Procedures
Principle 1 – Accountability
1) Branch Managers of the YM-YWCA of Greater Victoria will sit on the Privacy Committee.
2) One member will be designated as Privacy Officer, holding the post for 1 calendar year, at which time the office will shift to another member.
3) The Privacy Officer oversees updates and changes to the policies
4) The Privacy Officer touches base on a quarterly basis with other Branch Managers to ensure each branch adheres to the Association’s policies and procedures.
5) Responsibility for compliance with the provisions of the Y’s privacy policies and procedures rests with the designated Privacy Officer who can be reached at 250-386-7511 or via privacy@ymywca.victoria.bc.ca. Other individuals within the Y may be delegated to act on behalf of the Privacy Officer or to take responsibility for the day-to-day collection and/or processing of personal information.
6) The Y shall make known, upon request, the title of the person or persons designated to oversee compliance with the Privacy Code.
7) The Y is responsible for personal information in its possession or control and shall use contractual or other means to provide a comparable level of protection while information is being processed or used by a third party.
8) The Y shall implement policies and procedures to give effect to this Privacy Code, including:
a) implementing procedures to protect personal information and to oversee compliance with the Privacy Code;
b) implementing procedures to receive and respond to complaints or inquiries;
c) training and communicating to staff about Privacy policies and procedures; and
d) developing information materials to explain the Agencies policies and procedures.
Principle 2 - Identifying Purposes
1) The Y shall specify orally, electronically or in writing the identified purposes for which the information is needed to the participants, members, donors, parent(s)/guardian(s), staff and volunteers, at or before the time personal information is collected. Upon request, persons collecting personal information shall explain these identified purposes and uses or refer the individual to a designated person within the Y who can explain the purposes.
2) When personal information that has been collected is to be used or disclosed for a purpose not previously identified, the new purpose shall be identified prior to use. Unless the new purpose is permitted or required by law, the consent of the participant, donor, employee or volunteer will be acquired before the information will be used or disclosed for the new purpose. The Privacy Officer should be notified of any new use of information.
Principle 3 - Consent
1) At the time personal information is collected the Y will advise the person of the privacy policy.
2) For persons under 14, consent of the child’s parent/guardian will be required.
3) A simple referral to the privacy policy is adequate for the following:
a) registration for YM-YWCA membership, programs and services;
b) completion of a donation pledge form;
c) acceptance of employment and benefits enrollment by an employee;
d) acceptance of a volunteer position or student placement.
4) A copy of the privacy flyer should be given in cases of the following
a) Participation in a government sponsored program where information will be shared with government agencies.
5) In cases where the Y is obligated to use the information collected for a specific purpose, either legislated or required by government or other bodies, the Y will require express written consent from the individual.
6) Express consent will be required when dealing with
a) Financial data,
i) Does not include information needed for method of payment
b) Medical data
i) Does not include emergency contact or health concerns as recorded in Mistral
7) In the case of a third party registration implied consent is assumed for information that is common between the two parties. Information not common to the two parties must be delivered by the third party.
a) i.e. signing up a spouse for a program or membership, common info like address & phone number is alright, medical info is not alright to get from the spouse.
Principle 4 - Limiting Collection
1) Information will usually be collected from the person to whom it refers
a) Consent for third party information for emergency purposes is the responsibility of the individual
2) Information about an individual can be collected with consent
a) i.e. employment references, consent to call a third party must be acquired in writing.
Principle 5 - Limiting Use, Disclosure, and Retention
1) All information will be audited on a yearly basis to ensure the data is used only for those purposes expressed to individuals.
2) Audits will be shared with all staff involved in acquiring and using information so they can have a full understanding of the rules involved with that information.
3) Personal information will be retained for the following terms
a) 2 years
i) Adult membership info
b) 7 Years
i) Donors
c) 25 years
i) Employee and volunteers files
ii) Camper files
iii) Licensed child care files
iv) Children’s & youth memberships
d) Other data can be kept for a predetermined period of time with express written consent of the individual, i.e. for specific contractual purposes.
