Policy Statement

The Rick Hansen Foundation (RHF) is committed to protecting personal information in accordance with all applicable legislative and regulatory requirements. We understand that upholding the trust people accord us to protect their privacy requires us to be transparent and accountable about our practices. This document describes the applicable requirements that RHF must comply with, how we comply with these requirements, and what individuals can do if they have a complaint about how their personal information was handled.  

2.0 Scope

This privacy policy applies to RHF and all of its staff, volunteers and consultants as well as all other organizations with whom we contract. It covers all personal information that RHF collects, uses or discloses – regardless of format – in the course of its activities to achieve its charitable purpose.

3.0 Context

 

3.1 Our Commitment

To fulfill our charitable purpose, we may, from time to time, collect and use personal information as defined in this policy. In doing so, we comply with the BC Personal Information Protection Act (PIPA) – which applies to all private sector organizations in British Columbia including non-profit organizations – as well as other applicable privacy legislation. We also embrace privacy best practices as well as the ethical guidelines established by the Association of Fundraising Professionals (AFP) and Imagine Canada. 

 

3.3 What is Personal Information? 

Personal information is information that is collected or recorded about an identifiable individual. 

Information about an identifiable individual means information that reveals something of a personal nature about an individual. The information can be stand-alone or in combination with other information including but not limited to: a person’s name (legal, new or dead), home address or phone number, personal email address, social insurance or passport number, gender, education background including level and school(s) attended, income, family status and/or donation information. For example, while it may not be possible to identify a person based on their education history alone, it may be possible when combined with the person’s email address and gender. 

Information can be collected verbally (e.g., through a phone call) and recorded in various formats including: paper records, electronic records, photographs, videos and maps. 

Personal health information is personal information related to an individual’s health or the provision of health services to that individual. Examples of personal health information include patient survey data, patient reported outcomes, and abstracted health information. At RHF, we consider whether a person has a disability, including but not limited to a spinal cord injury, to be personal health information. 

Employee personal information is personal information that is collected, used or disclosed for the purpose of establishing, maintaining or managing a relationship between RHF and its personnel. For the purposes of this document, personnel include employees and volunteers. In accordance with PIPA, information that allows an individual to be identified or contacted at work as well as work product information is not considered personal information. ‘Work product’ means information prepared or collected by an individual or group of individuals as a part of the individual’s or group’s responsibilities or activities related to the individual’s or group’s employment or business. See the table below for examples of work product versus personal information: 

 

Work Product	Personal Information
Jane made this decision based on certain criteria.  It was her role to make the decision.	Even though Jane made the decision based on certain criteria, her opinion was that she would have preferred a different opinion.
The public body has awarded a contract to Bill for a service.	The public body did not award Bill this contract because he did not have favorable references.
Jill gave the following advice to her supervisor when asked to do so.	Jill’s performance evaluation suggests that she should do more research before providing advice.
Board Member Joe made a motion in the meeting.	Board Member Joe resigned from the Board for personal reasons.

 

3.3 RHF’s Privacy Protection Practices

 

RHF has implement a RHF’s Privacy Management Program to protect personal information. This program complies with the ten principles of privacy, a set of internationally recognized fair information practices found in most privacy legislation around the world. These principles, which inform the way personal information is collected, secured, used, and disclosed at RHF, are discussed below.

3.3a Accountability

 

RHF is responsible for all personal information under its custody and/or control. 

Custody generally refers to the physical possession of a work-related record by RHF. There may be situations where RHF uses a record storage centre or an employee or volunteer retains work files at their home. In these circumstances, RHF still retains custody of the records. Control generally refers to situations when RHF has the authority to manage the records throughout its life cycle, including directing and administering its use and/or disclosure. For example, a record held by a consultant contracted by RHF may still be under RHF’s control. 

Indicators that a record may be in RHF’s custody or control include the following:

• Did an RHF employee or volunteer create the record?
• Does the content of the record relate to RHF’s vision, mission, strategy, activities or operations?
• Does RHF have a right to possession of the record?
• Does RHF have the authority to regulate the content, use and disposal of the record?

All RHF personnel are responsible for protecting personal and personal health information in their custody and/or control, in particular:

• RHF’s Board Directors are responsible for acting in good faith with a view to ensuring the best interests of RHF and upholding its reputation and good governance. 
• RHF’s Privacy Officer is responsible for developing, implementing and continuously improving RHF’s Privacy Management Program; ensuring RHF’s overall compliance with this Policy; and, acting as RHF’s arbitrator on information and information security matters.

• RHF’s Unit Leads and Budget Managers are responsible for overseeing compliance of their respective areas of responsibility to this Policy. 
• RHF’s employees and volunteers are responsible for reading, understanding and complying with this Policy. 
• RHF’s third parties are responsible for adhering to this Policy. 

