Privacy and Confidentiality Policy
International Conservation Fund of Canada – “Biome Conservation”
1.)PURPOSE
The purpose of this Privacy and Confidentiality Policy is to safeguard the personal and sensitive information of all individuals associated with Biome, including staff, members of the Board of Directors, volunteers, donors, and beneficiaries. This policy ensures that Biome complies with applicable privacy laws and regulations, such as the Personal Information Protection and Electronic Documents Act (PIPEDA) and upholds the highest standards of data protection. By implementing robust privacy and confidentiality measures, Biome aims to foster trust and transparency, protect the rights of individuals, and maintain the integrity and security of all information entrusted to the organization.
2.) SCOPE
This policy covers both the privacy and confidentiality rights of donors, members, and partner organizations from unwanted public disclosure (“Public Privacy”), as well as protecting the confidentiality of private information within the organization so that it is only disclosed on a need-to-know basis (“Internal Privacy”).
3.) PUBLIC PRIVACY
Donor-related
Biome’s website declares to potential donors:
Biome will not sell, lease, trade or share your contact or personal information to any other entity.
We will use your postal address to issue a charitable donation receipt and we will use your email address or postal address to send the receipt to you. We retain donors’ contact information and donation history for purposes of keeping you informed and inviting further support. Your private and confidential information is only shared within Biome on a need-to-know basis. We maintain this information securely to protect it from unauthorized access both within the organization and externally.
We ask donors to advise us if they wish to remain anonymous; otherwise we will assume that we may recognize you in our donors lists in our annual report and other communications.
We keep mailings to a minimum and use an opt-out system for our communications to supporters. We will respect a request to stop receiving Biome communications at any time.
Program-related
Detailed agreements address privacy and confidentiality around sharing media assets from field partners and other third parties. Biome will not publicly post any shared program information that could affect individual privacy and confidentiality without obtaining permission from the field partners and affected individuals. Examples include:
- Photos of individuals in which the faces are recognizable
- Names of individuals within partner organizations
4.) INTERNAL PRIVACY
Donor and donation information
Access to donor general information and donation financial information within Biome is limited to those who need this information.
The following personnel need full access to donor and donation information:
- Top executive(s) – Executive Director
- Development officer or Executive Assistant
- Administrative Support (person handling donations to Biome)
- Controller
At the discretion of the Executive Director, other staff will be provided with donor and donation information on a need-to-know basis for donor stewardship. Because program staff are involved in donor stewardship and support-raising, they receive information on donors making designated donations to projects they lead and their level of support. This enables program staff to update donors on the projects they have supported, as the staff member most knowledgeable about the project.
Donor information is retained in accordance with data retention standards and applicable legal requirements. When no longer required, personal data is securely deleted or anonymized.
Donor recognition
Donors are asked to notify us if they wish to remain anonymous. Biome acts immediately upon such notice by entering the anonymity condition in our donor database. We use that information in the filter for generating lists of our donors.
When Biome wishes to give special recognition to a donor, this requires the donor’s approval. The form of the proposed recognition will be discussed with them in advance and their explicit permission sought.
Securing information
Personal and sensitive information shall be collected, stored, and used in compliance with privacy laws such as PIPEDA (Personal Information Protection and Electronic Documents Act).
Donor Information Management Biome maintains donor information using a secure customer relationship management (CRM) system. Access to donor data is limited to authorized personnel based on role and need. Full access is currently restricted to core staff responsible for fundraising and administration. Program staff may be granted limited access to view donor information related to designated donations supporting relevant project portfolios, as appropriate. All personnel are expected to handle this information in accordance with Biome’s confidentiality standards.
Access controls and user permissions are reviewed and updated periodically to ensure alignment with Biome’s privacy and confidentiality standards.
Paper copies of receipts are kept in Biome’s administrative office, which is locked when not in use by staff. These records are stored within a locked file cabinet as stipulated in the PIPEDA Guidelines.
Staff information
All personal and sensitive information collected from Biome staff members, Directors, volunteers, and regular contractors/consultants will be securely stored and accessible only to authorized personnel as defined by the Controller. Member information will be used solely for legitimate organizational purposes and will not be disclosed to third parties without explicit consent, except as required by law. Regular training will be provided to all employees, Directors, and regular contractors/consultants on the importance of confidentiality and the proper handling of sensitive information. Additionally, Biome will conduct periodic audits to ensure compliance with privacy policies and address any potential breaches promptly and effectively.
Privacy Breach Protocol
In the event of a suspected or actual breach of privacy, Biome will notify affected parties as required, investigate the incident promptly, and take corrective action to prevent recurrence.
5.) CONFIDENTIALITY
All members (Board, employees, consultants, and volunteers) must respect the confidentiality of information pertaining to donors, partners, and fellow members. All signed member agreements will contain confidentiality clauses.
Remote Work & Data Security Staff and volunteers accessing Biome systems or handling sensitive information and working remotely must take appropriate precautions to protect data confidentiality. This includes using password-protected devices, enabling multi-factor authentication, avoiding the use of public Wi-Fi without a VPN, and securely storing or disposing of printed documents. Staff are expected to lock screens when away from devices and avoid discussing sensitive information in public or shared spaces.
- Governance and Review
- Approver: Biome Board of Directors
- Frequency of Review: Every 2 years, or sooner if required by legal, ethical, or strategic considerations
Approval Date: June 12, 2025 Effective Date: June 20, 2025 Next Review Date: June 12, 2027