
Privacy Policy: 10 Principles

Overview

THE QUILT: A Breast Cancer Support Project is responsible for personal information within its custody and control and adopts, to the fullest extent possible, a high standard of privacy for its personal information practices. THE QUILT: A Breast Cancer Support Project has adopted the 10 Principles set out in the Canadian Standards Association Model Code for the Protection of Personal Information. This document defines how THE QUILT: A Breast Cancer Support Project subscribes to the 10 Principles through the development of an organization-specific code.

This Policy will apply to personal information collected, used, disclosed and retained by THE QUILT: A Breast Cancer Support Project, subject to legal requirements.

Definitions

Organization means THE QUILT: A Breast Cancer Support Project.

Agent in relation to the organization, means a person, whether or not the person is employed by the organization and whether or not the person is being remunerated, when that person is authorized to act for or on behalf of THE QUILT: A Breast Cancer Support Project in exercising powers or performing duties with respect to personal information. For greater certainty, Agent includes employees, volunteers, students, sponsors, consultants, vendors and contractors.

Personal information means information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.

Principle 1 - Accountability for Personal Information

THE QUILT: A Breast Cancer Support Project is responsible for personal information within its control and has designated an individual who is accountable for the organization's compliance with the following principles:

  • Accountability for compliance with the policy rests with the Executive Director, although other individuals within the organization are responsible for the day-to-day collection and processing of personal information. In addition, other individuals within the organization are delegated to act on behalf of the Executive Director, such as the Chief Privacy Officer.

The name of the Chief Privacy Officer designated by the Organization to oversee compliance with these principles is Susan Grabarczyk. She can be contacted at:

  email: privacy@thequilt.com
  Telephone: 519-272-2588
  Fax: 519-272-2588
  Mail: P.O. Box 1052, Stratford, ON N5A 6W4
  • THE QUILT: A Breast Cancer Support Project is responsible for personal information in its possession or custody, including personal information that has been transferred to a third party for processing. The organization will use contractual or other means to provide a comparable level of protection while the personal information is being processed by a third party.
  • Policies and practices have been implemented to give effect to this policy, including:
    • Policies & procedures to protect personal information, including personal information relating to employees, volunteers, donors, sponsors, potential supporters and other stakeholders.
    • Establishing procedures to receive and respond to complaints and inquiries about our privacy compliance.
    • Training staff and agents, and communicating to them information about the organization’s privacy policies and practices.
    • Developing and communicating to the public and key stakeholders information that explains the organization's privacy policies and procedures.

Principle 2 - Identifying Purposes for the Collection, Use and Disclosure of Personal Information

At or before the time that personal information is collected, THE QUILT: A Breast Cancer Support Project will identify the purposes for which personal information is collected. The primary purposes are fundraising to meet the needs of the organization’s charitable activities and operating expenses, publication of the “Show Guide” and display of exhibition materials, providing donors, supporters and potential supporters with stewardship and recognition information, and meeting legal and regulatory requirements.

  • Identifying the purposes for which personal information is collected at or before the time of collection allows the organization to determine the personal information that it needs to collect to fulfill these purposes.
  • The identified purposes are specified at or before the time of collection to the individual from whom the personal information is collected. Depending upon the way in which the personal information is collected, this can be done orally or in writing. Individuals will be given the option to accept or reject such uses.
  • When personal information that has been collected is to be used for a purpose not identified at the time of collection, the new purpose will be identified prior to use. Unless law requires the new purpose, the consent of the individual is required before personal information can be used for that purpose.
  • Persons collecting personal information will be able to explain to individuals the purposes for which the information is being collected.

Principle 3 - Consent for the Collection, Use, and Disclosure of Personal Information

The knowledge and consent of an individual are required for the collection, use or disclosure of personal information about that individual, except where inappropriate.

Note: In certain circumstances personal information can be collected, used, or disclosed without the knowledge and consent of the individual. For example, legal or security reasons may make it impossible or impractical to seek consent. When information is being collected for the detection and prevention of fraud or for law enforcement, seeking the consent of the individual might defeat the purpose of collecting the information. In addition, if the organization does not have a direct relationship with the individual, it may not be possible to seek consent. Seeking consent may be impractical when acquiring a mailing list from another organization. In such cases, the organization providing the list would be expected to obtain consent before disclosing personal information.

