ACLD Personal Information Protection Policy
December 31, 2020, 8:11:48 p.m.
Arts Council of Ladysmith and District
Personal Information Protection Policy
At the Arts Council of Ladysmith and District, we are committed to providing our stakeholders (members, customers, staff, sponsors, donors and executive) with timely and effective programming, support, and services. This commitment necessitates the collection, use and disclosure of certain personal information, and we take the protection of that information seriously.
While we have always respected our stakeholders’ privacy and safeguarded their personal information, we have strengthened our commitment to protecting personal information as a result of British Columbia’s Personal Information Protection Act (PIPA). PIPA, which came into effect on January 1, 2004, sets out the ground rules for how B.C. businesses and not-for-profit organizations may collect, use and disclose personal information.
We will inform our stakeholders of why and how we collect, use and disclose their personal information, obtain their consent where required, and only handle their personal information in a manner that a reasonable person would consider appropriate in the circumstances.
This Personal Information Protection Policy, in compliance with PIPA, outlines the principles and practices we will follow in protecting personal information. Our privacy commitment includes ensuring the accuracy, confidentiality, and security of our stakeholders’ personal information, and it allows those stakeholders to request access to, and correction of, their personal information.
Scope of this Policy
This policy also applies to any service providers collecting, using or disclosing personal information on behalf of the Arts Council of Ladysmith and District.
Personal Information – information about an identifiable individual [E.g., name, age, home address, personal email address, phone number, credit card information]. Personal information does not include business contact information (described below).
Business Contact information – information that would enable an individual to be contacted at a place of business and includes name, position name or title, business telephone number, business address, business email or business fax number. Business contact information is not covered by this policy or PIPA.
Privacy Officer – the individual who is designated responsibility for ensuring that the Arts Council of Ladysmith and District complies with this policy and PIPA.
Policy 1 – Collecting Personal Information
1.1 Unless the purposes for collecting personal information are obvious and participating individuals voluntarily provide their personal information for those purposes, we will communicate—either orally or in writing before or at the time of collection—the reasons for which personal information is being collected.
1.2 We will only collect personal information that is necessary to fulfill the following purposes:
To deliver requested products and services;
To collect and process payments;
To plan and evaluate events, programming, and services;
To operate and administer our website;
To establish and maintain relationships with stakeholders;
To fulfill grant application requirements;
To inform stakeholders about relevant organizational news;
To coordinate volunteer activities;
To conduct human resource activities;
To contact our stakeholders for fundraising initiatives;
To meet regulatory requirements.
Policy 2 – Consent
2.1 We will obtain stakeholder consent to collect, use or disclose personal information (except where, as noted below, we are authorized to do so without consent).
2.2 Consent can be provided electronically, or it can be implied where the purpose for collecting, using or disclosing the personal information would be considered obvious and the stakeholder voluntarily provides personal information for that purpose.
2.3 Consent may also be implied where a stakeholder does not opt-out after being given notice and a reasonable opportunity to opt-out of the personal information being used for mail-outs or the marketing of new services, products, fundraising activities and events.
2.4 Subject to certain exceptions (e.g., the personal information is necessary to provide the service or product, or the withdrawal of consent would frustrate the performance of a legal obligation), stakeholders can withhold or withdraw their consent for the Arts Council of Ladysmith and District to use their personal information in specific ways. A stakeholder’s decision to withhold or withdraw their consent to certain uses of personal information may restrict our ability to provide a particular service or product. If so, we will explain the situation to them in making the decision.
2.5 We may collect, use or disclose personal information without the stakeholder’s knowledge or consent in the following limited circumstances:
when it is clearly in the interests of the individual, and consent cannot be obtained in a timely way;
when it is necessary to respond to an emergency that threatens the life, health, or security of the individual, and the individual is unable to give consent;
when it is reasonable to expect that obtaining the consent of the individual would compromise the availability or the accuracy of the personal information, and the collection is reasonable for an investigation or a proceeding;
when the personal information is collected by observation at a live event that is open to the public and the individual voluntarily appears;
when the personal information is publicly available;
when it is necessary to determine the individual's suitability to receive an honour, award or be selected for an artistic purpose;
when it is required or authorized by law;
when it is necessary for debt collection.
