Procedure Management Responsibility:
Staff Responsible: Chief Privacy Officer
Oversight by: Finance and Audit Committee
Approval by: Board of Directors
Purpose and Scope
UWCA is committed to maintaining the confidentiality, security and accuracy of the Personal Information of the United Way's Personnel and other third parties that is in its possession as a result of its normal business, including with respect to volunteer and charitable operations.
UWCA collects, uses and discloses Personal Information about its Personnel, donors, customers, suppliers and others with whom it has contact in the course of conducting its normal business operations, including for purposes of establishing, managing or terminating employment and contractual relationships between Personnel and UWCA. This Policy describes and governs the collection, use and disclosure of Personal Information by UWCA.
This Policy applies to UWCA, and to all Representatives. When a Representative, donor, customer or supplier provides UWCA with Personal Information, that individual consents to UWCA's collection, use and possible disclosure of their Personal Information for the designated purpose and agrees to the terms for accessing and correcting data as described below.
The Policy governs UWCA's activities that are subject to the provisions of applicable privacy legislation, including the Personal Information Protection Act (Alberta). However, as a not-for-profit organization, please note that certain of UWCA’s activities may not be subject to applicable privacy legislation in all instances.
Information, recorded in any form, about an identifiable individual (including, (i) for employees: a home address and phone number, names of partners and spouses, a social insurance number, performance appraisals, medical and benefit information, or hobbies and interests, and (ii) for donors: any donation and billing information).
This does not include the name, title, business address or telephone/facsimile number or business email address of an employee of an organization, when used for business communications. Also, it does not include anonymous, aggregated or non-personal information or statistical data (i.e., information that cannot be associated with or tracked back to a specific individual).
|A director, officer, employee, volunteer or independent contractor of UWCA.|
|Representative||An employee or prospective employee of UWCA, as well as any other individuals, including third parties that may provide and have access to Personal Information in UWCA’s possession.|
|UWCA||United Way of Calgary and Area and its divisions and affiliates, including any and all internal governance bodies.|
Collection, Use and Disclosure of Personal Information
UWCA collects and maintains different types of Personal Information about individuals with whom it interacts (such as those who seek to be, are, or were employed by UWCA, or volunteers, donors, customers or suppliers of UWCA), including:
- identification and contact information: such as a Representative's name, home address, telephone, personal email address, date of birth, social insurance number, marital and dependent status, videos, photographs, and beneficiary and emergency contact information;
- employment information: such as a Representative's job title, resumes and/or applications, interview notes, letters of offer and acceptance of employment, compensation and benefit information, background verification information, employment references, mandatory policy acknowledgement sign-off sheets and evaluations;
- benefit information: such as forms relating to the application or change of employee health and welfare benefits, including but not limited to health care, life insurance, short and long term disability, medical and dental care;
- payroll and financial information: including but not limited to social insurance number, wages, pay cheque deposit information, pension information, group savings plans, information and tax related information;
- business relationship and operations information: such as customer and supplier names, customer addresses and personal contacts, credit information, billing records, service and equipment records, any recorded customer complaints, investor contact information and requests, agreement terms and preferences and information necessary to effect emergency response plans;
- donor information: such as donor identities, donation amounts and banking information ; and
- other information necessary for UWCA's business purposes, which may be voluntarily disclosed or collected in the course of a Representative's application to and employment with UWCA.
As a general rule, UWCA collects Personal Information directly from the individual it pertains to. If third parties hold information UWCA requires, UWCA will endeavour to ensure the information has been collected with the appropriate consent.
Where permitted or required by applicable law or regulatory requirements, UWCA may collect Personal Information about an individual without their knowledge or consent.
UWCA collects Personal Information to manage and develop its business and operations, and to support its volunteer and charitable activities, including:
- determining eligibility for initial employment, including the verification of references and qualifications;
- administration of pay and benefits;
- establishing training and/or development requirements and assessing qualifications for a particular job or task;
- performance reviews and determining performance requirements;
- processing employee work-related claims (e.g. worker compensation, insurance claims, etc.);
- establishing, managing and terminating business relations with volunteers,
- customers, donors and suppliers;
- protection against error, fraud, theft damage or nuisance relating to UWCA's assets, operations or reputation and securing organization-held information;
- compliance with individual requests;
- compliance with applicable law or regulatory requirements;
- maintaining and improving its service offerings to employees, volunteers, donors and customers; and
- any other reasonable purpose required by UWCA and to which an individual consents.
UWCA may use and disclose Personal Information provided it is reasonably required in the following circumstances:
- for purposes described in this Policy;
- where the information is publicly available;
- where necessary to protect the rights and property of UWCA;
- when emergencies occur or where it is necessary to protect the safety of a person or group of persons;
- where required by Personnel and other parties (including its related business entities or affiliates) who require Personal Information to assist in establishing, maintaining and managing UWCA's relationship with an individual, including, for example, third parties who provide services to UWCA or on UWCA's behalf or third parties who collaborate with UWCA in the provision of services to an individual; or
- UWCA has otherwise obtained an individual's consent.
