3.0 Information Management
3.1 Privacy Protection (Adopted 02-23-2021)
To ascertain required personal and organizational information to adequately support the mission of the Foundation, while ensuring the integrity of the Foundation by respecting privacy and access to information requirements, regulations and laws. To ensure appropriate collection, management, maintenance, preservation and disposal of records and information.
- Maintain and adhere to the Donor Bill of Rights.
- The Board must appoint a Director as Privacy Officer who will be the liaison for any person having any personal information on file with the Foundation.
- Introduce any person or organization to the Privacy Officer if that person or organization requires liaison with the Foundation on a privacy matter.
- Verification of a donor’s identity must occur prior to any release of information from a donor’s personal account.
- Written evidence that the requester is a personal representative of the donor and has authority to act must be provided through presentation of Power of Attorney, a clear statement from the administrator or executor indicating authority to act, a copy of the Will, Letter of Probate, and/or Affidavit of Assets. Responses to written requests for personal information should occur within thirty (30) days, and in writing.
- Ascertain and record only necessary information.
- Use information only for the purpose for which it was ascertained, and do not disclose information by way of sharing, renting or selling it to a third party.
- Develop an electronic database, supported by hard copy files when appropriate, on current and potential donors and Foundation members.
- Maintain the integrity of the information by making revisions on a timely basis, including the notation of those who do not wish to be contacted.
- Delete or destroy unneeded electronic or hard copy information at least once a year.
- Personal information collected must be retained for one (1) year, after which it must be destroyed if the purposes of collection are no longer served and there is no legal or business purpose for keeping it.
- A donor’s information file may be deleted or destroyed after a minimum of seven (7) years of inactivity, keeping only the donor’s name, last known address, and total donation revenue; donors of endowed gifts and estates are exempted.
- Taxation information must be retained for a minimum of seven (7) years and gaming information must be retained for a minimum of five (5) years as per CRA regulations, after which it must be destroyed if there is no legal or business purpose for keeping it.
- Secure all donor information in the offices of the Foundation and in controlled-access computer data storage. All cash currency and donor information must be secured by staff in the safe or in a secure location.
- Back up the electronic database daily, including all pertinent financial information.
- The Executive Director is responsible for informing the Privacy Officer, Executive and the Board of any privacy legislation or regulation relevant to the Foundation.
3.2 Confidentiality (Adopted 06-25-2019)
The Foundation will treat all personal information ascertained as confidential and disclose this information only to those persons authorized to receive, and in need of, such information to fulfill their duties.
To maintain the public’s respect for and trust in the Foundation, and to uphold donor confidentiality.
- At the beginning of a Director’s term, the Director takes and signs the Board of Directors Membership Agreement which includes an Oath of Office, Confidentiality Statement, Conflict of Interest Statement & Statement of Commitment.
- The signed document is kept on file during the Director’s tenure.
- At the beginning of employment, staff take and sign the Employee Agreement which includes an Oath of Office, Confidentiality Statement, Conflict of Interest Statement & Statement of Commitment.
- Volunteer role descriptions and orientation information will be provided to all volunteers to ensure confidentiality is maintained while engaging in any Foundation volunteer activities.
- Director and staff signed Agreements are kept on file after their departure, in accordance with privacy legislation guidelines.
Adjustments will be made as necessary, with approval of the Executive and Board.
Risk Assessment & Privacy Audit Checklist
Risk Assessments will be conducted on an annual basis, using the following checklist, to ensure compliance with applicable legislation.
- Privacy Officer Appointment
- Collection, Use and Disclosure of Personal Information
  - Must inform individuals of the reason for, and obtain consent for, the collection, use and disclosure of personal information;
  - Personal information collected, used or disclosed for appropriate purposes and limited to those purposes; and
  - Act with openness, accountability and transparency at all times.
