Privacy Policy
Meaford Hospital Foundation
April, 2024
A) Purpose
The Meaford Hospital Foundation’s (MHF) Privacy Policy is a formal statement of principles and guidelines concerning the requirements for the protection of personal information provided to the Foundation by its donors and supporters. The objective of this Policy is to promote responsible and transparent practices in the management of personal information, in accordance with the provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA), the Personal Health Information Protection Act (PHIPA) and industry standards.
The Foundation will continue to review its privacy policy to ensure it remains relevant and current with changing technologies and laws. More importantly, the MGH Foundation wants to ensure it continues to meet the evolving needs of its donors. Privacy is a key component of the Foundation’s relationship of trust with its donors.
B) Policy
The Meaford Hospital Foundation’s Privacy Policy incorporates the provisions of Part 1 of PIPEDA and includes the ten principles of the Canadian Standards Association Model Code for the Protection of Personal Information (CAN/CSA-Q830-96), which was published in March 1996 as a National Standard of Canada. These 10 principles form the basis of this Policy. The Policy also incorporates the provisions of Part 4 of PHIPA as enacted by the Province of Ontario in 2004.
The MGH Foundation complies with applicable laws and established ethical guidelines for charitable organizations (see our Donor Bill of Rights and Ethical Fundraising and Financial Accountability Code for more information.).
See our website at www.mhfoundation.ca for more information.
C) Scope
This Policy covers all personal information related to donors, prospective donors and volunteers which is under the custody or control of the Meaford Hospital Foundation, regardless of the format in which the information is held (e.g. paper, electronic, verbal, etc.).
Foundation employee information is not subject to PIPEDA. Our employee information is, however, safeguarded according to industry best practices and other relevant legislation.
This Policy applies to all individuals associated with the Meaford Hospital Foundation Inc., including staff, board members, and volunteers.
D) Definitions
Commercial Activity: any particular transaction, act or conduct that is of a commercial character. For our purposes this applies to events for which a ticket is purchased, telemarketing, direct mail, raffles, and greeting cards.
Consent: voluntary agreement with what is being done or proposed. Consent can be either expressed or implied. Express consent (opt-in) is given explicitly, either orally or in writing. Express consent (opt-out) is unequivocal and does not require any inference on the part of the organization seeking consent. Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual.
Donor: a donor, legally appointed representative (as set out in the Substitute Decisions Act, 1992) or entity that gives something, such as money or property, to the Foundation without receiving anything of value in return.
Personal Information: information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization. Personal information does not include public domain information, nor does it apply to corporations.
Public Domain: pertains to information that is accessible to the general public. This includes information that can be obtained from the (1) phone book; (2) magazines, books, newspapers or other publications where the individual has provided the information (3) publicly available databases or registries; (4) court orders; and (5) business or professional directories. Personal information from (3), (4), (5) can be used without consent only to the extent that its collection, use and disclosure relate directly to the purpose for which the information appears in the database, registry, record, or directory.
Purpose: stated purpose for which personal information is being collected, used or disclosed. Rules which govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information that a reasonable person would consider appropriate in the circumstances.
Sensitive Personal Information: might include (but not be limited to) medical or health conditions, legal information (information outlined in a legal document, e.g. contracts, agreements, disputes), financial information (information that would outline a person’s salary or any unpublished financial information), racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual preferences.
E) Our Privacy Standards
1. Accountability
The Meaford Hospital Foundation is responsible for all personal information under its custody or control, including information which it may transfer to third parties for processing.
The Privacy Officer is accountable for the Foundation’s overall compliance with this Policy and acts as its arbitrator on privacy of information and security matters.
In addition, each person who has an association with the Foundation has a responsibility to ensure that personal information is protected at all times in accordance with this Policy. Each of these individuals receives information regarding privacy policies and is expected to take personal responsibility for the following: familiarity with, and following current Foundation policies and procedures; reporting possible problems and improvements in information privacy and security to the Privacy Officer; and helping to solve problems & implement improvements.
The Meaford Hospital Foundation will implement policies and procedures to give effect to this Policy document, including: using contractual or other means to provide a comparable level of protection for information that has been transferred to a third party for processing; establishing procedures to receive and respond to inquiries or complaints; training and communicating to staff about the Foundation’s policies and practices; developing public information to explain its policies and practices.
2. Identifying Purposes
At the time of collection, the Meaford Hospital Foundation will identify the purposes for which personal information is collected, used, disclosed and retained. The Foundation collects personal information only for the following purposes: to process donations; to keep our donors informed about the activities of the hospital and the Foundation; and to ask individuals and organizations to support the Foundation’s mission to improve health care for people in its service area.
Individuals collecting personal information on behalf of the Meaford Hospital Foundation shall be able to identify the purposes for which the information is being collected. If personal information is to be used for a purpose not previously identified, the Foundation will identify this purpose prior to use and provide donors with an opportunity to opt-out of this activity.
3. Consent
The knowledge and consent of the individual is required for the collection, use or disclosure of personal information.
In certain circumstances, personal information can be collected, used or disclosed without the knowledge and consent of the individual, such as in the investigation of a contravention of a federal or provincial law. The Foundation may also disclose personal information without knowledge or consent to comply with a subpoena, warrant or as may otherwise be required or authorized by law.