UWCA may use or disclose Personal Information without an individual's knowledge or consent where it is permitted or required by applicable law or regulatory requirements to do so, including, but not limited to, circumstances relating to the establishment, maintenance or termination of an employment relationship.
UWCA does not sell employee, volunteer, donor or customer information to third parties.
UWCA endeavours to maintain physical, technological and procedural safeguards that are appropriate to the sensitivity of the Personal Information in question. These safeguards are designed to prevent Personal Information from loss and unauthorized access, copying, use, modification or disclosure. Examples of these safeguards include: password, encryption and other electronic security means; locked or limited access premises and file cabinets; and the security monitoring methods.
Retention of Personal Information
Except as otherwise permitted or required by applicable law or regulatory requirements, UWCA endeavours to retain Personal Information only for as long as it believes is necessary to fulfill the purposes for which the Personal Information was collected (including, for the purpose of meeting any legal, accounting or other reporting requirements or obligations). UWCA may, instead of destroying or erasing Personal Information and where this is economically feasible, make it anonymous such that it cannot be associated with or tracked back to a specific individual.
Updating Personal Information
It is important that Personal Information contained in UWCA's records is both accurate and current. UWCA asks that Personnel, donors, customers and suppliers keep it informed of changes to Personal Information during the course of the individual's employment, charitable or business relationship with UWCA.
If an individual believes the Personal Information about them held by UWCA is not correct, the individual may request an update of that information by making a request to our Privacy Officer using the contact information set out below.
Accessing Personal Information
An individual may ask to see the Personal Information that UWCA holds about them. If individuals want to review, verify or correct their Personal Information, they may contact our Privacy Officer at the coordinates set out below. Please note that any such communications must be in writing (whether by traditional or electronic means).
When making an access request, UWCA may require specific information from an individual to confirm their identity and right to access, as well as to search for, and provide that individual with, the Personal Information that it holds about them. UWCA may charge a fee to access Personal Information; but it will advise of any fee in advance. If help is needed in preparing a request, please contact the office of our Privacy Officer. Where Personal Information will be disclosed to an individual, UWCA will endeavour to provide the information in question within a reasonable time, and in most cases, no later than 30 days following the request.
An individual's right to access the Personal Information that it holds about them is not absolute. There are instances where applicable law or regulatory requirements permit or require UWCA to refuse a Personal Information access request. UWCA also reserves the right to decline to provide access to Personal Information where the information requested:
1) would disclose:
a) Personal Information, including opinions, about another individual or about a deceased individual; or
b) trade secrets or other business confidential information that may harm UWCA or the competitive position of a third party, or interfere with contractual or other negotiations of UWCA or a third party;
2) is subject to solicitor-client or litigation privilege;
3) is not readily retrievable and the burden or cost of providing would be disproportionate to the nature or value of the information;
4) could reasonably result in serious harm to any individual.
5) may harm or interfere with law enforcement activities and other legal or employment related investigative or regulatory functions.
In addition, the Personal Information may no longer exist, may have been destroyed, erased or made anonymous in accordance with UWCA's record retention obligations and practices.
In the event that UWCA cannot provide an individual with access to their Personal Information, it will endeavor to inform that individual of the reasons why access has been denied, subject to any legal or regulatory restrictions.
Out of Country Storage and Processing of Personal Information
UWCA has and will invest in new data management systems and software solutions on a routine basis, in order to work with or provide its services to its Personnel, Representatives, donors, customers, suppliers and others. As data processing technologies continually evolve, more systems and software solutions utilize “cloud-based” delivery models, where data processing and storage functionality is delivered from outside UWCA’s premises and through the internet or similar connections to the service provider, and where UWCA does not host the system or software solution within its physical premises. Accordingly, while UWCA maintains its responsibility for the protection of this data and of the Personal Information contained within it, Personal Information collection, use, disclosure, processing and storage may actually occur outside of Canada.
- The purposes for which UWCA may utilize such cloud-based systems and solutions for the collection, use, disclosure, processing and storage of Personal Information, are those purposes that are otherwise described in this Policy.
- UWCA has and will only engage service providers for such collection, use, disclosure, processing and storage of Personal Information, where such Personal Information is or will be located in Canada or in the United States of America.
- Any Personnel, Representative, donor, customer, supplier or third person may obtain further information about UWCA’s collection, use, disclosure, processing and storage of such Personal Information, or about UWCA’s policies and practices with respect to such service providers, located in the USA, by contacting UWCA’s Privacy Officer through the contact information below.
