Protection of Personal Information Policy
TorchLight recognizes that every individual has a right to privacy, which must be protected, consistent with public interest, legislation, and personal safety. Confidentiality will be valued as one of the operating principles of this organization.
Policies, training and communication shall exist, to ensure the confidentiality of every individual, including callers and Volunteers, as it pertains to telephone information and records of calls. Personal information of callers, Volunteers, Board members and Staff will be protected. Volunteers will not give their full names to callers and will not be identified to callers. Callers will not have caller information displayed or any calls recorded. Software programs will be password protected and have limitations on access. Only the Executive Director and specified management positions will have access to personnel records.
TorchLight is responsible for protecting personal information and designates the Executive Director to be accountable for controlling records and compliance with privacy policies and privacy legislation. The Executive Director will ensure that procedures are implemented to protect personal information, and to respond to complaints and inquiries. The Executive Director will give her/his name to anyone requesting compliance with privacy policies.
Accuracy and Limitation
Information collected will be by fair and lawful means and will be as accurate, and as current as necessary for the purpose for which it is used. Information collected will take into account the interests of the individual. It will also be limited to that which is necessary, has a defined reason and can be explained. The Executive Director will implement procedures to ensure that information collected is accurate and is updated as necessary. Individuals will not be contacted for information unless such a process is needed to fulfill an ethical and valid purpose.
Any individual will be able to address a challenge concerning compliance with any privacy policies, by contacting the Executive Director. Procedures will be implemented to receive and respond to complaints or inquiries relating to collecting or handling personal information. The Executive Director will inform individuals who have complaints or inquiries, about the relevant mechanisms to address these issues. The Executive Director will address complaints or inquiries to resolve any situations where privacy policies are challenged, and will further evaluate the internal and external review process each time there is a complaint, to amend if necessary, the policies and practices of TorchLight.
Information collected will not be disclosed for purposes other than those for which it has been collected. A Confidentiality Agreement will be read and signed by Staff and Volunteers at the time of orientation. Safeguards will be in place to allow the access of call report records to authorized personnel only. In the case where a valid subpoena, search warrant or court order is issued for the purpose of investigation, the Executive Director will validate the request, and comply with the request. In any case of investigation, documentation of information given, dates and reasons will be kept.
Retention and Disposal
Information will be retained as long as necessary to fulfill the intended purpose of the information, generally according to the following guidelines:
- Call records – Call out active member records are kept as long as necessary to fulfill the intended purpose of service
- Staff files – 7 years after the employee has left the organization
- Volunteer files – 3 years after the person has left the organization
- Unprocessed applications for Employees or Volunteers – 1 year after application
- Financial information – 7 years
Personal information will be retained in a secure and locked location when not in use. When in use, files or personal information documents will be treated in a confidential manner, not open for viewing by unauthorized personnel. If confidential information is stored electronically or in databases, safeguards will be in place to ensure that only those authorized may have access to information.
When personal or financial information is no longer needed or has been kept in accordance with the established guidelines, it will be destroyed, erased or made anonymous in a confidential manner. Paper documents containing names or identification, will be destroyed by the Executive Director using off-site shredding.
Security safeguards will be in place to protect personal information against loss, theft, as well as unauthorized access. The nature of the safeguards will vary, depending on the sensitivity of the information. Methods of protection will include:
- Locked filing cabinets, and secure storage of files not in use
- Restricted access to the organization’s location and to the Executive Director’s office
- Password protected sign-in software programs for collecting call reports and Volunteer schedules/information (ICarol)
- ICarol call reports are automatically deleted after 6 months
- Encryption in information systems
- Virus software updated routinely, and back up of information routinely
- Computer firewalls in place
- All printed information disposed of securely by shredding.
When faxing or emailing information, discretion will be used to ensure that the recipient is authorized, and information will be limited to that which is necessary for its purpose.
PIPEDA – The Personal Information Protection and Electronic Documents Act, updated March 3, 2006