BACKGROUND
The federal Personal Information Protection and Electronic Documents Act (PIPEDA) became law on January 1, 2004, and therefore all organizations are regulated with respect to personal information collected from their constituents.
At Muscular Dystrophy Canada, this includes persons with neuromuscular disorders and their families, donors, volunteers and employees. Where a province enacts legislation similar to the federal Act, the provincial statute will apply within the province, in primacy over the federal statute. The following policy is compliant with the British Columbia legislation Personal Information Protection Act (PIPA), effective January 1, 2004.
Muscular Dystrophy Canada (MDC) is committed to protecting the privacy and security of personal information under its control. This policy applies to all personal information collected, used or disclosed by MDC with respect to donors, fundraisers, event participants, individuals who use the services of MDC, volunteers and staff.
Muscular Dystrophy Canada is committed to protecting the privacy and safeguarding the personal information of all our stakeholders. Muscular Dystrophy Canada endeavours to adhere to all legislative requirements with respect to privacy.
We understand that personal information must be protected and therefore, Muscular Dystrophy Canada will:
- Provide the highest level of confidentiality around the collection, use and disclosure of your personal information;
- Collect only information and use that information with your knowledge and solely for the purpose you are seeking;
- Ask your permission before disclosing any personal information;
- Recognize your right of access to your personal information;
- Be available to respond to your questions and concerns about the way we handle the privacy of your personal information.
In an effort to maintain appropriate standards of care in managing personal information, MDC commits to the following ten principles, as outlined in the Canadian Standards Association’s Model Code for the Protection of Personal Information (CAN/CSA-Q830-96) and that comply with provincial and federal legislation:
- Accountability
- Identifying purposes
- Consent
- Limiting collection
- Limiting use, disclosure and retention
- Accuracy
- Safeguards
- Openness
- Individual access
- Challenging compliance
Ten Privacy Principles
- 1. Accountability
Every employee and volunteer of MDC is responsible for maintaining and protecting personal information under his/her control. The Board of Directors designates Kendra Morton as the Privacy Officer for the organization.
- 2. Identifying Purposes
The purposes for which personal information is collected shall be identified at or before the time the information is collected, i.e. at the time of registration.
- 3. Consent
The knowledge and consent of the individual are required for the collection, use or disclosure of personal information.
- 4. Limiting Collection
The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
- 5. Limiting Use, Disclosure and Retention
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.
- 6. Accuracy
Personal information shall be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.
- 7. Safeguards
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
- 8. Openness
MDC shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
- 9. Individual Access
Upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
- 10. Challenging Compliance/Providing Recourse
An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization’s compliance.
Maintaining the Confidentiality of Information
Confidentiality of all confidential information will be maintained by the Volunteer or Staff beyond the length of their relationship with MDC.
This policy is subject to change due to changes in organizational practices or legal and regulatory requirements. We encourage you to periodically check our website for updates to this policy.
Definition of Personal Information
Personal information is any information recorded in any form that identifies or can identify an individual, other than an individual’s business contact information. Thus, personal information includes your name, gender, address, phone number, date of birth, credit card details or other financial information, health information, donation amounts and dates, volunteer information such as availability and areas of interest, history of involvement with MDC, and information required to maintain an employment relationship with MDC.
Personal information does not include anonymous or aggregate information that cannot be tracked back to you personally.
- Accountability
- MDC accepts full responsibility for protecting personal information under its possession or control. Our Privacy Officer is accountable for the organization’s compliance with this policy. They can be reached at privacy@muscle.ca.
- The Senior Privacy Officer delegates responsibilities relating to privacy management, oversight and compliance to provincial representatives on an as-needed basis.
- The duties of the Senior Privacy Officer include:
- developing and, on a regular basis, reviewing MDC policies and practices to ensure consistent implementation and compliance;
- ensuring all staff are trained on privacy best practices and are aware of the importance of safeguarding any personal information to which they are privy;
- ensuring that all inquiries and complaints relating to privacy are appropriately handled;
- ensuring all third parties to whom MDC provides access to personal information adhere to appropriate standards of care in managing that information; and
- informing the CEO and/or Board about significant privacy breaches that could potentially cause harm to MDC’s reputation.
- Identifying Purposes
- Personal information is collected for purposes such as:
- providing neuromuscular-related support services and running MDC events;
- responding to any concerns or inquiries about MDC’s activities;
- fundraising and promoting MDC events and services;
- communicating with the community, including communications with donors, funders, partners and individuals that participate in MDC events or use MDC services;
- determining an individual’s suitability to be in a position of trust, including the handling of cash or working with vulnerable persons;
- accounting and other financial purposes such as issuing tax receipts; and
- maintaining an employment relationship with employees of MDC.
