection
of personal information and the subsequent use or disclosure of
this information. Typically, the organization will seek consent
for the use or disclosure of the personal information at the time
of collection. In certain circumstances, consent with respect
to use or disclosure may be sought after the personal information
has been collected but before being used or disclosed (for example,
when the organization wishes to use personal information for a
purpose not previously identified).
The principle requires "knowledge
and consent". The organization will make a reasonable effort
to ensure that the individual is advised of the purposes for which
his/her personal information will be used or disclosed. To make
the consent meaningful, the purposes must be stated in such a
manner that the individual can reasonably understand how the personal
information will be used or disclosed.
The organization will not require an
individual to consent to the collection, use, or disclosure of
personal information beyond that required by law. An organization
may not, as a condition of the supply of a product or service,
require an individual to consent to the collection, use, or disclosure
of information beyond that required to fulfill the explicitly
specified and legitimate purposes.
In obtaining consent, the reasonable
expectations of the individual are also relevant. The Organization
can assume that an individual's donation constitutes consent for
specific purposes, such as the issuance of an income tax receipt.
On the other hand, an individual would not reasonably expect that
personal information given to the organization would be given
to another fundraising organization.
The form of consent sought by the organization
may vary, depending on the circumstances and the type of personal
information collected. In determining the form of consent to use,
the organization will take into account the sensitivity of the
personal information. The organization will generally seek express
consent when the personal information is likely to be considered
sensitive. Implied consent would generally be appropriate when
the personal information is less sensitive.
Individuals can give consent in many
ways. For example:
An application, a Call for Entry
form, a Marathon pledge form and other organization materials
may be used to seek consent, collect personal information, and
inform the individual of the use and/or disclosure that will
be made of the personal information. By completing and signing
the form, the individual is giving consent to the collection
and the specified uses and/or disclosures. Purpose statements
are used on such forms.
A check box may be used to allow
individuals to request that their names and addresses not be
used by the organization for future mailouts, etc. Individuals
who do not check the box are assumed to consent to the use of
this information for other mailouts.
Consent may be given orally when
personal information is collected over the telephone or at the
time that individuals make a donation, etc.
Consent may be given by registering
for a program or event sponsored by the organization, through
participation as a volunteer, by sponsoring an organization event,
etc.
An individual may withdraw consent
at any time, subject to legal or contractual restrictions and
reasonable notice. The organization will inform the individual
of the implications of such withdrawal.
Principle 4 - Limiting Collection of Personal Information
The collection of personal information will be limited to that which
is necessary for the purposes identified by the organization. Personal
information will be collected by fair and lawful means.
The organization will not collect personal
information indiscriminately. Both the amount and the type of
personal information collected will be limited to that which is
necessary to fulfill the purposes identified.
The requirement that personal information
be collected by fair and lawful means is intended to prevent the
organization from collecting personal information by misleading
or deceiving individuals about the purpose(s) for which personal
information is being collected. This requirement implies that
consent with respect to collection must not be obtained through
deception.
Principle 5 - Limiting Use, Disclosure, and Retention of Personal Information
Personal information will not be used or disclosed for purposes other than
those for which it was collected, except with the consent of the
individual or as required by law. Personal information will be retained
only as long as necessary for the fulfillment of those purposes.
If using personal information for a
new purpose, the organization will document this purpose and seek
consent for such use and/or disclosure.
The organization has developed guidelines
and implemented procedures with respect to the retention of personal
information. These guidelines include minimum and maximum retention
periods. Personal information that has been used to make a decision
about an individual will be retained long enough to allow the
individual access to the personal information after the decision
has been made. The organization is subject to legislative requirements
with respect to retention periods.
Personal information that is no longer
required to fulfill the identified purposes will be destroyed,
erased, or made anonymous, unless required by law to keep it for
a longer period. The Organization has developed guidelines and
implemented procedures to govern the destruction of personal information
in accordance with applicable legislative requirements.
Principle 6 - Ensuring Accuracy of Personal Information
Personal information will be kept as accurate, complete, and up-to-date as
is necessary for the purposes for which it is to be used and/or
disclosed.
The extent to which personal information
will be kept accurate, complete, and up-to-date will depend upon
the use/disclosure of the personal information, taking into account
the interests of the individual. Personal information will be
sufficiently accurate, complete, and up-to-date to minimize the
possibility that inappropriate personal information may be used
to make a decision about the individual.
The organization will not routinely
update personal information, unless such a process is necessary
to fulfill the purposes for which the personal information was
collected.
Personal information that is used on
an ongoing basis, including personal information that is disclosed
to third parties, will generally be kept accurate, complete and
up-to-date, unless limits to the requirement for accuracy are
clearly set out.
Principle 7 - Ensuring Safeguards for Personal Information
Security safeguards appropriate to the sensitivity of the personal information
have been implemented by the organization to protect personal information.
