CHILD DEVELOPMENT INSTITUTE
GENERAL PRIVACY POLICY
INTRODUCTION
Child Development Institute (referred to as “CDI”, “we”, “us”, and “our”) is committed to protecting the privacy of its employees, students, clients and other stakeholders through the enforcement of safeguards and security measures and in adherence to relevant privacy legislation. CDI will never knowingly collect, use or share personal information from minor children without the express parental or legal guardian consent.
CDI complies with all relevant privacy legislation and have privacy policies that ensure the security of all personal information. CDI’s privacy policies are grounded in the recommended ten (10) privacy principles as best practices (Schedule 1 of the Ontario Personal Health Information and Protection Act – PHIPA), as well as other applicable personal information protection laws (“Privacy Laws”). These overarching principles help to inform CDI’s clients, employees, students, volunteers, and the public, of its commitment to protect the privacy of, and govern the process for the management of personal information, from the time of collection until destruction. CDI’s policies set out clear requirements for personal information, including but not limited to consent, use, notification of breaches (including theft, unauthorized access) and the appointment of a Chief Privacy Officer.
CDI’s privacy policies:
– Apply to any personal information (including personal health information) about an individual that is collected, used, disclosed or shared in the course of CDI’s activities.
– Do not apply to exceptions set out under Section 7 of the Ontario Personal Health Information and Privacy Act (PHIPA) or Part X of the Ontario Child, Youth and Family Services Act (CYFSA).
This Privacy Policy applies to any personal information (including personal health information) about CDI’s clients, employees, students, volunteers, agents and the public that is collected, used or disclosed by CDI. It also applies to the management of personal information in any form whether oral, electronic or written. Nothing in this Privacy Policy will limit CDI’s rights and obligations under such Privacy Laws.
YOUR CONSENT
Subject to legal and contractual requirements, you may refuse or withdraw your consent to certain of the identified purposes at any time by contacting your worker or the CDI Chief Privacy Officer. If you refuse or withdraw your consent, we may not be able to provide you or continue to provide you with certain services or information which may be of value to you. If you provide CDI or its service providers, partners and agents with personal information of another individual, you represent that you have all necessary authority and/or have obtained all necessary consents from such person to enable us to collect, use and disclose such personal information for the purposes set forth in this Privacy Policy.
BY SUBMITTING PERSONAL INFORMATION TO CDI OR ITS SERVICE PROVIDERS, PARTNERS AND AGENTS, YOU AGREE THAT CDI, ITS SERVICE PROVIDERS, PARTNERS AND AGENTS MAY COLLECT, USE AND DISCLOSE SUCH PERSONAL INFORMATION IN
ACCORDANCE WITH THIS PRIVACY POLICY AND AS PERMITTED OR REQUIRED BY PRIVACY LAWS.
PERSONAL INFORMATION DO WE COLLECT
Personal information is information about an identifiable individual, as defined in applicable Privacy Laws. Generally, personal information does not include:
- anonymous or collected information that does not allow an individual to be identified;
- information regarding companies and other “legal entities”; or
- business contact information such as your name, title or position, business address, telephone number, fax number or email address that is available to the public.
The types of personal information that CDI may collect from you from time to time include: your name, certain health information, your home address, telephone number, personal email address, gender, birthdate, and your mailing preferences. CDI will also collect the personal information you provide for you to access our services. Additionally, from time to time, we may ask you to provide us with more detailed information such as your interests, occupation and background or to complete . surveys in order to get a better sense of who you are and what issues or services may be of interest to you.
