Kamloops Community YMCA-YWCA
PRIVACY GUIDING PRINCIPLES
The Kamloops Community YMCA-YWCA (the Y) respects the right of individuals to the protection of their personal information.
PRIVACY PROTECTION PROCEDURE
All staff and volunteers must protect personal information by following responsible information handling practices, in keeping with privacy laws. See Required Reading, Protecting the Privacy of Personal Information.
PROTECTING THE PRIVACY OF PERSONAL INFORMATION
The Y is committed to maintaining the confidentiality, privacy, and accuracy of personal information it collects, uses and discloses about its participants, members, donors, parents, staff, volunteers and independent contractors. The Y uses a third party services for online ticketing; view their terms of service.
People are concerned about their ability to exercise a substantial degree of control over the collection, use and disclosure of their personal information.
Personal information is information about an identifiable individual.
- Examples of personal information include, but are not limited to, name, address, gender, age, ID numbers, income, racial or ethnic origin, relationship status, employee files, payment or medical/health records, assessments or evaluations.
- An individual’s name does not need to be attached to the information in order for it to qualify as personal information.
- Personal information does not include name, title, business address, or phone number of an employee of an organization.
Y staff and volunteers having access to personal information must follow the ten fair information principles and steps for implementing these principles, in keeping with privacy laws.
PRINCIPLE 1 – Accountability1
The Y is responsible for personal information under its control and shall designate an individual or individuals who are accountable for YMCA compliance with established privacy principles.
Managers and Supervisors are responsible for and shall oversee compliance by their staff with Y privacy protection procedure and fair information principles, to ensure:
- Purposes are defined for collection of personal information;
- Consents are obtained;
- Collection, use and disclosure of personal information is limited;
- Information used is accurate, complete and up to date;
- Adequate safeguards protect personal information in Y’s control;
- Retention and destruction timetables are maintained;
- Access requests by individuals are processed promptly;
- Timely response is provided to an inquiry or complaint regarding Y handling of personal information;
- Contracts with third parties that process Y information shall include privacy protection requirements.
Supervisors are responsible for the day-to-day collection, processing and safeguarding of personal information under their control. Supervisors shall inform and train staff, and volunteers having access to personal information, on Y privacy protection procedure and information, handling practices.
Staff and relevant volunteers shall follow the privacy protection practices established by the Y when collecting, using, disclosing and safeguarding personal information.
PRINCIPLE 2 – Identifying Process
The Y shall identify the purposes for collecting personal information before or at the time personal information is collected.
The Y needs to collect, use and disclose some information about its members, participants, parents, donors, staff and volunteers, in order to conduct its operations, and deliver YMCA programs and services to the communities it serves.
The Y’s purposes for collecting personal information are:
- To establish and maintain responsible relationships with its members, participants, parents, donors, staff and volunteers;
- To manage, develop and enhance Y operations, programs and services;
- To acknowledge gifts, issue tax receipts, and other administrative requirements including information requests;
- To process and collect fees for service;
- To assess participant needs;
- To determine program, service, employment or volunteer eligibility;
- To provide safe and secure Y environments;
- To collect data for statistical purposes;
- To better understand the changing needs of communities we serve;
- To communicate a range of programs, services, and philanthropic opportunities that benefit people we serve;
- To meet legal, regulatory and contractual requirements.
The Y shall indicate with orally, electronically or in writing, at or before that time personal information is collected, the purpose for which it is being collected.
Staff and volunteers collecting personal information shall use reasonable efforts to explain identified or refer the individual to a supervisor who shall explain the identified purposes for collecting personal information.
Unless required by law, staff and volunteers shall not use or disclose for any new purpose, personal information that has been collected, without the consent of the individual. Staff shall advise their supervisor of a potential new identified purpose. Any new identified purpose must be approved by the Chief Privacy Officer, documented and consent obtained from individuals prior to Y use or disclosure.
PRINCIPLE 3 – Consent
The knowledge and consent of an individual is required for the collection, use, or disclosure of personal information, except where not required by law (see Exceptions).