The security safeguards will protect
personal information against loss or theft, as well as unauthorized
access, disclosure, copying, use, or modification. The Organization
will protect personal information regardless of the format in
which it is held.
The nature of the safeguards will vary
depending on the sensitivity of the personal information that
has been collected, the amount, distribution, and format of the
personal information, and the method of storage. A higher level
of protection will safeguard more sensitive personal information.
The methods of protection will include:
Physical measures, for example, locked
filing cabinets and restricted access to offices.
Organizational measures, for example,
limiting access on a "need-to-know" basis.
Technological measures, for example,
the use of passwords, encryption and audits.
The organization will make its employees
and agents aware of the importance of maintaining the confidentiality
of personal information. As a condition of employment, appointment,
or agency, all organization employees and agents must sign the
applicable confidentiality agreement annually.
Care will be used in the disposal or
destruction of personal information, to prevent unauthorized parties
from gaining access to the personal information.
Principle 8 - Openness About Personal Information Policies and Practices
The organization will make readily available to individuals specific
information about its policies and practices relating to the management
of personal information.
The organization will be open about
its policies and practices with respect to the management of personal
information. Individuals will be able to acquire information about
its policies and practices without unreasonable effort. This information
will be made available in a form that is generally understandable.
The information made available will
include:
The name or title, and the address,
of the Chief Privacy Officer, who is accountable for the organization's
privacy policies and practices, and to whom complaints or inquiries
can be forwarded.
The means of gaining access to personal
information held by the organization.
A description of the type of personal
information held by the organization, including a general account
of its use and/or disclosure.
A copy of any information that explains
the organization's policies, standards, or codes.
What personal information is made
available (i.e. disclosed) to affiliated organizations.
The organization may make information
on its privacy policies and practices available in a variety of
ways. For example, the organization may choose to mail information
to its donors and potential supporters, or to provide access through
its website.
Principle 9 - Individual Access to Own Personal Information
Upon request, an individual will be informed of the existence, use,
and disclosure of his or her personal information by the organization
and will be given access to that personal information. An individual
will be able to challenge the accuracy and completeness of the personal
information and have it amended as appropriate.
Note:
In certain situations, the organization may not be able to provide
access to all of the personal information that it holds about an
individual. Exceptions to the access requirement will be limited
and specific. The reasons for denying access will be provided to
the individual upon request. Exceptions may include personal information
that is prohibitively costly to provide, information that contains
references to, or personal information about, other individuals,
information that cannot be disclosed for legal, security, or proprietary
reasons, and information that is subject to solicitor-client or
litigation privilege.
Upon request, the organization will
inform an individual whether or not it holds personal information
about that individual. The organization will seek to indicate
the source of this information and will allow the individual access
to this information. In addition, the organization will provide
an account of the uses that have been made or are being made of
this information and an account of the third parties to which
it has been disclosed.
An individual will be required to provide
sufficient information to permit the organization to provide an
account of the existence, use, and disclosure of personal information.
The information provided will only be used for this purpose.
In providing an account of third parties
to which it has disclosed personal information about an individual,
the organization will attempt to be as specific as possible as
to whom at the third party organization it was disclosed. When
it is not possible to provide a list of the organizations to which
it has actually disclosed personal information about an individual,
the organization will provide a list of the organizations to which
it may have disclosed personal information about the individual.
It should be noted that the organization does not rent, sell or
trade its mailing lists or personal information.
The organization will respond to an
individual's request within a reasonable time and at a minimal
or no cost to the individual. Fees will be established on a cost
recovery basis. The requested personal information will be provided
or made available in a form that is generally understandable.
For example, if the organization uses abbreviations or codes to
record information, an explanation will be provided.
When an individual successfully demonstrates
the inaccuracy or incompleteness of personal information, the
organization will amend the information as required, in accordance
with professional standards of practice. Depending upon the nature
of the personal information challenged, amendment may involve
the correction, deletion, or addition of personal information.
Personal information contained within donor receipt records will
not be deleted, but rather, the original must be maintained, with
any amendments or corrections being made in a transparent manner.
Where appropriate, the amended information will be transmitted
to third parties to whom the original personal information was
disclosed.
When a challenge is not resolved to
the satisfaction of the individual, the organization will record
the substance of the unresolved challenge. When appropriate, the
existence of the unresolved challenge will be transmitted to third
parties to whom the original personal information was disclosed.
Principle 10 - Challenging Compliance with the Organization's Privacy Policies
and Practices
An individual will be able to address a challenge concerning compliance
with this policy to the Chief Executive Officer.
The Organization has procedures in
place to receive and respond to complaints or inquiries about
its policies and practices relating to the handling of personal
information. The complaint procedures are easily accessible and
simple to use.
The Organization will inform individuals
who make inquiries or lodge complaints of the existence of relevant
complaint procedures. A range of these procedures may exist.
The Organization will investigate all
complaints. If a complaint is found to be justified, the Organization
will take appropriate measures, including, if necessary, amending
its privacy policies and practices.
May 12, 2004