The Canadian Cancer Society (CCS) is committed to protecting the privacy and security of personal information under its control. This policy applies to all personal information collected, used or disclosed by the CCS with respect to donors, fundraisers, event participants, individuals who use the services of CCS, volunteers and staff.
In an effort to maintain appropriate standards of care in managing personal information, CCS commits to the following ten principles, as outlined in the Canadian Standards Association’s Model Code for the Protection of Personal Information (CAN/CSA-Q830-96) and that comply with provincial and federal legislation:
- Identifying purposes
- Limiting collection
- Limiting use, disclosure and retention
- Individual access
- Challenging compliance
This policy is subject to change due to changes in organizational practices or legal and regulatory requirements. We encourage you to periodically check our website for updates to this policy.
Definition of personal information
Personal information is any information recorded in any form that identifies or can identify an individual, other than an individual’s business contact information. Thus, personal information includes your name, gender, address, phone number, date of birth, credit card details or other financial information, health information, donation amounts and dates, volunteer information such as availability and areas of interest, history of involvement with CCS, and information required to maintain an employment relationship with CCS.
Personal information does not include anonymous or aggregate information that cannot be tracked back to you personally.
- 1. Accountability
1.1 CCS accepts full responsibility for protecting personal information under its possession or control. CCS’s Vice President, Human Resources is appointed as Senior Privacy Officer and is accountable for the organization’s compliance with this policy.
1.2. The Senior Privacy Officer delegates responsibilities relating to privacy management, oversight and compliance to provincial and regional privacy representatives on an as-needed basis. The provincial and regional privacy representatives are the first point of contact for privacy inquiries, concerns or incidents, and escalate privacy matters to the Senior Privacy Officer in accordance with CCS internal privacy incident management procedure.
1.3. The duties of the Senior Privacy Officer, and those of the provincial and regional privacy representatives, as delegated, include:
- developing and, on a regular basis, reviewing CCS policies and practices to ensure consistent implementation and compliance;
- ensuring all staff are trained on privacy best practices and are aware of the importance of safeguarding any personal information that they are privy to;
- ensuring that all inquiries and complaints relating to privacy are appropriately handled;
- ensuring all third parties to whom CCS provides access to personal information adhere to appropriate standards of care in managing that information; and
- informing the CEO and/or Board about significant privacy breaches that could potentially cause harm to CCS’s reputation.
- 2. Identifying purposes
2.1. Personal information is collected for purposes such as:
- providing cancer-related support services and running CCS events;
- responding to any concerns or inquiries about CCS’s activities;
- fundraising and promoting CCS events and services;
- communicating with the community, including communications with donors, funders, partners and individuals that participate in CCS events or use CCS services;
- determining an individual’s suitability to be in a position of trust, including the handling of cash or working with vulnerable persons;
- accounting and other financial purposes such as issuing tax receipts; and
- maintaining an employment relationship with employees of CCS.
2.2. Should you choose or are required as part of our support programs to provide us with your health information, CCS does not collect or use this information to provide you with opinions or endorse any particular treatment option or course of action, nor do we use this information to make decisions on your behalf or provide you with medical referrals or advice.
2.3. Aggregated information is used for service planning and delivery, health promotion, and the general administration of CCS’s business, including to assess the effectiveness of CCS programs and campaigns, improving donor experience and assisting in the developing new programs and channels. This information will be compiled and analyzed on an aggregate basis and, unless we have your specific consent to use identified information, does not identify any individual and therefore is not treated as personal information under this policy.
Each time an individual accesses a CCS website, we automatically receive and store certain types of non-personally identifiable information. Please refer to Website Practices on page 7 for more information.
- 3. Consent
3.1. Requirements for consent to the collection, use, or disclosure of personal information vary depending on circumstances and on the type of personal information. Consent can be obtained in person, by phone, by mail, or via the Internet.
