Privacy Policy

Type: Operational

Target audience: Public

1.0 Rationale

OTF is committed to respecting the privacy rights of individuals and ensuring the protection of the personal information in our custody and control.

2.0 Purpose

To ensure that OTF's practices involving personal information are consistent with the Freedom of Information and Protection of Privacy Act (FIPPA) Part III – Protection of Individual Privacy.

3.0 Policy

  • OTF collects only the minimum necessary personal information, whether recorded or verbal.
  • OTF provides notice when it collects personal information (either directly from the individual or indirectly from another source) unless it is waived or falls under an exception under FIPPA. At a minimum, the notice will provide the authority for the collection, the purpose for collecting the personal information and contact information for further inquiries.
  • OTF uses personal information under the following circumstances:
    • With the individual’s consent
    • For the purpose identified at time of collection or for a consistent purpose
  • OTF discloses personal information where permitted under FIPPA. Some of the circumstances in which organizations are permitted to disclose personal information include:
    • where the individual has consented to the disclosure;
    • for the purpose for which the personal information was obtained or compiled or for a consistent purpose;
    • where the disclosure is necessary and proper in the discharge of the organization’s functions;
    • for the purpose of complying with another Act;
    • for law enforcement purposes;
    • in compelling circumstances affecting the health or safety of an individual;
    • in compassionate circumstances, to facilitate contact with the next of kin or a friend of an individual who is injured, ill or deceased;
    • to facilitate the auditing of shared cost programs between the Government of Ontario and the Government of Canada. 
  • OTF follows the Ontario Archives and Recordkeeping Act, 2006, for retention and disposal requirements for personal information.
  • OTF’s Agency Head shall ensure that only those individuals who need a record for the performance of their duties have access to it and take the necessary steps to protect the organization’s personal information records from accidental destruction.
  • OTF’s Agency Head takes reasonable steps to ensure that personal information on the organization’s records is not used unless it is accurate and up to date.
  • OTF takes the necessary administrative, technical and physical safeguards/precautions to protect personal information (at rest, in motion, in use) from a privacy breach, including unauthorized access, linkage, disclosure or alteration.
  • OTF’s Agency Head shall ensure that every contract for data collection and processing be subject to a Threat Risk Assessment and Privacy Impact Assessment.
  • OTF Board members, volunteers and staff must sign and follow a Code of Conduct and Ethics that includes a commitment to “Store, handle, and transfer all records, in all formats, in a way that attends to the needs of OTF and its stakeholders for privacy and security.”
  • In the event of a privacy breach, OTF will follow its privacy breach protocol.
  • OTF provides contact information for questions or concerns about any collection, use or disclosure of personal information by us, or to request access to personal information in our custody and control.
  • Where personal information from different sources is merged into a single record for an individual (data integration), records will be de-identified, including any linking of records or information. Data integration may be conducted to compile information, including statistical information, to enable analysis in relation to management, planning and/or evaluation of OTF-funded programs and services.
  • No person or entity (including but not limited to staff and volunteers) shall use or attempt to use information that has been de-identified, either alone or with other information, to identify an individual.
  • The collection, use and treatment methodologies (including de-identification and linkage) of personal information will be summarized and published annually in a publicly available report, or part of a publicly available report, establishing that the requirements of FIPPA have been met.

4.0 Definitions

Agency Head: The CEO, Ontario Trillium Foundation, is the Agency Head for the purpose of this policy and any decisions made related to privacy.

Breach: The result of an unauthorized access to, or collection, use or disclosure of personal information.

Control (of a record): The power or authority to make a decision about the use or disclosure of the record. 

Custody (of a record): The keeping, care, watch, preservation or security of the record for a legitimate business purpose. While physical possession of a record may not always constitute custody, it is the best evidence of custody. 

Consistent Purpose: Where personal information has been collected directly from the individual to whom the information relates, the purpose of a use or disclosure of that information, without consent, is a consistent purpose only if the individual might reasonably have expected such a use or disclosure. This means that the original purpose and the proposed purpose are so closely related that the individual would expect that the information would be used for the consistent purpose, even if the use is not spelled out.

De-identification: The removal of the following information from a record:

  1. Information that identifies an individual.
     
  2. Information that could be used, either alone or with other information, to identify an individual based on what is reasonably foreseeable in the circumstances.

FIPPA: Freedom of Information and Protection of Privacy Act in Ontario.

Linkage: The joining of two different datasets for the same individual into one dataset containing more data fields for the purposes of data integration using a data key or other unique identifier.

Personal information: Recorded information about an identifiable individual, including: 

  1. information relating to the race, national or ethnic origin, colour, religion, age, sex, gender, sexual orientation or marital or family status of the individual;
  2. information relating to the education or the medical, psychiatric, psychological, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved;
  3. any identifying number, symbol or other particular assigned to the individual;
  4. the address, telephone number, fingerprints or blood type of the individual;
  5. the personal opinions or views of the individual except if they relate to another individual;
  6. correspondence sent to an institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to that correspondence that would reveal the contents of the original correspondence;
  7. the views or opinions of another individual about the individual; and
  8. the individual's name if it appears with other personal information relating to the individual or where disclosure of the name would reveal other personal information about the individual.

Privacy: The principle that an individual has the right to control their own personal information.