THE PRIVACY PRINCIPALS CDI FOLLOWS
CDI collects uses and discloses your personal information by employing “fair information practices” as described in the following ten privacy principles and embodied in Privacy Laws:
1. Accountability: CDI is responsible for personal information under its control and as a result has designated an individual as the person who is accountable for CDI’s compliance with the ten principles (“Chief Privacy Officer”). As such:
- accountability for CDI’s compliance with the principles rests with the Chief Privacy Officer, even though other individuals within CDI may be responsible for the day-to-day collection and processing of personal information. In addition, other individuals within CDI may be delegated to act on behalf of the Chief Privacy Officer;
- the identity of the Chief Privacy Officer designated by CDI to oversee CDI’s compliance with the principles shall be made known upon request; and
- CDI is responsible for personal information in its possession or custody, including information that has been transferred to or from a third party for processing and has implemented policies and practices including:
- implementing processes to protect personal information;
- Establishing procedures to receive and respond to complaints and inquiries;
- access to personal information records;
- notification of privacy breaches to affected individuals;
- ongoing training for employees;
- communication about its privacy policies and practices, including changes to legislation and revisions to existing or new policies.
2. Identifying Purposes: In general, CDI collects uses and discloses personal information about you in order to provide services. More specifically, CDI collects, uses and discloses your personal information for the following purposes to provide you with appropriate child and youth mental health programs and services, or refer you to other organizations that can provide you with such programs or services.
- to develop and manage our business and operations. This may include the sharing of personal information by and between CDI personnel and affiliated organizations, and with third party service providers and agents, for such purposes;
- to detect and protect CDI and other third parties against error, fraud, theft and other illegal activity, and to audit compliance with CDI’s policies and contractual and legal obligations;
- to distribute our newsletters and other material to individuals on our mail and email lists, including via third party mailing houses and email service providers;
- to engage in business transactions, including the purchase, sale, lease, merger, amalgamation or any other type of acquisition, disposal, securitization or financing involving CDI;
- to understand and respond to clients, suppliers, partners and other third party needs and preferences, including to contact and communicate with such parties and to conduct surveys, research and evaluations;
- to develop, enhance, market, sell or otherwise provide CDI’s products and services;
- as permitted by, and to comply with, any legal or regulatory requirements or provisions; and
- for any purpose to which you consent.
CDI will collect, use and disclose personal information only necessary for the purposes that have been identified.
3. Consent: The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where consent is not legally required. Pursuant to this Privacy Policy, you acknowledge your informed consent to CDI’s collection, use and disclosure of your personal information, or the personal information of another individual which you provide to CDI, as stated above. Generally, should a different purpose to the collection, use or disclosure of your personal information be proposed by CDI, CDI shall seek your consent before collecting the information. CDI may also seek consent to use and disclose personal information after it has been collected, but before it is used or disclosed, for a new purpose. You may withdraw consent at any time to some or all of the purposes indicated below, subject to legal or contractual restrictions and reasonable notice. PLEASE NOTE THAT IN SOME CIRCUMSTANCES, WE MAY NOT BE ABLE TO PROVIDE YOU WITH OUR SERVICES IF YOU WITHDRAW YOUR CONSENT TO OUR USE OF YOUR PERSONAL INFORMATION.
In certain circumstances under Privacy Laws, personal information can be collected, used, or disclosed without the knowledge and consent of the individual. For example, legal, medical, or security reasons may make it impossible or impractical to seek consent. When information is being collected for the detection and prevention of fraud or for law enforcement, seeking the consent of the individual might defeat the purpose of collecting the information.
4. Limiting Collection: The collection of personal information shall be limited to that which is necessary for the purposes identified by CDI. Information shall be collected by fair and lawful means and may be collected from other sources including but not limited to other third parties who are authorized to disclose the information (such as a legal guardian, substitute decision-maker, or a person having legal power of attorney for health purposes). Additional use requires specific consent and clarity about the purpose for the information.
5. Limiting Use, Disclosure, and Retention: Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required or permitted by Privacy Laws. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
Where it is for a new purpose, CDI may collect from and/or disclose your personal information to a person who, in the reasonable judgment of CDI, is providing or seeking the information as your agent (for example, an attorney);
Except as permitted in this principle, CDI does not provide or sell its customer or client or donor lists to any outside company for use in marketing or solicitation.
6. Accuracy: Personal information shall be as accurate, complete, and up-to-date as possible. CDI will update personal information as and when necessary to fulfill the identified purposes or upon notification from you. CDI will not routinely update personal information, unless such process is necessary to fulfill the identified purposes. If ever your contact and/or other personal information changes please feel free to contact us so that we can update our records.
