Privacy of Personal Information
Introduction
This policy will ensure that Across Languages complies with the Fair Information Practice Principles set out in federal privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA) and the provincial privacy legislation, Bill 31, the Health Information Protection Act (HIPA) and specifically, Schedule A, also known as the Personal Health Information Protection Act (PHIPA) relating to collection, use, disclosure and retention of personal information. This policy is a living document and is expected to change as the body of knowledge in this area grows.
Across Languages – Our Commitment
Across Languages is committed to ensuring that all personal information under our care, custody and control shall be regarded as confidential and available only to authorized users. Across Languages also acknowledges its responsibilities to ensure the confidentiality of personal information related to its employees, contractors and volunteers.
DEFINITIONS
CONFIDENTIALITY refers to the obligation upon an organization or person to protect information that has been entrusted in its care for a specific purpose, and to ensure that information is only accessible to those authorized to have access.
DISCLOSURE in relation to information in the custody or under the control of an Across Languages employee, contractor or volunteer, means to make the information available or to release it to another person, but does not include to use the information.
PERSONAL INFORMATION includes any factual or subjective information, recorded or not, about an identifiable individual (for example, age, name, ID numbers, income, ethnic origin, social status). Personal information does not include the name, title, and business address or business telephone number of an employee of an organization.
Personal Information includes PERSONAL HEALTH INFORMATION (PHI), which means identifying information about an individual in oral or recorded form, if the information:
- relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family,
- relates to the providing of health care to the individual, including the identification of a person as a provider of health care to the individual,
- is a plan of service within the meaning of the Long-Term Care Act, 1994 for the individual,
- is the individual’s health number.
PRIVACY refers to the right of an individual to control who has access to his or her personal information and under what circumstances.
RECORD means a record of information in any form or in any medium, whether in written, printed, electronic form or otherwise.
SECURITY is characterized as the preservation of the confidentiality, integrity and availability of personal information. Information security is achieved by or through physical, organizational and technical means, including implementing policies and procedures based on relevant legislation, standards and ethical principles, careful planning, design, implementation and maintenance of appropriate technology solutions and managing ongoing operations related to the collection, classification, access and disclosure of personal information.
USE in relation to personal information in the custody or under the control of an employee, contractor or volunteer means to handle or deal with the information, but does not include disclosing the information, and “use”, as a noun, has a corresponding meaning.
PHIPA is structured on the 10 Fair Information Practices principles published by the Canadian Standards Association (CSA), which form the basis of most privacy legislation around the world.
Principle 1 – Accountability for Personal Information
An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following principles.
Accountability for Across Languages’ compliance with the principles rests with the Board and/or ED having overall accountability, although other individuals within the organization may be responsible for the day-to-day collection and processing of personal information. In addition, other individuals within the organization may be delegated to act on behalf of the designated individual(s).
The Executive Director shall oversee Across Languages’ compliance with the principles and shall be responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. AL shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.
Across Languages shall develop and implement policies and practices to give effect to this principle.
Principle 2 – Identifying Purposes for Collecting Personal Information
The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
The primary purposes for which personal information is collected are: the provision/delivery of interpretation and translation services, including adequate interpreter/assignment match, provision/delivery of interpreter training services, including professional development planning, quality assurance/risk management activities, statistical analysis, and to meet legal and regulatory requirements.
When personal information that has been collected is to be used for a purpose not previously identified, the new purpose shall be identified prior to use. Unless the new purpose is required or permitted by law, the consent of the individual is required before information can be used for that purpose.
Persons who collect personal information will be able to explain the purpose(s) for which the information is being collected.
Principle 3 – Consent for Collection, Use and Disclosure of Personal Information
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information.
Across Languages shall make a reasonable effort to ensure that individuals are advised of the purposes for which the information will be used or disclosed. To make the consent meaningful (i.e. knowledgeable), the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.
In obtaining consent, the reasonable expectations of the individual are relevant. For example, a limited-English speaking individual coming to a hospital for tests will reasonably expect that the hospital, in addition to using the individual’s personal information for treatment purposes, will also contact Across Languages to arrange an interpreter. In most cases, Across Languages may assume the individual’s request for service constitutes an implied consent for specific, related purposes. In contrast, an individual would not reasonably expect that personal information given to the hospital and shared with Across Languages for the provision of interpretation or translation services, would be in turn passed on to a company selling health care products, for example.
