Developed by the City of Toronto
A Confidentiality Policy sets standards for the collection, use, disclosure and safeguarding of privacy of personal information. It also contains standards for a person’s access to his or her personal information.
As a social housing provider, you need to collect personal information to decide if a household is eligible for Rent-Geared-to-Income (RGI) assistance. In doing so, you must follow the Municipal Freedom of Information and Protection of Privacy Act and the Housing Services Act (HSA) O. Reg. 367/11 (s.145-147), which sets out standards for collecting, using, disclosing, keeping, and disposing of personal information.
The Board must establish a Confidentiality Policy that will meet all legislative requirements and ensure that the policy is being followed by everyone who handles personal information. All staff (including those employed by a property management company) and volunteer committee members who handle sensitive personal information must be aware of and follow the corporation’s Confidentiality Policy.
1) Appoint a Privacy Officer and document the officer's duties
A Privacy Officer can be a board member who will be responsible for the organization’s compliance with all privacy legislation. The Privacy Officer’s duties should be clearly outlined and include:
2) Establish how you plan to collect personal information
When you ask for personal information, you must give the person a written notice that tells them why you need the information. You must also tell them that you may share it with certain legislated agencies.
There are special rules for handling personal information about people experiencing domestic violence. If you collect information to determine if a person is eligible for special priority, you can only use the information for that purpose. See HSA O. Reg. 367/11, s.146 (10) and (11), and s.147 for more information.
3) Have all staff, board members and volunteer committee members sign a confidentiality agreement
The agreement will help ensure the protection of information used by your corporation.
It should be signed and dated.
Here is a sample template:
I understand that in the course of conducting my responsibilities as a staff person, director or volunteer of (insert name of corporation), I may have access to personal information about applicants, tenants and employees of the corporation. I understand that there are legal restrictions on how this information may be collected, used, stored and disposed of and that privacy of personal information must be respected.
I hereby agree to abide by the corporation’s policy regarding confidentiality attached to this agreement and by the restrictions placed on this information by the Personal Information Protection and Electronic Documents Act and the Housing Services Act and any other statute which is now or may later be in force.
4) Document your corporation’s confidentiality procedures
Consider the following:
In your building, how are applicant, tenant/member and employee files (including information on databases) safeguarded against unauthorized
How are your databases containing files with personal information, and other confidential electronic files protected against unauthorized access?
How do you dispose of personal information?
When do you release personal information?
Who has access to and is responsible for correcting personal information?
Breach of Confidentiality
A breach of confidentiality may be grounds for staff to be disciplined or terminated and a board member to be removed as a director of the corporation. The Board must determine the penalty for breach of confidentiality and include this in the policy. The penalty must be communicated to all persons affected by the Confidentiality Policy.
5) Request and review status reports
The Board should review monthly status reports from the Privacy Officer to ensure the Confidentiality Policy is being followed.