7. Safeguards: Personal information shall be protected by security safeguards appropriate to the level of sensitivity of the information. CDI has security safeguards that are designed to protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. The methods of protection include:
- physical measures, such as locked filing cabinets and restricted access to offices;
- organizational measures, such as security clearances and limiting access on a “need-to-know” basis; and
- technological measures, such as the use of passwords, firewalls and encryption.
Openness: CDI shall make readily available to you information about its Privacy Policy and practices relating to the management of personal information. For example:
- CDI shall be open about its Privacy Policy and practices with respect to the management of personal information. This information shall be made available in a form that is generally understandable;
- the information made available shall include:
- the name or title and the address of the Chief Privacy Officer to whom complaints or inquiries can be forwarded;
- the means of gaining access to personal information held by CDI;
- a description of the type of personal information held by CDI, including a general account of its use;
- a copy of any brochures or other relevant information that explain CDI’s policies or practices; and
- what personal information is made available to partner or related organizations (affiliates); and
- CDI may make information on its Privacy Policy and practices available in a variety of ways. The method chosen depends on the nature of its business and other considerations. For example, CDI may choose to make brochures available in its physical locations, mail information to its clients, or provide online access,.
Complaints or inquiries relating to privacy may be verbal or in writing and addressed to the Chief Privacy Officer.
9. Individual Access: Upon request, subject to certain exceptions under Privacy Laws, you shall be informed of the existence, use, and disclosure of your personal information and shall be given access to that information. You may wish to challenge the accuracy and completeness of the personal information and have it amended as appropriate.
In certain situations, under Privacy Laws, CDI may not be able to provide access to all of your personal information it holds. The reasons for denying access will be provided to you upon request. Exceptions may include information that is too costly to provide, information that contains references to other individuals, information that cannot be disclosed for legal, security, or other proprietary reasons, and information that is subject to attorney-client privilege or legal action.
A response to an individual’s request for personal information shall be within thirty (30) days, unless extra time is required to obtain and provide that information.
10. Challenging Compliance: You may wish to address a concern regarding CDI’s compliance with the above principles to CDI’s Chief Privacy Officer. CDI shall investigate all complaints. If a complaint is found to be justified, CDI shall take appropriate measures to resolve the complaint, including, if necessary, amending this Privacy Policy and practices.
Online Communications – In order to provide you with products, services or information, you may voluntarily submit personal information to us through our websites for purposes such as conducting business online, donating, purchasing items, asking a question, obtaining information, reviewing or downloading a publication, participating in an event, and participating in contests and surveys. If you are known to CDI as a registered user of an online service, we may combine and store personal information about your use of our websites and the online information you have provided with certain other online and offline information we may have collected. All collection, use and disclosure of personal information obtained through our websites shall be subject to this Privacy Policy and Privacy Laws.
Email Communications – Occasionally, we may send marketing or promotional email communications to you with information that may be useful, including information about the services of CDI and other third parties with whom we have a relationship. We will include instructions on how to unsubscribe and inform us of preferences if you decide you do not want to receive any future marketing or promotional e-mails from CDI.
Links – Our websites may contain links to other websites which are provided as a convenience only. Visitors are advised that other third party websites may have different privacy policies and practices than CDI, and CDI has no responsibility for such third party websites regarding its privacy policies on its content generally.
CHANGES TO THE PRIVACY POLICY
CDI reserves the right to modify or supplement this Privacy Policy at any time. If we make a change to this Privacy Policy, we will post the revised Privacy Policy on our websites. We will provide to you such revised Privacy Policy upon request to the Chief Privacy Officer. However, CDI will obtain the necessary consents required under applicable Privacy Laws if it seeks to collect, use or disclose an individual’s personal information for purposes other than those to which your consent has previously been obtained unless otherwise required or permitted by Privacy Laws.
APPLICABLE PRIVACY LAWS
In addition to Ontario Personal Information laws, Privacy Laws include, but is not limited to, other jurisdictions, such as Canada’s federal privacy laws, European Privacy Laws (GDPR), state and federal privacy laws of the United States of America, and other applicable privacy laws.