Multiple Sclerosis Society of Canada

Privacy and Confidentiality Policy

Rationale and Relationship to Mission, Principles and Values

The Multiple Sclerosis Society of Canada (MS Society) recognizes an individual’s right to privacy and is committed to maintaining the accuracy, confidentiality and security of the personal information in its custody. In pursuit of our mission, the MS Society pledges to treat everyone with respect and dignity and protect their privacy.

The MS Society adheres to the highest standards of quality, transparency, and accountability. To demonstrate this commitment, the organization has developed policies and procedures about the collection, use and disclosure of information that align with federal and provincial legislation and with industry standards.

Policy Objective

This Policy articulates the MS Society of Canada’s privacy practices and standards about the collection, use and disclosure of personal information and personal health information in the course of its activities. It is intended to guide all staff, volunteers and third parties who are given access to personal information in the MS Society’s possession.

As used in this Policy, the term personal information is inclusive of personal health information, unless the latter term is used exclusively. In that case, it applies only to personal health information.

Policy Application

This policy applies to volunteers and staff at all levels and locations of the MS Society including the national office, divisions and chapters.

In addition, the MS Society requires that any individual or third party who collects, uses or discloses personal information on behalf of the organization complies with the provisions of this policy in relation to the respective work.

Authorization

The policy was first approved by the board of directors of the MS Society of Canada on May 4, 2002. Upon its approval, this Privacy and Confidentiality Policy superseded the 1989 board-approved Confidentiality Policy since it both includes and extends those requirements.

Policy Details

A. MS Society of Canada property

Any and all records referred to in the document as being personal information or personal health information are, and will remain, the property of the MS Society of Canada. Volunteers and staff are required to maintain the privacy and confidentiality of all records in any and all formats, both while acting as an active volunteer or staff member and after they leave the MS Society.

B. Compliance with relevant legislation

The MS Society will comply with all applicable provisions of privacy legislation.

Federal and provincial privacy legislation

The MS Society considers the Personal Information Protection and Electronic Documents Act (PIPEDA), the federal privacy law for private-sector organizations, the standard by which personal information should be protected. PIPEDA sets out the rules for how businesses must handle personal information in the course of commercial activities. Most MS Society activities are not “commercial activities” as defined by PIPEDA. One MS Society activity that is regulated under the provisions of PIPEDA is “the selling, bartering or leasing of donor, membership or other fund raising lists”, because from time to time the MS Society exchanges donor lists (name and address only) with like-minded organizations.

In provinces and / or territories with more stringent privacy policies, MS Society of Canada activities within those jurisdictions should meet the requirements of both the provincial / territorial legislation and PIPEDA.

Personal health information legislation

The MS Society considers information about whether a person has multiple sclerosis to be personal health information. Several Canadian provinces have legislation specific to the privacy of health information which has been declared substantially similar to PIPEDA with respect to health information custodians. While the MS Society is not a health care custodian by law, it has voluntarily adopted elements outlined in personal health information legislation.

Canada’s Anti-Spam Legislation (CASL)

This policy supports the MS Society’s compliance with Canada’s Anti-Spam Legislation. 

C. Personal and health information collected

To achieve its mission, the MS Society collects certain personal information about its members, donors, clients, event participants, staff and volunteers, meeting legal obligations and as otherwise permitted or required by law.  Such information enables the MS Society to deliver programs and services, pursue government relations and advocacy initiatives, deliver MS public education, fundraise, process donations, administer memberships, conduct marketing efforts, undertake statistical reporting, etc.

MS Society collects the minimum amount of information needed to establish and maintain a service, volunteer, participant, donor or program relationship with an individual. Subject to the application of the consent principle outlined in Section 3 below, personal information collected by the MS Society may include, but is not limited to:

  • Contact and identification information, such as name, address, telephone number and email address;
  • MS diagnosis;
  • A brief summary of the service requested and/or received (programs and services database);
  • Membership status and history (date when one became a member, current membership status, chapter affiliation, etc.);
  • Participation in MS Society of Canada advocacy online campaigns and fundraising events;
  • Donation information such as date of gift, amount of gift, the campaign to which one contributed;
  • Financial information such as payment methods and preferences, billing and banking information (credit card number and expiry date or chequing account transit numbers which are required to process a donation). We may provide restricted information (name, address, partial credit card number) for administrative purposes to vendors located in the United States;
  • Other personal information used for purposes that a reasonable person would consider appropriate in the circumstances.

D. Privacy and Confidentiality Principles

The MS Society will abide by the following 10 principles when collecting, using and disclosing personal information:

  1. Accountability

The MS Society is responsible for the personal information under its control. 

