Confidentiality & Protection of Privacy Policy

Policy Name: Confidentiality & Protection of Privacy Policy
Policy Number: GOV18-01
Policy Sponsor: ACHF Governance Committee
Approving Authority: ACHF Board of Directors
Approval Date: March 22, 2018
Next Review Date: Spring 2023

 

Purpose:

The Alberta Children’s Hospital Foundation (the “Foundation”) recognizes and respects an individual’s right to privacy and the importance of maintaining the confidentiality of personal and sensitive business information. In all of our business activities, we will ensure appropriate safeguards are taken for personal information collected, used and disclosed by the Foundation and entrusted to us by our donors, stakeholders, partners, volunteers and employees, as well as the information that is shared with us through our relationships with the grateful patients, families, and children in the past or present care of the Alberta Children’s Hospital (our “ambassadors”). This includes information received over the internet, via email, on the telephone, through our business interactions or through our office. This policy is designed to reflect that commitment as well as our agreement to uphold the Personal Information Protection Act (PIPA) of Alberta, while providing our employees, volunteers, and third-party contractors and consultants with guidance to ensure that we meet our obligations to protect privacy and confidentiality.

Privacy:

This policy governs information that is managed by employees, volunteers, the Board of Directors, Committees of the Board of Directors, and third party contractors and consultants provided with access to personal information and confidential business information in the care of the Foundation. The Foundation is accountable for any such information in our custody and under our control and will work diligently to ensure that the safety, security and confidentiality of personal information is maintained. This information may be stored in a variety of formats including, but not limited to, paper, electronic devices, portable storage devices, and processing and storage facilities. Access and privileges to Foundation information shall be restricted to the minimum level required to fulfill an individual’s roles and responsibilities at the Foundation.

Personal information is any information that can be used to distinguish, identify or contact a specific individual and can include a person’s opinions and beliefs, as well as facts about, or related to, the individual.

Confidential information includes any sensitive business information, Foundation-related financial or administrative information, information that is proprietary to the Foundation, and information that we have access to that is related to our partners and stakeholders but that is not available publicly.

Business contact information and information that is available publicly, such as names, addresses and telephone numbers published in telephone directories or information in the public domain, are not considered confidential information.

Collection:

The Foundation will only collect and store personal and confidential information that we need to conduct our business and will identify the purpose before or at the time that such information is collected. Information that is collected will primarily be used to support the Foundation’s charitable fundraising activities and associated business activities. This includes data processed and stored in our databases, third-party databases and cloud-based systems. We will only record and maintain personal and confidential information that is factual and essential to our fundraising activities and our mission. In determining which information is essential, our employees and volunteers will act with the highest level of professionalism, discretion and with the view of collecting the least amount of information needed to establish and maintain a record as well as with the understanding that records may be accessed by that individual. Where information is derived from the public domain and not considered confidential, we will include the source of this information in our database.

Consent:

We will ask for consent to collect, use or disclose personal and confidential information, except in specific circumstances where it is authorized or required by law (fully documented legal, medical or security reasons, or statutory reporting obligations). Consent may be expressed verbally, electronically, or in writing and, if consent is given, an individual may withdraw consent at any time and with reasonable notice. Consent is understood to be express or implied, depending upon the circumstances and sensitivity of the information. Consent is implied where there is an existing business or non-business relationship with the Foundation (within the past two years). Examples include but are not limited to a donor, volunteer, Board member, event participant, or grant applicant including instances when a donation is made and when a person volunteers for or expresses an interest in volunteering or working for the Foundation, unless explicit instructions are received not to use the information provided.

In conducting our business, we are required to collect and maintain employee and volunteer information, and will provide prior notice about the information we collect, use and disclose and the purpose for doing so. We will limit the amount and type of personal information to that which would be reasonably expected in managing the employee or volunteer relationship and lifecycle including information required to: determine volunteer or employment eligibility; manage performance, training, and development requirements; administer pay and benefits; process work related claims; complete hiring and terminations; and comply with applicable laws. We will always obtain consent to use this information for purposes unrelated to employment or volunteering, except in situations where it is authorized or required by law, or where there is a concern for the safety and well-being of an employee, volunteer, or another individual.

Due to the nature and sensitivity of the personal information of children, we do not collect, process or use any personal information related to an individual whom we know to be under 13 years of age without the prior, verifiable express consent of their legal representative.

Disclosure:

Personal and confidential information will not be used or disclosed other than for the purposes for which it was collected unless we have consent or if it is required by law. The Foundation will not rent, trade, barter or sell any personal information to third parties. We will only retain personal information for as long as it is required to fulfill the intended purpose or as legally acquired.

Safeguarding and Access:

The Foundation will protect personal and confidential information and maintain confidentiality through security measures that are appropriate for the sensitivity of the information. We will make every reasonable effort to prevent loss, misuse, disclosure or modification of personal information and other sensitive information, as well as to prevent any unauthorized access.

Methods of protection are administrative, physical and technical measures including: the implementation of procedures to protect personal information and maintain confidentiality; processes to address and respond to complaints and inquiries regarding personal information and confidentiality; delivery of specific annual training for employees and volunteers; and review and sign off of the privacy and confidentiality agreement upon commencement of their relationship with the Foundation and on an annual basis thereafter to signify their understanding of, and agreement to comply with, privacy procedures. Employees will be required to complete annual Confidentiality and Protection of Privacy training, with new hires completing the training as a condition of employment when they commence.

We will make every reasonable effort to ensure that personal information and other sensitive information in our custody is accurate, complete, and up-to-date. When an error is brought to our attention, we will make the amendment whenever possible. An individual may provide a request in writing to access the information that we have collected about that individual and, should they challenge the accuracy or completeness of the same, we will amend it as appropriate.

For further detail on safeguarding, security measures, processes, procedures, and training, please refer to our Information Technology Security and Acceptable Use of Technology agreement.

Openness and Transparency:

The practices related to the management of personal and confidential information will be published on our website and will also be available in printed format upon request. The Foundation will regularly review the practices, policies, and procedures, updating them to ensure that the organization remains current with changing laws, industry best practices, and the evolving expectations of the public.

Concerns and Complaints:

Concerns and complaints related to the collection, use or disclosure of personal and confidential information by the Foundation, or requests for access to personal information, can be submitted in writing to our Privacy Officer by mail at:

Alberta Children’s Hospital Foundation
Attention: Privacy Officer
28 Oki Drive NW
Calgary, Alberta T3B 6A8

Or by email to: privacy@achf.com

The Privacy Officer will provide a formal, written response within 5 business days and take corrective actions should any improper collection, use or disclosure of information have occurred. Further information on the protection of privacy and personal information may be found on the website of the Information and Privacy Commissioner of Alberta at www.oipc.ab.ca.

Monitoring and Compliance:

The Senior Director, Human Resources and Workplace Operations is the executive champion for this policy direction and will lead the monitoring of the application of and compliance with this policy and the related procedures in collaboration with the other members of the Executive Team, the CEO, and the management team.

This policy is subject to change due to legal and regulatory requirements, introduction of new technologies, business practices, and stakeholder needs.