The purpose of this policy is to ensure that all staff of Right To Play (also referred to as RTP) are informed about personal data and their responsibilities for the proper collection, handling and storage of personal data, so that personal information is safeguarded. Right To Play is committed to processing data in accordance with its responsibilities under current legislation and applicable industry governance and compliance programs and best practices, including, but not limited to, PIPEDA (Personal Information Protection and Electronic Documents Act), PHIPA (Personal Health Information Protection Act), PCI DSS (Payment Card Industry Data Security Standard) and GDPR (General Data Protection Regulation).
This policy applies to all Right To Play employees, both domestic and international (including National and Country field offices). It also applies to interns, volunteers or consultants who are provided with RTP equipment and/or technology systems access to perform duties that access, transmit or store any personally identifiable information about any individuals.
Note: RTP recognizes that certain areas of this policy will be superseded by local legislation and laws and will be amended accordingly.
Personal Data and Unique Identifiers Definition
GDPR defines personal information as:
‘“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.’
This policy is overseen by the IT Services and Solutions (ITSS) department and is provided to all new employees by the Human Resources (HR) department as part of the onboarding process. The specific responsibilities of HR and of RTP employees include, but are not limited to:
Responsibility of Human Resources (HR):
- Informing all new employees of this policy; and
- Collecting sign off that new employees have read and reviewed the policy.
Responsibility of employees:
- Understanding and following the policies and procedures set out to safeguard data under RTP’s control; and
- Inquiring with the ITSS team or their supervisor if unsure about the contents of this document.
Lawful, fair and transparent processing
- To ensure Right To Play’s processing of data is lawful, fair and transparent, Right To Play will maintain a Register of Systems;
- The Register of Systems will be reviewed annually;
- Individuals have the right to access their personal data and correct any inaccuracies;
- RTP will have 30 days from the date of the request to respond to the requester. If an extension of up to an additional 30 days is necessary, RTP must inform the requester of the extension before providing the response;
- If a request for access is refused, RTP must tell the individual why and that they have the right to complain to the supervisory authority and to judicial remedy – this must be done without undue delay (within a month).
- All data processed by Right To Play will be processed expressly for one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests;
- Right To Play will note the appropriate lawful basis in the Register of Systems;
- Where consent is relied upon as a lawful basis for processing data, evidence of consent will be kept with the personal data;
- Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent will be clearly available and systems will be in place to ensure such revocation is reflected accurately in Right To Play systems.
- Right To Play will take every reasonable step to ensure personal data is accurate and up to date;
- Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date.
- To ensure that personal data is not kept any longer than necessary, Right To Play will put in place an archiving policy for each area in which personal data is processed and review this process annually.
- The Record Retention and Destruction policy will consider what data should/must be retained, for how long, and why.
- Right To Play will ensure that personal data is stored securely based on information security best practices.
- Access to personal data will be limited to personnel who need access and appropriate access management to information systems will be in place to avoid unauthorized sharing of information.
- When personal data is no longer required, RTP will destroy this data in accordance with the RTP Record Retention and Destruction policy.
- RTP will employ the use of appropriate data back-up and disaster recovery solutions.
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data, Right To Play will promptly assess the risk to individuals’ rights and freedoms and, if appropriate, report the breach to the required authorities in compliance with relevant legislation.
Right To Play is committed to protecting the privacy of the personal information of its employees, volunteers, members, customers, donors and other stakeholders. We value the trust of those we deal with, and of the public, and recognize that maintaining this trust requires that we be transparent and accountable in how we treat the information that you choose to share with us.
Defining Personal Information
Personal information is any information that can be used to distinguish, identify or contact a specific individual. This information can include an individual’s opinions or beliefs, as well as facts about, or related to, the individual. Exceptions: business contact information and certain publicly available information, such as names, addresses and telephone numbers as published in telephone directories, are not considered personal information.
Information in the public domain is not subject to privacy legislation and as such is not included in this policy.
Where Right To Play customers and clients use their home contact information as business contact information, Right To Play considers that the contact information provided is business contact information, and is not therefore subject to protection as personal information.
We consider donor and volunteer information always to be personal information, and do not disclose information about donors or volunteers without consent.
Right To Play observes the following practices when collecting, maintaining and using personal information:
An individual’s consent is required regarding the collection and proposed use of personal information when information is collected. Consent can be either express or implied and can be provided directly by the individual or by an authorized representative. Express consent can be given orally, electronically or in writing. Implied consent is consent that can reasonably be inferred from an individual’s action or inaction. An individual’s consent is required before confidential information is released to outside parties.
Right To Play’s websites use persistent cookies within visiting browsers to enable the functions of the website and for tracking performance. Specifically, cookies are used the following ways:
- Preserving and expiring visitor sessions on the site (e.g. preserving data between steps of a process; and ending the session after a period of inactivity)
- Storing font size preferences on the site
- Enabling web analytic tools (such as Google Analytics, Clicktale, and iPerceptions – see below)
Cookies are used anonymously and without storing Personally Identifiable Information (PII). Visitors that wish to opt-out of cookies should review the help documentation for their browser software to decline or selectively decline cookies. Note that declining cookies may adversely impact site performance.
Webpage and Mobile Analytics
The Right To Play website uses Google Analytics to track performance. Analytic applications use persistent cookies to track visitor sessions, visitors across multiple sessions, and referral sources to our sites. We also track the performance of promotional links to our site using analytics. At no time is personally identifiable information (PII) passed to Google Analytics. Note that Google Analytics stores its data within the United States of America and is subject to US laws. We use this data to understand site performance in order to serve you better. Those wishing to opt out of Google Analytics data collection should use the Google Analytics Opt-out Browser Add-on.
The collection of personal information is limited to that which is relevant and necessary to our programs and fundraising efforts. Right To Play shall not make unwarranted or intrusive inquiries into a donor or prospect’s gift history or personal life. Right To Play attributes all data that it collects.
Limited Use, Disclosure and Retention
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
Personal information shall be as complete, accurate and up-to-date as possible. Donors are encouraged to review, correct and update personal information.
Personal information gathered by Right To Play shall be kept in confidence. Right To Play’s personnel shall be authorized to access personal information based only on their need to deal with the information for the reason(s) for which it was obtained.
Appropriate physical and electronic measures shall be used to ensure personal information is secure. Access to donor and volunteer records shall be limited to those who require such information to fulfil their job responsibilities. Special protection shall be given to all records pertaining to anonymous donors. The confidentiality of donor and volunteer records shall continue after the relationship with the individual has ended.
Donors who request that their name and/or the amount of the gift not be publicly released shall remain anonymous.
Upon request, individuals shall be given access to the information in their donor record.
Further information on privacy and your rights in regard to your personal information may be found on the website of the Privacy Commissioner of Canada at www.priv.gc.ca and on the European Commission website for GDPR (General Data Protection Regulation) at https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en