Individuals may give consent in many ways, for example:
- Consent may be given at the time that the individual receives the service, for example during an interpreted encounter. In this instance, the interpreter shall explain to all parties in both languages how the information collected will be used.
- Consent may be given when the individual receives the service, for example a translation or upon signing up for a training course.
- Consent may be given orally when appointment confirmation is done over the telephone, and should be so recorded.
- Consent shall not be obtained through deception or coercion.
Consent may be withdrawn at any time, subject to legal or contractual restrictions and reasonable notice. Across Languages shall inform the individual of the right to and the implications of withdrawal of consent. Withdrawal is not retrospective and is only valid on a ‘day forward’ basis.
Principle 4 – Limiting Collection
The collection of personal information shall be limited to that which is necessary for the purposes identified by Across Languages. Information shall be collected by fair and lawful means.
Both the amount and type of personal information collected will be limited to that which is necessary to fulfill the purposes identified, mainly the provision of translation and interpretation services.
Principle 5 – Limiting Use, Disclosure, and Retention of Personal Information
Personal information will not be used or disclosed for purposes other than those identified, except with the consent of the individual or as required by law. Personal information will be retained only as long as necessary for the fulfillment of those purposes.
Principle 6 – Accuracy of Personal Information
Personal information shall be as accurate, complete, and up-to-date as is provided to Across Languages by the requestor of service.
Principle 7 – Safeguards for Personal Information
Security safeguards appropriate to the sensitivity of the information shall protect personal information.
Security safeguards will protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification. Across Languages will protect personal information regardless of the format in which it is held. Each department will routinely review and update its policies and procedures to safeguard personal information, specific to its circumstances.
The methods of protection will include the following measures:
- Physical (e.g. locked filing cabinets and restricted access to offices)
- Organizational (e.g. confidentiality agreements and limited access for staff)
- Technological (e.g. the use of passwords, access controls)
Across Languages will make its employees, contractors and volunteers aware of the importance of maintaining the confidentiality and privacy of personal information through education, awareness campaigns and the use of confidentiality agreements.
Care will be used in the disposal or destruction of personal information to prevent unauthorized parties from gaining access to the information.
Principle 8 – Challenging Compliance with the Privacy Policy
An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization’s compliance.
The ED shall be accountable for Across Languages’ compliance with these Principles and legislative requirements under PHIPA. Across Languages will put procedures in place to receive and respond to complaints or inquiries about policies and practices relating to the handling of personal information. Across Languages is committed to investigating all complaints and to taking appropriate action, including where necessary, amending policies and practices.
REFERENCES
- Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sched. A.
- Personal Information Protection and Electronic Documents Act, R.S.C. 2000, c. 5.
Records Retention Policy
Introduction and Background
A records retention policy is a recognized and proven protocol within an organization for retaining information for operational use while ensuring adherence to the laws and regulations concerning them. The objectives of this records retention policy are to keep important information for future use or reference, to organize information so it can be searched and accessed at a later date and to dispose of information that is no longer required.
The records retention policy for AL is a set of guidelines that describes which records will be archived, how long they will be kept and other factors concerning the retention of the records.
A part of any effective records retention policy is the permanent deletion of the retained records when appropriate and as deemed by law.
Please see the section at the end of this document for Legal Requirements and References.
Retention Guidelines for Common Administrative Records
Legislative context of Across Languages: Section 6 of the Privacy Act, and Sections 4 and 7 of the Privacy Act Regulations. Section 4(1) of the Privacy Act Regulations states that personal information that is used for an administrative purpose (i.e. the use of the information in a decision-making process that directly affects that individual) must be retained for a minimum of two (2) years unless the individual consents to its earlier disposal.
