Kitchener Waterloo Community Orchestra
Privacy Policy
kwcommunityorchestra@gmail.com
Updated May 2019
Purpose
In the course of its activities, it is necessary for KWCO to record, store, process, transmit, and otherwise handle private information which it receives and stores about individuals. This policy addresses and is concerned with private information, which is the sort of information allowing the subject of the information to be identified. KWCO takes these activities seriously and provides fair, secure, and lawful systems for the appropriate handling of this private information. All such activities of KWCO are intended to be consistent and compliant with standard practices of a non-profit organization such as KWCO.
Scope
This policy applies to all KWCO members, volunteers and employees, as well as contractors and consultants with access to private or sensitive information about individuals.
References in this policy statement to employees or members of the board of directors of KWCO, shall apply equally to all volunteers performing authorized functions and activities for KWCO.
KWCO Responsibilities
KWCO through its board of directors must take reasonable efforts to ensure that all private information maintained by KWCO is accurate, timely, relevant, and complete. KWCO also must make reasonable efforts to ensure that all private information is used only as intended by the reasons for its legal collection of the information in a manner consistent with this policy, and that precautions preventing misuse are both effective and appropriate. KWCO is responsible for establishing appropriate controls to ensure that private information is accessible by and disclosed only to those who have an authorized need for such access. KWCO must establish and maintain sufficient controls to ensure that all KWCO stored information is free from a significant risk of undetected alteration.
Disclosure Of Private Information
Revealing Information About Policies and Procedures - As a general rule, information security policies and procedures should be revealed only to board members of KWCO whose functions require it, and to its employees and professional consultants such as accountants/auditors or legal consultants, who have a legitimate business need for this information. A notable exception involves the policies that deal with private information about individuals. All involved individuals have a right to review an officially-approved statement of KWCO policies and procedures regarding the handling of information about them. Such a statement may be available on the KWCO web site. In addition, KWCO must disclose the existence of systems containing private information and the ways that this information is used. With the exception of criminal and policy-violation investigations, there must be no system of personnel records within KWCO whose very existence is kept secret from the people described therein.
Handling Private Information Requests - All requests for private information coming from a person or organization outside KWCO, must be forwarded to the KWCO board of directors for determination. All requests for private information that fall outside normal functions or activities of KWCO, and that come from a KWCO insider, must be forwarded to the board of directors. The board will decide whether the requests will be granted.
Appropriate Handling Of Private Information
Collect Only Necessary Information - In general, KWCO may collect, process, store, transmit, and disseminate only that private information that is necessary for the proper functioning of its activities.
Destruction Of Private Information - When storage of private information is no longer required, it must be destroyed by shredding, or by other effective destruction methods. Destruction of private information resident on computer disks and other magnetic media must be accomplished with an overwriting process. A simple erase process is not sufficient. To assure the proper destruction of private or confidential information, disposal of computers with embedded hard disk drives or other data storage systems may proceed only once the hard drive has had all information removed as well as any ability to subsequently retrieve same.
Removal Of Private Information - Private or confidential information must not be removed from approved KWCO storage facilities. Permission to remove such information may be granted only by the board of directors. Signed third-party non-disclosure agreements may additionally be required when private information is removed from KWCO storage facilities. Private information must not be moved to another country, for purposes of storage or otherwise.
Private Information On Computer And Communication Systems
Examination Of Stored Information - At any time and without prior notice to whomever may be in control or in charge of storing same, KWCO reserves the right to examine archived electronic mail, private file directories, hard disk drive files, and other information stored on or on behalf of KWCO information systems. Such examinations are typically performed to assure compliance with internal policies, support the performance of internal investigations, and assist with the function of the KWCO information systems.
Changing Information Resident on Systems - KWCO reserves the right to delete, summarize, or edit any information posted to KWCO computers, web sites, or communication systems.
Routine Usage of Backup Systems - All files and messages stored on KWCO systems are routinely copied to storage media. Such back-up storage activities shall be duly recorded by KWCO. Information stored on current KWCO information systems, even if an employee has specifically deleted it, is often recoverable and may be examined at a later date from the back-up storage. Information intended to be permanently deleted shall also be permanently removed from all back-up storage media.
Encryption Of Electronic Mail - Employees and other authorized persons communicating on behalf of KWCO must consider electronic mail to be the computerized equivalent of a postcard. Unless material sent by electronic mail is encrypted, employees, volunteers, and others acting on behalf of KWCO must refrain from sending private or confidential information through electronic mail.
Testing With Sanitized Data - All software testing for systems designed to handle private data must be accomplished exclusively with production information that no longer contains specific details that might be valuable, critical, or sensitive.
Handling Personnel Information
Access to Own Personnel File - Upon written request, every employee must be given access to his or her own personnel file. Employees must be permitted to both examine and make a copy of the information appearing in their personnel file.
