The Jesse Davidson Foundation (the Foundation) is committed to controlling the collection, use and disclosure of Personal Information.
- means gathering, acquiring or obtaining Personal Information from any source, including third parties, by any means.
- means voluntary agreement with what is being done or proposed. Consent can be either express or implied. Express consent is given explicitly, either orally or in writing. Express consent is unequivocal and does not require any inference on the part of the Foundation. Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual.
- means making Personal Information available to other Foundation personnel or others outside the Foundation.
- means information about an identifiable individual recorded in any form and might include, but will not be limited to, such things as race, ethnic origin, colour, age, marital status, religion, education, medical, criminal, employment or financial history, address and telephone number, numerical identifiers such as a Social Insurance Number, and views and personal opinions.
- does not include the name, title or business address or business telephone number of an employee of the Foundation.
- means the Federal Privacy Commissioner as set out under section 2 of the Act.
- means the Foundation’s Privacy Officer as required by Schedule 1 of the Act.
- means the treatment and handling of Personal Information within the Foundation.
- The Foundation, as a matter of basic principle, does not rent, sell, exchange or otherwise disclose Personal Information about its staff, volunteers, donors, friends and supporters to any outside entity except as provided in paragraph 2 of APPLICATION.
- any Personal Information that the Foundation collects, uses or discloses in the course of commercial activities or any Personal Information about an employee of the Foundation.
- exceptions set out under section 7 of the Act. These include, among other things, using Personal Information in exigent circumstances, such as health emergencies, or to prevent criminal acts; using Personal Information in investigations of alleged illegal activity; and using Personal Information to prevent destruction of data.
The Ten Privacy Principles
Principle 1. Accountability
The Privacy Officer for the Foundation:
PERRY ESLER, Chief Executive Officer
- Accountability for compliance by the Foundation with these policies and procedures rests with the Privacy Officer, even though other individuals within the Foundation may be responsible for the day-to-day collection and processing of Personal Information. In addition, the Privacy Officer may, from time to time, designate one or more other individuals within the company to act on his or her behalf.
- The Foundation is responsible for Personal Information in its possession or custody, including Personal Information that has been transferred to a third party for processing. The Foundation shall use contractual or other means to provide a comparable level of protection while the Personal Information is being processed by a third party.
- implementing procedures to protect Personal Information;
- establishing procedures to receive and respond to complaints and inquiries;
- training staff and communicating to staff information about the Foundation’s policies and practices; and
- developing information to explain the Foundation’s policies and procedures.
- The designation of a Privacy Officer does not relieve the Foundation from accountability for compliance with these principles.
Principle 2. Identifying Purposes
The Foundation shall identify the purposes for which Personal Information is collected at or before the time the Personal Information is collected. The purposes for which Personal Information is collected, used or disclosed by the Foundation must be those that a reasonable person would consider are appropriate in the circumstances.
- The Foundation shall document the purposes for which Personal Information is collected in order to comply with the Openness principle (Principle 8 of Schedule 1 to the Act) and the Individual Access principle (Principle 9 of Schedule 1 to the Act).
- Identifying the purposes for which Personal Information is collected at or before the time of collection allows the Foundation to determine the Personal Information it needs to collect to fulfil these purposes. The Limiting Collection principle (Principle 4 of Schedule 1 to the Act) requires the Foundation to collect only that Personal Information necessary for the purposes that have been identified.
- The identified purposes shall be specified at or before the time of collection to the individual from whom the Personal Information is collected. Depending upon the way in which the Personal Information is collected, this can be done orally or in writing.
- When the Foundation personnel intends to use Personal Information that has been collected for a purpose not previously identified, it shall identify the new purpose prior to Unless the new purpose is required by law or consent is otherwise not required under the Act, the consent of the individual is required before Personal Information can be used for that purpose.
- Persons collecting Personal Information shall explain to individuals the purposes for which the Personal Information is being collected.
Principle 3. Consent
The knowledge and consent of the individual are required for the collection, use or disclosure of Personal Information, except where consent is not required by law or section 7 of the Act.
- Consent is required for the collection of Personal Information and the subsequent use or disclosure of this Personal Information. Generally, the Foundation personnel shall seek consent for the use or disclosure of the Personal Information at the time of collection. In certain circumstances, consent with respect to use or disclosure may be sought after the Personal Information has been collected but before use (for example, when the Foundation wants to use Personal Information for a purpose not previously identified).
- The principle requires knowledge and consent. The Foundation shall make a reasonable effort to ensure that the individual is advised of the purposes for which the Personal Information will be used. To make the consent meaningful, the Foundation shall state the purpose in such a manner that the individual can reasonably understand how the Personal Information will be used or disclosed.