3.2. In determining whether implied or explicit consent is required and, if so, which form of consent is appropriate, CCS will take into account the sensitivity of the personal information at issue, the purposes for which CCS will use the information and any legal requirements. Consent may be implied based upon the reasonable expectations of the individual. For example, if you provide personal information in response to a fundraising communication, consent may be implied for the purposes of using the information for fundraising. In determining the appropriate form of consent, CCS will take into account the sensitivity of the personal information. Implied consent will generally be appropriate where the personal information is non-sensitive in nature and context. Express consent will always be sought should the primary purpose of collection be to promote a corporate partner products or should we wish to disclose your personal information to a third party, such as another charity.
3.4. CCS will usually obtain your informed consent at the time that we collect your personal information. If your personal information will be used or disclosed for any additional purposes that are not outlined in this policy, CCS will advise you of these new purposes before such use or disclosure, unless otherwise required by law.
3.5. Consent may be time-limited and may be revoked by the individual who gave it, subject to legal restrictions, limited exceptions and reasonable notice. Withdrawal of consent will not exclude an individual from service delivery, unless the information requested is required to fulfill an explicitly specified and legitimate purpose.
- 4. Limiting collection
4.1. CCS only collects personal information for the purposes outlined under Principle 2.
4.2. Every CCS department or business unit is responsible for ensuring that all information collected is limited, both in amount and type, to what is needed to fulfill the identified purposes.
4.3. CCS usually collects personal information directly from the individual in the course of its business through various means including, but not limited to:
a) registration and application forms;
b) CCS programs and services;
c) donor and fundraising forms; and
d) on-line applications, services and systems.
4.4. CCS may also collect personal information from other sources (including personal references and family members), with the consent of the individual or where permitted or required by law (for example, when the information is about a minor) or is publicly available.
- 5. Limiting use, disclosure and retention
5.1. Personal information is only used and disclosed for the purposes for which it was originally collected (as outlined under Principle 2) unless specific consent has been obtained or if otherwise required by law. There are circumstances where a disclosure without consent is justified or permitted, for example in the context of a legal investigation or a request from law enforcement authorities, or where CCS believes, upon reasonable grounds, that the disclosure is necessary to protect the rights or safety of an identifiable person or group.
5.2. Also, note that your personal information may be shared with volunteers and service providers (collectively “Affiliates”). Such Affiliates assist us in establishing, managing and maintaining our relationship with you and providing products and services to CCS, such as mailing and fulfillment organizations and third party fundraising agencies. Such Affiliates will only use your personal information for the purposes identified above and are bound by confidentiality agreements and commit to safeguarding your personal information. Note that in working with our service providers, your personal information may be transferred to a foreign jurisdiction to be processed or stored. Such information may be provided to law enforcement or national security authorities of that jurisdiction upon request, in order to comply with foreign laws.
5.3. Personal information is only retained as long as it is necessary for the fulfillment of the purposes identified in this policy (under Principle 2) and as required by law. CCS has established retention timelines for staff to follow and also periodically reviews CCS’s retention needs.
5.4. The retention period may extend beyond your relationship with us. When your personal information is no longer required for CCS’s purposes, the information is either physically destroyed or deleted.
- 6. Accuracy
6.1. CCS makes reasonable efforts to keep personal information as accurate, complete and up-to-date as is necessary to fulfill the purposes for which the information is to be used.
6.2. We rely on our donors, fundraisers, event participants, individuals who use the services of CCS, volunteers and employees to provide us with accurate information and to notify us if their information needs to be updated.
- 7. Safeguards
7.1 CCS takes reasonable measures to ensure that personal information is kept safe from loss or theft, unauthorized access, use, copying, disclosure or modification. Safeguards include physical, organizational and technical measures, such as (but not limited to):
- security card access to premises;
- restriction of employee access to files on a “need to know” basis;
- confidentiality undertakings by all employees;
- locking up personal information and not leaving it unattended or in plain view;
- firewalls, anti-virus, strong passwords and software solutions for technical security (including secure, 128-bit encrypted Secure Socket Layer sessions on our website); and
- regular reviews of privacy compliance initiatives.
