1. Policy Statement
Pegasus recognizes that privacy is a key component of its relationship of trust with all its stakeholders. In accordance with applicable privacy legislation, Pegasus protects and maintains the privacy of the personal information of its participants, donors, volunteers and other stakeholders.
Pegasus does not rent, sell or trade any personal information, including our mailing lists, with outside parties.
All employees are required to maintain confidentiality regarding all information relating to stakeholders, service and support functions, personnel matters and the business matters of Pegasus. Employees are required to sign a confidentiality agreement upon hire and renew it on an annual basis. Volunteers and other stakeholders will be required to sign a confidentiality agreement as required.
Pegasus is committed to promoting responsible and transparent practices in the confidentiality and management of personal information. Pegasus will review this policy on an annual basis to ensure that it is relevant and current with changing laws and technologies.
2. Policy Outline
Pegasus adheres, to the maximum extent possible, to the principles of fair information practices laid out in the Canadian Standards Association Model Code for the Protection of Personal Information and the Personal Health Information Protection Act (PHIPA).
Pegasus also complies with all other applicable laws and established ethical guidelines for charitable organizations.
This policy covers all personal and health information related to participants, volunteers and donors held by Pegasus in various formats (e.g. paper, electronic).
Pegasus employee information is not subject to this policy. Our employee personal and health information is safeguarded according to industry standard best practices and other relevant legislation.
Personal information within this policy is inclusive of health or clinical information (physical, mental and/or behavioural) of participants.
In addition, this policy covers all matters related to the business activity of Pegasus including all intellectual property.
Personal Information is information about an identifiable person (not including business contact information). Examples of personal information include the history of an individual’s donations to Pegasus, school records, health records or family information.
Pegasus collects personal information in a variety of different ways and for a variety of purposes e.g. when a participant joins our services and supports or when we conduct fundraising activities or volunteer drives. The personal information that Pegasus collects could include:
· Name, address, email, telephone number and other contact information
· Income, employment information, personal and social history
· Information about participant’s support, health and welfare
· Donation/fundraising details or history of giving
Consent is voluntary agreement with what is being done or proposed. Consent can be either expressly given, either orally or in writing, or implied. Implied consent is where consent may reasonably be inferred from the action or inaction of an individual.
Appropriate purpose is where an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances or to comply with duty of care for participants, staff and volunteers as part of support and day to day programming.
Records includes any correspondence, memorandum, book, plan, map, drawing, diagram, pictorial or graphic work, photograph, film, microform, sound recording, videotape, machine-readable record and any other documentary material, regardless of physical form or characteristics, and any copy of any of those things.
It also includes any information or records regarding participants that are deemed necessary for the support, safety and day to day programming. Discretion of what information is necessary to share with employees or volunteers is applied, dependent on the circumstance or event.
All personal records, including health information, will remain the property of Pegasus. Staff and volunteers are required to sign a Confidentiality Agreement (Appendix 1) and maintain the privacy and confidentiality of all records during and after their employment or service ends.
6. Privacy and Confidentiality Principles
Pegasus is committed to upholding the following principles to ensure privacy and confidentiality of information is correctly maintained:
6.1. Identifying Purposes
Pegasus will – at or before the time of collecting personal information – identify the purposes for which personal information is collected to the individual from whom the information is being collected. Pegasus will also inform individuals of any new purpose for personal information and obtain consent to use the information for that new purpose.
Personal information may be used by Pegasus for the following purposes:
· Planning and providing supports, services, programs or information about Pegasus
· Educating program supervisors and staff or volunteers about participants’ health conditions and other information that is relevant to appropriate care and supervision
· Providing information to third parties only when consent has been given
· Fundraising and promotional activities
· Evaluation of our services
· Contact information among volunteers for the purpose of co-ordination of schedules and committees.
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Pegasus may also disclose personal information without knowledge or consent in the case of life threatening emergencies or to comply with the law (e.g. a subpoena).
When you provide us with your personal information during the intake process, we will assume that you consent to our collection and use of that information for the purposes identified in this policy. Pegasus will obtain participants' written consent to collect and release information from and to third parties, e.g. other service agencies (Appendix 2: Authorization to Collect, Use and Release Information for Services).
To obtain consent:
6.2.1. Pegasus will make reasonable efforts to ensure that the individuals are advised verbally or in writing of the purposes and use for the collection. Purposes shall be stated in a manner that can reasonably be understood by the individuals in their language.
6.2.2. Under normal circumstances, Pegasus will seek consent at the time of collection for the use and disclosure of personal information. However, Pegasus may seek consent after it has been collected, but before it has been disclosed or used, for a new purpose.
6.2.3. In determining the appropriate form of consent, Pegasus shall take into account the sensitivity of the personal information and the reasonable expectations of the individual.
· Express consent – verbal or written, including an email, letter or a form that you sign describing the intended uses and disclosures of personal information (Appendix 2).
· Implied consent – for example, when you provide information necessary for a service you have requested, or where Pegasus has given notice about using your personal information and you have not withdrawn your consent for the identified purpose (e.g. using opt-out option provided).
Consent may also be given by your authorized representative (e.g. legal guardian) on your behalf.
Personal information will be as accurate, complete and up to date as possible at all times. This minimizes the possibility that inappropriate information may be used to make a decision about an individual. Individuals can contact Pegasus at any time to update their personal information, and Pegasus may retain the original information for reference purposes.
Pegasus is responsible for maintaining and protecting the personal information we hold. Pegasus has appointed an Information Officer who ensures that Pegasus complies with this policy in accordance with applicable privacy legislation. The information officer also responds to any inquiries and complaints related to privacy matters, as well as requests for access or correction of records (see sections 6.i. and 6.j. below for more information).