  • Consent is required for the collection of personal information and the subsequent use or disclosure of this information. Typically, the organization will seek consent for the use or disclosure of the personal information at the time of collection. In certain circumstances, consent with respect to use or disclosure may be sought after the personal information has been collected but before being used or disclosed (for example, when the organization wishes to use personal information for a purpose not previously identified).
  • The principle requires "knowledge and consent". The organization will make a reasonable effort to ensure that the individual is advised of the purposes for which his/her personal information will be used or disclosed. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the personal information will be used or disclosed.
  • The organization will not require an individual to consent to the collection, use, or disclosure of personal information beyond that required by law. An organization may not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfill the explicitly specified and legitimate purposes.
  • In obtaining consent, the reasonable expectations of the individual are also relevant. The Organization can assume that an individual's donation constitutes consent for specific purposes, such as the issuance of an income tax receipt. On the other hand, an individual would not reasonably expect that personal information given to the organization would be given to another fundraising organization.
  • The form of consent sought by the organization may vary, depending on the circumstances and the type of personal information collected. In determining the form of consent to use, the organization will take into account the sensitivity of the personal information. The organization will generally seek express consent when the personal information is likely to be considered sensitive. Implied consent would generally be appropriate when the personal information is less sensitive.
  • Individuals can give consent in many ways. For example:
    • An application, a Call for Entry form, a Marathon pledge form and other organization materials may be used to seek consent, collect personal information, and inform the individual of the use and/or disclosure that will be made of the personal information. By completing and signing the form, the individual is giving consent to the collection and the specified uses and/or disclosures.
    • A check box may be used to allow individuals to request that their names and addresses not be used by the organization for future mailings, etc. Individuals who do not check the box are assumed to consent to the use of this information for other mailings.
    • Consent may be given orally when personal information is collected over the telephone or at the time that individuals make a donation, etc.
    • Consent may be given by registering for a program or event sponsored by the organization, through participation as a volunteer, by sponsoring an organization event, etc.
  • An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. The organization will inform the individual of the implications of such withdrawal.

Principle 4 - Limiting Collection of Personal Information

  • The collection of personal information will be limited to that which is necessary for the purposes identified by the organization. Personal information will be collected by fair and lawful means.
  • The organization will not collect personal information indiscriminately. Both the amount and the type of personal information collected will be limited to that which is necessary to fulfill the purposes identified.
  • The requirement that personal information be collected by fair and lawful means is intended to prevent the organization from collecting personal information by misleading or deceiving individuals about the purpose(s) for which personal information is being collected. This requirement implies that consent with respect to collection must not be obtained through deception.

Principle 5 - Limiting Use, Disclosure, and Retention of Personal Information

Personal information will not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information will be retained only as long as necessary for the fulfillment of those purposes.

  • If using personal information for a new purpose, the organization will document this purpose and seek consent for such use and/or disclosure.
  • The organization has developed guidelines and implemented procedures with respect to the retention of personal information. These guidelines include minimum and maximum retention periods. Personal information that has been used to make a decision about an individual will be retained long enough to allow the individual access to the personal information after the decision has been made. The organization is subject to legislative requirements with respect to retention periods.
  • Personal information that is no longer required to fulfill the identified purposes will be destroyed, erased, or made anonymous, unless required by law to keep it for a longer period. The Organization has developed guidelines and implemented procedures to govern the destruction of personal information in accordance with applicable legislative requirements.

Principle 6 - Ensuring Accuracy of Personal Information

Personal information will be kept as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used and/or disclosed.

  • The extent to which personal information will be kept accurate, complete, and up-to-date will depend upon the use/disclosure of the personal information, taking into account the interests of the individual. Personal information will be sufficiently accurate, complete, and up-to-date to minimize the possibility that inappropriate personal information may be used to make a decision about the individual.
  • The organization will not routinely update personal information, unless such a process is necessary to fulfill the purposes for which the personal information was collected.
  • Personal information that is used on an ongoing basis, including personal information that is disclosed to third parties, will generally be kept accurate, complete and up-to-date, unless limits to the requirement for accuracy are clearly set out.

Principle 7 - Ensuring Safeguards for Personal Information

Security safeguards appropriate to the sensitivity of the personal information have been implemented by the organization to protect personal information.

