London Health Sciences Foundation ("Foundation") is responsible for personal information within its custody and control and adopts, to the fullest extent possible, a high standard of privacy for its personal information practices. The Foundation adopts the Principles set out in the National Standard of Canada entitled "Model Code for the Protection of Personal Information". While separate corporate entities, because the Foundation's principal activity is to raise funds for London Health Sciences Centre ("Hospital"), the two organizations have adopted similar policies with respect to fair personal information practices.
This Policy will apply to personal information collected, used, disclosed and retained by the Foundation, subject to legal requirements.
"agent" in relation to an organization, means a person, whether or not the person is employed by the organization and whether or not the person is being remunerated, when that person is authourized to act for or on behalf of the Foundation in exercising powers or performing duties with respect to personal information. For greater certainty, "agent" includes employees, volunteers, students, physicians, consultants, vendors and contractors.
"personal information" means information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.
Principle 1 - Accountability for Personal Information
The Foundation is responsible for personal information within its
control and has designated an individual who is accountable for the
Foundation's compliance with the following principles
Accountability for the Foundation's compliance with the policy rests with the President and CEO, although other individuals within the Foundation are responsible for the day-to-day collection and processing of personal information. In addition, other individuals within the Foundation are delegated to act on behalf of the President and CEO, such as the Chief Privacy Officer.
The name of the Chief Privacy Officer designated by the Foundation to oversee compliance with these principles is Evelyn Salhani. She can be contacted at:
- e-mail: firstname.lastname@example.org
- phone: 519.685.8409/ 888.814.4612
- fax: 519.685.8265
- mail: London Health Sciences Foundation
- 747 Baseline Road East, London, Ontario N6C 2R6
The Foundation is responsible for personal information in its possession or custody, including personal information that has been transferred to a third party for processing. The Foundation will use contractual or other means to provide a comparable level of protection while the personal information is being processed by a third party.
The Foundation has implemented policies and practices to give effect to this policy, including:
- Implementing policies & procedures to protect personal information, including personal information relating to employees, volunteers, donors, potential supporters and other stakeholders.
- Establishing procedures to receive and respond to complaints and inquiries about our privacy compliance.
- Training and communicating to staff, volunteers and agents information about the Foundation's privacy policies and practices.
- Developing and communicating to the public, Hospital and key stakeholders information to explain the Foundation's privacy policies and procedures.
Principle 2 - Identifying Purposes for the Collection, Use and Disclosure of Personal Information
At or before the time that personal information is collected, the Foundation will identify the purposes for which personal information is collected. The primary purposes are fundraising to meet the needs of the Hospital, providing donors and supporters with stewardship and recognition information, providing donors and potential supporters with information about the Hospital and Foundation initiatives and meeting legal and regulatory requirements.
Identifying the purposes for which personal information is collected at or before the time of collection allows the Foundation to determine the personal information that it needs to collect to fulfill these purposes.
The identified purposes are specified at or before the time of collection to the individual from whom the personal information is collected. Depending upon the way in which the personal information is collected, this can be done orally or in writing. Notices within the Hospital and/or on Hospital forms, for example, may give notice of the purposes. Individuals will be given the option to accept or reject such uses.
When personal information that has been collected is to be used for a purpose not identified at the time of collection, the new purpose will be identified prior to use. Unless law requires the new purpose, the consent of the individual is required before personal information can be used for that purpose.
Persons collecting personal information will be able to explain to individuals the purposes for which the information is being collected.
Principle 3 - Consent for the Collection, Use, and Disclosure of Personal Information
The knowledge and consent of an individual are required for the collection, use or disclosure of personal information about that individual, except where inappropriate.
Note: In certain circumstances personal information can be collected, used, or disclosed without the knowledge and consent of the individual. For example, legal or security reasons may make it impossible or impractical to seek consent. When information is being collected for the detection and prevention of fraud or for law enforcement, seeking the consent of the individual might defeat the purpose of collecting the information. In addition, if the Foundation does not have a direct relationship with the individual, it may not be possible to seek consent.
Consent is required for the collection of personal information and the subsequent use or disclosure of this information. Typically, the Foundation will seek consent for the use or disclosure of the personal information at the time of collection. In certain circumstances, consent with respect to use or disclosure may be sought after the personal information has been collected but before being used or disclosed (for example, when the Foundation wishes to use personal information for a purpose not previously identified).