3.3.b Why We Collect and Use Personal Information

 

RHF collects and uses personal information to further our charitable purpose and comply with legal requirements. This includes the following purposes:

• To share information about our work, results and organization with funders, donors, stakeholders and others who may be interested in our activities
• To thank and publicly recognize funders, donors, partners, supporters and other stakeholders 
• To process financial transactions as well as track and issue tax receipts for donations received in accordance with Canada Revenue Agency requirements
• To establish, maintain and manage relationships with current and prospective employees and volunteers 
• To determine the eligibility of an applicant to receive a grant, scholarship or award 
• To share the stories, videos and/or images of our personnel or other people taken at RHF activities and events in our publications including our website, communication (including social media) channels, electronic and print newsletters, reports and other publications (e.g., advertisements and/or editorials) as well as electronic and print application and registration forms
• To manage our business and protect our organizational assets 

 

RHF also sometimes funds spinal cord injury and/or health systems-focused researchers who, as part of their research, collect personal health information. 

To achieve the above stated purposes, RHF collects the following types of information:

• Contact information including name, address, phone number, and email so that we may contact the individual
• Demographic information including age, gender, Indigenous or racial identity to inform our planning and programming 
• Health-related information including whether or not an individual has a disability to inform our planning and programming as well as to support the research that we fund to find a cure for spinal cord injury
• Financial information required to process payments and donations 
• Personal stories, quotes and/or opinions, videos, photographs and/or maps which may be used in our newsletters, registration forms, and/or on our website.

 

3.3.c Limits on Collection, Use and Disclosure 

RHF will only collect, use, and disclose personal information for the purposes stated above and in accordance the Personal Information Protection Act (BC) and other applicable privacy legislation and regulations.  In the case of employee home contact information, no employee is authorized to share this information with anyone outside of RHF unless authorized by that employee. 

If we require your personal information for any purpose other than for which it was originally collected, we will ask your permission to do so first. 

Exceptions (i.e., when personal information can be used or disclosed without the knowledge and consent of an individual) are only possible in very specific circumstances including: 

• If the individual is considered by law to be in the public domain
• To investigate a breach of an agreement or contravention of a federal or provincial law
• In the case of an emergency where the life, health or security of an individual is threatened
• To comply with a subpoena, warrant or court order
• As may otherwise be required or authorized by law.

Any individual may withdraw their consent at any time. Subject to legal or contractual restrictions and reasonable notice, RHF will comply with the request.

 

3.3.d How We Obtain Consent to Collect, Use and Disclose Personal Information

 

Personal information can be collected directly or indirectly. Direct collection is when the information comes from either the person or their substitute decision-maker about whom the information is being collected. Indirect collection is when the information comes from a third party, and not from the individual him/her/themself or their substitute decision-maker.

When RHF finds it necessary to collect, use and/or disclose personal information, consent will be obtained either through express consent or by giving the individual an opportunity to ‘opt-out’. Express consent means that an individual or their substitute decision-maker has given their written or verbal consent to RHF to collect, use or disclose their personal information for a specific purpose. ‘Opt-out consent’ means that an individual is provided with information regarding the intended use of their personal information and that person can choose to not participate by un-checking an agreement box. In all instances, RHF will prioritize the collection of written versus verbal consent.

In the case of videos and photographs taken by RHF at events, notification will be provided including but not limited to signs placed at entrances to notify people that this will be taking place and what the videos and photographs will be used for. RHF will make efforts to ensure notification is provided in accessible formats, for example, through on-site ASL translators or included in event registration forms. Notification will include the contact information for RHF’s Privacy Officer or delegate.

If RHF acquires personal information from other organizations (e.g., the purchase of mailing lists of prospective donors or personal contact information for prospective Advisory and/or Committee members), the organization providing the list is expected to obtain the required consent before disclosing personal information to RHF.

 

3.3.e How We Disclose Personal Information

The only times in which personal information will be disclosed to another organization is when service providers are contracted on our behalf to process your information or assist us with various other services such as mail distribution and research, if it is to help an individual in receiving a grant or service in accordance with our mission, or if we are required to do so by law.

In the case where another organization is contracted to process your information or assist us with other services, we require those organizations to enter into legally binding confidentiality agreements and strictly adhere to RHF’s Privacy Policy.

RHF will not rent, sell, lease, or barter your information to any organization or individual.

 

3.3.f Retention of Personal Information

RHF acts in accordance with the Canada Revenue Agency’s guidelines for retaining donor information for a period of six years from the end of the year in which the donation was made. Any other personal information used to make a decision about an individual is retained for a minimum of one year. Permission to use or disclosure this information can be withdrawn at any time. 

 

3.3.g Accuracy of Information 

RHF ensures that personal information in our custody or control is accurate and up to date. In most instances we rely on individuals to notify us of any changes to their information.

 

3.3.h Safeguards

RHF maintains appropriate security measures to safeguard personal information depending upon the sensitivity of the information and how it is stored. Measures include locked cabinets, restricted access to certain records on a need-to-know basis, the use of passwords, the use of encryption, and legally binding confidentiality agreements and/or non-disclosure agreements with all RHF personnel. RHF personnel are also required to exercise caution in the disposal and destruction of personal information to prevent unauthorized parties from gaining access. RHF protects personal information disclosed to third parties through contractual agreements which require that personal information is treated in compliance with PIPA and this Policy. Examples of third parties include mailing services and data analysis providers. 