  • The security safeguards will protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. The Organization will protect personal information regardless of the format in which it is held.
  • The nature of the safeguards will vary depending on the sensitivity of the personal information that has been collected, the amount, distribution, and format of the personal information, and the method of storage. A higher level of protection will safeguard more sensitive personal information.
  • The methods of protection will include:
    • Physical measures, for example, locked filing cabinets and restricted access to offices.
    • Organizational measures, for example, limiting access on a "need-to-know" basis.
    • Technological measures, for example, the use of passwords, encryption and audits.
  • The organization will make its employees and agents aware of the importance of maintaining the confidentiality of personal information. As a condition of employment, appointment, or agency, all organization employees and agents must sign the applicable confidentiality agreement annually.
  • Care will be used in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the personal information.

Principle 8 - Openness About Personal Information Policies and Practices

  • The organization will make readily available to individuals specific information about its policies and practices relating to the management of personal information.
  • The organization will be open about its policies and practices with respect to the management of personal information. Individuals will be able to acquire information about its policies and practices without unreasonable effort. This information will be made available in a form that is generally understandable.
  • The information made available will include:
    • The name or title, and the address, of the Chief Privacy Officer, who is accountable for the organization's privacy policies and practices, and to whom complaints or inquiries can be forwarded.
    • The means of gaining access to personal information held by the organization.
    • A description of the type of personal information held by the organization, including a general account of its use and/or disclosure.
    • A copy of any information that explains the organization's policies, standards, or codes.
    • What personal information is made available (i.e. disclosed) to affiliated organizations.
  • The organization may make information on its privacy policies and practices available in a variety of ways. For example, the organization may choose to mail information to its donors and potential supporters, or provide access through the website.

Principle 9 - Individual Access to Own Personal Information

Upon request, an individual will be informed of the existence, use, and disclosure by the organization of his or her personal information and will be given access to that personal information. An individual will be able to challenge the accuracy and completeness of the personal information and have it amended as appropriate.

Note: In certain situations, the organization may not be able to provide access to all of the personal information that it holds about an individual. Exceptions to the access requirement will be limited and specific. The reasons for denying access will be provided to the individual upon request. Exceptions may include personal information that is prohibitively costly to provide, information that contains references to, or personal information about, other individuals, information that cannot be disclosed for legal, security, or proprietary reasons, and information that is subject to solicitor-client or litigation privilege.

  • Upon request, the organization will inform an individual whether or not it holds personal information about that individual. The organization will seek to indicate the source of this information and will allow the individual access to this information. In addition, the organization will provide an account of the uses that have been made or are being made of this information and an account of the third parties to which it has been disclosed.
  • An individual will be required to provide sufficient information to permit the organization to provide an account of the existence, use, and disclosure of personal information. The information provided will only be used for this purpose.
  • In providing an account of third parties to which it has disclosed personal information about an individual, the organization will attempt to be as specific as possible as to whom at the third party organization it was disclosed. When it is not possible to provide a list of the organizations to which it has actually disclosed personal information about an individual, the organization will provide a list of the organizations to which it may have disclosed personal information about the individual. It should be noted that the organization does not rent, sell or trade its mailing lists or personal information.
  • The organization will respond to an individual's request within a reasonable time and at a minimal or no cost to the individual. Fees will be established on a cost recovery basis. The requested personal information will be provided or made available in a form that is generally understandable. For example, if the organization uses abbreviations or codes to record information, an explanation will be provided.
  • When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, the organization will amend the information as required, in accordance with professional standards of practice. Depending upon the nature of the personal information challenged, amendment may involve the correction, deletion, or addition of personal information. Personal information contained within donor receipt records will not be deleted, but rather, the original must be maintained, with any amendments or corrections being made in a transparent manner. Where appropriate, the amended information will be transmitted to third parties to whom the original personal information was disclosed.
  • When a challenge is not resolved to the satisfaction of the individual, the organization will record the substance of the unresolved challenge. When appropriate, the existence of the unresolved challenge will be transmitted to third parties to whom the original personal information was disclosed.

Principle 10 - Challenging Compliance with the Organization's Privacy Policies and Practices

An individual will be able to address a challenge concerning compliance with this policy to the Chief Executive Officer.

  • The Organization has procedures in place to receive and respond to complaints or inquiries about its policies and practices relating to the handling of personal information. The complaint procedures are easily accessible and simple to use.
  • The Organization will inform individuals who make inquiries or lodge complaints of the existence of relevant complaint procedures. A range of these procedures may exist.
  • The Organization will investigate all complaints. If a complaint is found to be justified, the Organization will take appropriate measures, including, if necessary, amending its privacy policies and practices.
 
 

© 2006 THE QUILT: A Breast Cancer Support Project