Policy 3 – Using and Disclosing Personal Information
3.1 We will only use or disclose personal information where necessary to fulfill the purposes identified at the time of collection, or for a purpose reasonably related to those purposes such as:
· conducting surveys in order to enhance the provision of our services;
· contacting our stakeholders directly about products, services, or events that may be of interest.
3.2 We will not use or disclose personal information for any additional purpose unless we obtain consent to do so.
3.3 We will not sell stakeholder lists or personal information to other parties.
Policy 4 – Retaining Personal Information
4.1 If we use an individual’s personal information to make a decision that directly affects that person, we will retain the personal information for at least one year so that the individual has a reasonable opportunity to request access to it.
4.2 Subject to policy 4.1, we will retain personal information only as long as it is necessary to fulfill the identified purposes or a legal or business purpose.
Policy 5 – Ensuring Accuracy of Personal Information
5.1 We will make reasonable efforts to ensure that personal information is accurate and complete, including when it may be used to make a decision about an individual or be disclosed to another organization.
5.2 Individuals may request correction to their personal information in order to ensure its accuracy and completeness. A request to correct personal information must include sufficient detail to identify the personal information and the correction being sought.
5.3 If the personal information is demonstrated to be inaccurate or incomplete, we will correct the information as required. If the correction is not made, we will record the correction request and note why the correction was not made.
Policy 6 – Securing Personal Information
6.1 We are committed to ensuring the security of personal information in order to protect it from unauthorized access, collection, use, disclosure, copying, modification or disposal or similar risks.
6.2 The following security measures will be followed to ensure that personal information is appropriately protected:
Retaining hard copies in a secure filing cabinet; physically securing offices where personal information is held; controlling the distribution of user IDs and passwords; providing access exclusively to those who require it to fulfill a designated purpose; requiring any service providers to provide comparable security measures.
6.3 We will use appropriate security measures when destroying personal information such as shredding documents and deleting or overriding electronically stored information.
6.4 We will continually review and update our security policies and controls as technology changes to ensure ongoing personal information security.
Policy 7 – Providing Stakeholder Access to Personal Information
7.1 Stakeholders have a right to access their personal information, except under the following exceptions:
the information was collected or disclosed without consent for the purposes of an investigation, and the investigation and associated proceedings and appeals have not been completed;
the information was collected or created by a mediator or arbitrator in the conduct of a mediation or arbitration;
the disclosure could reasonably be expected to threaten the safety or physical or mental health of an individual other than the individual who made the request;
the disclosure would reveal personal information about another individual;
the disclosure would reveal the identity of an individual who has provided personal information about another individual who does not consent to disclosure of their identity.
Note: Where possible, if the above conditions can be addressed by redacting information, the Arts Council of Ladysmith and District will provide the requesting individual with access to the redacted documents containing personal information.
7.2 A request to access personal information must be made in writing and provide sufficient detail to identify the personal information being sought. Requests to access personal information should be forwarded to the Privacy Officer.
7.3 Upon request, we will also tell stakeholders how we use their personal information and to whom it has been disclosed, if applicable.
7.4 We will make the requested information available within 30 business days, or provide written notice of an extension where additional time is required to fulfill the request.
7.5 If a request is refused in full or in part, we will notify the requesting individual in writing, providing the reasons for refusal and detailing the recourse available.
Policy 8 – Questions and Complaints: The Role of the Privacy Officer or designated individual
8.1 The Privacy Officer is responsible for ensuring the Arts Council of Ladysmith and District’s compliance with this policy and the Personal Information Protection Act.
8.2 Stakeholders should direct any complaints, concerns or questions regarding the Arts Council of Ladysmith and District’s compliance in writing to the Privacy Officer. If the Privacy Officer is unable to resolve the concern, stakeholders may also write to the Information and Privacy Commissioner of British Columbia.
Contact the Privacy Officer for the Arts Council of Ladysmith and District:
ACLD Privacy Officer
Mail: PO Box 2370 Ladysmith BC V9G 1B8