Pegasus maintains strict control over access to personal information once it has been shared with Pegasus. Access to information is granted only to authorized employees who need the information to fulfil their job requirements. Certain health and behavioural information about participants is only accessible by senior staff members and the Executive Director.
Some information about participants can be shared on a case-by-case basis, with permission, such as contact information for a charity event, or information to volunteers if they are working directly with participants. Information may be shared on a case-by-case basis in service planning, supervision and internal reviews or investigations.
All Pegasus staff and volunteers are trained in this policy at the time of orientation and sign a Confidentiality Agreement on an annual basis (Appendix 1) that specifies personal information cannot be discussed or used outside of Pegasus. Pegasus has also developed information that explains how personal information is protected and the procedures and processes followed if a complaint arises for participants, volunteers and donors (Appendix 3: Procedures for ensuring and maintaining the protection of confidentiality and privacy of information).
Pegasus protects personal information by security safeguards appropriate to the sensitivity of the information. Pegasus has processes and systems in place to protect personal information against such risks as loss or theft, unauthorized access, disclosure, copying, use, modification or disposal, through appropriate security measures. Pegasus will protect the information regardless of the format in which it is held.
Pegasus will protect personal information disclosed to third parties by contractual agreements stipulating the confidentiality of the information and the purposes for which it is to be used.
Pegasus will make readily available to individuals specific information about its policies and practices relating to the management of personal information. This information will be made available in multiple formats. Pegasus will also make readily available:
6.6.1. The name or title and address of the person or persons accountable for compliance with the Privacy of Information and Confidentiality Policy within Pegasus and to whom complaints and inquiries can be forwarded.
6.6.2. The means of gaining access to personal information held by Pegasus.
6.6.3. A description of the type of personal information held by Pegasus, including a general account of its use.
6.6.4. Publicly available copies of any information that explains Pegasus’ policies, processes and principles.
6.7. Limiting Collection
The collection of personal information will be limited to that which is necessary for the purposes identified by Pegasus. Information will be collected by fair and lawful means.
6.7.1. Pegasus will not collect personal information indiscriminately. The amount and type of information collected will be limited to the minimum amount necessary to satisfy the purpose.
6.7.2. As much as possible, personal information will be collected directly from the individual.
6.8. Individual Access
If a participant, donor or volunteer requests, Pegasus will provide them access to their personal information. Pegasus will respond to requests for access within 30 days, unless 30 days would unreasonably interfere with our activities or more time is required to undertake the consultations necessary to respond to the request.
A participant, donor or volunteer can challenge the accuracy and completeness of the information and have it amended as appropriate.
If you would like to access or amend Pegasus’ file of your personal information, write to:
The Information Officer
Pegasus Community Project
931 Kingston Road
Toronto, M4E 1S6
Your right to access or correct your personal information is subject to applicable legal, security, and solicitor-client litigation privilege or commercial restrictions. Other restrictions include information that is costly to provide or information that contains certain references to other individuals or if access to an individual's information entails access to third party information.
Upon request, Pegasus will give the individual a reasonable time to review their personal information on file and will provide copies in an understandable format if requested. If the information access request is related to information given to third parties, Pegasus will provide a list of organizations where personal information has been disclosed.
6.9. Limiting Use, Disclosure and Retention
Personal information will not be used or disclosed for purposes other than those for which it is collected, except with the consent of the individual or as required by law. Pegasus will retain personal information as long as necessary for the fulfilment of those purposes or as legally required.
6.9.1. Only Pegasus employees, or authorized agents with a need to know for organization purposes, or whose duties reasonably so require, are granted access to personal information about participants, volunteers or donors.
6.9.2. Pegasus does not allow third parties access to its participant, volunteer or donor lists.
6.9.3. Pegasus is committed to managing and controlling information through best practice processes and documentation management systems. This includes retention and regular destruction of information that is no longer necessary or is made anonymous.
6.10. Challenging compliance
Pegasus is committed to maintaining best practice procedures for all complaints and inquiries regarding compliance with this policy. Pegasus widely communicates this policy and trains staff, participants and volunteers on the systems and procedures in place around privacy of information and confidentiality.
An individual can challenge Pegasus' compliance with this policy at any time. The Information Officer will raise the concern to the Executive Director who will investigate all complaints within a reasonable time period. External advice may be sought in certain cases before a final written response is given. If a complaint is found to be justified, all appropriate measures will be taken which may include amendment of policies and procedures. The individual will be informed of the outcome of the investigation.
7. Withdrawal of consent to collection, use and disclosure of personal information
You may withdraw your consent to collection, use and disclosure of personal information at any time, subject to contractual and legal restrictions and reasonable notice in writing.
If you withdraw your consent to certain uses of your personal information, we may no longer be able to provide you with certain supports or services or to continue our working agreement with you.
8. Policy Violations
Employees who do not follow this policy will be subject to disciplinary action, which may include termination. Examples of violations include:
· Violation of client confidentiality agreements
· Misusing, disclosing without authorization, making unauthorized or agreed amendments to personal information.
· Breaking electronic security processes by sharing passwords.
Staff will receive training on this policy as a part of their initial orientation and yearly thereafter.
Participants will be trained on policies and procedures related to privacy of information and confidentiality in a language and manner, and with a level of support, that is appropriate to their needs. This training will take place during intake and annually thereafter or as often as needed.
10. Policy Review
Pegasus’ Board of Directors and Executive Director will undertake an annual review of all its policies and related procedures to ensure compliance with best practice information management and the protection of privacy and personal information of all participants, donors and volunteers.
The review process will consist of a documented audit and any recommended changes to prevent any violation of this policy will be implemented as required.