All REACH Edmonton Council (known as REACH) management, staff, volunteers and members, when engaged in the business or activities of REACH.
To ensure that REACH's personal information collection, use and disclosure practices are reasonable, consistent, and comply with applicable privacy legislation (including, for example, the Personal Information Protection Act Alberta).
It is the policy of REACH to protect and respect the privacy of personal information under its custody and control. REACH is committed to protecting the privacy, accuracy and security of personal information that is collected, used and disclosed in the conduct of its business, and to complying with all privacy legislation applicable to such information. Such legislation may change from time to time; where such changes occur, this policy will be amended accordingly to ensure REACH's continued compliance.
Collection and Use of Personal Information
REACH primarily collects and uses personal information regarding an individual for the purpose of providing services to that individual; this is viewed as a reasonable purpose given REACH's Vision and Mission. More specifically, collection and use may occur to support REACH in:
Complying with applicable legal and regulatory requirements;
Administering, planning and managing the relationship of the subject individual with REACH, or communicating with the subject individual;
Facilitating delivery of REACH services to the subject individual, and participation of the subject individual in programs and events offered or hosted by REACH or its partner agencies;
Developing, enhancing or providing REACH products and services; and
Achieving other purposes reasonably connected with managing the subject individual's relationship with REACH, and supporting REACH's objectives.
REACH does not collect or use personal information for any other purpose, unless it has first obtained the consent of the individual to whom it relates. Such consent may be express or implied, as may be required pursuant to applicable law or as may be reasonable based upon the circumstances, and will always be informed so that the purpose for the collection or use is identified and communicated to the individual from whom the information is collected.
The personal information collected by REACH is limited to that which is reasonably required to fulfill the purposes above.
Method of Collection
REACH only collects personal information about individuals with the subject individual's knowledge and consent. Generally, this means that REACH collects personal information directly from the individual to whom it relates, whether via REACH's website, telephone, fax or in person. Occasionally, REACH may collect personal information from third party sources, including agencies that may be associated with or involved in REACH's programs and initiatives, but in such circumstances, only with the knowledge and consent of the subject individual or where such collection is otherwise authorized or supported by applicable law.
Disclosure of Personal Information
REACH only discloses personal information as may be reasonably required to facilitate the authorized purposes listed above. For example, as part of processing an application to participate in a REACH-administered activity or program, it may be necessary to disclose certain personal information regarding the participant to the agency or organization supporting or hosting the program.
REACH does not otherwise disclose personal information unless:
REACH has the consent of the subject individual;
REACH has a good faith belief that disclosure of the information is necessary to protect the rights or property of REACH; or
REACH has a legal duty or right to do so.
REACH does not rent, sell or trade personal information, including customer, member or client lists.
REACH does not disclose personal information to any third party partner agency unless it has entered into an appropriate information sharing agreement with such partner agency, and such partner agency has in place similar privacy policies and practices as those used by REACH.
Individuals can vary, deny or withdraw (in writing) their consent to REACH's collection, use and disclosure of their personal information at any time upon reasonable notice, subject to any legal or contractual requirements. However, if consent is denied or withdrawn, REACH may not be able to provide certain programs, products or services to the withdrawing individual.
REACH may use personal information to inform individual clients or members of new services, programs, events, initiatives or other developments that REACH believes will be of interest to its clients or members. Such communications may be made by way of telephone, e-mail, fax or regular mail. Individuals may opt-out of receiving such communications by contacting REACH (in writing) at the address noted below.
Security of Personal Information
REACH has in place reasonable practices and safeguards (including physical, technological and organizational measures) designed to help protect the security of personal information under its control. Such safeguards are appropriate to the sensitivity level of the information, and include the following:
Need to Know Access. REACH volunteers and staff are only permitted to access personal information as necessary to fulfill legitimate job responsibilities and functions.
Transmittal of Information. REACH volunteers and staff are required to use reasonable care to ensure that the method of receiving or transmitting personal information (whether by telephone, fax, e-mail or otherwise) is sufficiently secure, taking into account the sensitivity of the information being received or transmitted. Personal information may be transmitted by e-mail provided that the recipient's e-mail address has been confirmed or is on REACH's internal e-mail list. Sensitive information is required to be clearly marked as private and confidential.