In obtaining consent, the Meaford Hospital Foundation will make reasonable efforts to ensure that individuals are advised orally or in writing of the purposes for the collection, use and disclosure of personal information. Purposes shall be stated in a manner that can reasonably be understood by the individual. Generally, the Foundation shall seek consent to use and disclose personal information at the same time it collects personal information. It may however, also seek consent afterward, before use or disclosure for a new purpose.
In determining the appropriate form of consent, the Meaford Hospital Foundation shall take into account the sensitivity of the personal information and the reasonable expectations of an individual. In general, the receipt of a donation by the Foundation, or the use of products and services by a donor, constitutes implied consent for the Foundation to collect, use and disclose personal information for all identified purposes.
A donor may withdraw consent at any time, subject to reasonable notice. Donors may contact the Meaford Hospital Foundation for more information regarding the implications of withdrawing consent. If consent is withdrawn or altered, the Foundation will comply with the request of the donor.
4. Limiting Collection
The collection of personal information will be limited to that which is necessary for the purposes identified by the Foundation.
The Meaford Hospital Foundation may receive contact information only on patients from Brightshores Meaford. The Foundation may also collect personal information from other sources in support of its mission, but as much as possible, personal information will be collected directly from the individual.
5. Limiting Use, Disclosure and Retention
Personal information will not be used or disclosed for purposes other than those for which it was collected, except with the consent of the donor or as required by law. The Meaford Hospital Foundation shall retain personal information only as long as necessary for the fulfilment of those purposes, unless the law requires that the information be retained for an extended period of time. Only Foundation employees or authorized agents with a “need to know” for Foundation business purposes, or whose duties reasonably so require, are granted access to personal information about donors.
The Meaford Hospital Foundation does not sell, rent or lease its donor lists. The Foundation shall maintain reasonable and systematic controls, schedules and practices for information and records retention and destruction. Information which is no longer necessary or relevant for the identified purposes shall be destroyed, erased or made anonymous.
6. Accuracy
Personal information will be as accurate, complete and up-to-date as is necessary for the identified purposes for which it is to be used. The Foundation shall update personal information about its donors as and when necessary to fulfil the identified purposes or upon notification by the individual. Donors may request amendments to their personal information at any time.
7. Safeguards
The Foundation shall protect personal information by security measures appropriate to the sensitivity of the information.
Personal information shall be protected against loss or theft, unauthorized access, disclosure, copying, use modification or destruction, regardless of the format in which it is held.
The Foundation shall protect personal information disclosed to third parties by contractual agreements stipulating the confidentiality of the information and the purposes for which it is to be used. All Foundation employees or agents with access to personal information shall be required to respect the confidentiality of that information by signing a confidentiality agreement. They may also be required to participate in privacy training and implementing methods of protection that may include, but will not be limited to:
Physical measures: for example, locked filing cabinet and restricted access to offices.
Organizational measures: for example, granting access on a “need-to-know” basis
Technological measures: for example, the use of passwords and encryption.
8. Openness
The Meaford Hospital Foundation will make specific information about its policies and practices related to the management of personal information readily available to the public in multiple formats.
The Foundation shall endeavour to make information about its policies and practices easy to understand, including: the title and address of the person or persons accountable for its compliance with the Privacy Policy and to whom inquiries or complaints can be forwarded; and the means of gaining access to personal information held by the Foundation.
9. Individual Access
The Meaford Hospital Foundation shall inform a donor of the existence, use and disclosure of his or her personal information upon request and shall give the individual access to that information. A donor shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate. Upon request, the Foundation shall afford donors a reasonable opportunity to review the personal information in the individual’s file. Personal information shall be provided in an understandable form within a reasonable time.
In certain situations, Meaford Hospital Foundation may not be able to provide access to all the personal information it holds about an individual. Exceptions to the access requirement will be limited and specific. Exceptions may include information that is costly to provide, information that contains certain references to other individuals, information that cannot be disclosed for legal, security, or commercial proprietary reasons, and information that is subject to solicitor-client or litigation privilege.
In providing an account of third parties to which it has disclosed personal information about an individual, Meaford Hospital Foundation will attempt to be as specific as possible.
The Meaford Hospital Foundation will correct or amend any personal information if its accuracy and completeness is challenged and found to be deficient.
In order to safeguard personal information, a donor may be required to provide sufficient identification information to permit Foundation staff to account for the existence, use and disclosure of personal information and to authorize access to the individual’s file.
10. Challenging Compliance
The Foundation shall maintain procedures for addressing and responding to all inquiries or complaints from its donors about its handling of personal information. The Foundation shall inform its donors about the existence of these procedures.
An individual shall have the ability to address a challenge concerning compliance to this Policy with the Foundation’s Privacy Officer, who will ensure it is properly discussed, documented and addressed as quickly as possible.
The Privacy Officer and Executive Director of the Foundation may seek professional advice where appropriate before providing a final response to individual complaints.
The Meaford Hospital Foundation shall investigate all complaints concerning its compliance with this Privacy Policy. If a complaint is found to be justified, appropriate measures will be taken, including amending policies and procedures where required. The individual shall be informed in writing of the outcome of his or her complaint.
F) POLICY VIOLATIONS
Individuals who fail to comply with this Privacy Policy will be subject to disciplinary actions, up to and including termination of employment or volunteer.
April 2024