Procedure Management Responsibility
Staff Responsible: Executive Director
Oversight by: Finance Audit and Technology Committee
Approval by: Board of Directors
Purpose and Scope
THE Calgary Catholic Education Foundation (THE CCEF) is committed to maintaining the confidentiality, security, and accuracy of the Personal Information of THE CCEF’s Personnel and other third parties that is in its possession as a result of its normal business, including with respect to volunteer and charitable operations.
The CCEF collects, uses and discloses Personal Information about its Personnel, donors, customers, suppliers and others with whom it has contact in the course of conducting its normal business operations, including for purposes of establishing, managing, or terminating employment and contractual relationships between Personnel and THE CCEF. This Policy describes and governs the collection, use, and disclosure of Personal Information by THE CCEF.
This Policy applies to THE CCEF, and to all Representatives. When a Representative, donor, customer, or supplier provides THE CCEF with Personal Information, that individual consents to THE CCEF’s collection, use and possible disclosure of their Personal Information for the designated purpose and agrees to the terms for accessing and correcting data as described below.
The Policy governs THE CCEF’s activities that are subject to the provisions of applicable privacy legislation, including the Personal Information Protection Act (Alberta). However, as a not-forprofit organization, please note that certain of THE CCEF’s activities may not be subject to applicable privacy legislation in all instances.
Information, recorded in any form, about an identifiable individual (including, (i) for employees: a home address and phone number, names of partners and spouses, a socialinsurance number, performance appraisals, medical and benefit information, or hobbies and interests, and (ii) for donors: any donation and billing information).
This does not include the name, title, business address or telephone/facsimile number or business email address of an employee of an organization, when used for business communications. Also, it does not include anonymous, aggregated or non-personal information or statistical data (i.e., information that cannot be associated with or tracked back to a specific individual).
A director, officer, employee, volunteer or independent contractor of THE CCEF.
An employee or prospective employee of THE CCEF, as well as any other individuals, including third parties that may provide and have access to Personal Information in THE CCEF’s possession.
THE CCEF and its divisions and affiliates, including any and all internal governance bodies.
If an individual has a question about (a) access to Personal Information, (b) the collection, use, management or disclosure of Personal Information, (c) changing or withdrawing consent with respect to Personal Information, or (d) obtaining more information about this Policy or relevant legislation, please contact the office of our Privacy Officer by telephone or in writing or by e-mail at:
The Calgary Catholic Education Foundation
1000-5th Ave SW
Calgary, AB T2P 4T9
Attention: Executive Director
The CCEF endeavours to answer all questions raised in a timely manner, and advise in writing of any steps taken to address an issue brought forward. If an individual is not satisfied with TheCCEF’s response, they may be entitled to make a written submission to the privacy authority applicable for their jurisdiction.
Collection, Use and Disclosure of Personal Information
- Personal Information
- Collection Rationale
- Use Or Disclosure Of Personal Information
- Protection Of Personal Information
I. Personal Information
THE CCEF collects and maintains different types of Personal Information about individuals
with whom it interacts (such as those who seek to be, are, or were employed by THE CCEF, or
volunteers, donors, customers or suppliers of THE CCEF), including:
- identification and contact information: such as a Representative’s name, home address, telephone, personal email address, date of birth, social insurance number, marital and dependent status, videos, photographs, and beneficiary and emergency contact information;
- employment information: such as a Representative’s job title, resumes and/or applications, interview notes, letters of offer and acceptance of employment, compensation and benefit information, background verification information, employment references, mandatory policy acknowledgement sign-off sheets and evaluations;
- benefit information: such as forms relating to the application or change of employee health and welfare benefits, including but not limited to health care, life insurance, short and long term disability, medical and dental care;
- payroll and financial information: including but not limited to social insurance number, wages, pay cheque deposit information, pension information, group savings plans, information and tax related information;
- business relationship and operations information: such as customer and supplier names, customer addresses and personal contacts, credit information, billing records, service and equipment records, any recorded customer complaints, investor contact information and requests, agreement terms and preferences and information necessary to effect emergency response plans;
- donor information: such as donor identities, donation amounts and banking information ; and
- other information necessary for THE CCEF’s business purposes, which may be voluntarily disclosed or collected in the course of a Representative’s application to and employment with THE CCEF.
As a general rule, THE CCEF collects Personal Information directly from the individual it pertains to. If third parties hold information THE CCEF requires, THE CCEF will endeavour to ensure the information has been collected with the appropriate consent.
Where permitted or required by applicable law or regulatory requirements, THE CCEF may collect Personal Information about an individual without their knowledge or consent.
II. Collection Rationale
THE CCEF collects Personal Information to manage and develop its business and operations, and to support its volunteer and charitable activities, including:
- determining eligibility for initial employment, including the verification of references and qualifications;
- administration of pay and benefits;
- establishing training and/or development requirements and assessing qualifications for a particular job or task;
- performance reviews and determining performance requirements;
- processing employee work-related claims (e.g. worker compensation, insurance claims, etc.);
- establishing, managing and terminating business relations with volunteers, customers, donors and suppliers;
- protection against error, fraud, theft damage or nuisance relating to THE CCEF’s assets, operations or reputation and securing organization-held information;
- compliance with individual requests;
- compliance with applicable law or regulatory requirements;
- maintaining and improving its service offerings to employees, volunteers, donors and customers; and
- any other reasonable purpose required by THE CCEF and to which an individual consents.