The principle requires "knowledge and consent". The Foundation will make a reasonable effort to ensure that the individual is advised of the purposes for which his/her personal information will be used or disclosed. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the personal information will be used or disclosed.
The Foundation will not require an individual to consent to the collection, use, or disclosure of personal information beyond that required by law.
In obtaining consent, the reasonable expectations of the individual are also relevant. The Foundation can assume that an individual's donation constitutes consent for specific purposes, such as the issuance of an income tax receipt. On the other hand, an individual would not reasonably expect that personal information given to the Foundation would be given to another fund raising organization.
The form of consent sought by the Foundation may vary, depending on the circumstances and the type of personal information collected. In determining the form of consent to use, the Foundation will take into account the sensitivity of the personal information. The Foundation will generally seek express consent when the personal information is likely to be considered sensitive. Implied consent would generally be appropriate when the personal information is less sensitive. An authorized representative such as a substitute decision maker if the donor is not capable, a legal guardian or a person having power of attorney can also give consent.
Individuals can give consent in many ways. For example:
- Notices within the Hospital may be used to seek consent and inform the individual of the use and disclosure that will be made of the personal information
- A pledge form and other Foundation materials may be used to seek consent, collect personal information, and inform the individual of the use and/or disclosure that will be made of the personal information. By completing and signing the form, the individual is giving consent to the collection and the specified uses and/or disclosures
- Consent may be given orally when personal information is collected over the telephone or at the time that individuals make a donation, use a health service, etc.
- Consent may be given by registering for a program or event sponsored by the Foundation, by participation as a volunteer, by sponsoring a Foundation event, etc.
An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. The Foundation will inform the individual of the implications of such withdrawal.
Principle 4 - Limiting Collection of Personal Information
The collection of personal information will be limited to that which is necessary for the purposes identified by the Foundation. Personal information will be collected by fair and lawful means.
The Foundation will not collect personal information indiscriminately. Both the amount and the type of personal information collected will be limited to that which is necessary to fulfill the purposes identified.
The requirement that personal information be collected by fair and lawful means is intended to prevent the Foundation from collecting personal information by misleading or deceiving individuals about the purpose(s) for which personal information is being collected. This requirement implies that consent with respect to collection must not be obtained through deception.
Principle 5 - Limiting Use, Disclosure, and Retention of Personal Information
Personal information will not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information will be retained only as long as necessary for the fulfillment of those purposes.
If using personal information for a new purpose, the Foundation will document this purpose and seek consent for such use and/or disclosure.
The Foundation has developed guidelines and implemented procedures with respect to the retention of personal information. These guidelines include minimum and maximum retention periods. Personal information that has been used to make a decision about an individual will be retained long enough to allow the individual access to the personal information after the decision has been made. The Foundation is subject to legislative requirements with respect to retention periods.
Personal information that is no longer required to fulfill the identified purposes will be destroyed, erased, or made anonymous, unless required by law to keep it for a longer period. The Foundation has develop guidelines and implement procedures to govern the destruction of personal information in accordance with applicable legislative requirements.
Principle 6 - Ensuring Accuracy of Personal Information
Personal information will be kept as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used and/or disclosed.
The extent to which personal information will be kept accurate, complete, and up-to-date will depend upon the use/disclosure of the personal information, taking into account the interests of the individual. Personal information will be sufficiently accurate, complete, and up-to-date to minimize the possibility that inappropriate personal information may be used to make a decision about the individual.
The Foundation will not routinely update personal information, unless such a process is necessary to fulfill the purposes for which the personal information was collected.
Personal information that is used on an ongoing basis, including personal information that is disclosed to third parties, will generally be kept accurate, complete and up-to-date, unless limits to the requirement for accuracy are clearly set out.
Principle 7 - Ensuring Safeguards for Personal Information
Security safeguards appropriate to the sensitivity of the personal information have been implemented by the Foundation to protect personal information.
The security safeguards will protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. The Foundation will protect personal information regardless of the format in which it is held.
The nature of the safeguards will vary depending on the sensitivity of the personal information that has been collected, the amount, distribution, and format of the personal information, and the method of storage. A higher level of protection will safeguard more sensitive personal information.
The methods of protection will include: Physical measures, for example, locked filing cabinets and restricted access to offices;
- Organizational measures, for example, limiting access on a "need-to-know" basis, and
- Technological measures, for example, the use of passwords, encryption and audits.
