Privacy and Confidentiality Policy
WISH is committed to protecting the privacy and confidentiality of all WISH community members, including employees, volunteers, donors, applicants, participants and funders. Anyone who serves WISH, its programs, or participants must comply with this policy. WISH’s practices concerning the collection, use, disclosure, storage and retention, and disposal of personal information ensure compliance with applicable privacy laws, including the BC Personal Information Protection Act (PIPA) and, if applicable, Freedom of Information and Personal Privacy Act (FOIPPA).
Maintaining the confidentiality and security of information is vital to WISH’s success and stability, and trust of its community members. Personal information is protected and used only for services and functions of WISH. Information will only be disclosed upon proper authorization and to those with a legitimate need to know. This duty of confidentiality applies to all WISH-related information, whether on or off WISH premises, during and after an employee’s employment or a volunteer’s service. Duty of confidentiality also applies to information transmitted through WISH’s electronic communications.
Anyone found in violation, or to have improperly accessed, copied, recorded, or disclosed personal or confidential information will be subject to disciplinary action, up to and including termination.
Personal Information is any information that can identify an individual, such as home address, name, gender, age, family status, credit card numbers, etc.
Confidential Information refers to information about WISH’s business records, financial data, contracts, personnel information, or other material that WISH considers proprietary and confidential.
All information, particularly data and images about participants, are treated as confidential and will not be accessed, used or disclosed for any other purposes than as necessary to provide WISH’s services.
Collection and Use
WISH collects personal information only as is reasonably required about:
- Participants to provide programs and services
- Employees and job applicants for the purposes of establishing, managing, and terminating employment relationships
- Volunteers for contacting and reporting as required for funding
- Donors for the purposes of contacting and issuing financial documentation
WISH will obtain consent for the collection, use and disclosure of personal information as permitted or required by law. Collection, use, or disclosure of personal information may be done without consent if allowed by privacy laws or required by other legislation. Such situations include:
- By order of an authorized court, tribunal, or regulatory or law-enforcement agency
- Where WISH believes, on reasonable grounds, that it is necessary to protect the health or safety of any person
- Where it is necessary to collect monies owed, or to respond to proceedings against WISH
- As part of an investigation into possible breach of an individual’s obligations to WISH or proceedings involving WISH
Disclosure
WISH does not sell, trade, barter, or exchange for consideration any personal information. WISH ensures that service providers agree to use such personal information solely for the purposes of providing those services and will comply with relevant portions of this policy.
Accuracy and Protection
WISH takes appropriate security measures to ensure that paper and electronic records containing personal information are secure from loss, unauthorized use, access or copying, disclosure or modification.
Access
WISH allows individuals to have reasonable access to their personal information and will endeavour to provide requested information within a reasonable time, generally within thirty business days following a written request.
Retention and Destruction
WISH endeavours to retain personal information only for so long as it is either:
- Required to be retained by law, i.e., Income Tax Act requirements; or
- Reasonably necessary for business needs
When personal information is no longer needed, it will be destroyed in a suitably secure manner. Where required under privacy legislation, information used to make a decision directly affecting an individual will be kept for one year after the date of the decision.
Right of Access to Data Systems:
For a variety of reasons including ensuring appropriate use of technology and monitoring productivity, WISH reserves the right to monitor or review without advance notice all employees’ use of WISH’s technology systems and/or resources, including all emails sent or received and internet usage.
Video Monitoring:
WISH utilizes and reserves the right to install security cameras in public work areas for specific operational reasons, such as security, theft protection or protection of proprietary information.
Data Breach:
If personal information is accessed by unauthorized persons through accidental loss, sharing of such information, or hacking into technology systems and/or resources, WISH will comply with any applicable requirements to secure information as quickly as possible.
WISH will evaluate the scope of loss, potential risks to persons affected and, where appropriate or required under privacy laws, notify such persons of the breach and any other relevant information, including steps to mitigate the risk.