III. Use or Disclosure of Personal Information
THE CCEF may use and disclose Personal Information provided it is reasonably required in the following circumstances:
- for purposes described in this Policy;
- where the information is publicly available;
- where necessary to protect the rights and property of THE CCEF;
- when emergencies occur or where it is necessary to protect the safety of a person or group of persons;
- where required by Personnel and other parties (including its related business entities or affiliates) who require Personal Information to assist in establishing, maintaining and managing THE CCEF’s relationship with an individual, including, for example, third parties who provide services to THE CCEF or on THE CCEF’s behalf or third parties who collaborate with THE CCEF in the provision of services to an individual; or
- THE CCEF has otherwise obtained an individual’s consent.
THE CCEF may use or disclose Personal Information without an individual’s knowledge or consent where it is permitted or required by applicable law or regulatory requirements to do so, including, but not limited to, circumstances relating to the establishment, maintenance or termination of an employment relationship.
THE CCEF does not sell employee, volunteer, donor or customer information to third parties.
IV. Protection of Personal Information
THE CCEF endeavours to maintain physical, technological, and procedural safeguards that are appropriate to the sensitivity of the Personal Information in question. These safeguards are designed to prevent Personal Information from loss and unauthorized access, copying, use, modification or disclosure. Examples of these safeguards include: password, encryption, and other electronic security means; locked or limited access premises and file cabinets; and the security monitoring methods.
Retention of Personal Information
Except as otherwise permitted or required by applicable law or regulatory requirements, THE CCEF endeavours to retain Personal Information only for as long as it believes is necessary to fulfill the purposes for which the Personal Information was collected (including, for the purpose of meeting any legal, accounting, or other reporting requirements or obligations). THE CCEF may, instead of destroying or erasing Personal Information and where this is economically feasible, make it anonymous such that it cannot be associated with or tracked back to a specific individual.
Updating Personal Information
It is important that Personal Information contained in THE CCEF’s records is both accurate and current. THE CCEF asks that Personnel, donors, customers and suppliers keep it informed of changes to Personal Information during the course of the individual’s employment, charitable or business relationship with THE CCEF.
If an individual believes the Personal Information about them held by THE CCEF is not correct, the individual may request an update of that information by making a request to our Privacy Officer using the contact information set out below.
Accessing Personal Information
An individual may ask to see the Personal Information that THE CCEF holds about them. If individuals want to review, verify, or correct their Personal Information, they may contact our Privacy Officer at the coordinates set out below. Please note that any such communications must be in writing (whether by traditional or electronic means).
When making an access request, THE CCEF may require specific information from an individual to confirm their identity and right to access, as well as to search for, and provide that individual with, the Personal Information that it holds about them. THE CCEF may charge a fee to access Personal Information; but it will advise of any fee in advance. If help is needed in preparing a request, please contact the office of our Privacy Officer. Where Personal Information will be disclosed to an individual, THE CCEF will endeavour to provide the information in question within a reasonable time, and in most cases, no later than 30 days following the request.
An individual’s right to access the Personal Information that it holds about them is not absolute. There are instances where applicable law or regulatory requirements permit or require THE CCEF to refuse a Personal Information access request. THE CCEF also reserves the right to decline to provide access to Personal Information where the information requested:
- would disclose:
- Personal Information, including opinions, about another individual or about a deceased individual; or
- trade secrets or other business confidential information that may harm THE CCEF or the competitive position of a third party, or interfere with contractual or other negotiations of THE CCEF or a third party;
- is subject to solicitor-client or litigation privilege;
- is not readily retrievable and the burden or cost of providing would be disproportionate to the nature or value of the information;
- could reasonably result in serious harm to any individual.
- may harm or interfere with law enforcement activities and other legal or employment related investigative or regulatory functions.
In addition, the Personal Information may no longer exist, may have been destroyed, erased or made anonymous in accordance with THE CCEF’s record retention obligations and practices.
In the event that THE CCEF cannot provide an individual with access to their Personal Information, it will endeavor to inform that individual of the reasons why access has been denied, subject to any legal or regulatory restrictions.
Out of Country Storage and Processing of Personal Information
THE CCEF has and will invest in new data management systems and software solutions on a routine basis, in order to work with or provide its services to its Personnel, Representatives, donors, customers, suppliers and others. As data processing technologies continually evolve, more systems and software solutions utilize “cloud-based” delivery models, where data processing and storage functionality is delivered from outside THE CCEF’s premises and through the internet or similar connections to the service provider, and where THE CCEF does not host the system or software solution within its physical premises. Accordingly, while THE CCEF maintains its responsibility for the protection of this data and of the Personal Information contained within it, Personal Information collection, use, disclosure, processing and storage may actually occur outside of Canada.
