Purpose of Policy and scope of application
The purpose of the present Policy is to provide general guidelines regarding the protection of personal information, in compliance with articles 35 to 40 of the Civil Code of Québec S.Q. 1991, c. 64 and with the Act Respecting the Protection of Personal Information in the Private Sector chapter P-39.1.
The above-mentioned Acts define personal information as any information which relates to a natural person and directly or indirectly allows that person to be identified. Personal information includes but is not limited to name, address, email address, telephone number, financial status and/or banking details, employment, health or any other information of a medical, biometric or otherwise intimate nature.
The John R. McConnell Foundation (hereinafter referred to as “JRMF”) is a non-soliciting private foundation. To fulfill its purposes as a charitable entity, JRMF does not collect personal information beyond personal information which by law is public, or personal information concerning the performance of duties of a person within an enterprise, such as the person’s name, title and duties, as well as the address, email address and telephone number of the person’s place of work. The mission of JRMF is to receive and maintain a fund or funds and to apply all or part of the principal and income therefrom, from time to time, to qualified donees, as defined in the Income Tax Act (Canada), namely Canadian registered charities and other qualified donees which benefit the relief of poverty, health, education and other purposes beneficial to the community.
In the course of its operations and during interactions with qualified donees, JRMF will not use and/or retain personal information other than personal information which by law is public, or personal information concerning the performance of duties of a person within an enterprise, such as the person’s name, title and duties, as well as the address, email address and telephone number of the person’s place of work. Most of the information related to the qualified donees involved with JRMF is not considered personal information as it relates to organizations rather than individuals. Furthermore, most of the information related to qualified donees is publicly available through the CRA List of Charities and other qualified donees.
During communications with the John R. McConnell Foundation, whether in person, by mail, email or any other means of communication, the information related to the performance of duties of a person within an enterprise, or public body, must be used. When communicating information to the John R. McConnell Foundation, it is the responsibility of the person providing the information to ensure that this information does not contain any personal information other than personal information which by law is public or concerning the performance of duties of a person within an enterprise, or that de-identification measures have been taken. These requirements are clearly set out in the email signature of JRMF, and individuals who complete the website contact form must check a box at the end to confirm that they have read and accepted JRMF’s Privacy Policy.
Personal information provided to JRMF beyond what is required to fulfill its purposes as a charitable entity, whether voluntarily or inadvertently, will be promptly destroyed. The John R. McConnell Foundation has no legal obligation to retain unsolicited personal information.
Person in charge of the protection of personal information
The Chairman & CEO of the John R. McConnell Foundation shall ensure that the provisions of the Civil Code and of the Act Respecting the Protection of Personal Information in the Private Sector are implemented and complied with. His contact information is as follows:
Pierre-Hugues Fortin
John R. McConnell Foundation
1350 Sherbrooke St. W., Suite 1200
Montréal (QC) H3G 1J1
Telephone number: (514) 379-6292
Email address: [email protected]
Protection of personal information
The personal information held by JRMF is subject to governance policies and practices regarding personal information that ensure the protection of such information. These policies and practices provide a framework for the keeping and destruction of the information, define the roles and responsibilities of the members of its personnel throughout the lifecycle of the information, and set out a procedure for managing confidentiality incidents and a detailed process for managing requests for access, correction, deletion of personal information and complaints regarding how personal information was used or stored.
The policies and practices are proportionate to the nature and scope of JRMF’s activities and are approved by the person in charge of the protection of personal information.
The policies and practices shall be available upon request from the person in charge of the protection of personal information.
Information that the John R. McConnell Foundation may collect from qualified donees
For any initiatives made by JRMF to support a qualified donee, or any grant application made by a qualified donee, JRMF may collect the following information:
- Name of Organization
- Name of contact person and contact information
- Name of Executive Director and contact information
- Charitable Organization registration number
- Financial statements and other financial documents
- Description of Organization
- Explanations regarding the purpose of the grant application and amount requested
- Any other information and/or document which may be required to evaluate a grant application and its follow-up.
No commercial use will be made of any personal information gathered by JRMF, and no personal information will be sent to a third party without a valid purpose and/or permission.
JRMF may be required to disclose qualified donees’ personal information to comply with any court order, law or legal process, including to respond to any government or regulatory request, in accordance with applicable law.
JRMF considers qualified donees, their representatives or any other person interacting with JRMF to have validly consented to the collection, use or disclosure of their personal information if this information was voluntarily provided for the purpose of addressing JRMF’s initiatives to support a qualified donee or philanthropic funding applications (grant applications) received from a qualified donee.
Information that the John R. McConnell Foundation may collect through its website and contact form
JRMF’s Website contains a contact form in which the sender must complete the following required fields:
- Name
- Email address
- Message of maximum 800 characters
The sender may also provide his phone number and attach documents with a maximum size of 33 MB. Individuals who complete the contact form must check a box at the end to confirm that they have read and accepted JRMF’s Privacy Policy.
