The Canadian Foundation for the Americas (FOCAL) values the trust of those it represents and is committed to protecting the privacy of its employees, volunteers, partners, stakeholders and all who entrust it with personal information.

Personal information is defined under the Personal Information Protection and Electronic Document Act as any information that can be used to distinguish, identify or contact a specific individual but does not include business contact information or publicly available information. Where home contact information is used as business contact information FOCAL considers the information provided as business contact information that is not subject to protection under the Act. FOCAL does not sell, rent or trade personal or business contact information

FOCAL will collect only the limited personal information needed to deliver high quality services, manage the association effectively and fulfill its obligations to you and to government. We will use this information only for purposes expressly identified, for keeping you informed of FOCAL activities, programs and services, and for other purposes which could be reasonably considered to be consistent with our mission. You may remove your name from our lists at any time by contacting the Privacy Officer.

The personal information collected is protected with appropriate physical, organizational and electronic safeguards to prevent its unauthorized use and will be retained only for as long as needed to achieve the purposes stated above. FOCAL may make personal information available to others or to appropriate authorities without permission if the information is used to take action during an emergency that threatens the life, health or security of an individual, or if it has reasonable grounds for believing that, by doing so, it is helping in the investigation or prevention of a breach of the laws or security of Canada or a Province. Information no longer required will be destroyed or erased.

Upon application to the Privacy Officer individuals may access their personal information held by FOCAL unless the information contains references to other individuals or cannot be disclosed for legal or security reasons. FOCAL commits to promptly correcting any inaccuracies.

FOCAL’s Privacy Officer is responsible for monitoring information collected, data security, staff training, privacy inquiries, personal information access and responding to complaints. Complaints should be made in writing to the Privacy Officer who will immediately acknowledge receipt and will respond to the complaint within 30 days. Unresolved complaints may be taken to the federal Privacy Commissioner.

Contact Carlo Dade, FOCAL’s Privacy Officer, at Suite 720, 1 Nicholas Street, Ottawa, Ontario K1N 7B7, at focal@focal.ca or telephone 1.613.562.0005.

RIGHT TO ACCESS

Individuals have a right to be informed of the existence, use and disclosure of their personal information and be given access to that information. The individual is entitled to question the accuracy and completeness of the information and have it amended as appropriate.

With the exception of staff, all access requests must be submitted in writing and provide adequate proof of the individual’s identity or right to access. Staff may verbally request access to their personal information.

Restricting Access

In certain situations FOCAL may not be able to provide access to all the personal information it holds about an individual. Exceptions to the access requirement will be limited and specific and may include the following:

- Providing access would reveal personal information about a third party, unless such information can be severed from the record, or the third party consents to the disclosure, or the information is needed due to a threat to life, health or security
- The personal information to which the individual has requested access has been requested by a government institution for the purposes of enforcing any laws, carrying out an investigation related to the enforcement of any law, the administration of any law, the protection of national security and the defense of Canada or the conduct of international affairs
- The information is protected by solicitor-client privilege
- Providing access might threaten the life or security of a third party, provided this information cannot be severed from the file containing other information requested by the individual
- The information was collected without knowledge or consent for purposes related to contravention of the laws of Canada or a province
- The information was generated in the course of a formal dispute resolution process.

Response

FOCAL will respond to an individual’s request within 30 days. When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, FOCAL shall promptly amend the information as required. Depending upon the nature of the information challenged, amendment involves the correction, deletion or addition of information.

Cost of Response

At the Privacy Officer’s discretion, FOCAL may impose a fee at a stated hourly rate where the collection of the requested information requires exceptional time and effort. The individual must be informed of an estimate of costs prior to the commencement of the request.

COMPLIANCE

An individual can challenge FOCAL’s compliance with the requirements of the Personal Information and Electronics Document Act by sending a written complaint or question to the Privacy Officer. The inquiry and complaint handling process is as follows:

- The Privacy Officer will immediately acknowledge the complaint or question in writing
- The Privacy Officer shall investigate all complaints
- A written response will be made within 30 days of receiving the complaint or question
- If a complaint is found to be justified, FOCAL shall take appropriate measures, including revision of the personal information and, if necessary, amendment of policies and practices
- If the complaint is not satisfactorily resolved, it may be taken to the Board of Directors, an independent mediator or arbitrator, or to the federal Privacy Commissioner.

SECURITY OF PERSONAL INFORMATION (PI)

Electronic

Authorized users require a personal user name and password to access FOCAL’s network and network resources will be limited based on the groups the user is a member of. Protocols for passwords are contained in the Network Policy manual. Departmental and personal folders are protected via network permissions. Specific files containing PI are further protected by passwords initiated by the person who gathered the information.

System backups are locked in a fireproof cabinet to which access is restricted or off-site in a safety deposit box.

Paper

1. All PI shall be stored in filing cabinets or drawers that can be locked and access restricted to the individual who provided the information, the Privacy Officer if necessary, and the person(s) who need the information for the purpose for which it was gathered. PI must be securely stored overnight, at weekends and when not in use during office hours.

2. Copies of keys are held by the Privacy Officer.

RETENTION OF PERSONAL INFORMATION (PI)

1. PI shall be retained only for as long as required for the purpose for which it was obtained, or to conform to legal requirements.

2. Documentation that may be required by the Canada Customs and Revenue Agency, by other federal departments or provincial governments, or by project funders according to contracts, shall be held as specified:

· Federal or provincial government - 7 years
· Project Funders - As required by the applicable contract or Contribution Agreement

DISPOSAL OF PERSONAL INFORMATION (PI)

Electronic

Employees are responsible for deleting PI from personal network drives on a regular basis. Each department will assign responsibility to a staff member for purging PI from departmental drives twice a year. The Information Systems Manager has overall responsibility for electronic data management practices and the effective disposal or cleaning of PI from the network, although the absolute destruction of electronic data cannot be assured.

Paper

PI shall be shredded when no longer required. The Office Manager is responsible for planning clean up days at least once a year when shredding facilities will be made available.