For Across Languages, in the absence of specific retention guidance and unless specified otherwise, the 7-year retention period for policy and procedures and the 7-year period for routine records should be applied to similar records. Retention periods should always be interpreted and applied “after all administrative actions are completed,” i.e., 7 years after all administrative actions are completed (complete status in ALEX).
| Function/Description | Retention Guidance |
|---|---|
| Governing Documents: articles of incorporation; bylaws; written agreements and contracts; board and staff meeting minutes; annual reports; promotional materials; fundraising materials | Must be held for as long as the charity is registered or incorporated and for two (2) years after the date the registration of the charity is revoked, the organization is dissolved, or the organization is amalgamated (whichever is the latest). |
| Financial Records: financial statements; ledgers; bank statements; expense accounts; inventories; investment agreements; accountant’s working papers; payroll records; annual CRA information returns | Must be kept for six (6) years from the end of the last tax year to which they relate, while the charity is registered or incorporated, and for two (2) years after the date the registration of the charity is revoked, the organization is dissolved, or the organization is amalgamated (whichever is the latest). |
| Official Donation Records – 10-Year Gifts | Must be kept for as long as the charity is registered or incorporated and for a minimum of two (2) years after the date the registration of the charity is revoked, or the organization is dissolved or amalgamated (whichever is the latest). |
| Official Donation Receipts – Other than 10-Year Gifts | Must be kept for a minimum of two (2) years from the end of the calendar year in which the donations were made. [Note: typically, the retention periods follow the fiscal period; for instance, if a receipt is issued February 28, 2019, the duplicates must be retained until December 31, 2021.] |
| Access to Information and Privacy: this programme/activity generally includes the business processes and activities which produce records created by AL in relation to the administration of the Access to Information Act and Privacy Act. More specifically, it includes individual requests for access to records under the acts. | The guidelines below will usually apply, but refer to PIPEDA and/or the references at the end of this document for clarity. Note that the 7-year period will not apply to Personal Health Information if the client instructs that the organization may not collect, use or disclose their personal information. For Personal Information, there is no defined retention period. Usually, the purpose for which it was collected is a clear indication of the retention period. If it is no longer required for the intended purpose, it should be disposed of. |
| Access to Information – individual case files | 7-10 years following the date on which a request was responded to and a subsequent complaint, if any, was fully processed. |
| Access to Information – reports | 7 years |
| Protection of Privacy – individual case files | Minimum 7 years following the date on which a request was responded to and a subsequent complaint, if any, was fully processed. |
| Protection of Privacy – reports | 7 years |
| Disposal of Records and Personal Information | Disposal of records does not mean throwing paper documents in the trash or deleting electronic records using a delete function. Secure methods of disposal must be used. These include shredding paper documents and using software that securely deletes electronic records. |
Legal Requirements and References
Records Retention
A registered charity must keep adequate books and records. A charity’s books and records must allow the Canada Revenue Agency (CRA) to:
- verify revenues, including all charitable donations received;
- verify that resources are spent on charitable programs; and
- verify that the charity’s purposes and activities continue to be
Books and records include:
- Governing documents (incorporating documents, constitution, trust document), bylaws, financial statements, copies of official donation receipts, copies of annual information returns (Form T3010, Registered Charity Information Return), written agreements, contracts, board and staff meeting minutes, annual reports, ledgers, bank statements, expense accounts, inventories, investment agreements, accountant’s working papers, payroll records, promotional materials, and fundraising
- Books and records also include source documents. Source documents support the information in the books and records, and include items such as: invoices, vouchers, formal contracts, work orders, delivery slips, purchase orders, and bank deposit slips.
Where Should a Charity Keep Its Books and Records?
Books and records must be kept at the Canadian address that the charity has on file with the CRA. This includes all books and records related to any activity carried on outside Canada. The charity’s books and records cannot be kept at a foreign address.
How Long Must a Charity Hold on to Its Books and Records?
A charity must keep books and records as follows:
- Copies of official donation receipts (other than for 10-year gifts)
  - Must be kept for a minimum of two (2) years from the end of the calendar year in which the donations were made. [Note: typically, the retention periods follow the fiscal period; for instance, if a receipt is issued February 28, 2019, the duplicates must be retained until December 31, 2021.]
- Records for 10-year gifts
  - Must be kept for as long as the charity is registered and for a minimum of two (2) years after the date the registration of the charity is revoked.
