ALMONTE GENERAL HOSPITAL - FAIRVIEW MANOR FOUNDATION
PRIVACY POLICY

ADOPTED: MAY 5, 2016

The Almonte General Hospital/Fairview Manor Foundation is committed to protecting the privacy of our donors, volunteers, staff and prospective supporters.  We value the trust of those we deal with, and of the public, and recognize that maintaining this trust requires transparency and accountability in our treatment of the information that is entrusted to us.

Accordingly, the Foundation complies with the federal Personal Information Protection and Electronic Documents Act (PIPEDA) Personal Health Information ACT (PHIPA) and the provincial Personal Information Protection Act (PIPA), and embraces ethical guidelines established by the Association of Fundraising Professionals. These include the Donor Bill of Rights and Ethical Code of Conduct which are available through our website or by contacting the Foundation’s Managing Director.

This policy may be updated from time to time with changes approved by the Board of Directors to reflect developments in our practises, new technology or in the law.

PURPOSE, APPLICATION AND SCOPE:

Personal information is any information that can be used to distinguish, identify or contact a specific individual.  This information can include an individual’s opinions or beliefs, as well as facts about or related to the individual. Business contact information and certain publically available information, such as phone numbers, emails, etc. are not considered personal information.

The AGH-FVM Foundation is responsible for all personal information under its custody or control including information which it may transfer to a third party for processing. The Managing Director is responsible for ensuring compliance with this policy but may delegate day-to-day responsibility for administration of the policy to other employees. The Managing Director remains accountable for the handling of personal information. 

The Foundation is responsible for information sent to third parties for processing on behalf of the Foundation or to service providers. The Foundation requires any such third party to use the personal information only for the purposes for which it is provided to them and to protect the security of the information in accordance with privacy laws.

PROCEDURES:

The Foundation collects and uses personal information of donors only for the following purposes:

  • To process donations
  • To keep donors informed about the activities of the Hospital and the Foundation
  • To ask individuals and organizations for their support
  • To send an acknowledgement to the designated recipient of an in memoriam or in honour gift
  • To process orders for event or activity tickets or other fundraising products
  • For internal analysis to assist the Foundation with planning and future activities

When contacting donors, the Foundation respects their expressed preferences concerning matters such as method, frequency or public recognition.
Individuals collecting personal information on behalf of the Foundation will be able to identify the purposes for which the information is being collected. If information is to be used for a purpose not previously mentioned, the Foundation will identify this purpose and provide individuals with an opportunity to opt out.

Former patient solicitation (Grateful patient mailings)
Fundraising is permitted under the Personal Health Information Protection Act (PHIPA). Consent is implied by being a patient and allows hospitals to use personal information about an individual for the sole purpose of fundraising.  A patient can withdraw consent at any time by contacting the Managing Director.

The Foundation receives limited information on patients who have been discharged from the Almonte General Hospital.  Safeguards have been put in place to protect patient privacy and to eliminate inappropriate mailings. The Hospital prepares the data and then sends it to the Foundation which prepares Grateful Patient mailings. Patients that are excluded include:

  • Mental health patients
  • Stillborn or neonatal deaths
  • 18 years and younger

Only if a patient responds to a mailing does the Foundation enter their personal information into our database.  Except as otherwise permitted or required by law, the Foundation collects, uses and discloses personal information only with the consent of the individual.

Any individual may withdraw consent to use his or her personal information for any purposes at any time by contacting the Managing Director. The Foundation will explain the consequences of withdrawing consent. Please allow a reasonable time to process any request to withdraw consent.

Consent to the collection of information from the website

Donations to the Foundation may be made via the website. Any personal information provided by an individual over the website will be treated in accordance with this policy. Credit card information is processed via a secure encrypted payment gateway.

Accuracy

The Foundation seeks to ensure that the personal information it uses is accurate and up-to-date. Please assist us by advising of any inaccuracies you notice and we will make appropriate corrections.
Limiting disclosure and retention of personal information

The Foundation limits the collection of personal information to that which is necessary for the purposes for which it is collected.  The Foundation does not see, rent or lease donor lists.

Only employees, authorized volunteers and agents with a need to know for Foundation business purposes have access to personal information.
The Foundation retains personal information only as long as necessary for the specified purposes. When no longer required, the information will be destroyed.

Safeguards

The Foundation protects personal information against such risks as loss or theft, unauthorized access, disclosure, copying, modification and destruction by using appropriate security measures. The Foundation is committed to protecting the information regardless of the format in which it is held.
The Foundation’s employees, authorized volunteers and agents with access to personal information are required to respect the confidentiality of that information by signing a Confidentiality Agreement, participating in privacy training and implementing methods of protection that include:

  • Physical measures such as locked filling cabinets and desk drawers
  • Organizational measures such as limiting access to a “need to know” basis and
  • Technological measures such as passwords, encryption and audits

Privacy Breach

Any individual that learns of a breach will stop and minimize the breach and then contact the Managing Director of the Foundation.

The Managing Director will:

  • Identify the extent of the privacy breach and take steps to contain it
  • Retrieve hard copies of any personal information that has been disclosed
  • Ensure that the person who was not authorized to receive the information did not make or keep copies of the information and get that person’s contact information for follow up
  • Determine if the breach allows unauthorized access to any other personal information
  • Take appropriate steps to stop any further breaches, i.e. change password, get new keys etc.
  • Identify the person(s) whose privacy was breached
  • Notify the Foundation’s board chair

Following the breach, the Managing Director will ensure:

  • Immediate containment requirements are addressed
  • The circumstances surrounding the breach have been identified
  • That the individuals or their substitute decision makers will make a determination of notification of the breach and notify and inform:
    • What and how much personal information was affected?
    • What steps have been taken to rectify the breach?
    • If financial information is involved, suggest the individual contact the appropriate agencies, i.e. bank etc.
    • Whether the police should be involved

Access

Upon request, the Foundation will inform an individual of the existence, use and disclosure of his/her personal information. Requests must be made by contacting the Managing Director. On receiving a request, the Foundation may require sufficient documentation to confirm the individual’s identity before releasing personal information. Upon receiving the request, the Foundation will disclose:

  • Whether or not it holds personal information about the individual
  • The source of the information
  • An account of third parties with whom the information has been disclosed.

The Foundation will also allow the individual to view the information or receive copies of it. There may be circumstances where the Foundation cannot provide access to all information requested.  This may be for legal or security reasons. The Foundation will explain it reasons in those circumstances.
Subject to applicable legislation, the Foundation will endeavour to provide this information with 30 days of receipt of the written request.

Contact: Managing Director

For further information about the AGH-FVM Foundation’s information handling practises or to make a complaint, please contact the Managing Director, Al Roberts, CFRE, 613-256-2500 ext. 2297
or aroberts@agh-fvm.com

EVALUATION:

This policy will be reviewed annually by the Governance and Nominating Committee.