Privacy Policies and Procedures
Preamble
The Canadian College of Health Leaders (CCHL) undertakes to protect personal information it collects in compliance with the federal Personal Information Protection and Electronic Documents Act. The following outlines CCHL’s commitment to respect privacy, maintain confidentiality and safeguard personal information. The following principles and policies are based on those in Schedule 1 of the Act.
The Act defines personal information as “any information about an identifiable individual.” As such “business card” information is excluded from the definition; it is not subject to the rules in the Act or these policies.
Should you have questions or concerns about this Privacy Policy and Procedures, or CCHL’s use of your Personal Data, contact us at:
Email: [email protected]
Telephone: 1-800-363-9056 (toll-free)
Send Mail:
Canadian College of Health Leaders
150 Isabella, Suite 1102
Ottawa, Ontario K1S 1V7
Policies
1. Accountability
1.1 CCHL’S President and CEO is accountable for CCHL’s compliance with the Personal Information Protection and Electronic Documents Act, even though other employees or agents may be delegated to act on behalf of the President And CEO.
Procedure:
When delegating duties and responsibilities under the Act or the CCHL’s policies, the President and CEO will issue a written notification to employees and agents
1.2 CCHL uses contractual or other means to provide privacy protection, when personal information collected by CCHL is being processed by a third party.
Procedure:
When a contractor has access to personal information, collected by CCHL, for processing or other purposes, the contract has provisions addressing the contractor’s duty to:
a) limit uses and disclosures to purposes allowed by the contract;
b) use physical, organizational and technical safeguards to protect the personal information from unauthorized access, use, disclosure or destruction, to an identified standard;
c) limit access to its employees and agents who have a “need to know”;
d) ensure its employees and agents sign a confidentiality pledge; and § allows CCHL to conduct audits of the contractor’s compliance with the provisions.
1.3 CCHL implements privacy policies and practices, including:
a) implementing procedures to protect personal information;
b) establishing procedures to receive and respond to complaints and inquiries;
c) training staff and communicating to staff information about CCHL’s policies and practices; and
d) developing information to explain CCHL’s policies and procedures.
Procedure:
a) See procedures under section 7
b) See procedures under section 10
c) See procedures under section 7
d) See procedures under section 8
2. Identifying Purposes
2.1 CCHL identifies and documents the purposes for which personal information is collected.
Procedure:
a) The employee or agent responsible for each CCHL program or service that involves the personal information, drafts a statement of purposes.
b) The employee or agent then consults with appropriate advisory groups or committees, where they exist.
c) The employee or agent then submits the purposes statement to the President and CEO.
d) Upon approval by the President and CEO, the employee or agent:
- includes the purposes statement in documentation of the program or service, and
- makes it available upon request.
2.2 CCHL communicates the identified purposes to individuals at or before the time of collection. Depending upon the way in which the information is collected, this can be done orally or in writing.
Procedure:
The employee or agent responsible for each CCHL program or service that involves the personal information ensures that the approved purposes are communicated to individuals at or before the time of collecting personal information. This may occur by:
a) including a notice on application, registration and order forms, both paper and electronic;
b) including the purposes in brochures and other materials that describe the program or service; and
c) verbally explaining the purposes when information is collected verbally (e.g., by phone).
2.3 When personal information is to be used for a new purpose, CCHL documents the new purpose prior to use. Unless the new purpose is required by law, CCHL obtains the consent of the individual before information is used for the new purpose.
Procedure:
The employee or agent responsible for each CCHL program or service that involves the personal information:
a) ensures any new purpose is documented, approved and communicated by following procedures 2.1 and 2.2; and
b) obtains consent from individuals to use personal information for the new purpose, unless the new purpose is required by law
2.4 CCHL employees and agents who collect personal information are able to explain the identified purposes.
Procedure:
The employee or agent responsible for each CCHL program or service that involves the personal information ensures that those who collect the personal information are able to explain the identified purposes.
3. Consent
3.1 CCHL obtains consent for the collection of personal information and its subsequent use or disclosure, at the time of collection or before use for a new purpose.
Procedure:
The employee or agent responsible for each CCHL program or service ensures that implied or express consent is obtained when personal information is collected.
3.2 CCHL assumes implied consent has been provided when an individual completes and submits an application, registration and order forms when the purposes are on the form or identified in related program documentation provided to the individual.
CCHL makes a reasonable effort to inform individuals of the identified purposes, so that they can understand how their personal information will be used or disclosed.
CCHL does not require an individual to consent to the collection, use, or disclosure of personal information beyond that required to supply a product or service.