Locking Filing Cabinets. When not in use, REACH volunteers and staff are required to ensure that member files and records containing personal information are stored in appropriate filing cabinets. Such filing cabinets should be locked outside of regular business hours.
Passwords/Access Cards. REACH volunteers and staff are required to protect the security of their computer passwords, office codes and keys, building access cards and any other codes or devices issued to them, and to refrain from sharing such codes or devices with any other person.
Security Incidents. REACH volunteers and staff who become aware of any security-related incident, or suspect the occurrence of any security-related incident, are required to report the matter to appropriate management immediately, and to cooperate in the investigation of any such incidents.
Computer Workstations. REACH volunteers and staff are required to activate a power-on password and a screen lock password (activated automatically after a set period of inactivity) on any computer used by them in the course of REACH-related business or activities. Computers are not to be left unattended.
Mobile Devices and Applications. REACH requires all mobile devices used by volunteers and staff in the transmission or storage of personal information to be equipped with suitable passwords, and any auto-lock feature to be enabled. REACH also requires that personal information stored on such devices be limited to only that which is reasonably necessary for its intended purposes and functions. Information is purged from mobile devices on upload to the REACH 24/7 Outreach Worker application server. Up-to-date encryption technology is required to be enabled on such devices, both with respect to the information being transmitted to and/or from the device via any mobile application, in order to protect the privacy and security of personal information contained in any mobile application is monitored for compliance.
Breach Reporting. In the event of an incident involving the loss of, unauthorized access to, or disclosure of personal information, and where a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of such loss or unauthorized access or disclosure, REACH will provide notice of the incident to the Office of the Privacy Commissioner of Alberta.
Access and Amendment to Personal Information
Upon request, REACH will provide individuals with access to the personal information REACH holds about them, including the details of any personal information REACH has disclosed about them, in accordance with applicable law.
REACH reserves the right to require that any request for access to personal information be made in writing. Generally, there is no cost for such access. However, REACH reserves the right to charge a reasonable fee for access on a case-by-case basis in accordance with applicable law. The individual making the request for access will be notified in advance if such a fee is determined to apply.
REACH will correct or amend personal information in its files and records where it can be demonstrated that the information is incorrect or incomplete. The individual making the request for correction will be notified if the information was changed. If REACH makes a determination not to make the requested correction or amendment, REACH will annotate the personal information under its control with the correction or amendment that was requested, but not made.
If REACH has disclosed incorrect information to another organization, it will send a notification containing the corrected information to that organization if it is reasonable to do so.
Storage of Personal Information
REACH stores the personal information it collects at its main office, located at the address noted below, or in a secure data centre. The personal information collected by REACH is retained only for such period of time as may be necessary to fulfill the purpose for which it was collected, or as may be required for statutory or other legal purposes. Personal information is destroyed or disposed of in a secure manner.
REACH uses reasonable efforts to update personal information in its custody whenever possible, and where may be necessary for the ongoing administration of the subject individual's relationship with REACH or otherwise to support the purposes outlined in this Policy.
In the event that a breach of this Policy or applicable privacy law occurs, or a client, customer or member of REACH submits a written complaint regarding REACH's compliance with this Policy, REACH will take appropriate steps to record the breach/complaint, address the breach/complaint, and if necessary, investigate the breach/complaint. REACH staff and volunteers will cooperate in any such investigation, as may be required. A response will be provided to the complainant in all applicable circumstances.
Notwithstanding any complaint process followed by REACH, or response provided by REACH, a complainant is permitted to make a complaint regarding REACH's compliance with this Policy or applicable privacy law to the Alberta Office of the Information and Privacy Commissioner (OIPC). REACH will cooperate in any review or investigation initiated by the Alberta OIPC.
For further information about REACH's privacy practices, to make inquiries regarding to REACH's privacy policies and practices, or to make a request for access to personal information, please contact REACH's Privacy Officer, who is the person responsible to ensure that REACH complies with applicable privacy law and this policy, at the following address:
REACH Edmonton Council for Safe Communities
Suite 901, Baker Centre
10025 - 106 Street
Edmonton, AB T5J 1G4
ATTENTION: Privacy Officer
Telephone: (780) 498-1231
Fax: (780) 498-1266