St. Mary’s General Hospital Foundation is committed to protecting the privacy of our donors. We do not sell, rent, or exchange our mailing list with any third party.
The St. Mary’s General Hospital Foundation is committed to protecting the privacy of the personal information of its donors, employees, volunteers and other stakeholders. We value the trust of those we deal with, and of the public, and recognize that maintaining this trust requires that we be open and accountable in how we treat the information shared with us.
During the course of our various projects and activities, the Foundation frequently gathers and uses personal information. Anyone from whom we collect such information must be sure that it will be carefully protected and that any use of this information is subject to their prior consent. Our practices must be designed to protect privacy.
Personal information gathered by us is kept in confidence. Our staff is authorized to access personal information based only on their need to deal with the information for the reason(s) for which it was obtained. We have imposed safeguards to ensure the information is not disclosed or shared any more than is necessary to achieve the purpose for which it was gathered. We also do our best to ensure the integrity of this information is maintained and to prevent it being lost or destroyed.
This policy is based on the Canadian Standards Association Model Code, and adheres to the federal Personal Information Protection and Electronic Documents Act (PIPEDA).
Defining Personal Information
Personal information is any information which can be used to distinguish, identify or contact an individual. This information includes an individual’s opinions or beliefs, as well as facts about, or related to, the individual. Business contact information and certain publicly available information, such as names, addresses, and telephone numbers as published in telephone directories, are exceptions and are not considered personal information.
Where an individual uses his or her home contact information as business contact information as well, the contact information becomes business contact information, and is not considered personal information.
The Foundation President serves as the Foundation’s Chief Privacy Officer and works closely with the Hospital Chief Privacy Officer to ensure the consistent application of privacy legislation, policies and procedures.
The Chief Privacy Officer’s responsibility is to understand the broad impact of privacy, to implement policies and procedures, and to handle complaints. He/she will communicate and explain this policy and give training regarding it to all employees and volunteers who might be in a position to collect, retain or use personal information.
This policy is available upon request.
1.1 Third Party Use of Personal Information
The Foundation uses third parties to process mailings. This requires sending name and address information, usually segmented into specific gift level categories, to a mail house that addresses, prints, sorts, and co-ordinates distribution of these mailings. In all cases, the third party vendor signs a confidentiality agreement promising that it will take every precaution to protect personal information in its possession and to destroy it upon completion.
Further, data sent by the Foundation to a third party vendor will be encrypted to ensure protection. The vendor will be required to act likewise in sending data to the Foundation.
2. Identifying Purpose
Before personal information is collected, the Foundation must identify the purpose for which it is being collected.
Information collected will only be used for the original purpose for which it was collected, unless required otherwise by law. Should a new purpose be established, individuals must be notified of the change.
In the collection, use or disclosure of personal information, knowledge and consent of the individual is required. This consent must be meaningful and easily understood. (See sample Purpose Statement, Appendix 2.) The Foundation offers individuals the opportunity to not receive mailings or other communications.
3.1 Former Patient Solicitation
In particular, the consent of former patients will be obtained through an initial mailing within 30-60 days of their discharge from hospital. It will include an opt-out clause. Signage and brochures throughout the Hospital will supplement this. Purpose statements will be posted on the Foundation website, and included in our newsletters, direct mailings, and other communication materials.
Requests from individuals to be excluded from mailings or other communications will be respected and acted on promptly.
3.2 Publication of Donor Lists
With respect to the publication of donor lists by gift category, donor consent will be obtained at the time of solicitation.
4. Limiting Collection
Personal information collected is limited to that which is necessary to fulfill the purposes identified.
Information will be collected only by lawful means without misleading or deceiving individuals as to the reason. The source of data will be indicated on each file.
5. Limiting Use, Disclosure and Retention
Information can only be used for the purpose for which it was collected. When personal information is no longer required, it will be permanently erased from electronic records, or shredded if in hard copy format.
The Foundation does not lend, exchange, rent or sell our donor list to other organizations or individuals.
The Foundation will ensure that all personal information is accurate, complete, and as up to date as possible.
The Foundation will ensure that steps are taken to protect personal information from theft and loss, as well as unauthorized access, disclosure, copying or use.
Hard copies of records are kept in locked filing cabinets and are accessible by Foundation staff only on a need-to-know basis. Only Foundation staff with confidential passwords may access electronic records. Information obtained from visitors or donors to our website is protected by special electronic security measures.
Foundation staff sign a confidentiality statement in which they agree to protect all personal information they use in the conduct of their job.
The Foundation is part of the Hospital network, and has been assured that appropriate firewalls and other like safeguards are in place.
Our Foundation provides the public with general information on our personal information protection policies and practices, and makes it clear who serves as the Foundation’s Chief Privacy Officer. This information is posted on our website and published on a regular basis in our various communications.
9. Individual Access
Upon request, individuals will be informed of the existence, use and disclosure of all their personal information and be given access to that information. An individual has the right to challenge the accuracy and completeness of the information and have it amended if appropriate.
An exception to this would be if information cannot be disclosed for legal, security or other reasons.
All requests for access will be responded to within a reasonable time (no more than 30 days) and at minimal or no cost to the individual.
10. Challenging Compliance
An individual can challenge the Foundation’s compliance with this policy. If so, the Foundation will follow procedures as outlined in its Complaints Policy (see Appendix 3).
Policies and procedures will be amended if a complaint has validity.
The Compliance Committee of the Foundation will regularly review and update this policy and our privacy practices as required.