BLAC Privacy Policy
(“BLAC” or “Corporation”)
| ISSUED BY: | Board of Directors | DATE: | May 16, 2019 |
| APPROVED BY: | Board of Directors | DATE: | March 18, 2025 |
| LAST REVIEWED: | March 18, 2025 | NEXT REVIEW DATE: | January 2, 2026 |
Category: Monitoring for Quality and Risk
Policy Title: Privacy and Security of Personal Information
PREAMBLE
BLAC is committed to protecting the privacy and security of personal information in its custody or under its control, including personal information of its clients, staff and volunteers. The Board is accountable for BLAC’s privacy and security practices and has developed this operational framework to support the protection of personal information. BLAC has adopted reasonable safeguards to protect the privacy and security of personal information of its clients, staff and volunteers.
All employees and volunteers must abide by the Corporation’s policies, procedures and practices when handling personal information. Although BLAC is not subject to privacy legislation, it adopts the ten privacy principles set out in the National Standard of Canada Model Code for the Protection of Personal Information (“Privacy Principles”).
These include:
- Principle 1-Accountability
- Principle 2-Identifying Purposes
- Principle 3-Consent
- Principle 4-Limiting Collection
- Principle 5-Limiting Use, Disclosure and Retention
- Principle 6-Accuracy
- Principle 7-Safeguarding Information
- Principle 8-Openness
- Principle 9-Individual Access
- Principle 10-Challenging Compliance
1. Scope
This policy applies to all BLAC employees and volunteers, including members of the Board of Directors (for the purposes of this Policy, “Staff”).
2. Definitions
- “Client” – A current or past client of BLAC.
- “Collection” – involves the act of gathering, acquiring or obtaining personal information from any source, including from third parties, by any means.
- “Consent” – means the voluntary agreement with what is being done or proposed. Consent can be either express or implied. Express consent is given explicitly, either orally or in writing. Express consent is unequivocal and does not require any inference on the part of the persons seeking the consent. Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual.
- “Disclose” – release or make personal information available to another person or corporation; it does not mean to use the information. Disclosure is to be distinguished from the “transfer” of information to agents or third parties who are simply processing the information on the Corporation’s behalf.
- “Identifying information” – any information that identifies an individual or that one could reasonably foresee might be used either on its own or with other information to identify an individual.
- “Personal information” – means identifying information, but does not include the name, title or business address or telephone number. Personal information collected by BLAC may include personal health information and other information such as: name, date of birth (and age), marital status, family status, nationality, race, gender, sexual orientation; health/medical history, diagnosis, employment, education and financial information; personal address, telephone number, e-mail address, social insurance number (Staff only).
3. Guiding Principles
Accountability
BLAC assumes accountability for personal information within its custody or under its control. The Executive Director is responsible for ensuring the protection of personal information and is accountable for BLAC’s compliance with its privacy and security policies, including this Policy.
BLAC’s Executive Director shall serve as its designated Privacy Officer, responsible for:
- the development and implementation of privacy and security policies and practices;
- providing privacy training to BLAC Staff;
- monitoring and auditing BLAC’s compliance with its privacy and security practices;
- addressing privacy-related requests, complaints and inquiries;
- conducting regular risk assessments.
The Executive Director shall report to the Board at least annually on BLAC’s performance with respect to the privacy and security of personal information.
Identifying Purposes
BLAC identifies the purposes for which personal information is collected at or before the time that the information is collected. BLAC collects personal information directly from the Client, or person authorized to act on the Client’s behalf. Personal information may be collected from other sources, with consent, or if the law permits.
The primary purpose for which BLAC collects and uses personal information is to carry out its mandate to combat individual and systemic anti-Black racism by providing legal representation in areas of “clinic law” to Clients with low or no income that identify as Black or African Canadian, including matters related to housing and shelter, income maintenance, social assistance, and other similar government programs, human rights, health, employment, and education, engaging in test case litigation, law reform, and community development.
Other purposes include compliance with legal and regulatory requirements; to address payment and funding requirements; and for quality improvement and education purposes. Personal information is also used to administer employment-related processes.
Consent
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except as otherwise permitted or required by law. In order to be knowledgeable, BLAC makes reasonable efforts to ensure that the individual knows the purpose for which the personal information is being collected, used or disclosed, and that consent may be withdrawn. The way in which BLAC seeks consent may vary, depending on the circumstances and type of information.
Consent is required from a minor client that is sixteen years or older except where the minor is represented by an adult under a court-ordered guardianship. A Client may withdraw their consent by contacting the Privacy Officer; however, such withdrawal cannot be retroactive.
Limiting Collection of Personal Information
The collection of personal information is limited to that which is necessary for the purposes identified by BLAC. Information is collected by fair and lawful means.
Limiting Use, Disclosure and Retention of Personal Information
BLAC does not use or disclose personal information for purposes other than those for which it was collected, except with the Consent of the Client or as required by law. Only those staff with a business need-to-know, or whose duties reasonably so require, are authorized to access personal information of Clients.
BLAC retains personal information in accordance with statutory or contractual requirements. Once personal information is no longer required, it is destroyed in a safe and secure manner.
Accuracy
BLAC makes reasonable efforts to ensure that personal information collected, used or disclosed by or on its behalf is accurate and complete, as is necessary for the purposes for which it is to be used.
Safeguards
BLAC safeguards personal information in its custody or control by utilizing security measures and practices to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or destruction. BLAC utilizes security safeguards that are appropriate to the sensitivity of the information. These include physical measures (i.e. locked cabinets, restricted access, security clearances); operational measures (i.e. access limited on a “need to know” basis) and technological measures (i.e. passwords, encryption, audits).
BLAC uses contractual or other means to provide a comparable level of protection when personal information is being processed or handled on its behalf. BLAC conducts regular and random audits of its electronic data systems and monitors its privacy compliance. Failure to comply with this Policy and the Privacy Principles may result in disciplinary action, up to and including dismissal for staff or termination of the relationship.
Openness
BLAC has developed and follows privacy and security policies and practices. Information about its privacy practices is available on request.
Upon request, Clients have a right to request access to personal information that BLAC holds about them. In most instances, BLAC will grant individuals access to their personal information upon presentation of a written request and identification. Should BLAC deny an individual’s request for access to his or her personal information, it will advise in writing of the reason for such a refusal. The individual may then challenge the decision.
An individual who has been granted access may request correction or amendment to their information by notifying the Privacy Officer in writing.
4. Compliance Challenges
Individuals are encouraged to bring any concerns or issues regarding privacy to the Privacy Officer for discussion and response. BLAC will investigate all complaints. If a complaint is found to be justified, BLAC will take appropriate measures, including, if necessary, amending its policies and practices.