PURPOSE:
To ensure the proper collection, retention and distribution of personal information. The policy applies to all individuals, lay or ordained, paid or unpaid, who are the employees, donors, subscribers, General Synod members, volunteers or customers of the General Synod.
PRIVACY OFFICER:
The General Secretary has been designated the Privacy Officer of the General Synod with responsibility to ensure compliance with the General Synod Privacy Standards Policy. Staff will be informed of the name and responsibilities of the Privacy Officer. The Privacy Officer will report to the Management Team for discussion on a regular basis in regard to any activities related to personal information protection. The Privacy Officer will ensure regular training for staff/volunteers as to the policies and procedures personal information protection requires. The Policy will be reviewed periodically by the Privacy Officer, in consultation with the Department Privacy Contacts, and updated accordingly. Employees will be made aware of the importance of maintaining the security and confidentiality of personal information. The misuse or improper handling of personal information may result in disciplinary action up to and including dismissal.
DEPARTMENTAL ACCOUNTABILITY:
Each department will assign one person responsible for ensuring the standards are maintained. Each department is responsible for developing and following the procedures for collection, retention and distribution in accordance with this policy and following the principles listed below.
Collection:
The General Synod has a decentralized record management process for the collection, management, retention and disposition of personal information collected from donors and/or customers.
Information about employees (cleric and lay) – full-time, part-time or contract is located on a pass protected central database of the Human Resources department as well as in confidential and secure personnel files located in the Human Resources department.
All information on individual parishioners, forwarded to the General Synod by dioceses and parishes is stored on pass protected central databases of the General Synod.
All individuals have controlled access to their own personal information owned by the General Synod of the Anglican Church of Canada. All General Synod personal information obtained by other organizations and agencies must comply with standards comparable to the General Synod Privacy Standards Policy.
DEFINITIONS
Personal information:
Any factual or subjective information, recorded or not, about an identifiable individual. Personal information does not include the name, title or business address or telephone number of an employee of an organization.
Personal information includes information in any form, such as: home address and home phone number, age, marital status, family members’ names, employee files, identification numbers, ethnic origin, evaluations, disciplinary actions, the existence of a dispute, opinions, comments, social status, income, credit records, donation information, loan records or medical records.
Commercial activity:
Any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fund-raising lists.
Consent:
Voluntary agreement with what is being done or proposed. Consent can be either expressed or implied. Expressed consent is given explicitly, either orally or in writing. Expressed consent is unequivocal and does not require any inference on the part of the organization seeking consent. Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual.
Disclosure:
Making personal information available to others outside the organization.
Use:
Refers to the treatment and handling of personal information within an organization.
PRINCIPLES:
The General Synod and its associated corporate entities will follow the ten principles for handling personal information as set out in Schedule 1 to the Personal Information Protection and Electronics Document Act of Canada.
These principles are: accountability, identifying purposes, consent, limiting collection, limiting use, disclosure and retention, accuracy, safeguards, openness, individual access, and provision of recourse.
1. Be accountable
It is our intent to:
- Comply with all 10 of the principles of Schedule 1.
- Appoint an individual (or individuals) to be responsible for organizational compliance.
- Protect all personal information held by General Synod or transferred to a third party for processing.
- Develop and implement personal information policies and practices.
2. Identify the purpose
We will identify the reasons for collecting personal information before or at the time of collection by:
- Reviewing all personal information holdings to ensure they are all required for a specific purpose.
- Notifying the individual, either orally or in writing, of these purposes.
- Recording all identified purposes and obtained consents for easy reference in case an individual requests an account of such information.
- We will ensure that these purposes are limited to what a reasonable person would expect under the circumstances.
3. Obtain consent
We intend to obtain consent by:
- Informing the individual in a meaningful way of the purposes for the collection, use or disclosure of personal data.
- Obtaining the individual’s consent before or at the time of collection, as well as when a new use is identified.
- Using express consent whenever possible and in all cases when the personal information is considered sensitive.
4. Limit collection
We intend to meet this principle by:
- Limiting the amount and type of the information gathered to what is necessary for the identified purposes.
- Identifying the kind of personal information that is collected in information-handling policies and practices.
- Ensuring that staff members can explain why the information is needed.
5. Limit use, disclosure and retention
We intend to meet this principle by:
- Instituting maximum and minimum retention periods that take into account any legal requirements or restrictions and redress mechanisms and establishing policies setting out the types of information that need to be updated.
- Documenting any new purpose for the use of personal information.
- Disposing of information that does not have a specific purpose or that no longer fulfils its intended purpose.
- Disposing of personal information in a way that prevents improper access such as shredding paper files or deleting electronic records.
6. Be accurate
We intend to minimize the possibility of using incorrect information when making a decision about the individual or when disclosing information to third parties by:
- Keeping personal information as accurate, complete and up to date as necessary, taking into account its use and the interests of the individual.
- Updating personal information only when necessary to fulfill the specified purposes.
- Keeping frequently used information accurate and up to date unless there are clearly set out limits to this requirement.
7. Use appropriate safeguards
We take seriously our responsibility to protect personal information against loss or theft; to safeguard the information from unauthorized access, disclosure, copying, use or modification; and, to protect personal information regardless of the format in which it is held.
We will review and update security measures regularly taking the following factors into consideration in selecting appropriate safeguards:
- sensitivity of the information
- amount of information
- extent of distribution
- format of the information (electronic, paper, etc.)
- type of storage.
8. Be open
We will inform customers, donors, volunteers and employees of our policies and practices for the management of personal information.
9. Give individuals access
When requested, we will inform individuals of any personal information on file about them including: how it is or has been used and providing a list of any organizations to which it has been disclosed.
Individuals will have access to their information.
We will correct or amend any personal information if its accuracy and completeness is challenged and found to be deficient.
10. Provide recourse
We will develop a simple and easily accessible complaint procedure and inform complainants of avenues of recourse. All complaints received will be investigated and we will take appropriate measures to correct information-handling practices and policies found deficient.
EXCEPTIONS TO THE CONSENT PRINCIPLES:
The General Synod and its associated corporate entities may collect and use personal information without consent:
- If it is clearly in the individual’s interests and consent is not available in a timely way
- If collection is required to investigate a breach of an agreement or contravention of a federal or provincial law
- For journalistic, artistic or literary purposes
- If it is publicly available
- For an emergency that threatens an individual’s life, health or security
- For statistical or scholarly study or research.
The General Synod and its associated corporate entities may disclose personal information without consent:
- To a lawyer representing General Synod and/or its associated corporate entities
- To collect a debt the individual owes the General Synod
- To comply with a subpoena, warrant or order made by a court or other juridical body
- To a lawfully authorized government authority