Privacy and Confidentiality Policy
Rationale and Relationship to Mission, Principles and Values
The Multiple Sclerosis Society of Canada (MS Society) recognizes
an individual’s right to privacy and is committed to maintaining
the accuracy, confidentiality and security of the personal
information in its custody. In pursuit of our mission, the MS
Society pledges to treat everyone with respect and dignity and
protect their privacy.
The MS Society adheres to the highest standards of quality,
transparency, and accountability. To demonstrate this commitment,
the organization has developed policies and procedures about the
collection, use and disclosure of information that align with
federal and provincial legislation and with industry standards.
This Policy acts as the articulation of the MS Society of
Canada’s privacy practices and standards about the collection,
use and disclosure of personal information and personal health
information in the course of its activities. It is intended to
guide all staff, volunteers and third‐parties who are given
access to personal information in MS Society’s possession.
As used in this Policy, the term personal information is
inclusive of personal health information, unless the latter term
is used exclusively. In that case, it applies only to personal
This policy applies to volunteers and staff at all levels and
locations of the MS Society including the national office,
divisions and chapters.
In addition, the MS Society requires that any individual or
third‐party who collects, uses or discloses personal information
on behalf of the organization complies with the provisions of
this policy in relation to the respective work.
The policy was first approved by the board of directors of the MS
Society of Canada on May 4, 2002. Upon its approval, this Privacy
and Confidentiality Policy superseded the 1989 board‐approved
Confidentiality Policy since it both includes and extends those
A. MS Society of Canada property
Any and all records referred to in the document as being personal
information or personal health information are, and will remain
the property of the MS Society of Canada. Volunteers and staff
are required to maintain the privacy and confidentiality of all
records in any and all formats both while acting as an active
volunteer or staff member and after they leave the MS Society.
B. Compliance with relevant legislation
The MS Society will comply with all applicable provisions of
Federal and provincial privacy
The MS Society considers the Personal Information Protection and
Electronic Documents Act (PIPEDA) ‐ the federal privacy law for
private‐sector organizations ‐ the standard by which personal
information should be protected. PIPEDA sets out the rules for
how businesses must handle personal information in the course of
commercial activities. Most MS Society activities are not
“commercial activities” as defined by PIPEDA. One MS Society
activity that is regulated under the provisions of PIPEDA is “the
selling, bartering or leasing of donor, membership or other fund
raising lists”, as the MS Society from time to time exchanges
donor lists (name and address only) with like‐minded
In provinces and / or territories with more stringent privacy
policies, MS Society of Canada activities within those
jurisdictions should meet the requirements of both the provincial
/ territorial legislation and PIPEDA.
Personal health information legislation
The MS Society considers information about whether a person has
multiple sclerosis to be personal health information. Several
Canadian provinces have legislation specific to the privacy of
health information which has been declared substantially similar
to PIPEDA with respect to health information custodians. While
the MS Society is not a health care custodian by law, it has
voluntarily adopted elements outlined in personal health
Canada’s Anti‐Spam Legislation (CASL)
This policy supports the MS Society’s compliance with Canada’s
C. Personal and health information collected
To achieve its mission, the MS Society collects certain personal
information about its members, donors, clients, event
participants, staff and volunteers, meeting legal obligations and
as otherwise permitted or required by law. Such information
enables the MS Society to deliver programs and services, pursue
government relations and advocacy initiatives, deliver MS public
education, fundraise, process donations, administer memberships,
conduct marketing efforts, undertake statistical reporting, etc.
MS Society collects the minimum amount of information needed to
establish and maintain a service, volunteer, participant, donor
or program relationship with an individual. Subject to the
application of the consent principle outlined in Section 3 below,
personal information collected by the MS Society may include, but
is not limited to:
- Contact and identification information, such as name,
address, telephone number and email address;
- MS diagnosis;
- A brief summary of the service requested and/or received
(programs and services database);
- Membership status and history (date when one became a member,
current membership status, chapter affiliation, etc.);
- Participation in MS Society of Canada advocacy online
campaigns and fundraising events;
- Donation information such as date of gift, amount of gift,
the campaign to which one contributed;
- Financial information such as payment methods and
preferences, billing and banking information (credit card number
and expiry date or chequing account transit numbers which are
required to process a donation). We may provide restricted
information (name, address, partial credit card number) for
administrative purposes to vendors located in the United States;
- Other personal information used for purposes that a
reasonable person would consider appropriate in the
D. Privacy and Confidentiality Principles
The MS Society will abide by the following 10 principles when
collecting, using and disclosing personal information:
The MS Society is responsible for the personal information
under its control.
- The MS Society will designate an individual or
individuals to ensure compliance with this Policy as
- A national privacy officer is designated by the
Executive Champion of this policy and confirmed by the
board of directors of the MS Society.
- Within each division, the most senior staff person
(president or executive director) will be accountable for
compliance within their respective division in
consultation with the national privacy officer.
