SurreyCares Community Foundation recognizes the value of its relationships with potential donors, existing donors, volunteers, and employees, and is committed to respecting and protecting their personal information. We value the trust of those we deal with, and of the public, and recognize that maintaining this trust requires transparency and accountability in our treatment of the personal information that is entrusted to us.
DEFINITION OF PERSONAL INFORMATION
Personal information includes any factual or subjective information, recorded or not, about an identifiable individual. The British Columbia Personal Information Protection Act (“PIPA”) authorizes the disclosure of certain types of publicly available information, but the information is still considered personal information under PIPA (s. 12(1)(e)).
An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following principles.
Accountability for SurreyCares Community Foundation’s compliance with privacy legislation rests with the designated Privacy Officer. The name and contact information of the Privacy Officer will be made available to interested individuals through the SurreyCares Community Foundation’s website, its Privacy Statement or upon contacting the SurreyCares Community Foundation (see last page of this policy).
a. We are responsible for personal information in our possession, including information that has been transferred to a third party for processing. In cases where such transfers take place we ensure that the third party has comparable privacy safeguards in place.
2. Identifying Purposes
The purposes for which personal information is collected shall be identified by SurreyCares Community Foundation when or before the information is collected.
a. The purposes will be limited to those which are related to the SurreyCares Community Foundation’s projects, programs and activities and which a reasonable person would consider to be appropriate in the circumstances.
b. We collect personal information concerning our donors for the following reasons:
- to comply with CRA requirements for gift processing;
- to provide them with information about how donated funds are used by SurreyCares Community Foundation;
- to keep them informed about SurreyCares Community Foundation’s activities;
- to promote opportunities for donors and potential donors to support SurreyCares Community Foundation;
- to determine the donor’s motivation in creating a fund and to assist SurreyCares Community Foundation in making decisions about distributions from the fund; and
- to advise fundholders of donations made to their funds.
During the course of its various projects, programs and activities, the SurreyCares Community Foundation may also collect personal information from Board members, other volunteers and employees. The SurreyCares Community Foundation will specify the identified purposes, orally or in writing, to the individual from whom personal information is being collected either at the time of collection or after collection but prior to use or disclosure. We will state the identified purposes in such a manner that an individual can reasonably understand how the information will be used or disclosed.
The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate.
a. The manner in which SurreyCares Community Foundation obtains consent for the collection of personal information varies with the sensitivity of the information being collected. PIPA makes provision for express, implied or deemed consent, depending on the situation. Because of the nature of the information we collect, in most cases we will rely on implied consent at the time of collection.
The principle requires “knowledge and consent,” and SurreyCares Community Foundation will ensure that individuals are aware of the purposes for which personal information is collected at or before the time of collection. Individuals can give consent:
• in writing, such as when completing an online donation form, completing the donation of securities form or signing a Fund Agreement;
• through an opt-out process, either by checking off a box on a response form or by contacting the SurreyCares Community Foundation directly; or
• orally, either in person or by telephone, or by email.
Individuals may withdraw their consent at any time, by any means, with reasonable notice to the SurreyCares Community Foundation. However, consent cannot be withdrawn retroactively.
b. SurreyCares Community Foundation may collect, use, and disclose personal information without consent if that information is considered by law to be in the public domain. Sources of public information include telephone and professional directories, newspapers, periodicals and public registries.
4. Limiting Collection
The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
a. SurreyCares Community Foundation will not collect information indiscriminately. The types of information collected are limited to that which is necessary and reasonable to fulfill the purposes identified in point 2.1. The SurreyCares Community Foundation will collect personal information by lawful means and will not intentionally mislead individuals about the purposes for which information is being collected.
Some of the types and means by which personal information is collected by SurreyCares Community Foundation include:
i. Information Collected Automatically from SurreyCares Community Foundation’s Website:
• the Internet Protocol Address and domain name used. The Internet Protocol address is a numerical identifier assigned either to the donor’s Internet service provider or directly to the donor’s computer. This address can be translated to determine the domain name of the donor’s service provider (e.g. www.surreycares.org);
• the type of browser and operating system;
• the date and time of the visit; and
• the web pages or services accessed.
ii. Information Collected Directly From an Individual:
The SurreyCares Community Foundation will collect and record personal information provided to us by an individual through correspondence, conversations, meetings, conferences, donations, or other forms of communication.
iii. Information Collected from Public Sources:
These types and means by which personal information is collected by the SurreyCares Community Foundation are not intended to be an exhaustive list, and the SurreyCares Community Foundation may collect personal information about an individual from time to time by other means as is consistent with the purposes identified in point 2.1.
