V2.1 – Nov. 2015
Approved by the Board of Directors
Updated by the Executive Committee
Jewish Free Loan Toronto (JFLT, or the Agency, or the Association) is a community organization with the mandate to Help People Help Themselves by offering interest-free loans to members of the Jewish community of the Greater Toronto Area who are in need.
The purpose of this policy is to establish a framework of accountability and practices for the protection of clients, guarantors and volunteers personal information, based on applicable parts of the Freedom of Information and Protection of Privacy Act (FIPPA, or the Act).
According to the Act, “personal information” (PI) means recorded information about an identifiable individual. The following is a partial list of types of information that can be used to identify an individual, and constitutes “personal information”:
- the individual’s full name where it appears with other personal information
- relating to the individual
- the address, telephone number and email address of an individual
- information relating to national or ethnic origin, religion, age, gender, marital or family status of the individual
- information relating to the education and employment history
- correspondence sent to an institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to that correspondence.
The objective of this policy is to ensure that the personal information of the Agency’s clients, guarantors and volunteers is protected against unauthorized access and it is collected, used and disclosed only for the purpose of conducting the Agency’s business.
The Agency is responsible for the protection of personal information under its control, information belonging to clients, guarantors, office staff and volunteers, and has designated the Executive Director as the individual who is accountable for the organization’s compliance with the requirements of this policy.
2. Identifying Purposes
The purposes for which clients’ personal information is collected are related entirely and exclusively to conducting the business of the Agency, e.g. the evaluation of basic eligibility for a loan (for instance, that the applicant lives in the geographic area served by the Agency), assessment of the financial needs of applicants, the lending decisions and operations, and, when necessary, the collection of loans in default. The Agency shall not collect, use or disclose the clients’ PI, for any other purpose except as stated in this policy.
The collection, use or disclosure of personal information, shall be done only with explicit or implicit client consent or as set out by this document.
4. Limiting Collection
The collection of personal information shall be limited to that which is necessary for the purposes identified by the Agency. Information shall be collected by reasonable means, including, without limitation, by asking the clients to provide the required information themselves or by using standardized Loan Application Forms. Additional information may be required in order to complete and/or to clarify the clients’ current financial and personal situations.
5. Limiting Use, Disclosure and Retention
Information in the client database shall not be disclosed to other UJA Agencies or other organizations, without client consent.
All other forms of data use and disclosure must be in aggregate form, and anonymized, i.e. disclosed information shall have only statistical value, and shall not be traceable back to a specific individual.
Clients’ personal information will be disclosed during the Loan Committee discussions for the purpose of deciding on the outcome of the Loan Application.
Volunteers who participate in the Loan Committee shall be under obligation not to use or disclose any of the personal information discussed during the meetings to any other parties.
Personal information may be kept in archived form.
Personal information shall be as accurate, complete and up-to-date as is necessary for the purpose for which it is used. Changes in personal information shall be made as it becomes available or otherwise provided to the agency.
Client personal information shall be protected by reasonable security safeguards. Access to the client database shall require a user ID and password, and shall be limited to agency staff and designated volunteers only.
The Agency shall make a copy of this policy available on request, and post on its website
New volunteers shall be apprised of the Privacy Policies and Practices of the Agency.
9. Individual Access
Upon request, a client shall be informed of the existence, use and disclosure of his or her personal information, and shall be given access to that information. A client shall be able to verify the accuracy and completeness of the information and have it amended as appropriate.
10. Challenging Compliance
A client shall be able to address a challenge concerning compliance with the above principles to the Executive Director. A response to the challenge, including a plan for corrective action, if applicable, shall be provided to client in writing, within maximum 30 days.
Policy Implementation and Maintenance
The Executive Committee shall review and update the Policy as needed.
The Executive Director is accountable for implementing the policy and developing the operational procedures needed for compliance with the privacy principles described herein.