Your Privacy

Southlake Foundation is committed to protecting the privacy of its donors’ and sponsors’ personal information. As part of this commitment, the Foundation has developed a Privacy Policy and related privacy procedures.

If you have any questions about your privacy at Southlake Foundation, please contact our Chief Privacy Officer by e-mailing foundationprivacy@southlakeregional.org or phoning 905-836-7333 ext. 5117.

POLICY

Scope

This Privacy Policy applies to the Foundation and its employees, volunteers and board members, and covers all personal information under the Foundation’s control regardless of its format (e.g., paper, electronic or oral).

Definitions

The Foundation has taken a policy decision to align its privacy program with the ten privacy principles set out in the Canadian Standards Association (CSA) Model Code for the Protection of Personal Information.

Our Privacy Standards

Principle 1 - Accountability

The Foundation has implemented procedures to give effect to this Privacy Policy:

- to manage the collection, use, retention, storage, transfer, disclosure, accuracy, correction and disposal of its donors’ or sponsors’ personal information,
- to receive and respond to inquiries and complaints,
- to train employees, volunteers and board members about the Foundation’s Privacy Policy and related procedures, and
- to analyze new initiatives that may affect personal information.

The Foundation accepts responsibility for protecting personal information under its control, including any personal information that it transfers to third party service providers acting on its behalf. The Foundation takes reasonable steps to protect personal information that it transfers to others (for example, by including privacy clauses in its contracts with third party service providers to ensure a comparable level of protection).

The Foundation has a designated individual, known as the Chief Privacy Officer, who is accountable for the Foundation’s compliance with this Privacy Policy.

Principle 2 - Identifying Purposes

The Foundation identifies the purposes for which it collects, uses and discloses personal information. The Foundation only collects, uses and discloses personal information necessary for the identified purposes.

The Foundation collects, uses and discloses information to:

- process donations and sponsorships and issue tax receipts, where applicable,
- keep donors and sponsors informed about Foundation and Southlake Regional Health Centre activities,
- ask individuals and organizations for their support,
- process orders for promotional products, lottery tickets and special fundraising events and to provide the purchased products and services,
- engage in donor and sponsor recognition activities such as stewardship reports, plaquing, printed articles, tours and events,
- send an acknowledgement to the designated recipient of an in memoriam or in honour gift,
- permit internal analysis to assist the Foundation with planning for future fundraising activities, and
- comply with legal and regulatory requirements.

The Foundation collects the following information to achieve its identified purposes:

- name,
- contact information, including telephone number, residential address or e-mail address,
- demographic information including information about an individual’s gender and age that will help us communicate more effectively,
- specific areas of interest in hospital activities,
- publicly available information including personal information that appears in a publication such as a magazine or newspaper, and
- history of charitable giving including charitable giving to the Foundation.

Principle 3 - Consent

The Foundation obtains consent from individuals for its collection, use and disclosure of their personal information for the identified purposes, except where otherwise permitted by law. The form of consent sought by the Foundation may vary depending on the circumstances and the sensitivity of the personal information that is collected.

Consent can be express, implied or given through an authorized representative. Before deciding what form of consent is appropriate, the Foundation will consider the type of personal information it needs, the reason for its use, and the type of customer contact that is involved. The Foundation will generally seek express consent when the information is likely to be considered sensitive.

Individuals may give express consent in writing, orally or electronically. They can also imply consent through action or inaction. For example:

- by completing and signing a pledge form or other Foundation materials, or by registering for an event sponsored by the Foundation,
- by voluntarily disclosing personal information, including personal health information, to an employee, volunteer or board member of the Foundation,
- orally, at the time an individual uses a health service, makes a donation or when personal information is collected over the telephone,
- by attending a fundraising or other Foundation event,
- by not responding to the Foundation’s offer to have their personal information removed from a direct marketing list. In this case, the Foundation may assume that the individual consents to the use of their personal information for the identified purposes.

Individuals can also give consent through an authorized representative, such as a legal guardian or a person with a power of attorney. This is necessary, for example, if the Foundation cannot obtain express consent from an individual who is a minor, seriously ill, or mentally incapacitated. The Foundation receives potential donors’ and sponsors’ names and mailing addresses from the Southlake Regional Health Centre, and uses this information to contact these individuals through mailings. The Southlake Regional Health Centre provides notice to individuals of its intention to disclose the information to the Foundation for fundraising purposes, and provides individuals with the opportunity to opt-out of this process.