Use of “Cookies”, “Web Beacons”, “Pixels” and “Tags”

RHF may use a standard technology called “cookies”, “web beacons”, “pixels”, “tags” and other technologies to collect information. This information is used to improve the experience of our website, measure the effectiveness of marketing campaigns, and to personalize online content. Aggregate data may be shared in publications produced by RHF.

Use of Internet Protocol (IP) Addresses

RHF may use IP addresses to assist in diagnosing server problems. We reserve the right to perform statistical analyses of user behaviour and characteristics, to measure interest in and user traffic patterns to the various sections of our website and/or to help us improve design, layout and navigation.

Links to Other Websites

RHF’s website may contains links to other websites that may be of interest to visitors to our site. RHF is not responsible for the privacy practices, content, transactions, and functioning of the linkages of these sites. Our Privacy Policy is no longer in effect when you use a link to another website from our website and users submitting information to these third-party websites should review the privacy statements of these sites before providing them with personally identifiable information.

RHF sometimes funds researchers who, as part of their research, collect personal health information. In these situations, RHF requires that researchers safeguard the information in accordance with the requirements of both RHF and their own organization through the use of legally enforceable agreements. 

 

3.3.i Request for Information

 

Requests by individuals to access to their personal information fall into the following three categories: 

Category	RHF’s Response
Access requests that are allowed	Provide access to their personal information in the form of a copy of the information requested, within 30 business days (unless an extension of time is permitted in the legislation) Provide an explanation of how their personal information is or has been used Provide a list of any individuals or organizations to whom their personal information has been disclosed
Access requests that are refused	Provide a response that includes the legal reason(s) for the refusal, within 30 business days Provide the title and contact information of RHF’s Privacy Officer should the applicant have questions about the refusal Provide information on how to request a review by the Information and Privacy Commissioner
Access requests to correct personal information	Correct any personal information discovered to be inaccurate or incomplete If a correction is made, forward a copy of the corrected personal information to each organization to which the incorrect or incomplete information was disclosed in the past year If no correction is made, annotate the personal information to indicate that a correction was requested but not made

3.3.j Complaints

In accordance with privacy best practices, RHF has established a privacy complaints process. Complaints should be submitted by email to RHF’s Privacy Officer who manages the complaints process. RHF is committed to ensuring that all complaints will be promptly acknowledged and fairly, thoroughly and confidentially investigated. If the matter is not resolved to the complainant’s satisfaction, we encourage the complainant to contact the Information and Privacy Commissioner in British Columbia (OIPC) for assistance. 

 

4.0 Communication to the Public

A public-facing version of RHF’s commitment to protecting privacy is available on its website at https://www.rickhansen.com. 

 

5.0 Training

All employees and volunteers are required to complete privacy training as part of their on-boarding process and additionally as may be required by the Privacy Officer and/or Manager. As a condition of their engagement, consultants are required to comply with RHF’s privacy requirements, which are described in their contract. Training logs for employees and volunteers are managed by Human Resources. 

 

6.0 Policy Violations 

RHF employees and volunteer, who fail to comply with this policy will be subject to disciplinary action up to and including termination of their employment or volunteer relationship. Examples of violations of this policy include but are not limited to:

• Accessing information that is not required for job purposes;
• Misusing, disclosing without proper authorization, or altering donor information; and,
• Disclosing to another one’s password for accessing electronic records.

Consultants and grant recipients who fail to comply with this policy will be subject to termination of consultant or grant recipient relationship.

7.0 Policy Updates and Changes

We review our privacy practices every two years and more frequently as required. As a result, changes to this policy may be made from time to time. The most current version of this policy can be accessed on our website or by contacting our Privacy Officer.

 

8.0 Contact

For more information on any privacy-related matter, please contact RHF’s Privacy Officer, France Gagnon, at:

Privacy Officer

Rick Hansen Foundation

3820 Cessna Drive

Richmond, BC  V7B 0A2

Email: privacy@rickhansen.com

 

9.0 References

• https://fipa.bc.ca/get-help/privacy-rights-in-canada/
• https://www.dataguidance.com/ 
• https://www2.gov.bc.ca/assets/gov/british-columbians-our-governments/services-policies-for-government/information-management-technology/information-privacy/resources/policies-guidelines/privacy_management_program_guidance.pdf   
• https://www.oipc.bc.ca/guidance-documents/2286 
• https://www.oipc.bc.ca/guidance-documents/1545  
• https://www2.gov.bc.ca/gov/content/employment-business/business/managing-a-business/protect-personal-information/privacy-audit 
• https://www2.gov.bc.ca/gov/content/employment-business/business/managing-a-business/protect-personal-information/principles 

 

10.0 Tools

• Privacy Impact Assessment Guidance, PRI-Guidance-001-v1
• Privacy Impact Assessment Form