JRMF’s Website collects limited personal information, such as unique browsing identifiers and cookies captured by the ReCAPTCHA module. This information also includes navigation tracking data captured by the Google Analytics module, contingent on user consent. Cookie consent management is handled using the Byscuit service through integration with the web content management system WordPress, offering the options to accept, reject, or customize cookie preferences. Cookie categories include:
- Functional cookies: Help to perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback and other third-party features. Functional cookies enable the operation of the Google ReCAPTCHA module and the retention of the website’s language preference, facilitating navigation in a single language. The ReCAPTCHA module is a service that protects the website from spam and abuse.
- Analytics cookies: Used to understand how visitors interact with the website. These cookies help provide information on metrics, number of visitors, bounce rate, traffic source, etc.
- Advertisement cookies: Used to deliver customized advertisements to visitors based on the pages they visited before and to analyse the effectiveness of the ad campaign. Google’s advertising cookie allows Analytics to function. When consent is not recorded, the Google Analytics module is disabled.
- Other cookies: Other uncategorized cookies that are being analysed and have not been classified into a category yet.
Data security
The Microsoft 365 office suite and email service are used for JRMF’s day-to-day operations. The TEAMS software features are used by JRMF for video conferencing, but calls are not recorded, and no automated transcriptions are produced or saved following the calls.
All of JRMF’s data, including personal information, is sent to Cloud Service Providers, who operate as Data Processors on behalf of JRMF. All working documents of JRMF are saved in OneDrive, included with the Microsoft 365 subscription. Microsoft’s storage policy specifies that when an account is created from Canada, the data for online services (such as Exchange Online email, the Office suite, Office Web, OneDrive storage, and Teams instant messaging) reside in Canada, in accordance with their privacy and security conditions.
In addition to OneDrive storage, two backups of all JRMF data are made on a weekly basis on USB keys stored at different sites. The backups are encrypted with BitLocker using AES (Advanced Encryption Standard) with 256-bit encryption to secure the data on the USB drive. BitLocker requires a password to unlock the USB key, preventing unauthorized access in case of loss or theft.
To ensure the security of personal information collected from and/or submitted by qualified donees, all data is stored in a secure information system and JRMF has put into effect appropriate procedures to safeguard and secure the information collected.
All security settings on computers used for JRMF operations are continuously updated, and specific measures have been implemented for all users to ensure data protection. These measures include the use of passwords, enabling two-factor authentication for Microsoft 365, encrypting the main system drive with BitLocker using a password, and an optimization and update process for firewalls.
The ReCAPTCHA bot detection mechanism is present on the JRMF website to prevent automated attacks on the contact form and other interactive components of the site. The JRMF website has a TLS certificate signed by the trusted authority Google Trust Services, enabling end-to-end encrypted communication with the site. The website has successfully passed all tests by the provider ImmuniWeb and shows no known vulnerabilities to SSL and TLS encryption protocols. JRMF’s website operates with the web content management system WordPress. Monthly maintenance protocols are implemented to enhance website security and performance through systematic plugin updates.
To ensure compliance with the obligations arising from the Act Respecting the Protection of Personal Information in the Private Sector, JRMF consulted a firm specialized in support for alignment with the legal framework and ethical standards regarding data. The purpose of this consultation was related to the development and overhaul of JRMF’s information system or electronic service delivery system involving the collection, use, communication, keeping or destruction of personal information. The person in charge of the protection of personal information was involved in the evaluation process and supervised the implementation of the resulting recommendations. The above-mentioned consultation made by JRMF as well as the resulting recommendations were proportionate to the sensitivity of the information concerned, the purposes for which it is to be used, and the medium on which it is stored.
Despite the above-listed precautions, no method of transmission or storage is 100% secure or error-free. As a result, JRMF cannot guarantee absolute security. If JRMF becomes aware of a security breach involving personal information, the concerned person(s) and the appropriate authorities shall be notified as soon as possible, in accordance with the provisions of the Act Respecting the Protection of Personal Information in the Private Sector and with JRMF’s procedure for managing confidentiality incidents.
Changes to the Privacy Policy
JRMF reserves the right to modify the present Privacy Policy as legislative or technological developments require.
Requests to obtain, rectify, delete data and complaints regarding how personal information was used or stored
The personal information gathered by JRMF is subject to the rights set out in sections 35 to 40 of the Civil Code of Québec and the provisions of the Act Respecting the Protection of Personal Information in the Private Sector. The person in charge of the protection of personal information shall address any request to obtain, rectify or delete data. Complaints regarding how personal information has been used or stored can also be addressed to the person in charge of the protection of personal information.
Requests and complaints shall be treated as quickly as possible, in an impartial and fair manner. If necessary, the person concerned has a right to file a complaint with the Commission d’accès à l’information du Québec.
Any request for further information on JRMF’s Privacy Policy can be addressed to the person responsible for the protection of personal information.