  • The MS Society will designate an individual or individuals to ensure compliance with this Policy as follows:
      1. A national privacy officer is designated by the Executive Champion of this policy and confirmed by the board of directors of the MS Society.
      2. Within each division, the most senior staff person (president or executive director) will be accountable for compliance within their respective division in consultation with the national privacy officer.
      3. A division privacy officer will be appointed by the respective division president to oversee the implementation of the privacy program in that division.
      4. Chapters may designate an individual to be accountable for compliance in consultation with their division most senior staff person. Divisions have an obligation to oversee how chapters carry out the present policy.
  • The MS Society will implement practices and procedures to carry out the policy, including:
      1. Implementing procedures to protect personal information;
      2. Establishing procedures to receive and respond to complaints and inquiries from individuals regarding their personal information;
      3. Training volunteers and staff and communicating to volunteers and staff information about this Privacy and Confidentiality policy and practices; and
      4. Developing information to explain its Privacy policy and practices.

  2. Identifying Purposes

MS Society of Canada will identify the purposes for which personal information is collected. The identified purposes will be specified at or before the time of collection to the individual from whom the personal information is collected. When personal information that has been collected is to be used for a purpose not previously identified, the MS Society is obligated to communicate the new purpose to each individual and obtain their consent to use the information.

  3. Consent

The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where consent is not required for very specific reasons. It is anticipated that instances in which knowledge and consent of the individual would not be required would be extremely rare and would include legal, medical or security reasons which would have to be fully documented.

Consent is considered valid only if it is reasonable to expect that individuals to whom the MS Society’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure to which they are consenting.

  • Typically, MS Society staff and volunteers will seek consent for the use or disclosure of the information at the time of collection. The form of the consent sought by the MS Society of Canada may be either express or implied, depending upon the circumstances and the sensitive nature of the personal information.
  • Express consent is required from an individual before the MS Society will disclose personal health information about that individual to an external organization or individual. Express consent can be provided verbally or in writing.
  • The provision of personal information to the MS Society constitutes implied consent to collect, use and disclose their personal information in accordance with this policy, unless an individual expressly instructs otherwise.

    Implied consent can also be inferred where there is an existing (i.e. past two years) business or non‐business relationship between an individual and the MS Society. Examples include but are not limited to a donor, a volunteer, a member, an event participant, a research grant applicant, someone who has contacted the MS Society for services, etc.

Implied consent is considered to be sufficient for fundraising purposes to allow the trade of limited personal information (name and home address only) about a donor to another charitable organization if the individual has been informed that his/her personal information might be used in this manner and he/she has been given an opportunity in a clear and meaningful way to opt-out.

Implied consent is also considered sufficient for relevant commercial electronic messages (CEM) under CASL, provided the individual receiving the message has interacted with the MS Society in the immediate two-year period the day before the CEM is sent to them, the sender clearly identifies themselves, and the CEM receiver has been given an opportunity in a clear and meaningful way to opt out. Commercial electronic messages sent by the MS Society that have fundraising as the primary purpose are exempt from CASL.

  • No consent: There are certain activities for which consent is not required to use or disclose personal information. These activities are permitted or required by law. For example, we do not need consent from individuals to (this is not an exhaustive list) respond to legal proceedings or comply with mandatory reporting obligations, investigations / fraud detection and prevention, witness statements in insurance claims, financial abuse, personal information produced in the course of employment, business or profession, or other as identified by law from time to time.

    The MS Society may use or disclose your personal information without consent where the Society believes, upon reasonable grounds, that it is necessary to protect the rights, privacy or safety of an identifiable group or person (including you) or the public.
  • Withholding or Withdrawal of Consent: If consent is sought, an individual may choose not to give consent (“withholding consent”). If consent is given, an individual may withdraw consent at any time, but the withdrawal cannot be retrospective. The withdrawal may also be subject to legal or contractual restrictions and reasonable notice.

  4. Limiting Collection

The collection of personal information will be limited to that which is necessary for the purposes identified by the MS Society of Canada. Information will be collected by fair and lawful means.

  5. Limiting Use, Disclosure and Retention

Personal information will not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information will be retained only as long as necessary for the fulfillment of those purposes.

Whenever possible, access to personal information will be limited to authorized users only. Personal information may only be used within the limits of each staff and volunteer role. Staff and volunteers may not read, look at, receive or otherwise use personal information unless they have a legitimate “need to know” as part of their position.

Personal information may only be disclosed within the limits of each staff / volunteer role. Staff and volunteers may not share, talk about, send to, or otherwise disclose personal information to anyone else unless that activity is an authorized part of their position.

Personal health information that is no longer required to fulfill the identified purposes will be destroyed, erased, or made anonymous safely and securely.

When the MS Society discloses personal information to third-party service providers with whom it has a contractual relationship, the third-party providers will only be given access to personal information that is needed to perform the related function and may not use it for any other purpose.

  6. Accuracy

The MS Society will take reasonable steps to ensure that personal information in its custody is accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used. Personal information that is used on an ongoing basis, including information that is disclosed to third parties, will generally be accurate and up-to-date, unless limits to the requirement for accuracy are clearly set out. Individuals will always have the opportunity to contact the MS Society to update their personal information.