Disclosure To Third Parties - Disclosure of private information about KWCO employees to third parties must not take place unless required by law or permitted by explicit consent of the employee. KWCO must not disclose the names, titles, phone numbers, locations, or other contact particulars of its employees without consent unless otherwise required by law. The reason for termination of employees must not be disclosed to third parties, except where the disclosure is required by law. Every disclosure of private information to third parties must be recorded by the board of directors and these records must be maintained for at least five years.
Summary Of Disclosures - If they request it, employees must be provided with a summary of all disclosures of their private information to third parties. In addition, employees must be given sufficient information, as may be maintained by KWCO, to permit them to contact such third parties to rectify errors or supply additional explanatory information.
Change Of Status Information - Detailed employee change of status information is strictly confidential, and must not be disclosed to anyone except those people who have a genuine need to know. Detailed change of status information includes the reasons for terminations, retirements, resignations, leaves of absence whether or not pending the results of an investigation, and changes to consultant or contractor status.
Part Time Employees - All provisions of this Policy concerning employees of KWCO, apply equally to part time or temporary employees.
Private Information From Job Seekers or Members
Gathering Unnecessary Information - Private information about a prospective employee or member may not be gathered unless it is both necessary to make a related decision and also relevant to the prospective position or job. This policy addresses marital status, family planning objectives, gender or sexual orientation, off-hours activities, political affiliations, performance on previous jobs, previous employers, credit history, education, and other personal details.
Credit And Background Checks - Whenever a credit report will be examined or a background check will be performed, prospective employees or members of the board of directors, must provide a written release indicating their approval of the process. These prospective employees or board members must be given an opportunity to withdraw their application if they choose not to disclose such private information to KWCO.
Permissible Tests - Candidates for a job with KWCO must not be subjected to drug tests, AIDS tests, psychological tests, or other tests that may illuminate the candidates’ lifestyle, political associations, or religious preferences, or a form of disability. An exception may be made if this information is legitimately needed to determine a candidate’s suitability for a certain position.
Private Information About Customers
Consent For Collection Required - The collection of private information on prospects, customers, and others with whom KWCO does business, is customary and expected. However, KWCO representatives must not collect private information from prospects or customers without having obtained their knowledge and consent in advance of doing so.
Consent For Uses Required - Before a customer discloses private information, all KWCO representatives must inform the customer about the ways that this private information will be used, and the third parties, if any, to whom the information may be disclosed.
Collection Of Unnecessary Information - KWCO employees or representatives, whether directly or by operation of information systems, must never require the provision of prospect or customer private information that is unnecessary for the relevant purpose of its collection.
Opting Out From Unsolicited Contacts - KWCO customers or other prospects must be given an opportunity to inform KWCO that they do not wish to be contacted by any means or that they withdraw previous consent for contact initiated by KWCO. KWCO employees and other representatives must faithfully observe and act on these customer requests.
Sharing Of Customer Information - KWCO does not disclose specific information about customer accounts, transactions, or relationships to unaffiliated third parties for their independent use.
Change Of Business Structure - Should KWCO go out of business, merge, be acquired, or otherwise change the legal form of its organizational structure, KWCO may need to share some or all of its customer information with such other entity. If such a change and associated information transfer takes place, customers must be promptly notified.
Use Of Outsourcing Organizations - KWCO may outsource some or all of its information handling activities, and it may be necessary to transfer prospect and customer information to third parties to perform work under an outsourcing agreement. In all such cases, the third parties involved must sign a confidentiality agreement prohibiting them from further dissemination of this information, prohibiting them from using this information for unauthorized purposes, and requiring compliance with this policy.
Violations
Any violation of this policy may result in disciplinary action, up to and including termination of membership or of employment with KWCO, as the case may be. KWCO reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity. KWCO does not consider conduct in violation of this policy to be within an employee’s or a volunteer’s course and scope of duties or functions performed for or on behalf of KWCO, or the direct consequence of the discharge of such duties.
Any employee, member, or volunteer who is requested to undertake an activity which he or she believes is in violation of this policy must provide a written or verbal complaint to the source of the request and to the board of directors, where appropriate, as soon as possible.
Definitions
Confidential Information (Sensitive Information) – Any KWCO information that is not publicly known and includes information in any form, such as information that is observed or orally delivered, or is in electronic form, or is written or in other tangible form. Confidential Information may include, but is not limited to, source code, product designs and plans, beta and benchmarking results, patent or trademark applications, production methods, product roadmaps, customer lists and information, prospect lists and information, promotional plans, competitive information, names, salaries, skills, positions, pricing and product costs, and membership and employee information and lists including organizational charts. Confidential Information also includes any confidential information received by KWCO from a third party under a non-disclosure or confidentiality agreement.
Information Asset – Any KWCO data in any form, and the equipment used to manage, process, or store KWCO data, that is used in the course of executing its activities. This includes, but is not limited to, corporate, customer, and member data.
Member – Any non-employee of KWCO who participates in the activities of KWCO and is current in payment of membership fees.
User - Any KWCO employee, member, consultant or volunteer who has been authorized to access any KWCO electronic information resource.