- A division privacy officer will be appointed by the
respective division president to oversee the
implementation of the privacy program in that division.
- Chapters may designate an individual to be
accountable for compliance in consultation with their
division’s most senior staff person. Divisions have an
obligation to oversee how chapters carry out the present
- The MS Society will implement practices and procedures to
carry out the policy, including:
- Implementing procedures to protect personal
- Establishing procedures to receive and respond to
complaints and inquiries from individuals regarding their
- Training volunteers and staff and communicating to
volunteers and staff information about this Privacy and
Confidentiality policy and practices; and
MS Society of Canada will identify the purposes for which
personal information is collected. The identified purposes will
be specified at or before the time of collection to the
individual from whom the personal information is collected.
When personal information that has been collected is to be used
for a purpose not previously identified, the MS Society is
obligated to communicate the new purpose to each individual and
obtain their consent to use the information.
The knowledge and consent of the individual are required for
the collection, use, or disclosure of personal information,
except where consent is not required for very specific reasons.
It is anticipated that instances in which knowledge and consent
of the individual would not be required would be extremely rare
and would include legal, medical or security reasons which
would have to be fully documented.
Consent is considered valid only if it is reasonable to expect
that individuals to whom the MS Society’s activities are
directed would understand the nature, purpose and consequences
of the collection, use or disclosure, to which they are
- Typically, MS Society staff and volunteers will seek
consent for the use or disclosure of the information at the
time of collection. The form of the consent sought by the MS
Society of Canada may be either express or
implied, depending upon the circumstances
and the sensitive nature of the personal information.
Express consent is required from an
individual before the MS Society will disclose personal
health information about that individual to an external
organization or individual. Express consent can be provided
verbally or in writing.
- The provision of personal information to the MS Society
constitutes implied consent to collect, use
and disclose their personal information in accordance with
this policy, unless an individual expressly instructs
Implied consent can also be inferred where there is an
existing (i.e. past two years) business or non‐business
relationship between an individual and the MS Society.
Examples include but are not limited to a donor, a
volunteer, a member, an event participant, a research grant
applicant, someone who has contacted the MS Society for
Implied consent is considered to be
sufficient for fundraising purposes to allow the trade of
limited personal information (name and home address only)
about a donor to another charitable organization if the
individual has been informed that his/her personal
information might be used in this manner and he/she has
been given an opportunity in a clear and meaningful way to
Implied consent is also considered
sufficient for relevant commercial electronic messages
(CEM) under CASL, provided the individual receiving the
message has interacted with the MS Society in the immediate
two‐year period the day before the CEM is sent to them,
the sender clearly identifies themselves
and the CEM receiver has been given an opportunity in a
clear and meaningful way to opt‐out.
Commercial electronic messages sent by the MS Society that
have fundraising as the primary purpose are exempt from
No consent: There are certain activities
for which consent is not required to use or disclose
personal information. These activities are permitted or
required by law. For example, we do not need consent from
individuals to (this is not an exhaustive list) respond to
legal proceedings or comply with mandatory reporting
obligations, investigations / fraud detection and
prevention, witness statements in insurance claims,
financial abuse, personal information produced in the
course of employment, business or profession, or other as
identified by law from time to time.
- The MS Society may use or disclose your personal
information without consent where the Society believes, upon
reasonable grounds, that it is necessary to protect the
rights, privacy or safety of an identifiable group or person
(including you) or the public.
Withholding or Withdrawal of Consent: If
consent is sought, an individual may choose not to give
consent (“withholding consent”). If consent is given, an
individual may withdraw consent at any time, but the
withdrawal cannot be retrospective. The withdrawal may also
be subject to legal or contractual restrictions and
The collection of
personal information will be limited to that which is necessary
for the purposes identified by the MS Society of Canada.
Information will be collected by fair and lawful means.
Limiting Use, Disclosure and Retention
Personal information will not be used or disclosed for purposes
other than those for which it was collected, except with the
consent of the individual or as required by law. Personal
information will be retained only as long as necessary for the
fulfillment of those purposes.
Whenever possible, access to personal information will be
limited to authorized users only. Personal information may only
be used within the limits of each staff and volunteer role.
Staff and volunteers may not read, look at, receive or
otherwise use personal information unless they have a
legitimate “need to know” as part of their position.
Personal information may only be disclosed within the limits of
each staff / volunteer role. Staff and volunteers may not
share, talk about, send to, or otherwise disclose personal
information to anyone else unless that activity is an
authorized part of their position.
Personal health information that is no longer required to
fulfill the identified purposes will be destroyed, erased, or
made anonymous safely and securely.
When the MS Society discloses personal information to
third‐party service providers with whom it has a contractual
relationship, the third‐party providers will only be given
access to personal information that is needed to perform the
related function and may not use it for any other purpose.
