ADO Privacy Policy

In accord with this covenant, the Anglican Diocese of Ottawa has approved an updated Privacy Standards Policy and associated procedures and guidelines covering the collection, management, retention and disposition of personal information held by the Diocese, in accordance with the federal Personal Information Protection and Electronic Documents Act.

The Policy outlines our commitment to privacy and applies to all individuals, lay or ordained, paid or unpaid, who are the staff, donors, subscribers, volunteers or clients of the Diocese of Ottawa, its offices, agencies and parishes.

Included is a toolkit with a checklist to help parishes and agencies assess their own handling of personal information, and a “how to” for website privacy.

The Policy and related documents can be found by clicking the button below.

If you have questions on the policy, procedures, guidelines or complaints received about the handling of personal information held in a diocesan office, agency or parish, please write to the Diocese Privacy Officer.

Privacy Standards Policy

In accord with this covenant, the Anglican Diocese of Ottawa (ADO) has approved an updated Privacy Standards Policy and associated procedures and guidelines covering the collection, management, retention and disposition of personal information held by the Diocese, in accordance with the federal Personal Information Protection and Electronic Documents Act (PIPEDA).

Included is a Privacy Standards Policy to help parishes and agencies assess their own handling of personal information, and a “how to” for website privacy.

Purpose of the Policy

The Privacy Standards Policy and related procedures and guidelines for use are intended to ensure the proper collection, use, retention and distribution of personal information by the Anglican Diocese of Ottawa, its agencies and its parishes, to reflect the requirements of the PIPEDA. The Policy and its procedures and guidelines are to be followed by all individuals, lay or ordained, paid or unpaid, who serve the Diocese under the jurisdiction of the Bishop of Ottawa or in the parishes which make up the Diocese. Protecting the privacy and confidentiality of personal information in the way we collect, use and disclose information appropriately, responsibly and ethically is fundamental to the effective functioning of the Diocese.

The Diocese follows the ten principles for handling personal information as set out in Schedule 1 to the PIPEDA. These principles are: accountability; identifying purposes; consent; limiting collection; limiting use, disclosure and retention; accuracy; safeguards; openness; individual access; and providing of recourse.

Accountability

Each office, agency or parish is responsible for following procedures for collection, retention and distribution that are in accordance with this policy and following the principles outlined in Appendix A and B.

Staff will be made aware of the importance of maintaining the security and confidentiality of personal information. The misuse or improper handling of personal information may result in disciplinary action up to and including dismissal.

Each office, agency and parish of the Diocese will assign at least one person as Privacy Contact. The Privacy Contact will be responsible to co-ordinate the application of the Privacy Policy and Procedures within that office, agency or parish and to be the person to whom queries on privacy matters should be directed, by the Privacy Officer and by others.

Collection

The Diocese of Ottawa has a decentralized record management process for the collection, management, retention and disposition of personal information collected from donors and/or clients.

Information about employees (cleric and lay; full-time, part-time or contract) is kept in confidential and secure personnel files located in the Diocese offices. Parishes retain information on staff, on the congregational membership, on pastoral care matters and on the financial and organizational aspects of parish operations.

Any information on individual parishioners, forwarded to the Diocese of Ottawa by the parishes, is retained in secured files located in the Diocese offices. Congregational information is contained in parish files in the Administration and Finance Office and is stored in locked file cabinets. The Administration and Finance Office manages donor record information.

All personal information is the property of the Diocese of Ottawa and all individuals have controlled access to their personal information. All Diocese of Ottawa personal information obtained by or shared with other organizations and agencies must be handled in compliance with standards comparable to the Diocese of Ottawa Privacy Standards Policy.

This includes the signing of the diocese confidentiality agreement and provisions in the contract of work regarding the protection of the personal information.

Computer and Network Systems

The Diocese computer network systems and databases are secured by complex passwords and firewalls to which only authorized individuals may have access. Routers and servers connected to the internet are protected by a firewall and are further protected against viral attacks and “snooping” by software solutions which meet industry standards.

Retention

Personal information will be retained by the Diocese only for the duration it is needed to conduct its business and ensure statutory compliance. Once personal information is no longer required, it will be destroyed promptly, safely and securely. However, certain laws may require that certain personal information be kept for a specified amount of time. Where this is the case, the law will supersede this policy. The Diocese will take every reasonable precaution to protect personal information with appropriate security measures, physical safeguards and electronic precautions. The Diocese maintains personal information through a combination of paper and digital files. Where required by legislation, disaster recovery or business continuity policies, older records may be stored in a secure offsite location.

Definitions

Personal Information

Personal Information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form such as: home address or phone number, age, marital status, family members’ names, photographs or digital images of a person, employee files, identification numbers, ethnic origin, evaluations, disciplinary actions, the existence of a dispute, opinions, comments, social status, income, credit records, donation information, loan records or medical records.

Personal information does not include the name, title, business address or business telephone number of an employee or volunteer of an organization.

Commercial activity

Any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.