The Foundation will make its employees and agents aware of the importance of maintaining the confidentiality of personal information. As a condition of employment, appointment, or agency, all Foundation employees and agents must sign the applicable Foundation Confidentiality Agreement. In addition, volunteers with access to sensitive personal information must sign a Foundation Volunteer Confidentiality Agreements.Care will be used in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the personal information.
Principle 8 - Openness About Personal Information Policies and Practices
The Foundation will make readily available to individuals specific information about its policies and practices relating to the management of personal information.
The Foundation will be open about its policies and practices with respect to the management of personal information. Individuals will be able to acquire information about its policies and practices without unreasonable effort. This information will be made available in a form that is generally understandable.
- The name or title, and the address, of the Chief Privacy Officer, who is accountable for the Foundation's privacy policies and practices, and to whom complaints or inquiries can be forwarded,
- The means of gaining access to personal information held by the Foundation;
- A description of the type of personal information held by the Foundation, including a general account of its use and/or disclosure,
- A copy of any brochures or other information that explains the Foundation policies, standards, or codes, and
- What personal information is made available (i.e. disclosed) to affiliated organizations.
The Foundation may make information on its privacy policies and practices available in a variety of ways. For example, the Foundation may choose to make brochures available in its places of business, mail information to its donors and potential supporters, post signs, provide online access, or through the Internet and Intranet.
Principle 9 - Individual Access to Own Personal Information
Upon request, an individual will be informed of the existence at, or use, and disclosure by the Foundation of his or her personal information and will be given access to that personal information. An individual will be able to challenge the accuracy and completeness of the personal information and have it amended as appropriate.
Note: In certain situations, the Foundation may not be able to provide access to all of the personal information that it holds about an individual. Exceptions to the access requirement will be limited and specific. The reasons for denying access will be provided to the individual upon request. Exceptions may include personal information that is prohibitively costly to provide, information that contains references to, or personal information about, other individuals, information that cannot be disclosed for legal, security, or proprietary reasons, and information that is subject to solicitor-client or litigation privilege.
Upon request, the Foundation will inform an individual whether or not it holds personal information about that individual. The Foundation will seek to indicate the source of this information and will allow the individual access to this information. In addition, the Foundation will provide an account of the uses that have been made or are being made of this information and an account of the third parties to which it has been disclosed.
An individual will be required to provide sufficient information to permit the Foundation to provide an account of the existence, use, and disclosure of personal information. The information provided will only be used for this purpose.
In providing an account of third parties to which it has disclosed personal information about an individual, the Foundation will attempt to be as specific as possible as to whom at the third party organization it was disclosed. When it is not possible to provide a list of the organizations to which it has actually disclosed personal information about an individual, the Foundation will provide a list of the organizations to which it may have disclosed personal information about the individual. It should be noted that the Foundation does not rent, sell or trade its mailing lists or personal information.
The Foundation will respond to an individual's request within a reasonable time and at a reasonable cost to the individual. Fees will be established on a cost recovery basis. The requested personal information will be provided or made available in a form that is generally understandable. For example, if the Foundation uses abbreviations or codes to record information, an explanation will be provided.
When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, the Foundation will amend the information as required, in accordance with professional standards of practice. Depending upon the nature of the personal information challenged, amendment may involve the correction, deletion, or addition of personal information. Personal information contained within donor receipt records will not be deleted, but rather, the original must be maintained, with any amendments or corrections being made in a transparent manner. Where appropriate, the amended information will be transmitted to third parties to whom the original personal information was disclosed.
When a challenge is not resolved to the satisfaction of the individual, the Foundation will record the substance of the unresolved challenge. When appropriate, the existence of the unresolved challenge will be transmitted to third parties to whom the original personal information was disclosed.
Principle 10 - Challenging Compliance with the Foundation's Privacy Policies and Practices
An individual will be able to address a challenge concerning compliance with this policy to the Chief Executive Officer.
The Foundation will put procedures in place to receive and respond to complaints or inquiries about its policies and practices relating to the handling of personal information. The complaint procedures will be easily accessible and simple to use.
The Foundation will inform individuals who make inquiries or lodge complaints of the existence of relevant complaint procedures. A range of these procedures may exist.
The Foundation will investigate all complaints. If a complaint is found to be justified, the Foundation will take appropriate measures, including, if necessary, amending its privacy policies and practices.
December 31, 2003