- Access to and Correction/Annotation of Personal Information
  - Maintain accurate records;
  - Individuals have a right to access and correct/annotate only their own personal information;
  - Requests for personal information received directly from an individual donor pertaining to his/her donor account can occur upon verification of the donor’s identity. Verification of identity can occur by confirming donor information through the use of a minimum of 2 questions such as: mailing address, spouse’s name, last donation made, designation of last donation, or ideally by showing identification such as a driver’s licence if the donor presents in the office in person;
  - Any third party who is requesting information from a donor’s account must prove their legal authority. Proof of legal authority must be provided via written evidence that the requester is a personal representative of the donor. Legal authority may include: power of attorney, appointee by court (committee), executor or administrator;
  - Any actions, including but not limited to in-kind donations, financial donations, requests for information and requests for replacement tax receipts, made on behalf of a third party must be accompanied by appropriate documentation to ensure actions are taken and gifts are accepted under proper authority. With living donors, notification of Power of Attorney and/or a clear statement from the administrator or executor indicating Legal Authority to Act is required. Donations or requests on behalf of an Estate must be accompanied by a copy of the Will, a Letter of Probate and/or an Affidavit of Assets. A copy of all documentation must be secured and kept on file in the KBRH Health Foundation office. Forms must be kept in the donor’s Estate file and/or Power of Attorney file, and with the relevant batch report;
  - Responses to requests for personal information should occur within 30 days, and in writing.
- Retention and Disposal of Personal Information
  - Destroy information (electronic and hard copy) when no longer needed for a specific legal/business purpose;
  - Annual review and disposal of records;
  - Maximum retention of records of 1 year unless for a specific legal/business purpose; and
  - Secure disposal by shredding or secure shredding bin.
- Security and Access Controls
  - External office doors locked when office unoccupied;
  - Safe locked nightly;
  - Filing cabinets locked nightly;
  - All blank cheques secured in locked filing cabinets;
  - Computer system access protected by user IDs and passwords;
  - Computers logged off nightly;
  - Computer backup as per IHA protocol;
  - “Need to Know Policy”: Employees have access to the minimum amount of personal information needed to perform duties within the organization, as per their Job Descriptions and Roles; and
  - Staff provided access to a lockable/secured space designated for their personal items.
- All new employees must receive privacy training and education prior to accessing personal information;
- Privacy training updates will be provided as required and upon receipt of new information;
- All staff and Board Directors must sign the Employee Agreement and Board Director Membership Agreement, respectively, which include the Oath of Office, Confidentiality Statement, Conflict of Interest Statement and Statement of Commitment, annually; and
- All volunteers will receive role descriptions and orientation information to ensure confidentiality is maintained while engaging in any Foundation volunteer activities.
Procedure in the Event of a Complaint or Privacy Breach
- Foundation staff to identify breach/potential breach and/or to receive complaint;
- Collect all necessary information using the Breach Report Form;
- Assure complainant that issue will be addressed and outline timeframe in which they can expect to receive return communication;
- Inform Foundation Privacy Officer of breach/potential breach and/or complaint;
- Privacy Officer to speak to Foundation staff to record their information about the event;
- Privacy Officer to speak to complainant if required;
- Assess if situation is a breach of privacy or legitimate complaint, considering the scope of the issue;
- Recover information as soon as possible and to the fullest extent possible, maintaining records of requests;
- Assess why the breach occurred, i.e. mistake, misunderstanding, carelessness, intentional, other;
- Contact complainant with respect to resolution and remediation and discuss what is required; and
- Implement steps to prevent future breaches/complaints, e.g. training, policy change, revised security, etc.
- Privacy Officer completes the Privacy Officer Confirmation of Resolution Template to conclude the investigation and incident.
Assessment Criteria for Privacy Breach
- Incident description. Identify:
  - The incident;
  - The date of the incident;
  - When the incident was discovered;
  - How the incident was discovered;
  - The location of the incident;
  - The cause of the incident.
- Immediately contain the breach and recover information if possible.
- Designate an appropriate individual to lead the initial investigation.
- Determine who needs to be made aware of the incident internally, and potentially externally, at this preliminary stage. Escalate internally as appropriate, including informing the person within your organization responsible for privacy compliance.
- If the breach appears to involve theft or other criminal activity, notify the police.
- Do not compromise the ability to investigate the breach. Do not destroy evidence that may be valuable in determining the cause or allow you to take appropriate corrective action.
- What personal information was involved
- What the cause and extent of the breach was
- How many individuals have been affected and who they are
- What harm could result from the breach
- Identify physical security in place at time of incident
- Identify technical security in place at time of incident
- Assess type of harm(s) and level of harm that may result
- Assess likelihood of harm occurring
- Determine whether affected individuals should be notified
- If they are to be notified, determine when and how, and who will notify them
- Decide what should be included in the notification
- Determine if others should be informed (e.g. privacy commissioners, police)
- Describe steps taken to notify individuals
- Describe steps taken to reduce the risk of harm to individuals
- Implement appropriate measures to prevent future breaches
Approved July 9, 2021, Board of Directors