5. Limiting Use, Disclosure, and Retention
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
a. When SurreyCares Community Foundation uses personal information for purposes other than those given at the time of collection, consent will be obtained for those specific purposes.
b. SurreyCares Community Foundation does not sell, rent, or trade mailing lists.
c. Personal information is disclosed only to third parties who have signed an agreement by which they agree to adhere to the terms of the SurreyCares Community Foundation’s privacy policies.
d. SurreyCares Community Foundation will not disclose an individual’s identity or personal information to third parties except in accordance with the terms of its privacy policies or unless required to do so as a part of an internal investigation or other law enforcement purpose, or as required by law.
e. Personal information will be retained as long as the purpose for which the information was originally collected remains valid.
f. Personal information such as the name and address of the donor may be disclosed to a recipient organization or to a family member in accordance with the terms of the Foundation’s Disclosure Policy.
Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
a. SurreyCares Community Foundation will use its best efforts to ensure that information that is used on an ongoing basis, including information that is disclosed to third parties, and information that is used to make a decision about an individual (such as a giving recognition category), is accurate, complete and up-to-date.
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
a. The SurreyCares Community Foundation is obligated to protect individuals’ personal information by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or disposal. Security measures have been integrated into the day-to-day operating practices of the SurreyCares Community Foundation.
b. We make our employees aware of the importance of maintaining the confidentiality of personal information, and we exercise care in the disposal and destruction of personal information to prevent unauthorized parties from gaining access to it. All employees and volunteers having access to personal information are required to sign a Confidentiality Agreement.
c. Our methods of protection will include physical measures (e.g. locked filing cabinets, restricted access to offices), organizational measures (e.g. security clearances and limiting access on a ‘need-to-know’ basis) and technological measures (e.g. the use of security passwords and encryption).
d. Third parties are expected to safeguard personal information entrusted to them in a manner consistent with the policies of SurreyCares Community Foundation, and are required to sign a confidentiality agreement as part of all contracts. Examples of third parties include mailing services and data analysis providers.
An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
a. SurreyCares Community Foundation will be open about its privacy policies and procedures with respect to the management of personal information and will make them readily available in a form that is generally understandable.
b. The information made available will include:
• the name or title and contact information of the Privacy Officer who is accountable for compliance with SurreyCares Community Foundation’s policies and procedures, and to whom complaints or inquiries can be forwarded;
• the means of gaining access to personal information held by SurreyCares Community Foundation;
• a general description of the types of personal information held by SurreyCares Community Foundation;
• a copy of any document that explains the SurreyCares Community Foundation’s policies, procedures, standards or codes; and
• a general description of the types of personal information made available to third parties.
9. Individual Access
Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
a. SurreyCares Community Foundation will respond to an individual’s request within a reasonable length of time, but no longer than one month. While our response will typically be provided at no cost to the individual, depending on the nature and amount of information involved, we reserve the right to impose a reasonable fee to defray our cost.
b. The requested information will be made available in a form that is generally understandable. For example, where SurreyCares Community Foundation uses abbreviations or codes to record information, an explanation of those codes will be provided.
c. For the SurreyCares Community Foundation to provide an account of the existence, use and disclosure of personal information, an individual may be asked to provide additional information to aid in the search. The additional information provided will only be used for this purpose.
d. Upon request, SurreyCares Community Foundation will provide specific information about third parties to whom personal information has been disclosed unless prevented from doing so by the terms of any applicable confidentiality or non-disclosure agreements.
e. When an individual successfully demonstrates the inaccuracy or incompleteness of personal information in the possession or under the control of the SurreyCares Community Foundation, the SurreyCares Community Foundation will amend the information as required. Where appropriate, the amended information will be transmitted to third parties having access to the information in question.
f. Individuals may review the personal information the SurreyCares Community Foundation has recorded for that individual, and only that individual. An individual may also provide written permission to the SurreyCares Community Foundation to permit another individual to review the personal information the Foundation has recorded for that individual, but only for that individual.
10. Challenging Compliance
An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization’s compliance.
a. The name of the SurreyCares Community Foundation’s Privacy Officer will be known to staff. Information on how to contact the Privacy Officer will be identified to other individuals periodically and upon request.
b. The SurreyCares Community Foundation will maintain procedures to receive and respond to complaints or inquiries about its policies and practices relating to the handling of personal information. The complaint procedures will be easily accessible and user friendly.
c. Individuals who make inquiries or lodge complaints will be informed by SurreyCares Community Foundation of the existence of relevant complaint procedures.
d. If a complaint is found to be justified, the SurreyCares Community Foundation will take appropriate measures, including revision of the personal information, and, if necessary, amendment of SurreyCares Community Foundation’s policies and practices.
This policy will be reviewed every 3 years, or as required in order to ensure compliance with changes in law.
How to Contact the Privacy Officer
Inquiries, complaints, or access requests should be addressed to: Privacy Officer, SurreyCares Community Foundation, PO Box 34089, Surrey, BC V3S 8C4, Email: firstname.lastname@example.org, Telephone: (604) 591-2699 or Fax: (640) 591-2656.
Board Approval: August 17, 2015