- Should you choose, or are required as part of our support programs, to provide us with your health information, MDC does not collect or use this information to provide you with opinions or endorse any particular treatment option or course of action, nor do we use this information to make decisions on your behalf or provide you with medical referrals or advice.
- Aggregated information is used for service planning and delivery, health promotion, and the general administration of MDC’s business, including assessing the effectiveness of MDC programs and campaigns, improving donor experience and assisting in developing new programs and channels. This information will be compiled and analyzed on an aggregate basis and, unless we have your specific consent to use identified information, does not identify any individual and therefore is not treated as personal information under this policy.
- Each time an individual accesses the MDC website, we automatically receive and store certain types of non-personally identifiable information. Please refer to Website Practices on page 7 for more information.
- Consent
- Requirements for consent to the collection, use, or disclosure of personal information vary depending on circumstances and on the type of personal information. Consent can be obtained in person, by phone, by mail, or via the Internet.
- In determining whether implied or explicit consent is required and, if so, which form of consent is appropriate, MDC will take into account the sensitivity of the personal information at issue, the purposes for which MDC will use the information and any legal requirements. Consent may be implied based upon the reasonable expectations of the individual. For example, if you provide personal information in response to a fundraising communication, consent may be implied for the purposes of using the information for fundraising. In determining the appropriate form of consent, MDC will take into account the sensitivity of the personal information. Implied consent will generally be appropriate where the personal information is non-sensitive in nature and context. Express consent will always be sought should the primary purpose of collection be to promote a corporate partner product or should we wish to disclose your personal information to a third party, such as another charity.
- Your provision of personal information to MDC means that you agree and consent that we may collect, use and disclose your personal information in accordance with this privacy policy. If you do not agree with these terms, please do not provide any personal information to MDC. Failure to provide your personal information to MDC may prevent us from offering you the products or services you have requested.
- MDC will usually obtain your informed consent at the time that we collect your personal information. If your personal information will be used or disclosed for any additional purposes that are not outlined in this policy, MDC will advise you of these new purposes before such use or disclosure, unless otherwise required by law.
- Consent may be time-limited and may be revoked by the individual who gave it, subject to legal restrictions, limited exceptions and reasonable notice. Withdrawal of consent will not exclude an individual from service delivery, unless the information requested is required to fulfill an explicitly specified and legitimate purpose.
- Limiting Collection
- MDC only collects personal information for the purposes outlined under Principle 2.
- Every MDC department or business unit is responsible for ensuring that all information collected is limited, both in amount and type, to what is needed to fulfill the identified purposes.
- MDC usually collects personal information directly from the individual in the course of its business through various means including, but not limited to:
- registration and application forms;
- MDC programs and services;
- donor and fundraising forms; and
- on-line applications, services and systems.
- MDC may also collect personal information from other sources (including personal references and family members), with the consent of the individual or where permitted or required by law (for example, when the information is about a minor) or is publicly available.
- Limiting Use, Disclosure and Retention
- Personal information is only used and disclosed for the purposes for which it was originally collected (as outlined under Principle 2) unless specific consent has been obtained or if otherwise required by law. There are circumstances where a disclosure without consent is justified or permitted, for example in the context of a legal investigation or a request from law enforcement authorities, or where MDC believes, upon reasonable grounds, that the disclosure is necessary to protect the rights or safety of an identifiable person or group.
- Also, note that your personal information may be shared with volunteers and service providers (collectively “Affiliates”). Such Affiliates assist us in establishing, managing and maintaining our relationship with you and providing products and services to MDC, such as mailing and fulfillment organizations and third party fundraising agencies. Such Affiliates will only use your personal information for the purposes identified above and are bound by confidentiality agreements and commit to safeguarding your personal information. Note that in working with our service providers, your personal information may be transferred to a foreign jurisdiction to be processed or stored. Such information may be provided to law enforcement or national security authorities of that jurisdiction upon request, in order to comply with foreign laws.
- Personal information is only retained as long as it is necessary for the fulfillment of the purposes identified in this policy (under Principle 2) and as required by law. MDC has established retention timelines for staff to follow and also periodically reviews MDC’s retention needs.
- The retention period may extend beyond your relationship with us. When your personal information is no longer required for MDC’s purposes, the information is either physically destroyed or deleted.
- Accuracy
- MDC makes reasonable efforts to keep personal information as accurate, complete and up-to-date as is necessary to fulfill the purposes for which the information is to be used.
- We rely on our donors, fundraisers, event participants, individuals who use the services of MDC, volunteers and employees to provide us with accurate information and to notify us if their information needs to be updated.