Consent

Voluntary agreement with what is being done or proposed. Consent can be either express or implied. Express consent is given explicitly, either orally or in writing. Express consent is unequivocal and does not require any inference on the part of the organization seeking consent. Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual. Consent occurs and is considered obtained by the ADO when an individual provides express consent orally, in writing or through an applicable online action. Before being asked to provide consent, individuals will be provided with reasons their personal information is being collected, how it will be used and stored and any disclosure or possible disclosure of information.

Disclosure

Making personal information available to others outside the organization.

Use

Refers to the treatment and handling of personal information within an organization.

Appendix A: Privacy Policy Procedures

Privacy Contact

Each office, agency and parish of the Diocese will assign at least one person to be their Privacy Contact. Privacy Contacts are responsible for coordinating the application of the Privacy Standards Policy and associated procedures and guidelines within their office, agency or parish, and to receive any queries on privacy matters from the Privacy Officer or others.

Access, Enquiries and Complaints

In all cases, care should be taken to confirm that the person making the enquiry or complaint or otherwise seeking access to personal information is the person about whom personal information is held or is a person entitled in law to have access to such information. In any case of doubt, the matter should be referred to the Privacy Officer.

Access

  1. All requests for personal access to records held about that individual will be made in writing.
  2. A request for access shall be responded to within a reasonable period, not later than 30 days of receipt.
  3. Persons about whom the Diocese holds personal information may access those records in the presence of the office, agency or parish Privacy Contact or other official designated by the head of the office, agency or parish.
  4. Access to certain parts of her/his personal records by that person may be denied if:
    a) that information is protected by solicitor-client privilege
    b) access could reasonably be expected to threaten the life or security of another individual
    c) that information was generated in the course of a formal dispute process
    d) the individual’s knowledge of the information collection would compromise an investigation of a breach of an agreement or the contravention of the laws of Canada or a province
    e) access would reveal confidential commercial information
    f) access would give access to personal information about another person.
  5. Where access to certain information is to be denied for one of the reasons described above, but part of the record need not be denied and can be severed from the confidential part of the record, access to that portion may be granted.
  6. In a case where denial of access to all or part of a record of personal information is contemplated, the office, agency or parish must coordinate that denial with the Privacy Officer.

Enquiries

  1. Enquiries regarding personal information held by the Diocese, or one of its offices, agencies or parishes shall be referred to the relevant Privacy Contact for response.
  2. A response to such an enquiry should be made within a reasonable period.
  3. The Privacy Contact may consult the Privacy Officer on the Diocese Policy regarding the handling and disclosure of personal information for purposes of responding to the enquiry.

Complaints

  1. Complaints about the handling of personal information held in diocesan offices, agencies or parishes shall be referred to the Privacy Officer immediately on receipt.
  2. The Privacy Officer will coordinate the response to the complaint with the relevant Privacy Contact(s).
  3. The person making the complaint will be advised, immediately following its receipt, that it has been referred to the Privacy Officer, along with the Officer’s name and contact information. Where the complaint has been received in writing, the advice should be in writing.

When the policy is not followed

If a Diocese office, agency or parish gathers, uses or discloses personal information in a manner inconsistent with the Diocese Privacy Standards Policy, the Privacy Officer will investigate and prepare a report. A copy of the report will be provided to the office, agency or parish.

If the investigation indicates that the gathering, use or disclosure was inadvertently inconsistent with the Privacy Standards Policy, the Privacy Officer and head of the office, agency or parish will review the office, agency or parish’s procedures, including staff training, and will undertake any corrective measures necessary.

If the office, agency or parish gathered, used or disclosed personal information in a manner it knew was inconsistent with the Diocese Privacy Policy, the Privacy Officer will provide a copy of the report on the matter to the Bishop’s Office for such action as the Bishop or his delegate directs.

Any questions on the Policy or these procedures and the following guidelines, and any complaints received about the handling of personal information held in a diocesan office, agency or parish should be directed to the ADO Privacy Officer.

Appendix B: The Ten Principles

The Anglican Diocese of Ottawa (ADO) will follow the ten principles for handling personal information as set out in Schedule 1 to the federal Personal Information Protection and Electronic Documents Act or PIPEDA.

These principles are as follows: accountability; identifying purposes; consent; limiting collection; limiting use, disclosure and retention; accuracy; safeguards; openness; individual access; and provision of recourse.