- The Foundation may collect, use or disclose Personal Information without consent only in those circumstances permitted by section 7 of the The Foundation shall consult the Act to determine whether an exception to the obligation to obtain consent applies. Legal, medical, or security reasons may make it impossible or impractical to seek consent. For example, when Personal Information is being collected for the detection and prevention of fraud or for law enforcement, seeking the consent of the individual might defeat the purpose of collecting the Personal Information. Seeking consent may be impossible or inappropriate when the individual is a minor, seriously ill or mentally incapacitated, in which case consent must be obtained from parents, guardians or legal representatives of such individuals.
- The form of the consent sought by the Foundation may vary depending upon the circumstances and the type of Personal In determining the form of consent to use, the Foundation shall take into account the sensitivity of the Personal Information. Although some Personal Information (for example, medical records and income records) is almost always considered to be sensitive, any Personal Information can be sensitive, depending on the context. For example, the names and addresses of subscribers to a news magazine would generally not be considered sensitive Personal Information. However, the names and addresses of donors to the Foundation most likely is sensitive.
- In obtaining consent, the Foundation shall also consider the reasonable expectations of the The Foundation shall not obtain consent through deception.
- The way in which the Foundation seeks consent may vary, depending on the circumstances and the type of Personal Information collected. The Foundation shall generally seek express consent when the Personal Information is likely to be considered sensitive. It shall rely on implied consent only where collection and use of the Personal Information is directly related to a transaction or exchange of Personal Information in which the individual is directly Consent can also be given by an authorized representative (such as a legal guardian or a person having power of attorney).
- Individuals can give consent in many For example:
- an application form may be used to seek consent, collect Personal Information and inform the individual of the use that shall be made of the Personal Information. By completing and signing the form or sending the form via email, the individual is giving consent to the collection and the specified uses;
- consent may be given orally when Personal Information is collected over the telephone or on-line.
- An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice.
Principle 4. Limiting Collection
The collection of Personal Information shall be limited to that which is necessary for the purposes identified by the Foundation. Personal Information shall be collected by fair and lawful means.
- The Foundation shall not collect Personal Information indiscriminately. The Foundation shall limit the amount and the type of Personal Information it collects to that which is necessary to fulfil the purposes identified. The Foundation shall specify the type of Personal Information collected as part of its information-handling policies and practices, in accordance with the Openness principle (Principle 8 of Schedule I to the Act).
- The requirement that Personal Information be collected by fair and lawful means is intended to prevent the Foundation from collecting Personal Information by misleading or deceiving individuals about the purpose for which Personal Information is being collected. This requirement implies that consent with respect to collection must not be obtained through deception.
Principle 5. Limiting Use, Disclosure and Retention
Personal Information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual, as required by law or as exempted by the Act. Personal Information shall be retained only as long as necessary for the fulfilment of those purposes.
- The Foundation has guidelines and procedures with respect to the retention of Personal These guidelines have minimum and maximum retention periods. The Foundation shall retain Personal Information that has been used to make a decision about an individual long enough to allow the individual access to the Personal Information after the decision has been made. The Foundation may be subject to legislative requirements with respect to retention periods.
- The Foundation shall destroy, erase or make anonymous Personal Information that is no longer required to fulfil the identified purposes. The Foundation shall develop guidelines and implement procedures to govern the destruction of Personal Information.
Principle 6. Accuracy
Personal Information shall be as accurate, complete and up-to-date as is necessary for purposes for which it is to be used.
- The Foundation shall ensure that Personal Information is sufficiently accurate, complete and up-to-date to minimize the possibility that inappropriate Personal Information may be used to make a decision about the individual. The extent to which Personal Information will be accurate, complete and up-to-date will depend upon the use of the Personal Information, taking into account the interests of the individual.
- The Foundation shall not routinely update Personal Information, unless this is necessary to fulfil the purposes for which the Personal Information was collected.
- The Foundation shall ensure that Personal Information that is used on an ongoing basis, is generally accurate and up-to-date, unless limits to the requirement for accuracy are clearly set out.
Principle 7. Safeguards
Personal Information shall be protected by security safeguards appropriate to the sensitivity of the Personal Information.
- The Foundation shall implement security safeguards to protect Personal Information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification, regardless of the format in which the Personal Information is held.
- The nature of the safeguard shall vary depending on the sensitivity of the Personal Information that has been collected; the amount, distribution and format of the Personal Information; and the method of storage. More sensitive Personal Information shall be safeguarded by a higher level of protection.
- The methods of protection shall include, where applicable, and depending on the sensitivity of the Personal Information:
- physical measures (e.g., locked filing cabinets and restricted access to offices);
- organizational measures (e.g., security clearances and limiting access on a need-to-know basis); and
- technological measures (e.g. the use of passwords and encryption).
- The Foundation shall make its employees aware of the importance of maintaining the confidentiality of Personal Information.
Principle 8. Openness
The Foundation shall make specific information about its policies and practices relating to the management of Personal Information readily available to individuals.