Procedure:
The employee or agent responsible for each CCHL program or service ensures that application, registration and order forms and/or related documentation:
- include the identified purposes;
- include a statement that “CCHL considers there is implied consent to use and disclose the personal information collected for the identified purposes when a completed form is submitted”; and
- provide “opt-out” boxes that permit an individual to refuse consent for specific purposes which are not essential for the program or service (for example, appearing in the Members’ Directory or on the list of conference participants).
3.3 CCHL seeks express consent when appropriate, given the reasonable expectations of an individual and the sensitivity of the information.
Procedure:
The employee or agent responsible for each CCHL program or service ensures that express consent for the collection, use or disclosure of personal information is obtained from an individual, when:
a) implied consent would not be reasonable; or
b) the information is sensitive.
3.4 CCHL does not obtain consent through deception.
Procedure:
No related procedure.
3.5 An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. CCHL informs the individual of the implications of such withdrawal.
Procedure:
The employee or agent responsible for each CCHL program or service ensures that:
a) individuals are advised of the implications of withdrawing consent (for example, if an individual withdraws consent for CCHL to use the information on his or her application, the application cannot be processed); and
b) personal information is not used or disclosed when consent has been withdrawn.
4. Limiting Collection
4.1 CCHL only collects personal information necessary to fulfil the identified purposes.
Procedure:
The employee or agent responsible for each CCHL program or service reviews application, registration and order forms to ensure that only personal information necessary for the purpose is collected.
4.2 CCHL specifies the type of personal information collected as part of its information-handling policies and practices.
Procedure:
The employee or agent responsible for each CCHL program or service ensures that public information about the programs and services describes the types of personal information collected.
4.3 CCHL only collects personal information by fair and lawful means.
Procedure:
a) An employee or agent who believes personal information is being collected by unfair or unlawful means, advises the President and CEO.
b) The President and CEO investigates and takes corrective action if required.
5. Limiting Use, Disclosure, and Retention
5.1 CCHL does not use personal information for purposes other than those for which it was collected, except with the consent of the individual or as required by law.
Procedure:
The employee or agent responsible for each CCHL program or service ensures that personal information is only used for the identified purposes, unless:
- the individual has consented to another use; or
- the use is required by law.
5.2 CCHL does not disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required by law.
Procedure:
The employee or agent responsible for each CCHL program or service ensures that personal information is only disclosed for the identified purposes, unless:
- the individual has consented to another disclosure; or
- the disclosure is required by law.
5.3 CCHL retains personal information only as long as necessary for the fulfilment of the purposes it was collected for, according to minimum and maximum retention periods.
Procedure:
a) CCHL prepares a retention schedule, with minimum and maximum retention periods for various types of personal information collected by CCHL.
b) Upon approval by the President and CEO, the retention schedule is distributed to all employees and agents for implementation.
5.4 Personal information that is no longer required to fulfil the identified purposes is destroyed, erased, or made anonymous. CCHL destroys personal information in a manner that prevents unauthorized access, use or disclosure.
Procedure:
a) CCHL prepares a record disposition procedure for records of personal information collected by CCHL.
b) Upon approval by the President and CEO, the record disposition procedure is distributed to all employees and agents for implementation.
6. Accuracy
6.1 CCHL ensures personal information shall be as accurate, complete, and up-to-date as is necessary for the identified purposes, to minimize the possibility that inappropriate information may be used to make a decision about the individual.
Procedure:
The employee or agent responsible for each CCHL program or service takes reasonable steps to ensure that personal information is accurate, complete and up-to-date as necessary for the purposes.
6.2 CCHL routinely updates personal information only when necessary to fulfil the purposes for which the information was collected.
Procedure:
a) CCHL ensures that members have the opportunity to review and update their personal information for the membership database as part of the annual membership renewal process.
b) For other purposes, the employee or agent responsible for each CCHL program or service only updates personal information when needed to carry out the purpose.
7. Safeguards
7.1 CCHL has security safeguards to protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification.
CCHL’s safeguards include:
a) Physical measures such as restricted access to its offices;
b) Organizational measures such as having staff sign a confidentiality pledge; and
c) Technological measures, such as the use of passwords and firewalls.