- The purposes for which THE CCEF may utilize such cloud-based systems and solutions for the collection, use, disclosure, processing and storage of Personal Information, are those purposes that are otherwise described in this Policy.
- THE CCEF has and will only engage service providers for such collection, use, disclosure, processing and storage of Personal Information, where such Personal Information is or will be located in and outside Canada.
- Any Personnel, Representative, donor, customer, supplier or third person may obtain further information about THE CCEF’s collection, use, disclosure, processing and storage of such Personal Information, or about THE CCEF’s policies and practices with respect to such service providers, located in and outside Canada, by contacting THE CCEF’s Privacy Officer through the contact information below.
It is important to THE CCEF that it collects, uses or discloses Personal Information with consent to do so or as otherwise provided in this Policy. Depending on the sensitivity of the Personal Information, consent may be implied, deemed (using an opt-out mechanism) or express. Express consent can be given orally, electronically or in writing. Implied consent is consent that can reasonably be inferred from an individual’s action or inaction. For example, when financial information is requested for donation purposes, THE CCEF will assume consent to the collection, use, or disclosure of Personal Information for purposes related to that request for information or for other purposes identified by the requesting individual at the time.
Typically, THE CCEF will seek consent at the time that it collects the Personal Information. In some circumstances consent may be obtained after collection but prior to THE CCEF’s use or disclosure of Personal Information. If THE CCEF plans to use or disclose Personal Information for a purpose not previously identified (either in this Policy or separately), it will endeavour to advise an affected individual of that purpose before such use or disclosure.
THE CCEF may collect, use or disclose Personal Information without an individual’s knowledge or consent where it is permitted or required to do so by applicable law or regulatory requirements.
THE CCEF assumes that, unless it is advised otherwise, by receiving a copy of this Policy or by continuing to engage in business with THE CCEF, an individual will have consented to the collection, use and disclosure of their Personal Information as explained in this Policy.
An individual is entitled to change or withdraw their consent at any time, subject to legal or contractual restrictions (and reasonable notice), by contacting our Privacy Officer using the contact information set out below. In some circumstances, a change in, or withdrawal of, consent may limit THE CCEF’s ability to provide products or services to, or acquire products or services from, that individual.
The work output of Personnel, whether in paper record, computer files, or in any other storage format belongs to THE CCEF, and that work output, whether it is stored electronically, on paper or in any other format, and the tools used to generate that work product, are always subject to review and monitoring by THE CCEF.
In the course of conducting THE CCEF’s business, THE CCEF may monitor Representative activities and its property. Pursuant to the Ownership of Computer Data, E-mail and Internet Use and Social Media policies, THE CCEF has the capability to monitor all Personnel’s computer and e-mail use.
Representatives should not have any expectation of privacy with respect to their use of THE CCEF’s equipment or resources. This section is not meant to suggest that all Representatives will be monitored or their actions subject to constant surveillance – as THE CCEF has no duty to monitor – it is meant to bring to each Representative’s attention the fact that such monitoring may occur and may result in the collection of Personal Information (e.g. through their use of THE CCEF’s electronic resources).
Any collection of Personal Information held or used in the course of monitoring will not be more than is necessary for the purpose of the monitoring. Monitoring is or will be done on an “as required” basis and will be in proportion to the risks that THE CCEF faces. THE CCEF will conduct any monitoring in the least intrusive way possible. In some instances, when reasonably necessary, THE CCEF may supplement this monitoring notice with more specific policies or statements as appropriate.
Responsibility & Interpretation
Any violation of this Policy will result in action by THE CCEF. If any Representative misuses the Personal Information of another Representative, donor, or customer of THE CCEF, it will be considered a serious offence for which appropriate disciplinary action may be taken, up to and including termination of employment. If any individual or organization misuses the Personal Information of a Representative – provided for the purpose of providing services to THE CCEF – it will be considered a serious issue for which appropriate action may be taken, up to and including termination of the service agreement or court action.
Any interpretation associated with this Policy will be made by the Privacy Officer. This Policy includes examples but is not intended to be restricted in its application to such examples, therefore where the word ‘including’ is used, it shall mean ‘including without limitation’.
THE CCEF will review and revise this Policy from time to time to reflect changes in legal or regulatory obligations or changes in the manner in which it deals with Personal Information, and in any event, at least every 12 months. Any revised version of this Policy will be posted, and each Representative is encouraged to refer back to it on a regular basis. Any changes to this Policy will be effective from the time they are posted, provided that any change that relates to why THE CCEF collects, uses or discloses Personal Information will not apply to a particular Representative, where their consent is required to such collection, use, or disclosure, until THE CCEF has obtained that Representative’s consent to such change.
This Policy does not create or confer upon any individual any rights, or impose upon THE CCEF any rights or obligations outside of, or in addition to, any rights or obligations imposed by applicable privacy legislation. Should there be, in a specific case, any inconsistency between this Policy and relevant legislation, this Policy shall be interpreted, in respect of that case, to give effect to, and comply with, such privacy legislation.
This Policy shall have effect from October 1, 2018
Frequency: 12 months
Date of last Committee review: October 1, 2018
Date of last amendment: October 1, 2018
Date of last Board approval: October 1, 2018