The Foundation also receives the names and contact information of potential donors and sponsors from individuals and organizations within the community, including Newmarket and the surrounding area, for fundraising and information-sharing purposes, including for the purpose of providing tax receipts.

Individuals may withdraw consent for any identified purpose at any time, subject to legal and contractual restrictions and reasonable notice. An opt-out option is available on printed and electronic publications. If a donor or sponsor withdraws consent, the Foundation complies with the request as quickly as possible but there may be certain uses of personal information that it may not be able to stop immediately. Individuals who wish to withdraw consent as outlined in this Privacy Policy should contact the Foundation’s Chief Privacy Officer (see contact information above).

Principle 4 - Limiting Collection

The Foundation limits its collection of personal information to that which is necessary to fulfill its identified purposes. The Foundation collects personal information by fair and lawful means.

Principle 5 - Limiting Use, Disclosure and Retention

The Foundation does not use personal information, or sell, transfer or otherwise disclose personal information to any third party, for purposes other than those for which it was collected, except with the individual’s consent or as permitted or required by law. The Foundation retains personal information only as long as necessary to fulfill the identified purposes or as otherwise permitted or required by law.

Principle 6 - Accuracy

The Foundation keeps personal information as accurate, complete and up-to-date as is reasonably necessary for its identified purposes. Individuals may request corrections to inaccuracies in their personal information by contacting the Foundation’s Chief Privacy Officer (see contact information above).

Principle 7 - Safeguards

The Foundation is committed to protecting personal information in its control with security safeguards appropriate to the sensitivity of the information. Personal information is protected by safeguarding measures designed to prevent theft, loss and unauthorized access, copying, modification, use, disclosure and disposal. A higher level of protection is used to safeguard more sensitive personal information.

The Foundation takes steps to ensure that employees, volunteers and board members are aware of the importance of maintaining the security and confidentiality of donors’ and sponsors’ personal information and requires them to sign a Confidentiality Agreement. All independent contractors, vendors and suppliers that work with the Foundation’s personal information must also sign a Confidentiality Agreement.

Principle 8 - Openness

This Privacy Policy is made available to donors, sponsors and the public on our website at www.southlakefoundation.ca. Individuals may easily acquire information about:

- the name and contact information for the Foundation’s Chief Privacy Officer for the purpose of questions and complaints,
- the means of gaining access to personal information held by the Foundation.

Principle 9 - Access

Upon written request, the Foundation will give individuals access to their personal information and an account of its use and disclosure. Individuals can challenge the accuracy and completeness of the information and have it amended as appropriate.

Principle 10 - Challenging Compliance

The Foundation has procedures in place to receive and respond to donor and sponsor inquiries and complaints about the handling of their personal information. Individuals who are not satisfied with the answer received about the subject of their inquiry may complain in writing to the Foundation’s Chief Privacy Officer (see contact information above). The Foundation’s Chief Privacy Officer will investigate all complaints.

Incident Recognition, Response, Reporting and Follow-Up

All employees, volunteers and board members must ensure that the privacy of donors and the confidentiality and security of their personal information are preserved at all times. Anyone who observes a breach or potential breach of privacy must report the details as soon as possible to the Foundation’s Chief Privacy Officer. The Chief Privacy Officer will discuss the issue with the President of the Foundation. Anyone who fails to comply with this Privacy Policy will be subject to disciplinary action, up to and including termination of employment or association with the Foundation. Examples of violations of this Privacy Policy include:

- Accessing information that is not required for job purposes,
- Misusing, disclosing without proper authorization, or altering donor information,
- Disclosing to another person one’s password for accessing electronic records.

Training

The Foundation will ensure that everyone who works with the Foundation has a good understanding of this Privacy Policy and its related procedures through privacy training sessions and other communications.

Routine Assessment of Systems and Procedures

Controls

The Foundation will routinely assess information systems and work processes to confirm that donor privacy is protected, and that only authorized individuals with a “need-to-know” have access to personal information. Whenever significant changes are proposed or undertaken for information systems or work processes, and whenever substantial external services and products are evaluated or contracted to assist with information management, the Foundation will conduct a privacy impact assessment.

Audits and Reviews

The Chief Privacy Officer will periodically conduct internal reviews and external audits of the Foundation’s Privacy Policy and related procedures with a view to maintaining and improving their effectiveness and complying with relevant legislation.

Reporting

The Foundation’s management will report annually to the board of directors on matters concerning privacy compliance.