Confidentiality Policy Development Tool

Developed by the City of Toronto

A Confidentiality Policy sets standards for the collection, use, disclosure and safeguarding of privacy of personal information. It also contains standards for a person’s access to his or her personal information

As a social housing provider, you need to collect personal information to decide if a household is eligible for Rent-Geared-to-Income (RGI) assistance. In doing so, you must follow the Municipal Freedom of Information and Protection of Privacy Act and follow the Housing Services Act (HSA) O. Reg. 367/11 (s.145-147) which sets out standards for collecting, using, disclosing, keeping, and disposing of personal information.

The Board must establish a Confidentiality Policy that will meet all legislative requirements and ensure that the policy is being followed by everyone who handles personal information. All staff (including those employed by a property management company) and volunteer committee members who handle sensitive personal information must be aware of and follow the corporation’s Confidentiality Policy.

1) Appoint a Privacy Officer and document the officer's duties

A Privacy Officer can be a board member who will be responsible for the organization’s compliance with all privacy legislation. The Privacy Officer’s duties should be clearly outlined and include:

Reviewing the corporation’s policies and practices regarding the collection and storage of personal information.
Implementing the necessary changes to guarantee that collecting and retrieving personal information follows the corporation’s policy.
Telling tenants/members and public how the corporation treats personal information.
Handling complaints. The Privacy Officer should respond to all requests for access to and correction of personal information within 30 days of the request being made. The Privacy Officer should advise the complainant what action was taken.
Making recommendations to the Board of Directors in connection with the resolution of the complaint when necessary.

2) Establish how you plan to collect personal information

When you ask for personal information, you must give the person a written notice that tells them why you need the information. You must also tell them that you may share it with certain legislated agencies

There are special rules for handling personal information about people experiencing domestic violence. If you collect information to determine if a person is eligible for special priority, you can only use the information for that purpose. See HSA O. Reg. 367/11, s.146 (10) and (11), and s.147 for more information.

3) Have all staff, board members and volunteer committee members sign a confidentiality agreement

The agreement will help ensure the protection of information used by your corporation.

It should be signed and dated.

Here is a sample template:

CONFIDENTIALITY AGREEMENT

I understand that in the course of conducting my responsibilities as a staff person, director or volunteer of (insert name of corporation), I may have access to personal information about applicants, tenants and employees of the corporation. I understand that there are legal restrictions on how this information

may be collected, used, stored and disposed of and that privacy of personal information must be respected.

I hereby agree to abide by the corporation’s policy regarding confidentiality attached to this agreement and by the restrictions placed on this information by the Personal Information Protection and Electronic Documents Act and the Housing Services Act and any other statute which is now or may later be in force.

4) Document your corporation’s confidentiality procedures

Consider the following:

In your building, how are applicant, tenant/member and employee files (including information on databases) safeguarded against unauthorized

access?
How are your databases containing files with personal information, and other confidential electronic files protected against unauthorized access?
How do you dispose of personal information?
When do you release personal information?
Who has access to and is responsible for correcting personal information?

Breach of Confidentiality

A breach of confidentiality may be grounds for staff to be disciplined or terminated and a board member to be removed as a director of the corporation. The Board must determine the penalty for breach of confidentiality and include this in the policy. The penalty must be communicated to all persons affected by the Confidentiality Policy.

5) Request and review status reports

The Board should review monthly status reports from the Privacy Officer to ensure the Confidentiality Policy is being followed.