In obtaining consent, staff and volunteers shall advise participants, members, parents, donors, staff, volunteers, independent contractors of identified purposes for which personal information will be used of disclosed. Purposes shall be communicated in clear, understandable language.
The Y takes into account the sensitivity of the personal information when determining what form of consent is appropriate for the circumstances.
In general, the following actions by an individual constitute implied consent for the Y to collect, use and disclose personal information for purposes identified to the individual:
- Registration for Y programs and services;
- Completion of a donation pledge form;
- Acceptance of employment and benefits enrollment by an employee;
- Acceptance of a volunteer position or student placement.
For most Y employment and community service programs, the Y is obligated by its contract with the government to obtain the express written consent from a participant to collect, use and disclose their personal information.
Express consent is required from an individual when dealing with more sensitive information, such as financial and medical data. Speak with your supervisor for more information about when express consent is required in your program or service area.
Individuals may at any time withdraw their consent to the Y’s use or disclosure of their personal information, subject to certain service, legal or contractual restrictions. Individuals wishing to withdraw consent may contact the Y for more information regarding the implications of withdrawing consent.
The Y may collect, use or disclose information without an individual’s prior knowledge or consent in certain circumstances permitted by law.
For example, the Y may collect, use or disclose personal information without prior knowledge or consent, if it is clearly in the best interest of the individual to do so, such as in an emergency situation where the life, health or security of an individual is threatened.
YMCA may disclose personal information without prior knowledge or consent of the individual:
- To a lawyer or other legal representative of the Y;
- To a government body or agency in certain circumstances;
- To collect a debt, or comply with a subpoena, warrant or other court order, or as may be otherwise required by law;
- In circumstances otherwise permitted by law.
For more information about consent and disclosure, please speak with your VP/GM.
PRINCIPLE 4 – Limiting Collection
The Y shall limit the collection of personal information which is necessary for the purposes identified by the Y. Information shall be collected by fair and lawful means.
When collecting personal information, staff and volunteers will usually collect it directly from the individuals about whom the personal information pertains.
Personal information may be collected from other sources with prior consent from the individual, for example, from prior employers, personal references or from other third parties having the right to disclose the information.
To avoid the complications of privacy laws, the Y will consider using whenever possible non-identifiable information, such as coded or anonymous data, that does not identify individuals.
PRINCIPLE 5 – Limiting Use, Disclosure, and Retention
The Y shall not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
In certain circumstances personal information can be collected, used or disclosed without the knowledge and consent of the individual. See Exceptions about under Principle 3 – Consent.
Personal information shall be retained only as long as necessary for the fulfillment of those purposes for which it was collected, or as required by law, or by contract with a funding partner.
Depending on the circumstances, where personal information has been used to make a decision about an individual, the Y shall retain, for a period of time that is reasonably sufficient to allow for access by the individual, either to actual information or the rationale for making the decision.
Supervisors shall maintain schedules for record retention and destruction, which apply to personal information that is no longer necessary or relevant for the identified purposes for collection or required to be retained by law or under contract. Such information shall be destroyed, erased or rendered anonymous.
Speak with your supervisor for more information on records retention and destruction requirements for your program or service area.
PRINCIPLE 6 – Accuracy
Personal information shall be as accurate, complete and up to date as is necessary for the purposes for which it is to be used.
Personal information used by the Y shall be sufficiently accurate, complete and up to date to minimize the possibility that inaccurate information is being used to make a decision about an individual.
If staff and volunteers are aware of any inaccuracy or changes in their personal information that the Y holds about them, please contact the Human Resources department or staff contact if a volunteer.
Staff handling personal information shall update personal information about participants, members, donors, staff, volunteers, independent contractors, as and when necessary.
Speak with your supervisor if you have questions about correction requests or on how accurate, complete and up-to-date personal information needs to be.
PRINCIPLE 7 – Safeguards
The Y shall protect personal information by security safeguards appropriate to the sensitivity of the information.