Procedure:
CCHL is responsible for:
a) protecting personal information in electronic formats against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification, by:
• developing, implementing and monitoring procedures and processes to support the secure collection, access, retention, destruction, storage, transfer and release of personal health information;
• implementing privacy and security enhancing technologies to counter threats to personal health information;
• maintaining disaster recovery plans to ensure the availability of information systems
• responding to security incidents and breaches and taking corrective action to prevent similar breaches in the future;
• maintaining detailed inventories of system hardware, software and data; and
• maintaining up-to-date system control and audit logs
b) protecting personal information in non-electronic formats against loss or theft, as well as unauthorized access, disclosure, copying, use or modification, by:
• implementing and monitoring procedures and processes to safeguard personal health information from such risks;
• designating staff who have responsibilities under the procedures; and
• regularly reviewing and testing the effectiveness of the safeguards.
c) developing, implementing and monitoring procedures and systems which:
• control access to CCHL offices;
• ensure visitors are screened and supervised;
• provide for the secure disposal and destruction of non-electronic records containing personal health information; and
• other corporate safeguards
7.3 CCHL makes its staff aware of the importance of maintaining the confidentiality of personal information.
Procedure:
CCHL ensures that each new employee:
• receives a copy of these privacy policies and procedures; and
• signs a confidentiality pledge as a condition of employment.
8. Openness
8.1 CCHL makes readily available information about its policies and practices relating to the management of personal information, including:
a) the name or title and the address of the President and CEO who is accountable for the CCHL’s policies and practices and to whom complaints or inquiries can be forwarded;
b) the means of gaining access to personal information held by CCHL;
c) a description of the type of personal information held by CCHL including a general account of its use;
d) a copy of any brochures or other information that explain CCHL’s policies, standards or codes; and
e) what personal information is made available to related organizations.
Procedure:
CCHL ensures that the information listed in this policy is available to the public through appropriate means such as paper documentation and information on the CCHL website.
9. Individual Access
9.1 Upon request, CCHL informs an individual of the existence, use, and disclosure of his or her personal information.
Procedure:
When an individual:
- inquires about the existence, use and disclosure of his or her personal information; or
- requests access to his or her personal information
9.2 Upon request, CCHL provides an individual with access to his or her personal information. Exceptions to access may occur when information:
a) is prohibitively costly to provide;
b) contains references to other individuals;
c) cannot be disclosed for legal, security, or commercial proprietary reasons; and
d) is subject to solicitor-client or litigation privilege.
Upon request, CCHL provides the reasons for any denial of access.
Procedure:
CCHL:
a) coordinates the search for all records that contain the individual’s personal information;
b) reviews the records to determine if any information will be withheld; and
c) responds in writing to the individual within 30 days, to indicate:
- whether access will be provided;
- the reasons why access is denied to any of the records; or
- that the records are attached (if copies requested) or the process to examine the originals.
9.3 An individual is able to challenge the accuracy and completeness of the information.
Procedure:
When an individual requests amendments to his or her personal information, the employee or agent:
a) makes the changes when it is reasonable to do so (for example, new address): or
b) refers to the request to the appropriate employee or agent, who makes the amendments
9.4 When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, CCHL amends the information as required and, if:
a) appropriate, transmits the amended information to third parties to whom it has been disclosed; and
b) when a challenge is not resolved to the satisfaction of the individual, CCHL records the substance of the unresolved challenge and when appropriate, transmits the existence of the unresolved challenge to third parties to whom the information in question was disclosed.
Procedure:
When the amendments are of a more substantial nature, the employee receiving the request may ask the individual to submit the request in writing with supporting documentation. In this case CCHL:
a) clarifies the request with the individual;
b) reviews the request to determine if amendments are appropriate; and c) responds in writing within 30 days, to indicate:
- whether the amendment has been made;
- the reasons why an amendment has been refused;
- that a note has been added to the individual’s records which described the unresolved dispute; and
- whether the amendment or statement of dispute will be provided to other parties who have received the original information
9.5 CCHL responds to an individual's requests normally within 30 days and at no cost to the individual.
10. Challenging Compliance
10.1 An individual is able to address a challenge concerning CCHL’s compliance with these policies or the Personal Information Protection and Electronic Documents Act to the President and CEO.
10.2 CCHL informs individuals who make inquiries or lodge complaints of the relevant complaint procedures.
Procedure:
a) When an individual inquires about challenging compliance, the employee or agent provides this procedure;
b) An individual may challenge CCHL’s compliance with these policies or the Personal Information Protection and Electronic Documents Act in writing to the President and CEO; and
c) Following investigation of the challenge, the President and CEO will notify the individual in writing of:
- the findings;
- the actions being taken, if any; and
- the individual’s right to appeal to the Privacy Commissioner of Canada
10.3 CCHL investigates all complaints. If a complaint is found to be justified, CCHL takes appropriate measures, including, if necessary, amending its policies and practices.