- 8. Openness
8.1. CCS always makes information available about our privacy practices upon request. CCS also takes steps to ensure that all staff/volunteers can answer inquiries about our information-handling practices and appropriately refer unanswered questions or privacy complaints to CCS’s Privacy Officer.
- 9. Individual access
9.1. An individual should direct a request for access to their personal information to the Privacy Officer in writing (contact information is set out at the end of this policy). The written request must provide sufficient detail so that the Privacy Officer can properly and efficiently respond to the request.
9.2. In order to safeguard personal information, an individual may be required to provide sufficient identification information in order for CCS to authenticate the individual and to authorize access to the individual’s file.
9.3. CCS will respond to access requests in a timely manner, and in accordance with the timeframe prescribed by any relevant legislation.
9.4. An individual may challenge the accuracy and completeness of the information obtained, if appropriate. CCS shall promptly correct or complete any personal information found to be inaccurate or incomplete. Any unresolved differences as to accuracy or completeness shall be noted in the individual’s file. Where appropriate, CCS shall transmit to third parties having access to the personal information in question, any amended information or information regarding the existence of any unresolved differences.
9.5. Individuals will be provided with any help needed to access their personal information, including clarifying exactly what they are looking for. Requested information will be provided in a timely manner, and in a form that is generally understandable. Depending on the amount of information requested, there may be a nominal fee charged to cover any costs associated with responding to the request.
9.6. If CCS does not have custody of the personal information requested or must decline to provide an individual with access to their personal information for legal, regulatory or other reasons, an explanation will be provided.
- 10. Challenging compliance
10.2. CCS has procedures in place to receive, investigate, respond to and track concerns or complaints about its management of personal information. By following these procedures, a remedy or corrective action will be undertaken to resolve the issue, including, if necessary, amending CCS’s policies and procedures.
10.3. Within a reasonable time of conclusion of the investigation, the Privacy Officer will inform the complainant of:
a) the results of the investigation; and
b) any appropriate measures CCS will take to rectify the source of the complaint.
- Usage tracking
Our websites may automatically record some general information about your visit in order for CCS to engage in web statistical analysis using Google Analytics. We want to make sure our sites are useful to visitors and make the most efficient use of donor dollars in our marketing efforts through targeted advertising. This information may include the:
- internet domain for your internet service provider, such as “company.com” or “service.ca” and the IP address of the computer you are using to access CCS’s website;
- type of browser you are using, such as Internet Explorer, Firefox or Chrome;
- type of operating system you are using such as Windows or Macintosh;
- date and time of the visit to our site, the pages of our site that were visited, and the address of the previous website you were visiting if you linked to us from another website;
- age category, gender, and affinity interests as determined by demographic and interest reports available through Google Analytics.
Data collected for web analytics purposes may be processed in any country where Google operates servers, and thus may be subject to the governing legislation of that country.
We also use “cookies” that identify you as a return visitor and which can help us tailor information to suit your individual preferences. A cookie is a small text file that a website can send to your browser, which may then store the cookie on your hard drive. The goal is to save you time next time you visit, provide you with a more meaningful visit, and measure website activity. Cookies in and of themselves cannot be used to reveal your identity. Many browsers, however, allow you to disable cookie collection if you wish, or inform you when a cookie is being stored on your hard drive.
- Targeted advertising
- When you are not on CCS sites
CCS also provides links to other websites which we believe may be of interest to you. CCS is not responsible for the privacy practices of these other sites. We encourage you to read the privacy statements of each and every website that
requests personal information from you.
Third party social media
CCS’s use of social media serves as an extension of its presence on the internet. Social media account(s) are public and are not hosted on CCS’s servers. Users who choose to interact with CCS via social media should read the terms of service and privacy policies of these third-party service providers and those of any applications used to access them.
Senior Privacy Officer contact information
If you have any questions about this policy, CCS’s privacy practices, please contact us. Please note that we cannot guarantee the security of email communications over the internet.
Phone number: 416-488-5400 x 2257
For any change of address or requests to remove your contact information from our database, please contact our Donor Care team by email