All staff and volunteers with access to information shall be required as a condition of employment or volunteer role, to respect the confidentiality of personal information.
The more sensitive personal information is, the more security is required. Speak with your supervisor for more information on safeguards appropriate to the sensitivity of personal information in your program or service area.
Staff shall protect personal information in their control (regardless of format) against such risks as loss or theft, unauthorized access, disclosure, copying, use, modification or destruction, through appropriate security safeguards.
Safeguards may include physical measures (such as locked doors, locked file cabinets), organizational measures (such as staff training, limited access, security clearances) and technological measures (such as passwords, anti-virus software for computer systems). See safeguards outlined in Required Reading 5.VS.8 – Acceptable Use of Computer Resources if you have access to a YMCA computer.
Personal information shared with a third party for processing shall be protected through contractual agreements with requirements for confidentiality and appropriate safeguards.
PRINCIPLE 8 – Openness
The Y shall make readily available to individuals, information about its procedures and practices relating to the management of personal information.
Information on the Y’s commitment to privacy is available to the public on the Y web site at www.kamloopsy.org.
Staff and volunteers shall make known upon request the contact information for a supervisor to whom inquiries or complaints can be forwarded. See Challenging Compliance below.
PRINCIPLE 9 – Individual Access
The Y shall upon request inform an individual of the existence, use and disclosure of his or her personal information and shall give the individual access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Staff and volunteers shall refer requests about personal information held about an individual to a supervisor.
Staff shall immediately inform their supervisor of a request for access by an individual to his or her personal information collected by the Y. The Chief Privacy Officer shall respond to a written request for individual access by providing access to the individual’s data, except in limited circumstances. See Exceptions to Access below.
In order to safeguard personal information, an individual may be required to provide sufficient identification to permit Y to account for the existence, use and disclosure of personal information, and authorize access to the individual’s file.
The Chief Privacy Officer shall respond to a written request for access in a reasonable time, and at minimal or not cost. Personal information shall be provided in a format that is understandable, along with any explanation needed to facilitate. the individual’s understanding.
The Chief Privacy Officer shall provide the individual a reasonable opportunity to review and challenge the accuracy and completeness of personal information. A statement of disagreement will be attached to records where a requested amendment cannot be made.
Upon request, the Chief Privacy Officer shall provide an account of the use and disclosure of personal information. A list of organizations to which the Y may have disclosed personal information shall be provided, when it is not possible to provide a list of actual disclosures.
Exceptions to access
The Y may not be able to provide an individual with access to some or all of his or her personal information in certain circumstances permitted by law. Some exceptions include if:
- Doing so would likely reveal personal information about a third party;
- Disclosure could reasonably be expected to threaten the life or security of another individual;
- Information was collected in relation to the investigation of a breach of an agreement, or a contravention of law, or as otherwise permitted by law.
If access to personal information cannot be provided, the Chief Privacy Officer shall provide the individual with written reasons for denying access.
PRINCIPLE 10 – Challenging Compliance
An individual shall be able to address a challenging concerning compliance with the above principles to the designed persons accountable for Y compliance.
Staff and volunteers shall refer any inquiries or complaints about Y’s handling of personal information, to the Chief Privacy Officer for response in a fair and timely manner.
Individuals may contact the Chief Privacy Officer to discuss their question or concern about Y information handling practices.
Individuals wishing to make a complaint about Y information handling practices, will be asked to provide in writing to the Chief Privacy Officer, the following information:
- Name and address or fax number where the individual prefers to be reached;
- Nature of the complaint and relevant details;
- If applicable, the name of the Y staff with whom the individual has already discussed the issue.
The Y shall investigate all complaints. If a complaint is found to be justified, the Y shall take appropriate measures to resolve the complaint.
The Y regularly reviews its policies and procedures to ensure we remain current with evolving public expectations and changing laws.
Contact your supervisor for more information on our Y’s commitment to privacy. Also, the following website provides information on privacy: Privacy Commissioner of Canada, www.pdvcom.gc.ca