  1. Be accountable. It is our intent to:
    • comply with all 10 of the principles of Schedule 1
    • appoint an individual (or individuals) to be responsible for the Diocese of Ottawa’s compliance
    • protect all personal information held by the Diocese of Ottawa or transferred to a third party for processing
    • develop and implement personal information policies and practices
  2. Identify the purpose. We will identify the reasons for collecting personal information before or at the time of collection by:
    • reviewing all personal information holdings to ensure they are all required for a specific purpose
    • recording all identified purposes and obtained consents for easy reference in case an individual submits a request for an account of such information
    • ensuring that these purposes are limited to what a reasonable person would expect under the circumstances
  3. Obtain consent. We intend to obtain consent by:
    • informing the individual in a meaningful way of the purposes for the collection, use or disclosure of personal data
    • obtaining the individual’s consent before or at the time of collection, as well as when a new use is identified
    • using express consent whenever possible and in all cases when the personal information is considered sensitive
  4. Limit collection. We intend to meet this principle by:
    • limiting the amount and type of the information gathered to what is necessary for the identified purposes
    • identifying the kind of personal information that is collected in information-handling policies and practices
    • ensuring that staff members can explain why the information is needed
  5. Limit use, disclosure and retention. We intend to meet this principle by:
    • instituting maximum and minimum retention periods that take into account any legal requirements or restrictions and redress mechanisms
    • establishing policies setting out the types of information that need to be updated
    • documenting any new purpose for the use of personal information
    • disposing of information that does not have a specific purpose or that no longer fulfils its intended purpose
    • disposing of personal information in a way that prevents improper access, such as shredding paper files or deleting electronic records
  6. Be accurate. We intend to minimize the possibility of using incorrect information when making a decision about the individual or when disclosing information to third parties by:
    • keeping personal information as accurate, complete and up to date as possible, taking into account its use and the interests of the individual
    • updating personal information only when necessary to fulfill the specified purposes
    • keeping frequently used information accurate and up to date unless there are clearly set out limits to this requirement
  7. Use appropriate safeguards. We take seriously our responsibility to protect personal information against loss or theft; to safeguard the information from unauthorized access, disclosure, copying, use or modification; and to protect personal information regardless of the format in which it is held. We will review and update security measures regularly, taking the following factors into consideration in selecting appropriate safeguards:
    • sensitivity of the information
    • amount of information
    • extent of distribution
    • format of the information (electronic, paper, etc.)
    • type of storage.
  8. Be open. We will inform customers, donors, volunteers and staff of our policies and practices for the management of personal information.
  9. Give individuals access. When requested, we will inform individuals of any personal information on file about them including how it is or has been used and providing a list of any organizations to which it has been disclosed unless prohibited by law. Individuals will have controlled access to their information. We will correct or amend any personal information if its accuracy and completeness is challenged and found to be deficient.
  10. Provide recourse. We will develop a simple and easily accessible complaint procedure and inform complainants of avenues of recourse. All complaints received will be investigated by the Privacy Officer and we will take appropriate measures to correct information handling practices and policies found deficient.

Exceptions to the principle of consent

In general, persons must be advised of the purpose for which their personal information is being collected, and how and when it will be used or disclosed. Then they must consent to its retention in diocesan records. The Diocese of Ottawa may collect and use personal information without consent:

  • if it is clearly in the individual’s interests and consent is not available in a timely way
  • if collection is required to investigate a breach of an agreement or contravention of a federal or provincial law
  • for journalistic, artistic or literary purposes
  • if it is publicly available
  • for an emergency that threatens an individual’s life, health or security, or
  • for statistical or scholarly study or research

The Diocese of Ottawa may disclose personal information without consent:

  • to a lawyer representing the Diocese of Ottawa
  • to collect a debt the individual owes the Diocese of Ottawa
  • to comply with a subpoena, warrant or order made by a court or other juridical body
  • to a lawfully authorized government authority
  • for an emergency that threatens an individual’s life, health or security, or
  • where the information was recorded more than 100 years before disclosure or is disclosed more than 20 years after the death of the individual

Appendix C: The Role of Privacy Officer

The Bishop of the Anglican Diocese of Ottawa (ADO) will designate a Privacy Officer for the ADO with responsibility to ensure compliance with the ADO’s Privacy Standards Policy. ADO staff and Parishes will be informed of the name and responsibilities of the Privacy Officer.

The Privacy Officer will:

  • Report to the Bishop and the Diocesan Council on a regular basis in regard to any activities related to personal information protection.
  • Co-ordinate the response to any complaints made to the Diocese, one of its agencies or its parishes regarding the handling of personal information held about that person.
  • Investigate any handling of personal information that is inconsistent with this Policy.
  • Ensure regular training for staff/volunteers of the Diocese as to the policies and procedures which the protection of personal information requires, and provide advice to Privacy Contacts and others as required.
  • In consultation with the Privacy Contacts, review periodically the Diocese Privacy Standards Policy and propose amendments to the Policy, as required, to the Bishop and Diocesan Council.
  • Ensure a copy of the approved Privacy Standards Policy and the associated procedures and guidelines are placed in staff reference materials and on the Diocese Website.

Appendix D: Information for Identification and Classification of Privacy Materials

Each office, agency and parish will follow procedures for collection, retention and distribution that reflect the Privacy Standards Policy, the procedures and the guidelines described below.

The first step is to classify incoming personal information and thereby determine how it is to be handled.

There are three standard levels of security:

Level 1 – Highly Restricted
Level 2 – Confidential
Level 3 – General Information

The type of information collected, consent required, retention period and disposition will vary with each level.

Level 1 – Highly Restricted

Level 2 – Confidential