WESTHILLHURST COMMUNITY ASSOCIATION (“WHCA”) PRIVACY GUIDELINES

Privacy Policy

The WHCA Privacy Guidelines incorporate the provisions of Part 1 of the Personal Information and Electronic Documents Act (PIPEDA – Government of Canada), the principals of the Personal Information Protection Act (PIPA – Government of Alberta) and the ten principles of the Canadian Standards Association (CSA) Model Code for the Protection of Personal Information. 

Application of Privacy Principles: 

1. ACCOUNTABILITY: 

The WHCA has appointed a Privacy Officer(s) who is accountable for ensuring compliance with the WHCA Privacy Policy and Guidelines.  Accountability rests with the Privacy Officer even though other individuals within the WHCA may take responsibility for the day-to-day collection and processing of personal information.  The privacy officer for WHCA is the Executive Director while the person responsible for the day-to-day collection and processing of personal information is the Administrative Assistant. 

The WHCA is responsible for all personal information in its possession or control, including information that has been transferred to a third party for processing.  The WHCA will use contracts or other means to provide an appropriate level of protection when a third party processes information on behalf of the association. 

The WHCA will, from time to time, establish procedures to implement its commitment to privacy, including:

- Procedures to protect personal information

- Procedures to receive and respond to complaints and inquiries

- Communications and training programs to provide information to the WHCA’s staff about privacy policies and practices. 

2. IDENTIFYING PURPOSES: 

The WHCA identifies the purposes for which personal information is collected at or before the time the information is collected, and documents those purposes. 

The WHCA collects only that information necessary for the purposes that have been identified. 

The WHCA specifies (verbally, electronically or in writing) and explains the identified purposes(s) to the individual at or before the personal information is collected. 

When personal information is collected for a purpose not previously identified, the new purpose is communicated to the individual prior to use.  In such cases, the consent of the individual is required before the information is re-used. 

The WHCA collects personal information from individuals in order to:

- Screen individuals for employment, volunteer or contracting suitability

- Manage and administer personnel (including performance appraisal, security and access control and discipline)

- Manage and administer compensation and benefits programs

- Administer payroll

- Administer occupational health and safety programs

- Monitor and track skills and competency development

- Meet legal and regulatory requirements (e.g. Employment Standards legislation, casino volunteer registration under provincial gaming laws, Canada Customs and Revenue Agency reporting requirements)

- Facilitate WHCA audits when required to do so

- Provide contact information of WHCA staff, board members and other volunteers, to the Federation of Calgary Communities (“FCC”), to other communities within FCC, and to other affiliated organizations (e.g. Volunteer Calgary)

- Provide contact information of WHCA staff and volunteers to WHCA’s insurers

- Provide such information as may be required for administration of WHCA programs. 

3. CONSENT: 

The WHCA uses reasonable efforts to ensure that individuals understand how their personal information will be used.  The WHCA obtains consent as required for the collection, use and disclosure of personal information, except where inappropriate. 

When determining the form of consent, the WHCA considers the sensitivity of the information and the reasonable expectations of the individual.  Express consent will be obtained when the information is likely to be considered sensitive; implied consent may be appropriate when information is less sensitive.  Consent may also be given through an individual’s authorized representative (such as a legal guardian or a person having power of attorney). 

The WHCA obtains consent for the collection, use or disclosure of information through various means, including verbal, written (e.g. signed forms) or electronic processes. 

In rare circumstances, the WHCA may collect and use personal information without the individual’s knowledge or consent. For example:

- If it is clearly in the interests of the individual and consent cannot be obtained in a timely way (e.g. when the individual is seriously ill)

- If obtaining prior consent would defeat the purpose of collecting the information (e.g. in the investigation of alleged criminal activity)

- In the case of an emergency where the life, health or security of the individual is threatened. 

The WHCA generally seeks to obtain consent at the same time personal information is collected.  The WHCA may, however, seek consent to use and disclose personal information after it has been collected, but before it is used or disclosed for a new purpose (e.g. before disclosing board member information to a funding organization if this purpose was not previously contemplated). 

Consent may be withdrawn at any time, subject to legal or contractual restrictions and reasonable notice. The WHCA and/or the Privacy Officer informs individuals of the implications for withdrawing consent. 