The MS Society will take
reasonable steps to ensure that personal information in its
custody is accurate, complete, and up‐to‐date as is necessary
for the purposes for which it is to be used. Personal
information that is used on an ongoing basis, including
information that is disclosed to third parties, will generally
be accurate and up‐to‐date, unless limits to the requirement
for accuracy are clearly set out. Individuals will always have
the opportunity to contact the MS Society to update their
MS Society will use appropriate
security safeguards (depending on the sensitivity of the
information) to protect personal information against loss or
theft, as well as unauthorized access, disclosure, copying,
use, or modification, regardless of the format in which it is
held. Safeguards will include: physical safeguards (such as
locked filing cabinets and rooms); organizational safeguards
(such as permitting access to personal health information by
staff on a "need‐to‐know" basis only); and technological
safeguards (such as the use of passwords, encryption, and
The MS Society requires that any individual or third‐party who
collects, uses or discloses personal information on behalf of
the organization complies with the provisions of this policy.
This will be done through the signing of confidentiality
agreements, privacy training and other contractual means.
Care will be used in the disposal or destruction of personal
information, to prevent unauthorized parties from gaining
access to the information.
Information about MS Society
privacy policies and practices relating to the management of
personal information will be available to the public,
- Contact information for our Privacy Officer[s], to whom
complaints or inquiries can be made;
- The process for obtaining access to personal information
held by the MS Society, and making requests for its
- A description of the type of personal information held by
the MS Society, including a general account of our uses and
- A description of how an individual may make a complaint
to the MS Society.
- Copies of any brochures or other information that explain
the MS Society’s policies, standards, or codes.
If an individual
requests, the MS Society will inform them of the existence,
use, and disclosure of their personal information. The
individual will be given access to that information, will be
able to challenge the accuracy and completeness of the
information and have it amended as appropriate.
In certain situations, the MS Society may not be able to
provide access to all the personal information it holds about
an individual. Exceptions to the access requirement will be
limited and specific. The reasons for denying access will be
provided to the individual upon request. Exceptions may include
information that is prohibitively costly to provide,
information that contains references to other individuals,
information that cannot be disclosed for legal, security, or
commercial proprietary reasons, and information that is subject
to solicitor‐client or litigation privilege.
An individual will be able to address a challenge concerning
the MS Society of Canada’s compliance with its own Privacy and
Confidentiality Policy to the MS national or division privacy
Privacy officers will receive and respond to complaints or
inquiries about organizational policies and practices relating
to the handling of personal information as outlined in the
Privacy Breach Management Procedures document. They will inform
individuals who make inquiries or lodge complaints of other
available complaint procedures.
The MS Society will investigate all complaints. If a complaint
is found to be justified, the MS Society will take appropriate
measures to respond.
The President and CEO is the executive champion for this policy
Monitoring and Compliance
The President and CEO is responsible for leading the monitoring
of the application of and compliance with this policy direction
and the related procedures in conjunction with other members of
the Executive Team.
On a quarterly basis, national vice‐presidents and division
presidents must acknowledge compliance with this policy direction
and the related procedures.
This policy is subject to change due to legal and regulatory
requirements, introduction of new technologies, business
practices and stakeholder needs.
Related Policies, Legislation
The policy direction is to be reviewed at a minimum every five
(5) years following its approval.
Privacy – the fundamental right of an individual
to control information about themselves (including the collection,
use and disclosure of and access to that information).
Confidentiality – an obligation to protect
personal information, to maintain its secrecy and not misuse or
wrongfully disclose it.
Personal information – Personal information is
any information about an identifiable individual, other than an
individual’s business title, address or telephone number.
Examples of personal information are: name, home address, age,
health and financial information. It does not include information
that cannot be tracked back to a specific individual. In
addition, information that is publicly available, such as a
telephone book listing, is not considered to be personal
information. The history of an individual’s donations to the MS
Society of Canada is personal information.
Personal health information – Personal health
information is defined to mean, with respect to an individual,
whether living or deceased:
- Information concerning the physical or mental health of the
- Information concerning any health service provided to the
- Information concerning the donation by the individual of any
body part or any bodily substance of the individual or
information derived from the testing or examination of a body
part or bodily substance of an individual;
- Information that is collected in the course of providing
health services to the individual;
- Information that is collected incidentally to the provision
of health services to the individual.
Executive Team – The most senior level of staff
leadership within the MS Society comprised of the president and
chief executive officer, division presidents, national
vice‐presidents of talent, research, marketing and development,
programs and services, government relations, information
technology, shared services. One person may hold more than one
position. The president & chief executive officer may alter
the composition of the Executive Team as required from
MS Society of Canada Policy Manual
Applies to: all staff and volunteers
Approved on: May 2002
Approved by: board of directors of the MS Society
Frequency: every 5 years
Last reviewed on: December 2016, June 2017
Date of next review: 2021