4) When a file is opened on an individual for the purposes of decision making the Y shall retain that information for a period of time deemed reasonably sufficient
a) WOD – 3 years
b) Personal Training – 3 years
5) Branch Manager will maintain schedules for retention and destruction of files, and will decide upon the frequency with which files will be removed from current holdings and put into the archives if necessary, or destroyed.
6) Archived files will be done so on a Branch basis.
a) Major Y archiving happens each March.
b) Hard copy tables listing contends and the date to be destroyed will be affixed to the boxed being archived.
i) These lists will be held by the Manager of Accounting services.
7) All hard copy files will be destroyed by shredding.
8) Archived materials will he held in an off site location and will be accessible only to
Principle 6 - Accuracy
1) At certain points of contact, staff shall confirm personal information
a) When renewing memberships
b) When registering for programs
c) When going through the intake process in an Outreach program
d) When signing up for a camp
e) When dropping off at the beginning of the camp season.
2) Staff and volunteers are require to take the initiative to update their information with the Y.
Principle 7 - Safeguards
1) All staff and volunteers must sign a confidentiality agreement pertaining to the protection of personal information and their use of this information
2) Staff are required to protect personal information under their control and manage the use of this information in order to keep it safe.
a) The return of the following after use by a staff / volunteer
i) program rosters
ii) donor information sheets
iii) camper rosters
iv) camper health forms
b) Use of controls within mistral to limit staff’s use of the entire system
c) Use of locked file cabinets for personal information within offices
d) Use of passwords on computers
e) Use of passwords on files or folders on computers holding personal information.
3) Information shared with third parties will be protected through contractual agreements referring to the protection of personal information.
a) Policies and procedures of third parties may need to be evaluated in order to agree to use of service.
Principle 8 - Openness
1) All policies will be available in both paper form and on the web site.
2) Staff will make known the business contact information for the Branch Manager, CEO and privacy officer to whom inquiries or complaints can be forwarded.
Principle 9 - Individual Access
1) Staff shall immediately inform their Branch Manager or CEO of a request for access by an individual to his or her personal information collected by the YM-YWCA.
2) The Branch Manager or CEO, in conjunction with the privacy officer shall respond to a written request for individual access by providing access to the individual’s data, except in limited circumstances. See Exceptions to Access
3) Individuals will need to provide identification to permit access.
4) The Branch Manager or CEO shall respond to a written request for access in a reasonable time, and at minimal or no cost.
5) Personal information shall be provided in a format that is understandable, along with any explanation needed to facilitate the individual's understanding.
6) The Branch Manager, CEO or designate shall provide the individual a reasonable opportunity to review and challenge the accuracy and completeness of personal information.
7) A statement of disagreement will be attached to records where a requested amendment cannot be made.
8) Upon request, the Branch Manager or CEO shall provide an account of the use and disclosure of personal information.
9) A list of organizations to which the YM-YWCA may have disclosed personal information shall be provided, when it is not possible to provide a list of actual disclosures.
10) Staff can request access to their employee file by contacting their supervisor
11) The YM-YWCA may not be able to provide an individual with access to some or all of his or her personal information in certain circumstances permitted by law. Some exceptions include if:
a) doing so would likely reveal personal information about a third party;
b) disclosure could reasonably be expected to threaten the life or security of another individual;
c) information was collected in relation to the investigation of a breach of an agreement, or a contravention of law, or as otherwise permitted by law.
12) If access to personal information cannot be provided, the Branch Manager or CEO shall provide the individual with written reasons for denying access.
Principle 10 - Challenging Compliance
1) Staff will encourage individuals challenging the compliance of the Y to these policies to speak to the Branch Manager
2) If the problem is not resolved to the individual’s satisfaction, the individual may contact the Branch Manager and/or CEO. The individual will be asked to provide the following information in writing:
a) Name, address or fax number where the individual prefers to be reached;
b) Nature of the complaint, relevant details, what the individual would like us to do;
c) Name of YM-YWCA staff with whom the individual has already discussed the issue.
3) The Branch Manager or CEO will work with our Privacy Officer to investigate privacy complaints. If a complaint is found to be justified, the YM-YWCA shall take appropriate measures to resolve the complaint.
