In collecting, using, and disclosing employee or client information, UWSM strives to:
• Comply with all applicable privacy statutes and regulations,
• Limit access of private information to appropriate staff,
• Safeguard the storage and destruction of such information, and
• Keep employee information safe and secure.
Confidential information about UWSM (including its stakeholders, suppliers, and employees) shall not be divulged to anyone other than persons who are authorized to receive such information. When the employee is in doubt as to whether certain information is confidential, no disclosure should be made without first asking appropriate management employees. This basic policy promotes caution and discretion in the handling of confidential information, and it extends to both external and internal disclosure.
Confidential information obtained as a result of employment with UWSM is not to be used by any employee for the purpose of furthering private interest, or as a means of making personal gains. Use or disclosure of such information can result in civil or criminal penalties—both for the individuals involved and for UWSM.
During the course of employment, an employee may become aware of personal and confidential information; UWSM depends on the professionalism and loyalty of each employee to keep such information private. Each employee may also depend on his/her supervisor to keep confidential
any personal matters discussed.
In some instances, UWSM must comply with the Federal Privacy Information Protection and Electronic Documents Act ( PIPEDA ), which applies to the standards for the collection, use, and disclosure of personal information with respect to commercial activity.
The Chief Administrative Officer is the Privacy Officer. He/she is responsible for the agency’s compliance with all privacy legislation.
The Privacy Officer’s duties are to:
• Review UWSM policies, with regard to personal information of employees, donors, and volunteers;
• Implement the necessary changes to guarantee that the collection and retrieval of personal information follows UWSM policy;
• Inform stakeholders and public on how UWSM treats personal information;
• Handle privacy complaints; and
• Respond to all requests for access to confidential information.
For the application of this policy, personal information means:
• The personal address, telephone number, or email address of the individual;
• Any identifying number assigned to an individual that can lead to his/her identification (e.g. Social Insurance Number);
• Information about an individual’s income and assets;
• Bank account and credit card information;
• Information relating to the race, nationality or ethnic origin, citizenship status, colour, religion, age, sex, sexual orientation, marital, or family status of the individual;
• Information relating to the education, medical, psychiatric, psychological, criminal, or employment history of the individual;
• Information about an individual’s personal or political opinions;
• Correspondence sent to UWSM that is of a private or confidential nature, and any replies from UWSM that would reveal contents of the original correspondence; or
• Employee information including résumés, salary and benefits, disciplinary action, bank account information, client complaints about the individual, and problems between staff. Personal information does NOT include the name, position, or business phone number of employees, nor does it include statistical data, which is summarized in such a way as to not identify any individuals.
Personal information will be collected only for the following purposes:
• To demonstrate compliance with funding requirements,
• To protect the health and safety of the client,
• To conduct reference and employment checks, and
• To retain relevant information on employees for government reporting purposes. Staff must not seek out personal information about stakeholders unless it is relevant to their work.
• All staff, volunteers, and Board members will be required to sign a confidentiality agreement.
• Client and employee files (including information on databases) must be safeguarded against unauthorized access.
• Client information and employee information must be stored in a locked filing cabinet. Secure storage facilities must be provided for archived client/employee and accounting information.
• Staff and Board members, where appropriate, should have access to records containing personal information only if required in order to fulfil their duties.
• Databases containing files with personal information and other confidential electronic files must be password protected against unauthorized access.
• All staff have a responsibility to ensure that unauthorized individuals do not have unsupervised access to areas where files are kept and used.
• Paper-based personal information must be shredded prior to disposal. Electronic media must be purged prior to disposal.
No personal information will be released without prior authorization from the Chief Executive & Philanthropy Officer.
Funders and Auditor: UWSM, in order to be in compliance with funding program requirements, must release information to funders and auditors. Personnel performing these jobs have their own professional code of ethics and are required to maintain confidentiality. Staff should confirm that the person concerned is seeking access legitimately.
Researchers: Occasionally, UWSM may be asked to assist a researcher from an academic institution or an independent researcher. Authorization for such individuals to have access to files will depend on their credentials and the nature of their research. The Privacy Officer must approve all such requests for personal information. In the absence of the Privacy Officer, the Chief Executive & Philanthropy Officer must approve requests for personal information.
Law Enforcement: While UWSM has a responsibility to protect clients’ rights to privacy, this responsibility must be balanced with an obligation to the broader community. The Chief Executive & Philanthropy Officer will work with law enforcement when required and mutually determine what information will be released.
Personal information may be released to the police:
• In the context of reporting criminal activity, staff with personal knowledge should report theft, damage, or fraud.
• With respect to crimes against persons, witnesses are obligated to report and provide appropriate information to the police so that charges can be laid.
• If there is a report of suspected criminal activity. If there is good reason to believe that there is a drug problem or other illegal activity in the building, this should be reported to the police.
• If there is a concern that a person may harm themselves or someone else.
Next of Kin or Emergency Contacts: It may be appropriate to use personal information to contact a community service agency or a designated relative in exceptional circumstances (i.e. when using an emergency contact).
• The Privacy Officer will respond to all requests for access to confidential information of employees, donors, volunteers, and recipients.
• An individual who provides satisfactory identification will be informed of the existence, use and disclosure of his or her personal information, and will be given access to that information. The privacy of others’ personal information must be protected when giving an individual access to his or her own personal information.
• An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate. If the Privacy Officer is not in agreement with the individual’s request for correction, a counter-statement will be filed with the original information.
The Privacy Officer will respond to all complaints about collection, use, disclosure, storage and disposal of personal information within thirty days of the request being made and advise the complainant as to the action that has to be taken.
Each complaint will be assessed to determine whether:
• Correction of personal information is necessary;
• Information was collected, used, released, or disposed of inappropriately;
• UWSM’s policies and procedures need to be strengthened; and
• Disciplinary or other action needs to be taken with respect to a breach of a confidentiality agreement.
Where necessary, the Privacy Officer will make the necessary recommendations to the Board of Directors in connection with resolution of the complaint.