4. LIMITING COLLECTION: 

The WHCA limits the amount and type of personal information collected to that which is necessary for the identified purpose.  

The WHCA collects information by fair and lawful means. 

The WHCA may collect the following information from employees and contractors:

- demographic and contact information including home address and telephone number, date of birth, social insurance number and gender

- education and employment history

- banking or financial information

- health information

- security background checks, as required. 

The WHCA may collect the following personal information from board members and other volunteers:

- demographic and contact information including home address and telephone number, business name, address and telephone number

- education and employment history

- areas of interest and expertise

- history of community involvement. 

The WHCA may collect the following personal information from members of the WHCA:

- names and contact information, including home address and telephone numbers

- demographic information about community association membership, including number and ages of children, seniors, ethnic background, interest in programs or facilities, for program planning purposes

- financial information, if members involved in programs with financial eligibility requirements, or where payment is required for programs or services

- limited medical information for members or children of members participating in sporting activities 

The WHCA may collect personal information through the following means:

- solicited and unsolicited resumes and correspondence

- completed application forms (paper or on-line format) for employment, benefits, grants and bursaries, volunteer opportunities, sports and other program registrations, facilities rental applications, etc.

- in person and through telephone interviews

- on-line forms through the website. 

5.  LIMITING USE, DISCLOSURE AND RETENTION 

The WHCA does not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required by law.  

Notwithstanding the above, the WHCA may disclose personal information without consent: 

- to a lawyer representing the WHCA

- to a company or individual employed by the WHCA to perform functions on its behalf (e.g. outsourced information processing function, administration of health services plan)

- in order to collect a debt owed by the individual to the WHCA

- to comply with a subpoena, warrant, or court order

as required or authorized by law (e.g. Employment Standards legislation)

- when the information is publicly available (e.g. telephone directory information)

to a public authority in the event of imminent danger to any individual. 

The WHCA obtains consent for all other disclosures of personal information for purposes other than those for which the information was initially collected (e.g. to provide references regarding current or former employees. The WHCA does not require consent to confirm an individual’s employment record (e.g. confirm years of employment, and position held)). 

Only WHCA employees or volunteers with a business need-to-know, or whose duties so require, are granted access to personal information. 

The WHCA has developed guidelines and implemented procedures with respect to the retention of personal information.  The WHCA retains personal information only as long as it is necessary for the identified purpose, or as required by law.  Where personal information is used to make a decision about an individual, the WHCA retains the information, or the rationale for making the decision, long enough to allow the individual access to the information after the decision has been made. 

Personal information that is no longer required to fulfill the identified purposes or required by law to be retained is destroyed, erased or made anonymous.  

6.  ACCURACY 

The WHCA ensures that personal information collected, used and disclosed is as accurate, complete and up-to-date as necessary for the intended purpose. 

Personal information is kept sufficiently accurate, complete and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about the subject individual. 

The WHCA updates personal information as and when necessary to fulfill the identified purpose or upon notification by the individual who is the subject of the information.  

7.  SAFEGUARDS 

The WHCA protects personal information against such risks as loss or theft, unauthorized access, disclosure, copying, use, modification or destruction, regardless of the format in which it is held. 

The WHCA has developed and implemented information security policies and procedures that outline physical, organizational, and technological measures in place to protect personal information as appropriate to the sensitivity of the information. 

The WHCA protects personal information disclosed to, or processed by third parties by contractual agreements which address the following as necessary: 

- identifying the types of records provided, collected, created, or maintained in order to deliver the service, and specifying any applicable privacy legislation;

- stipulating the confidentiality of the information and the purposes for which it is to be used (requiring the third party provides at least the same level of protection that the WHCA does);

- identifying the organization(s) having custody and control of the records, including the responsibility and process for handling requests for access to information;

- ensuring that third parties and their employees having access to the WHCA’s information assets are aware of, and understand their responsibility to adhere to the WHCA’s information handling and security policies, including maintaining the confidentiality of personal information;

- ensuring that the WHCA has access to information produced, developed, recorded or acquired by third parties as a result of the contract, including timely access in response to requests for information, and specifying that third parties shall not deny access to, or retain custody of, personal information because of late or disputed payment for services;

- requiring third parties to report breaches of confidentiality and privacy to the WHCA’s Privacy Officer within 48 hours of knowing that the breach occurred;

- addressing disaster recovery and backup of any information assets and systems in the custody of the third party;

- addressing the disposition (e.g. destruction or return) of all of the WHCA’s information assets (e.g. records, hardware, system documentation) upon termination of the contract;

- specifying any audit or enforcement measures that the WHCA will undertake to ensure that third parties comply with information handling and security provisions outlined in contractual agreements (for example, non-disclosure agreements, audit trails, regular review of third party access requirements, inspection of third party premises). 