- Minutes of meetings of the directors/trustees/executives
  - Must be kept for as long as the charity is registered and for a minimum of two (2) years after the date the registration of the charity is revoked or, in the case of a corporation, for two (2) years after the day the corporation is dissolved.
- Minutes of meetings of the members
  - Must be kept for as long as the charity is registered and for a minimum of two (2) years after the date the registration of the charity is revoked.
- Governing documents and bylaws relating to the charity
  - Must be held for as long as the charity is registered and for two (2) years after the date the registration of the charity is revoked.
- General ledgers or other books of final entry containing summaries of year-to-year transactions and the accounts necessary to verify the entries
  - Must be kept for six (6) years from the end of the last tax year to which they relate, while the charity is registered, and for two (2) years after the date the registration of the charity is revoked or, in the case of a corporation, for two (2) years after the day the corporation is
- Financial statements, source documents and copies of annual information returns (T3010 forms)
  - Must be kept for six (6) years from the end of the last tax year to which they relate or, if the charity is revoked, for two (2) years after the date of revocation.
When a corporation is dissolved, it must keep the following records for two years after the date of its dissolution:
- all records and supporting documents to verify its tax obligations and entitlements;
- all other records that corporations have to keep.
When corporations amalgamate or merge to create a new corporation, the new corporation must usually keep the business records of each of the amalgamated or merged corporations for six years from the end of the taxation year to which they relate.
A registered charity may destroy its books and records prior to the expiration of the retention periods prescribed above, only with the permission of the Minister of National Revenue. To ask for permission, fill out Form T137, Request for Destruction of Records, and send it to:
Charities Directorate Canada Revenue Agency Ottawa ON K1A 0L5
Books and Records in the Electronic Format
Books and records can be kept in the electronic format. Electronic records are subject to the same rules and retention periods as described above. Books and records that are created and maintained in electronic format must be kept in an electronically readable format, even if the charity has paper printouts of the electronic records. An electronically readable format means information supported by a system capable of producing an accessible and useable copy that would allow auditors to process and analyze the electronic records on CRA equipment.
If any source documents are initially created, transmitted, or received electronically, they must be kept in an electronically readable format. Scanned images of paper documents, records, or books of account that are maintained in electronic format are acceptable if proper imaging practices are followed and documented.
Books and records maintained outside Canada but accessible electronically in Canada do not meet the requirement of being kept in Canada.
Further Obligations
A registered charity is responsible not only for keeping books and records, but for maintaining, retaining, and safeguarding these records as follows:
- If the charity hires a third party to maintain its records, the charity is still responsible for meeting all Third parties include bookkeepers, accountants, Internet transaction managers, and application service providers.
- The charity should keep all its books and records in one area for easy access. This will make it easier for the charity in the case of an audit or when there is a change to the governing board.
- The charity should also keep copies of its books and records in a separate location (preferably off-site) for backup.
- The charity is responsible for making its books and records available to CRA officials. These officials are authorized to inspect, audit, or examine a charity’s records, as well as make or have made copies of any records, including electronic records.
Failure to keep adequate books and records may result in the suspension of a registered charity’s tax receipting privileges, or the loss of its registered status.
The Law
Income Tax Act (ITA)1
Section 230 (2) of the ITA provides that,
Every qualified donee [a registered charity is a qualified donee as per the definition under subsection 149.1(1) of the Act] referred to in paragraphs (a) to (c) of the definition qualified donee in subsection 149.1(1) shall keep records and books of account — in the case of a qualified donee referred to in any of subparagraphs (a)(i) and (iii) and paragraphs (b) and (c) of that definition, at an address in Canada recorded with the Minister [of National Revenue] or designated by the Minister — containing
- information in such form as will enable the Minister to determine whether there are any grounds for the revocation of its registration under this Act;
- a duplicate of each receipt containing prescribed information for a donation received by it; and
- other information in such form as will enable the Minister to verify the donations to it for which a deduction or tax credit is available under this Act.
Subsection 230 (4) further states that every person required by section 230 of the Act to keep records and books of account must retain
- the records and books of account referred to in this section in respect of which a period is prescribed, together with every account and voucher necessary to verify the information contained therein, for such period as is prescribed; and
- all other records and books of account referred to in this section, together with every account and voucher necessary to verify the information contained therein, until the expiration of six years from the end of the last taxation year to which the records and books of account relate.