  7. Safeguards

MS Society will use appropriate security safeguards (depending on the sensitivity of the information) to protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification, regardless of the format in which it is held. Safeguards will include: physical safeguards (such as locked filing cabinets and rooms); organizational safeguards (such as permitting access to personal health information by staff on a "need-to-know" basis only); and technological safeguards (such as the use of passwords, encryption, and audits).

The MS Society requires that any individual or third party who collects, uses or discloses personal information on behalf of the organization complies with the provisions of this policy. This will be done through the signing of confidentiality agreements, privacy training and other contractual means.

Care will be used in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information.

  8. Openness

Information about MS Society privacy policies and practices relating to the management of personal information will be available to the public, including:

  1. Contact information for our Privacy Officer[s], to whom complaints or inquiries can be made;
  2. The process for obtaining access to personal information held by the MS Society, and making requests for its correction;
  3. A description of the type of personal information held by the MS Society, including a general account of our uses and disclosures;
  4. A description of how an individual may make a complaint to the MS Society; and
  5. Copies of any brochures or other information that explain the MS Society’s policies, standards, or codes.

  9. Individual Access

If an individual requests, the MS Society will inform them of the existence, use, and disclosure of their personal information. The individual will be given access to that information, will be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

In certain situations, the MS Society may not be able to provide access to all the personal information it holds about an individual. Exceptions to the access requirement will be limited and specific. The reasons for denying access will be provided to the individual upon request. Exceptions may include information that is prohibitively costly to provide, information that contains references to other individuals, information that cannot be disclosed for legal, security, or commercial proprietary reasons, and information that is subject to solicitor-client or litigation privilege.

  10. Challenging Compliance

An individual will be able to address a challenge concerning the MS Society of Canada’s compliance with its own Privacy and Confidentiality Policy to the MS national or division privacy officer.

Privacy officers will receive and respond to complaints or inquiries about organizational policies and practices relating to the handling of personal information as outlined in the Privacy Breach Management Procedures document. They will inform individuals who make inquiries or lodge complaints of other available complaint procedures.

The MS Society will investigate all complaints. If a complaint is found to be justified, the MS Society will take appropriate measures to respond.

Executive Champion

The President and CEO is the executive champion for this policy direction.

Monitoring and Compliance

The President and CEO is responsible for leading the monitoring of the application of and compliance with this policy direction and the related procedures in conjunction with other members of the Executive Team.

On a quarterly basis, national vice-presidents and division presidents must acknowledge compliance with this policy direction and the related procedures.

This policy is subject to change due to legal and regulatory requirements, introduction of new technologies, business practices and stakeholder needs.

Related Policies, Legislation

Federal Personal Information Protection and Electronic Documents Act (PIPEDA)
Provincial privacy laws
Canada’s Anti-Spam Legislation (CASL)
Privacy and Confidentiality Procedures
Privacy Breach Management Procedure
Retention of Records Procedure
Code of Conduct and Ethical Behaviour
IT Security Policy direction and related procedures
Resolving stakeholder concerns Policy
CASL: What you need to know and do

Policy Review

The policy direction is to be reviewed at a minimum every five (5) years following its approval.


DEFINITIONS:

Privacy – the fundamental right of individuals to control information about themselves (including the collection, use and disclosure of and access to that information).

Confidentiality – an obligation to protect personal information, to maintain its secrecy and not misuse or wrongfully disclose it.

Personal information – Personal information is any information about an identifiable individual, other than an individual’s business title, address or telephone number. Examples of personal information are: name, home address, age, health and financial information. It does not include information that cannot be tracked back to a specific individual. In addition, information that is publicly available, such as a telephone book listing, is not considered to be personal information. The history of an individual’s donations to the MS Society of Canada is personal information.

Personal health information – Personal health information is defined to mean, with respect to an individual, whether living or deceased:

  1. Information concerning the physical or mental health of the individual;
  2. Information concerning any health service provided to the individual;
  3. Information concerning the donation by the individual of any body part or any bodily substance of the individual or information derived from the testing or examination of a body part or bodily substance of an individual;
  4. Information that is collected in the course of providing health services to the individual; or
  5. Information that is collected incidentally to the provision of health services to the individual.

Executive Team – The most senior level of staff leadership within the MS Society comprised of the president and chief executive officer, division presidents, national vice-presidents of talent, research, marketing and development, programs and services, government relations, information technology, shared services. One person may hold more than one position. The president & chief executive officer may alter the composition of the Executive Team as required from time-to-time.


MS Society of Canada Policy Manual
Applies to: all staff and volunteers
Approved on: May 2002
Approved by: board of directors of the MS Society

Review process
Frequency: every 5 years
Last reviewed on: December 2016, June 2017
Date of next review: 2021