Privacy Policy

Purpose and Commitment

The purpose of this policy is to:

  • Assert Hearth Place’s commitment to the protection of personal information from theft, loss, unauthorized access, copying, modification, use or disclosure
  • Address issues of collection, access, use and disclosure
  • Provide guidelines for handling breaches of member privacy
  • Align organizational action with recommendations published by the Information and Privacy Commissioner of Ontario

Hearth Place is committed to protecting the personal information of all employees, volunteers and members.

Policy

Hearth Place recognizes its obligation to respect privacy.  We collect and use personal information in order to serve our members and provide the best care.  We will ask our members for their consent before collecting their personal information.  Membership information may include but is not limited to:

  • Health history
  • Cancer diagnosis
  • Physical condition
  • Social status
  • Cultural background
  • Contact information (address, phone numbers etc.)
  • Age

When Hearth Place obtains consent, we will explain what the information will be used for.  Hearth Place will never collect information without a specific purpose and data collection will be limited to what is absolutely necessary.  We acknowledge that we are responsible for all personal information that has been provided to us.

Consent may be written, oral, or implied. In determining the form of consent to use, Hearth Place Cancer Support Centre will take into account the sensitivity of the information, as well as the individual’s reasonable expectations. Individuals may consent to the collection and specified use of personal information in the following ways:

  1. By filling out an application or registration form;
  2. By signing a service agreement form;
  3. By checking a check-off box;
  4. By providing written consent, either physically or electronically;
  5. By consenting orally in person; or
  6. By consenting orally over the phone.

Consent will not be obtained directly from individuals who are minors, seriously ill, or mentally incapacitated; in those cases it will be obtained from a parent, legal guardian, or person having power of attorney.

Hearth Place will never disclose personal information without an individual’s consent.  However, in some circumstances it is impractical or imprudent to obtain the individual’s consent, or provincial laws do not require us to obtain it.

Hearth Place restricts who is able to access personal information.  However, there are some situations where personal information must be shared between staff members/service providers/volunteers in the course of providing programs, groups or individual services.  In the event that information must be transferred, the method of secure transfer must not interfere with timely delivery of programs or services.  Once all methods of transfer have been identified, the individual must assess the risks to privacy posed by each method.  The method selected should carry a level of risk that is proportional to the degree of harm that could result from a breach.

Where possible, information will be provided face to face or through the Hearth Place email/network system.  There are some service providers who use personal email as a primary means of contact, as they work offsite.  In circumstances where it is necessary to transfer information through email, the following guidelines should be considered:

  • Restrict information included in the email
  • If possible, only include a first name (without a last name)
  • Use initials and case manager ID

The Executive Director serves as Hearth Place’s privacy officer.  In the event that there is a privacy breach, the privacy officer must be notified immediately.  The privacy officer will conduct an investigation to ensure that similar events do not happen in the future.  The privacy officer will notify the individual affected by the breach and may consult with the Board of Directors when determining a resolution.

Everyone is expected to uphold this policy and work together to ensure that the privacy of all employees, service providers, volunteers and members is protected.  Anyone found to be in violation of this policy will be subject to disciplinary action.

Procedures

24.1 All privacy complaints will be directed to the privacy officer.

24.2 Every member must sign the Hearth Place Agreement for Service Form, which provides written consent for the sharing of information between staff and service providers.

24.3 Electronically stored data is password protected.

24.4 Paper with personal information on it must be shredded.

24.5 Documents that are mailed from Hearth Place will not include any identifiers.

24.6 If a privacy breach occurs, the privacy officer will notify the individual affected by the breach in writing.

24.7 The privacy officer must notify the Board of Directors of every privacy breach.

24.8 If a member no longer wishes to be contacted about fundraising or solicitation, or to receive member satisfaction surveys, they may withdraw consent at any time.

 

Records Management Policy

Hearth Place uses multiple record storage formats and information may be contained in a paper record, electronic record or both.  Hearth Place is committed to securing all records.  Access to any personal record is restricted to individuals who require the information in order to provide service and/or complete job duties and responsibilities.

Member records may include:

  • Registration forms
  • Intake forms
  • Service agreement forms
  • Emergency contact information

Volunteer records may include:

  • Volunteer registration form
  • Volunteer training history
  • Signed confidentiality form
  • Hours of service
  • Criminal records check
  • Performance evaluations
  • Emergency contact information

Employee records may include:

  • Confidentiality form
  • Criminal records check
  • Performance evaluations
  • Emergency contact information

Some electronic documents may be stored on a shared computer drive.  This drive is protected by a unique login and password.  All individuals who have access to a shared drive may only access documents that are appropriate to their position and/or in the course of their job duties and responsibilities.

Everyone is responsible for upholding this policy.  Anyone found to be in violation of this policy will be subject to disciplinary action.

Procedures

25.1 All employee, member and volunteer records will be retained for a minimum of seven years.

25.2 All records, paper and electronic, will be maintained onsite.

25.3 When a record is no longer required, it will be shredded.

25.4 All paper documents will be stored under lock and key.

25.5 All electronic documents may be stored in a database or on a shared computer drive and are restricted to staff.

25.6 All electronic documents are protected by a unique login and password combination.

25.7 Violations of this policy must be reported to the Executive Director.