Centennial’s Privacy and Confidentiality Policy
Approved by the Board of Directors, December 4, 2006
Centennial Infant and Child Centre and the Centennial Infant and Child Centre Foundation have always been aware of their responsibilities in safeguarding the privacy of families, children, donors, staff and volunteers.
PIPEDA and Centennial
This policy is based on the 10 principles of the federal Personal Information Protection and Electronics Documents Act (PIPEDA) that guide how organizations collect and use personal information. These principles are:
- Identifying Purposes
- Limiting Collection Individual Access
- Limiting Use, Disclosure & Retention Challenging Compliance
Phase I of the federal Personal Information Protection and Electronics Documents Act (PIPEDA) came into force January 1, 2001. This phase covers the exchange of personal information as a commercial activity by federal works, undertakings or businesses and the disclosure of personal information as a commercial activity across provincial or national borders.
Phase II came into effect January 1, 2002 and adds the exchange of personal health information as a commercial activity to PIPEDA. Phase III came into effect January 1, 2004 and will extend the act to all commercial activities within all provinces and territories unless there is substantially similar provincial or territorial privacy legislation in force.
An activity that is included in the definition of “commercial activities” in PIPEDA is “the selling, bartering or leasing of donor, membership or other fund raising lists”. The act does not regulate non-commercial activities even in the area of health information. However, since those activities are currently or probably will be regulated by various provincial or territorial legislation in the future, Centennial considers PIPEDA the standard by which personal and health information should be protected.
Centennial is defined as including the Centennial Infant and Child Centre (the “Centre”), Centennial Infant and Chile Centre Foundation, (the “Foundation”) and all volunteers, staff and students of the Centre and Foundation.
*Personal Health Information — Under PIPEDA, personal health information is defined to mean, with respect to an individual, whether living or deceased:
- Information concerning the physical or mental health of the individual;
- Information concerning any health service provided to the individual;
- Information concerning the donation by the individual of any body part or any bodily
- substance of the individual or information derived from the testing or examination of a body part or bodily substance of an individual;
- Information that is collected in the course or providing health services to the individual; or
- Information that is collected incidentally to the provision of health services to the individual.
- An individual is defined as a client, staff member, volunteer or student.
Any and all records referred to in the documents as being Personal Information or Personal Health Information are and will remain the property of Centennial. Volunteers and staff are required to maintain the privacy and confidentiality of all records in any and all formats both while acting as an active volunteer or staff member and after they leave Centennial.
Principle 1 — Accountability
Centennial is responsible for personal information under its control and will designate an individual or individuals to ensure Centennial is in compliance with the Privacy and Confidentiality Policy and PIPEDA principles. The individual designated within Centennial is the Executive Director.
1.1 Centennial will implement practices and procedures to carry out the policy, including:
- a) Implementing procedures to protect personal information;
- b) Establishing procedures to receive and respond to complaints and inquiries from individuals regarding their personal information;
- c) Training volunteers and staff and communicating to volunteers and staff information about Centennial’s Privacy and Confidentiality Policy and practices; and
- d) Developing information to explain Centennial’s Privacy and Confidentiality and practices.
Principle 2 — Identifying Purposes
Centennial, at or before the time information is collected, will identify the purposes for which personal information is collected. The identified purposes will be specified at or before the time of collection to the individual from whom the personal information is collected. When personal information that has been collected is to be used for a purpose not previously identified, Centennial is obligated to communicate the new purpose to each individual and obtain his/her consent to use the information.
Principle 3 — Consent
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. It is anticipated that instances in which knowledge and consent of the individual would not be required would be extremely rare and would include legal, medical or security reasons which would have to be fully documented.
3.1. Typically, Centennial will seek consent for the use or disclosure of the information at the time of collection. The form of the consent sought by Centennial may be either express or implied, depending upon the circumstances and the sensitive nature of the personal information.
3.2. Express consent is required from an individual before Centennial will disclose personal health information about that individual to an external organization or individual.
3.3. Implied consent is considered to be sufficient for fund raising purposes to allow the Foundation to keep personal information about a donor on Centennial’s permanent database. Every individual will be given an opportunity in a clear and meaningful way to opt out.
Principle 4 — Limiting Collection
The collection of personal information will be limited to that which is necessary for the purposes identified by Centennial. Information will be collected by fair and lawful means.
Principle 5 — Limiting Use, Disclosure and Retention
Personal information will not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information will be retained only as long as necessary for the fulfillment of those purposes.
Principle 6 — Accuracy
Personal information will be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used. Personal information that is used on an ongoing basis, including information that is disclosed to third parties, will generally be accurate and up-to-date, unless limits to the requirement for accuracy are clearly set out. Individuals will always have the opportunity to contact Centennial to update their personal information.
Principle 7 — Safeguards
Security safeguards appropriate to the sensitivity of the information will protect personal information. The security safeguards will protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Centennial will protect personal information regardless of the format in which it is held.
Principle 8 – Openness
Centennial will make readily available to individuals specific information about its policies and practices relating to the management of personal information.
8.1 The information made available will include:
- a) The name or title, and the address, of the person who is accountable for Centennial’s policies and practices and to whom complaints or inquiries can be forwarded;
- b) The means of gaining access to personal information held by Centennial;
- c) A description of the type of personal information held by Centennial, including a general account of its use; and
- d) A copy of any brochures or other information that explain Centennial’s policies, standards, or codes.
Principle 9 – Individual Access
If an individual requests, Centennial will inform him/her of the existence, use, and disclosure of his or her personal information. The individual will be given access to that information and be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
In certain situations, Centennial may not be able to provide access to all the personal information it holds about an individual. Exceptions to the access requirement will be limited and specific. The reasons for denying access will be provided to the individual upon request. Exceptions may include information that is prohibitively costly to provide, information that contains references to other individuals, information that cannot be disclosed for legal, security, or commercial proprietary reasons, and information that is subject to solicitor-client or litigation privilege.
Principle 10 – Challenging Compliance
An individual will be able to address a challenge concerning Centennial’s compliance with its own Privacy and Confidentiality Policy and the 10 PIPEDA privacy principles to the designated individual or individuals accountable for Centennial’s compliance.
Centennial has detailed guidelines to assist volunteers and staff in carrying out the Privacy and Confidentiality Policy.
If you have any questions, please contact our privacy officer, Barbara Hannah by e-mail at firstname.lastname@example.org or at (416) 935-1200 ext 235.
If you have any questions related to fundraising activities, please contact the Foundation office at 416-935-1200, x 233.