The WHCA ensures that all employees and volunteers are aware of its privacy policies and procedures, and understand the importance of maintaining the confidentiality of personal information. 

Care shall be taken in the disposal or destruction of personal information to prevent unauthorized parties from obtaining access to the information. 

8.  OPENNESS 

Upon request, the WHCA makes available specific information about its policies and practices relating to the management of personal information, including:

- the means of gaining access to personal information held by the WHCA;

identification of personal information held by the WHCA, and a general account of its use;

- a copy of any brochures or other information explaining the WHCA’s Privacy Policy, Guidelines and related procedures;

- reference to the statement of the WHCA Privacy Policy on the WHCA website, if applicable. 

To make an inquiry or lodge a complaint about the WHCA’s personal information handling  policies and procedures, contact:

WHCA Privacy Officer

1940 – 6^th Avenue NW

Calgary, AB,   T2N 0W3

403-283-0464

 9.  INDIVIDUAL ACCESS 

Upon request, the WHCA provides individuals with access to their personal information held by the association. Individuals have the right to challenge the accuracy and completeness of their personal information held by the WHCA, and to have it amended as appropriate. 

All requests by individuals (e.g. members, employees, volunteers, contractors) to access their personal information held by the WHCA, or to correct or amend their personal information, should be directed to the designated Privacy Officer.  Such requests should be in writing. 

The WHCA responds to requests for access to personal information within 30 business days. 

Responding to an individual’s request for information is usually done at no or minimal cost to the individual.  However, a fee for reasonable costs incurred may be charged when responding to more complex requests, provided the individual is informed in advance. 

In order to safeguard personal information, the WHCA may request sufficient information from the individual to verify that person’s identity.  

Limitations to Individual Access  

The WHCA provides individuals access to their personal information subject to limited and specific exceptions.  The WHCA will refuse access to personal information if: 

- the WHCA has disclosed information to a government institution for law enforcement or national security reasons;

- it would reveal personal information about a third party unless there is consent or a life-threatening situation;

- doing so could reasonably be expected to threaten the life or security of another individual;

- the disclosure would reveal confidential commercial information; or

- the information is protected by solicitor-client privilege. 

If access to information is refused, the WHCA shall, in writing, inform the individual of the refusal, the reason(s) for the refusal, and any recourse the individual may have to challenge the WHCA’s decision.

Correction/Amendment of Personal Information 

The WHCA corrects or amends personal information as required when an individual successfully demonstrates the inaccuracy or incompleteness of the information.  Amendment may involve the correction, deletion, erasure, or addition to any personal information found to be inaccurate or incomplete.  

Any unresolved differences as to accuracy or completeness shall be noted in the individual’s file. Where appropriate, the WHCA shall inform any third parties having access to the personal information in question as to any amendments, or the existence of any unresolved differences between the individual and the WHCA. 

10. CHALLENGING COMPLIANCE 

The WHCA investigates all complaints concerning compliance with its Privacy Policy, Guidelines and practices, and responds within 30 days of receipt of a complaint.   If a complaint is found to be justified, the WHCA takes appropriate measures to resolve the complaint including, if necessary, amending its policies and procedures. Individuals shall be informed of the outcome of the investigation regarding their complaint. 

Complainants may address inquiries or complaints concerning compliance with these policies or guidelines by contacting the WHCA Privacy Officer as set out in these Guidelines under Principle 8 (Openness).  A complaint may also be addressed in writing to the Privacy Commissioner of Canada at 112 Kent Street, Ottawa, Ontario, K1A 1H3 –or- to the Office of the Information and Privacy Commissioner of Alberta, #410 – 9925 – 109^th Street, Edmonton, AB, T5K 2J8, 780-422-6860, www.oipc.ab.ca.