It is important to UWCA that it collects, uses or discloses Personal Information with consent to do so or as otherwise provided in this Policy. Depending on the sensitivity of the Personal Information, consent may be implied, deemed (using an opt-out mechanism) or express. Express consent can be given orally, electronically or in writing. Implied consent is consent that can reasonably be inferred from an individual's action or inaction. For example, when financial information is requested for donation purposes, UWCA will assume consent to the collection, use or disclosure of Personal Information for purposes related to that request for information or for other purposes identified by the requesting individual at the time.
Typically, UWCA will seek consent at the time that it collects the Personal Information. In some circumstances consent may be obtained after collection but prior to UWCA's use or disclosure of Personal Information. If UWCA plans to use or disclose Personal Information for a purpose not previously identified (either in this Policy or separately), it will endeavour to advise an affected individual of that purpose before such use or disclosure.
UWCA may collect, use or disclose Personal Information without an individual's knowledge or consent where it is permitted or required to do so by applicable law or regulatory requirements.
UWCA assumes that, unless it is advised otherwise, by receiving a copy of this Policy or by continuing to engage in business with UWCA, an individual will have consented to the collection, use and disclosure of their Personal Information as explained in this Policy.
An individual is entitled to change or withdraw their consent at any time, subject to legal or contractual restrictions (and reasonable notice), by contacting our Privacy Officer using the contact information set out below. In some circumstances, a change in or withdrawal of consent may limit UWCA's ability to provide products or services to, or acquire products or services from, that individual.
The work output of Personnel, whether in paper record, computer files, or in any other storage format belongs to UWCA, and that work output, whether it is stored electronically, on paper or in any other format, and the tools used to generate that work product, are always subject to review and monitoring by UWCA.
In the course of conducting UWCA's business, UWCA may monitor Representative activities and its property. Pursuant to the Ownership of Computer Data, E-mail and Internet Use and Social Media policies, UWCA has the capability to monitor all Personnel's computer and e-mail use.
Representatives should not have any expectation of privacy with respect to their use of UWCA's equipment or resources. This section is not meant to suggest that all Representatives will be monitored or their actions subject to constant surveillance – as UWCA has no duty to monitor – it is meant to bring to each Representative's attention the fact that such monitoring may occur and may result in the collection of Personal Information (e.g. through their use of UWCA's electronic resources).
Any collection of Personal Information held or used in the course of monitoring will not be more than is necessary for the purpose of the monitoring. Monitoring is or will be done on an "as required" basis and will be in proportion to the risks that UWCA faces. UWCA will conduct any monitoring in the least intrusive way possible. In some instances, when reasonably necessary, UWCA may supplement this monitoring notice with more specific policies or statements as appropriate.
Responsibility & Interpretation
Any violation of this Policy will result in action by UWCA. If any Representative misuses the Personal Information of another Representative, donor or customer of UWCA, it will be considered a serious offence for which appropriate disciplinary action may be taken, up to and including termination of employment. If any individual or organization misuses the Personal Information of a Representative – provided for the purpose of providing services to UWCA – it will be considered a serious issue for which appropriate action may be taken, up to and including termination of the service agreement or court action.
Any interpretation associated with this Policy will be made by the Privacy Officer. This Policy includes examples but is not intended to be restricted in its application to such examples, therefore where the word 'including' is used, it shall mean 'including without limitation'.
If an individual has a question about (a) access to Personal Information, (b) the collection, use, management or disclosure of Personal Information, (c) changing or withdrawing consent with respect to Personal Information, or (d) obtaining more information about this Policy or relevant legislation, please contact the office of our Privacy Officer by telephone or in writing or by e-mail at:
UWCA endeavours to answer all questions raised in a timely manner, and advise in writing of any steps taken to address an issue brought forward. If an individual is not satisfied with UWCA's response, they may be entitled to make a written submission to the privacy authority applicable for their jurisdiction.
UWCA will review and revise this Policy from time to time to reflect changes in legal or regulatory obligations or changes in the manner in which it deals with Personal Information, and in any event, at least every 12 months. Any revised version of this Policy will be posted, and each Representative is encouraged to refer back to it on a regular basis. Any changes to this Policy will be effective from the time they are posted, provided that any change that relates to why UWCA collects, uses or discloses Personal Information will not apply to a particular Representative, where their consent is required to such collection, use or disclosure, until UWCA has obtained that Representative's consent to such change.
This Policy does not create or confer upon any individual any rights, or impose upon UWCA any rights or obligations outside of, or in addition to, any rights or obligations imposed by applicable privacy legislation. Should there be, in a specific case, any inconsistency between this Policy and relevant legislation, this Policy shall be interpreted, in respect of that case, to give effect to, and comply with, such privacy legislation.
This policy is one of a series of related policies addressing the collection, use, disclosure and security of Personal Information by UWCA, including:
- Information Technology Usage Policy;
- Information Services Security Policies
as defined in UWCA Employee Handbook.
This Policy shall have effect from October 1, 2013
Frequency: 12 months
Date of last Committee review: November 2017
Date of last amendment: November 2016
Date of last Board approval: November 23, 2017