11 Web site data and electronic email
11.1 Web site Cookies and Web Beacons Some of CCHL’s web pages utilize “cookies” and other technologies, such as web beacons. A “cookie” is a small text file that may be used, for example, to collect information about website activity, and is stored on your system. Some cookies and other technologies may serve to recall personal data previously indicated by a web user. Most browsers allow you to control cookies, including whether or not to accept them and how to remove them. You can change your browser to notify you about cookies, so you can choose to accept the cookie or not. At times, if you do not accept the cookie, you will not be able to access a web page. If you want to accept the cookie, you can later delete it from your windows cookies directory. Use the search function in your browser’s help menu to learn how to manage and delete cookies. You may set most browsers to notify you if you receive a cookie, or you may choose to block cookies with your browser, but please note that if you choose to erase or block cookies, you will need to re-enter your original user ID and password to gain access to certain parts of the CCHL’s web sites. Similar controls on accepting web beacons are also available. Web beacons are electronic images contained on our web pages that permit CCHL to compile aggregated statistics about how visitors use our site and to gauge the effectiveness of our advertising. Web beacons may record information such as Internet domain and host names; Internet protocol (IP) addresses; browser software and operating system types; clickstream patterns; and dates and times that our site is accessed. CCHL’s use of cookies and other tracking technologies allows us to improve our web site and your web experience. We may also analyze information that does not contain personal data for trends and statistics.
Procedure:
CCHL will include a cookie warning when a visitor lands on CCHL web sites as well as a link to the CCHL privacy policy in the footer area of the web sites. For third party landing page service providers the College will ensure that the service provider complies with GDPR policies, and a link to CCHL’s privacy policy will be included in the footer of landing pages that use CCHL’s Google Analytics account. Any form contained on the landing page will include notification of, and a link to CCHL’s privacy policy. Third party service providers use of information will be governed by the third party’s privacy policy
11.2 Links to Other Web sites: Some pages on CCHL’s web sites may contain links to other web sites. CCHL has no control over the privacy practices or content of such web sites. We recommend you carefully read the privacy policies of each site you visit.
11.3 Canada’s Anti-Spam Legislation for Electronic Email CCHL complies with Canada’s Anti-Spam Legislation, which came into force in 2014. Only those who have given consent or have an existing business relationship with CCHL will receive our electronic mailings. You will have the option to unsubscribe to our electronic mailings and communications at no cost to you. You are considered to have given consent for our use of programs or cookies as indicated by your conduct; that is, if you disable cookies in your browser, you would not be considered to have given consent to have cookies installed.
Visit https://fightspam.gc.ca/eic/site/030.nsf/eng/home to read updates to CASL.
Procedure:
CCHL will follow CASL compliance and best practices. Email communications will be clearly identified as from our organization with full contact information provided. Only those who have given consent or have an existing business relationship with CCHL will receive our electronic mailings. As a subscriber, you have the option to unsubscribe at any time at no cost to you
Child Safety Standards Policy
Child Safety Standards
Any explicit content or child sexual abuse and exploitation (CSAE) is strongly prohibited on our application.
Compliance with Child Safety laws & reporting
Our app complies with applicable child safety laws and regulations.
Our app ensures all content shared within the app is appropriate for a mixed audience, including children. User-generated content is moderated to prevent inappropriate material from being accessible.
Any CSAM (Child Safety Abuse Material) content will be automatically removed when flagged or reported through our moderation features or if we are directly contacted for this purpose.
We will systematically take action to report confirmed CSAM content to the National Center for Missing and Exploited Children.
CSAM consists of any visual depiction, including but not limited to photos, videos and computer-generated imagery, involving the use of a minor engaging in sexually explicit conduct.
Child safety point of contact
You can reach out to [INSERT CONTACT EMAIL] if CSAM content is detected.
Privacy and Data Protection
Our app is committed to protecting user data, especially for children under 13, in compliance with applicable regulations.
The privacy policy is displayed clearly and is accessible from the app settings and our website
All data is encrypted during transmission and stored securely.
Ads and Monetization
Our app does not include ads or monetized content.
Transparency and Disclosures
Data safety: Detailed information is provided as per Google Play’s Data safety form.
Content ratings: IARC 3+, L, E, 3, 3, USK 0
Validation and updates
Regular internal testing is conducted to ensure compliance with Google Play’s child safety standards, including functionality reviews and content audits.
Policies are reviewed quarterly or as required to align with updated child safety standards.