OVWCCC Privacy Policy and Your Consent

Overview

The purpose of  this page is to inform you of the why the OVWCCC collects your membership data, safeguards your data, uses your data to assist in club activities and shares your data with third parties, in our case WildApricot which is our communications management platform.  You will be requested to acknowledge you have reviewed the material below and give consent for the OVWCCC to use this information in its planning activities

Data Collection Laws in Canada

Data protection law in Canada is comprised of a complex set of federal and provincial statutes.  Some of these statutes include mandatory notification and reporting requirements in the case of a breach of personal information.  

The key data protection statutes in Ontario, Canada are Federal: Personal Information Protection and Electronic Documents Act (S.C., 2000, c. P-5) ('PIPEDA').  In addition, Canadian anti-spam law, Canada's Anti-Spam Legislation (SC, 2010, c 23) ('CASL'), frequently comes into play in relation to electronic marketing activities.

PIPEDA applies to every organization that collects, uses, or discloses personal information in the course of commercial activities. Commercial activity is defined as any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering, or leasing of donor, membership, or other fundraising lists.

The following are the primary authorities that issue data protection guidance pursuant to the private sector privacy statutes listed above:

The Office of the Privacy Commissioner of Canada ('OPC') and PIPEDA is administered by the OPC.

Under PIPEDA and the provincial privacy laws, organizations are required to designate an individual(s) responsible for privacy compliance. This individual is conventionally known as the 'privacy officer'.  For the OVWCCC the privacy officer is the treasurer of the club. Also known as the Data Protection Officer (DPO).

OVWCCC LEGAL OBLIGATIONS:

Consent - consent is required prior to the collection, use, and disclosure of personal information. Implied consent is reasonable for low risk data while explicit consent is needed for sensitive personal information, such as health information and financial information.  onsent under PIPEDA is only valid if it is reasonable to expect that an individual to whom the organization's activities are directed would understand the nature, purpose, and consequences of the collection, use, or disclosure of the personal information to which they are consenting. 

For clarity purposes the OVWCCC specifies that the membership data collected is used solely for our legal requirements to:

OVWCCC Legal obligations - PIPEDA permits organizations to collect, use, and disclose personal information without consent where required by law and to disclose information, for example: to investigate a breach of an agreement or a law that has been, or is about to be, committed; or to detect or suppress fraud, or to prevent fraud that is likely to be committed. 

Public Interest - Under PIPEDA, consent is not required where it is reasonable to expect that the collection with the consent of the individual would compromise the availability of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the Canada's federal or provincial laws.

Further, consent is not required if the collection of the information is for the purpose of disclosing the information as required by law or made to a Federal Government/government institution that has identified its lawful authority and has indicated that it suspects the information relates to national security, the defense of Canada, or the conduct of international affairs.

Legitimate interest of the data controller - Under PIPEDA, consent is not required in a range of circumstances such as with data transfers.  An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. In general terms, organizations must use contractual or other means, which usually include technical measures, to provide a comparable level of protection while the information is being processed by a third-party service provider or other entity. 

Giving consent for others

The club is given permission to provide information and consent for others in unique situations such as:

YOUR RIGHTS:

Date Breach - There is a general obligation for data breach notification. Under PIPEDA, notification of a privacy breach must be given to individuals, the OPC, and potentially other organizations (e.g. another organization, a government institution, or a part of a government institution) if that organization, government institution, or part concerned may be able to reduce the risk of the harm that could result from it or mitigate that harm, in the event of a breach of security safeguards where it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual. Notification must be given as soon as feasible. Significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property.

Data Retention - PIPEDA states that personal information must be retained only for as long as is necessary to fulfil the purposes for which it was collected, after which it should be securely destroyed, erased, or rendered anonymous.

Processor (third party) contracts - Privacy sector privacy laws require that organizations enter into contractual agreements which take into account privacy considerations when outsourcing the processing of personal information.

Right to Rectification and erasure - Under PIPEDA, individuals should have the ability to remove information that they have posted online and has suggested that PIPEDA currently includes this right in relation to the right to withdraw consent. 

Right to object / opt out - Individuals have the right to submit complaints to organizations, to withdraw consent (subject to some limitations), and to file complaints with the OPC.

Third-parties applications -  if OVWCCC shares any personal data with third-party applications such as WildApricot,  they are prepared to respond to data requests from members.

More information on this topic can be found at https://www.dataguidance.com/notes/canada-data-protection-overview 

Contact us

If you, as a member of the OVWCCC have any concerns over your consent in providing us with membership data, or with our use of that data, kindly contact the treasurer of the club, identified on the Executive page of the website.