Confidentiality Policy Development Tool
Developed by the City of Toronto
1) Appoint a Privacy Officer and document the officer's duties
- Reviewing the corporation’s policies and practices regarding the collection and storage of personal information.
- Implementing the necessary changes to guarantee that collecting and retrieving personal information follows the corporation’s policy.
- Telling tenants/members and the public how the corporation treats personal information.
- Handling complaints. The Privacy Officer should respond to all requests for access to and correction of personal information within 30 days of the request being made. The Privacy Officer should advise the complainant what action was taken.
- Making recommendations to the Board of Directors in connection with the resolution of the complaint when necessary.
2) Establish how you plan to collect personal information
3) Have all staff, board members and volunteer committee members sign a confidentiality agreement
The agreement will help ensure the protection of information used by your corporation.
It should be signed and dated.
Here is a sample template:
4) Document your corporation’s confidentiality procedures
Consider the following:
In your building, how are applicant, tenant/member and employee files (including information on databases) safeguarded against unauthorized access?
How are your databases containing files with personal information, and other confidential electronic files, protected against unauthorized access?
How do you dispose of personal information?
When do you release personal information?
Who has access to and is responsible for correcting personal information?
Breach of Confidentiality
A breach of confidentiality may be grounds for staff to be disciplined or terminated and a board member to be removed as a director of the corporation. The Board must determine the penalty for breach of confidentiality and include this in the policy. The penalty must be communicated to all persons affected by the Confidentiality Policy.
5) Request and review status reports
The Board should review monthly status reports from the Privacy Officer to ensure the Confidentiality Policy is being followed.