- Safeguards
- MDC takes reasonable measures to ensure that personal information is kept safe from loss or theft, unauthorized access, use, copying, disclosure or modification. Safeguards include physical, organizational and technical measures, such as (but not limited to):
- security card access to premises;
- restriction of employee access to files on a “need to know” basis;
- confidentiality undertakings by all employees;
- locking up personal information and not leaving it unattended or in plain view;
- firewalls, anti-virus, strong passwords and software solutions for technical security (including secure, 128-bit encrypted Secure Socket Layer sessions on our website); and
- regular reviews of privacy compliance initiatives.
- Openness
- MDC always makes information available about our privacy practices upon request. MDC also takes steps to ensure that all staff/volunteers can answer inquiries about our information-handling practices and appropriately refer unanswered questions or privacy complaints to MDC’s Privacy Officer.
- Individual Access
- An individual should direct a request for access to their personal information to the Senior Privacy Officer in writing (contact information is set out at the end of this policy). The written request must provide sufficient detail so that the Senior Privacy Officer can properly and efficiently respond to the request.
- In order to safeguard personal information, an individual may be required to provide sufficient identification information in order for MDC to authenticate the individual and to authorize access to the individual’s file.
- MDC will respond to access requests in a timely manner, and in accordance with the timeframe prescribed by any relevant legislation.
- An individual may challenge the accuracy and completeness of the information obtained, if appropriate. MDC shall promptly correct or complete any personal information found to be inaccurate or incomplete. Any unresolved differences as to accuracy or completeness shall be noted in the individual’s file. Where appropriate, MDC shall transmit to third parties having access to the personal information in question, any amended information or information regarding the existence of any unresolved differences.
- Individuals will be provided with any help needed to access their personal information, including clarifying exactly what they are looking for. Requested information will be provided in a timely manner, and in a form that is generally understandable. Depending on the amount of information requested, there may be a nominal fee charged to cover any costs associated with responding to the request.
- If MDC does not have custody of the personal information requested or must decline to provide an individual with access to their personal information for legal, regulatory or other reasons, an explanation will be provided.
- Challenging Compliance
- An individual shall address a challenge concerning MDC’s compliance with the principles set out in this privacy policy to the Senior Privacy Officer. Complaints must be in writing and will be handled in a timely manner.
- MDC has procedures in place to receive, investigate, respond to and track concerns or complaints about its management of personal information. By following these procedures, a remedy or corrective action will be undertaken to resolve the issue, including, if necessary, amending MDC’s policies and procedures.
- Within a reasonable time of conclusion of the investigation, the Senior Privacy Officer will inform the complainant of:
- the results of the investigation; and
- any appropriate measures MDC will take to rectify the source of the complaint.
Web Practices
Tracking
Our websites may automatically record some general information about your visit in order for MDC to engage in web statistical analysis using Google Analytics. We want to make sure our sites are useful to visitors and make the most efficient use of donor dollars in our marketing efforts through targeted advertising. This information may include the:
- internet domain for your internet service provider, such as “company.com” or “service.ca” and the IP address of the computer you are using to access MDC’s website;
- type of browser you are using, such as Internet Explorer, Firefox or Chrome;
- type of operating system you are using such as Windows or Macintosh;
- date and time of the visit to our site, the pages of our site that were visited, and the address of the previous website you were visiting if you linked to us from another website;
- age category, gender, and affinity interests as determined by demographic and interest reports available through Google Analytics.
We make no effort to personally identify you based on your visit to our site. If you wish, you may opt out of being tracked by Google Analytics by disabling or refusing the cookies; by disabling JavaScript within your browser; or by using the Google Analytics Opt-Out Browser Add-On.
Data collected for web analytics purposes may be processed in any country where Google operates servers, and thus may be subject to the governing legislation of that country.
Cookies
We also use “cookies” that identify you as a return visitor and which can help us tailor information to suit your individual preferences. A cookie is a small text file that a website can send to your browser, which may then store the cookie on your hard drive. The goal is to save you time next time you visit, provide you with a more meaningful visit, and measure website activity. Cookies in and of themselves cannot be used to reveal your identity. Many browsers, however, allow you to disable cookie collection if you wish, or inform you when a cookie is being stored on your hard drive.
Targeted Advertising
As you interact with MDC’s websites, third party advertising partners may use cookies that we place on your computer, tracking pixels, web beacons and similar technologies to identify you as a visitor to our websites, and present you with targeted ads to help us promote MDC. You can opt-out of the use of your information for select ad targeting by visiting this site, and also by setting up “Do Not Track” options available through your browser.