- The information made available shall include:
- the name or title, and the address, of the Privacy Officer;
- the means of gaining access to one’s Personal Information held by the Foundation;
- a description of the type of Personal Information held by the Foundation including a general account of its use;
- copies of any brochures or other information that explain the Foundation’s policies, standards and codes as may be the case.
- The Foundation intends to make information on its policies and practices available in a variety of ways. For example, the Foundation may choose to make brochures available in its place of business, mail information to customers upon request, and provide on-line or telephone means to register complaints or inquiries relating to the privacy framework.
Principle 9. Individual Access
Upon request, an individual shall be informed of the existence, use and disclosure of his or her Personal Information and shall be given access to that Personal Information except where the Foundation is permitted by law or under the Act not to disclose Personal Information to the individual. An individual shall be able to challenge the accuracy and completeness of the Personal Information disclosed to him or her and have it amended as appropriate.
- Upon request, the Foundation shall inform an individual whether or not it holds Personal Information about such individual except where permitted by law not to disclose Personal Information to such The Foundation is encouraged to indicate the source of this Personal Information. The Foundation shall allow the individual access to this Personal Information about him or her. In addition, the Foundation shall provide an account of the use that has been made or is being made of this Personal Information.
- An individual may be required to provide sufficient Personal Information to permit the Foundation to provide an account of the existence, use and disclosure of Personal The Foundation shall use the Personal Information provided only for this purpose.
- In certain situations, the Foundation may not be able to provide access to all the Personal Information it holds about an individual. The Foundation may refuse access to Personal Information it holds about an individual only in those circumstances permitted or required by law or by sections 8 or 9 of the Act. The Foundation shall consult the Act to determine whether an exception to the obligation to provide access It shall make only limited and specific exceptions to the access requirements and, upon request, shall provide the reasons for denying access to the individual. Exceptions may include Personal Information that contains references to other individuals, Personal Information that cannot be disclosed for legal, security or commercial proprietary reasons, and Personal Information that is subject to solicitor-client, medical or litigation privilege.
- The Foundation shall respond to an individual’s request within a reasonable time and, in any event, within thirty (30) days of the request. The Foundation may extend the time for responding for up to an additional thirty (30) days if meeting the time limit would unreasonably interfere with the activities of the Foundation; or if the time required to undertake any consultations necessary to respond to the request would make the time limit impracticable to meet. The Foundation may also extend the time for responding for such period of time as is necessary to be able to convert the Personal Information into an alternative format. The Foundation shall provide notice to the individual of any extension taken within thirty (30) days of the individual’s request and shall advise the individual of the right to make a complaint to the Privacy Commissioner about the extension. They shall provide the requested Personal Information or make it available in a form that is generally For example, if the Foundation uses abbreviations or codes to record Personal Information, it shall provide a corresponding explanation.
- Upon request by an individual with sensory disabilities, the Foundation shall give access to Personal Information about the individual in an alternative format if a version of the Personal Information already exists in that format or if its conversion to an alternative format is necessary to allow the individual to exercise rights to request correction, challenge compliance of the Foundation under Principle 10 of Schedule 1 to the Act or complain to the Privacy Commissioner.
- The Foundation shall respond to an individual’s request for access to his or her Personal Information at minimal or no cost. The Foundation may respond to an individual’s request at a cost to the individual if the Foundation has informed the individual of the approximate cost and the individual advises the Foundation that the request is not being withdrawn.
- When an individual successfully challenges the accuracy or completeness of Personal Information, the Foundation shall amend the Personal Information as required. Depending upon the nature of the Personal Information challenged, amendment may involve the correction, deletion or addition of Personal Information.
- The Foundation shall record the substance of any challenge that is not resolved to the satisfaction of the individual.
Principle 10. Challenging Compliance
- The Privacy Officer is discussed in Clause 1.
- The Foundation shall put procedures in place to receive and respond to complaints or inquiries about its policies and practices relating to the handling of Personal Information. The complaint procedures should be easily accessible and simple to use.
- The Foundation shall inform individuals who make inquiries or lodge complaints about its complaint procedures.
- The Foundation shall investigate all complaints. If a complaint is found to be justified, the Foundation shall take appropriate measures, including, if necessary, amending its policies and practices.
- If an individual is not satisfied with the response from the Privacy Officer, he or she may have recourse to the Office of the Privacy Commissioner at:
Federal Privacy Commissioner
112 Kent Street
Phone: (613) 995-8210
Toll-Free: (800) 282-1376
Fax: (613) 947-6850
The Policy on Privacy was approved and adopted by the Board of Directors of the Foundation for Gene and Cell Therapy, now The Jesse Davidson Foundation, on November 26, 2003.
Dr. Jeff Preston
Chair, Board of Directors
Chief Executive Officer