With respect to electronic records, subsection 230 (4.2) states that every person required by this section (s. 230) to keep records who does so electronically shall retain them in an electronically readable format for the retention period referred to in subsection 230(4), above.
1 RSC 1985, c 1 (5th Supp).
Personal Information Protection and Electronic Documents Act (PIPEDA)2
PIPEDA applies to every organization in Canada that collects, uses and discloses personal information in the course of commercial activities. Commercial activity is defined by PIPEDA as “any particular transaction, act or conduct of any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or fundraising lists.”3 While it is obvious that the legislators consider charitable and non-profit organizations capable of engaging in commercial activities, it is not obvious which activities charitable and non-profit organizations engage in will be considered commercial and which will not. Whether a charitable or non-profit organization will be subject to PIPEDA depends on whether the organization engages in the kind of commercial activities contemplated by the Act.
Although a charity may not be subject to PIPEDA, it is still important for the charity to adhere to the underlying privacy principles.
Organizations covered by PIPEDA (which may or may not include a registered charity) must obtain an individual’s consent when they collect, use or disclose that individual’s personal information. People have the right to access their personal information4 held by an organization. They also have the right to challenge its accuracy. Personal information can only be used for the purposes for which it was collected. If an organization is going to use it for another purpose, they must obtain consent again.
Individuals should also be assured that their information will be protected by appropriate safeguards.
Organizations must follow a code for the protection of personal information. This code is included in the Act as Schedule 1. The 10 fair information principles that organizations covered by PIPEDA must follow are:
2 SC 2000, c 5.
3 Ibid, s 2(1).
4 Canada’s two federal privacy laws—the Privacy Act, which applies to federal government institutions, and the PIPEDA, which applies to many private-sector organizations—give people a right to access the personal information organizations hold about them.
- Accountability
- Identifying Purposes
- Consent
- Limiting Collection
- Limiting Use, Disclosure, and Retention
- Accuracy
- Safeguards
- Openness
- Individual Access
- Challenging Compliance
Pursuant to Principle 5 of the Act, unless the individual consents otherwise or it is required by law, personal information can only be used or disclosed for the purposes for which it was collected. Personal information must only be kept as long as required to serve those purposes.
Under the same principle, organizations should develop guidelines and implement procedures with respect to the retention of personal information. These guidelines should include minimum and maximum retention periods. Personal information that has been used to make a decision about an individual shall be retained long enough to allow the individual access to the information after the decision has been made.
Personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous. Organizations shall develop guidelines and implement procedures to govern the destruction of personal information (Principle 5 – Clause 4.5.3).
What is “personal information”?
Under PIPEDA, personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:
- age, name, ID numbers, income, ethnic origin, or blood type;
- opinions, evaluations, comments, social status, or disciplinary actions; and
- employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).
With reasonable grounds, the Privacy Commissioner of Canada may audit the personal information management practices of an organization.
What is not covered by PIPEDA?
There are some instances where PIPEDA does not apply. Some examples include:
- Personal information handled by federal government organizations listed under the Privacy Act
- Provincial or territorial governments and their agents
- Business contact information such as an employee’s name, title, business address, telephone number or email addresses that is collected, used or disclosed solely for the purpose of communicating with that person in relation to their employment or profession
- An individual’s collection, use or disclosure of personal information strictly for personal purposes (e.g. personal greeting card list)
- An organization’s collection, use or disclosure of personal information solely for journalistic, artistic or literary purposes
Additional Resources
Books and Records: CRA Requirements and the Importance of Books and Records – https://www.canada.ca/en/revenue-agency/news/cra-multimedia-library/charities-video-gallery/transcript-financial-statements-books-records-segment-4-books-records-cra-requirements-importance-books-records.html
Best Practices: Retention Periods – https://www.canada.ca/en/revenue-agency/news/cra-multimedia-library/charities-video-gallery/transcript-financial-statements-books-records-segment-5-best-practices-retention-periods.html
Information Circular IC78-10R5, Books and Records Retention/Destruction – https://www.canada.ca/content/dam/cra-arc/formspubs/pub/ic78-10r5/ic78-10r5-10e.pdf