Recommended by the HR & Administration Committee, Oct 14, 2021
Protecting the privacy and confidentiality of personal information is an important aspect of the way the NFU conducts business. Collecting, using, and disclosing personal information appropriately, responsibly, and ethically is fundamental to the organization’s daily operations.
The organization strives to protect and respect the personal information of its members, donors, employees, business partners, and so on in accordance with all applicable statutory requirements. All employees must abide by the procedures and practices set out below while handling personal information.
This policy outlines the organization’s commitment to privacy and establishes the methods by which privacy is ensured. This policy applies to all employee personal information in the organization’s care, custody, and control.
Personal information is any factual or subjective identifying information about an individual or group of individuals. This can include name, date of birth, address, income, e-mail address, social insurance number, gender, and so forth.
Consent occurs and is considered obtained by the NFU when an individual provides express consent orally, in writing, or through an applicable online action. Before being asked to provide consent, individuals will be provided with the reasons their personal information is being collected, how it will be used and stored, and any disclosure or possible disclosure of the information.
Implied consent is granted by the individual where consent may reasonably be inferred from the action or inaction of the individual. Where possible, this should always be followed up by an NFU representative to obtain express consent.
NFU collects and uses personal information solely for the purpose of conducting business and developing an understanding of its customers. The NFU hereby asserts that personal information may only be used for business purposes.
The NFU assumes full accountability for the personal information within its possession and control. The NFU has appointed the Executive Director as custodian of all privacy matters and legal compliance with privacy laws.
In the course of conducting its business, the NFU may have to obtain personal information directly from the individual to whom the information belongs. Individuals whose personal information is being collected are at all times entitled to know how the NFU uses their personal information and that the use of any personal information collected is limited to only what is needed for those stated purposes. If necessary, the NFU will obtain individual consent if personal information is to be used for any other purpose.
The organization will not use that information without the consent of the individual.
Under no circumstances will the organization sell, distribute, or otherwise disclose personal information, including personal contact information or employee lists, to third parties, unless required to do so by law. This may include consultants, suppliers, or business partners of the NFU, but only with the understanding that these parties obey and abide by this policy, to the extent necessary for fulfilling their own business duties and day-to-day operations.
The organization will retain personal information only for the duration it is needed for conducting its business and ensuring statutory compliance. Once personal information is no longer required, it will be destroyed promptly, safely, and securely. However, certain laws may require that certain personal information be kept for a specified amount of time. Where this is the case, the law will supersede this policy.
The NFU will take every reasonable precaution to protect personal information with appropriate security measures, physical safeguards, and electronic precautions. The NFU maintains personal information through a combination of paper and electronic files. Where required by legislation or disaster recovery or business continuity policies, older records may be stored in a secure, offsite location.
The NFU will ensure:
- Access to personal information is authorized only for the employees and other agents of the NFU who require the information to perform their job duties, and to those otherwise authorized by law;
- The NFU’s computer network systems and databases are secured by complex passwords and firewalls to which only authorized individuals may access;
- Active physical files are kept in locked filing cabinets;
- Routers and servers connected to the Internet are protected by a firewall, and are further protected against virus attacks or “snooping” by sufficient software solutions;
- Personal information is not transferred to employees, volunteers, summer students, or any other person in the NFU unless authorized.
The NFU may share compiled demographic information, but no personal information that can identify any individual person will be disclosed. While IP addresses will be logged in order to administer the site, track visitor movement, and gather demographic information, these IP addresses will not be shared, nor linked to any personally identifiable information. Any registration or order form asking site visitors to enter personal or financial information will be protected by SSL encryption.
In most instances, the NFU will grant individuals access to their own personal information in the care, custody, and control of the NFU upon presentation of a written request and satisfactory identification. If an individual finds errors of fact with their personal information, they should notify the NFU as soon as possible to make the appropriate corrections.
If the NFU denies an individual’s request for access to their personal information, the NFU will advise in writing of the reason for such a refusal. The individual may then challenge the decision.
The NFU may use personal information without the individual’s consent under particular circumstances. These situations include, but are not limited to:
- The collection is clearly in the interests of the individual and consent cannot be obtained in a timely way;
- The personal information was produced by the individual in the course of their employment, business, or profession, and the collection is consistent with the purposes for which the information was provided;
- The collection is made for the purpose of making a disclosure required by law; or
- Any other reason as defined in applicable legislation
Individuals are entitled to know whether the organization holds their personal information, to see their information and ensure that it is accurate.