The CHU Sainte-Justine Foundation is firmly committed to safeguarding the privacy of all Sainte-Justine employees, donors, volunteers, patients and families.

Confidentiality Policy

Purpose of the policy

The CHU Sainte-Justine Foundation is firmly committed to safeguarding personal information and being transparent about the information we hold on all Sainte-Justine Foundation donors and stakeholders. A better understanding of our donors allows us to provide them with the best possible experience as donors and users of Foundation platforms and services.

The purpose of this policy is to clearly explain how we collect and handle personal information, including information donors may provide when making a donation, requesting a tax receipt or subscribing to our newsletters. We use the information that we collect in accordance with the following two pieces of legislation:

  • The federal Personal Information Protection and Electronic Documents Act (PIPEDA).
  • Quebec’s Bill 64, enacted An Act to modernize legislative provisions as regards the protection of personal information, scheduled to come into force on September 22, 2023.

This policy explains the following:

  1. The kind of personal information that we are permitted to collect
  2. How personal information is collected
  3. Lawfully permitted use of personal information
  4. Limitation on disclosure of personal information to third parties
  5. The security of personal information
  6. Data retention
  7. Donor rights
  8. Notification of changes to our Donor Confidentiality Policy
  9. Addresses and additional information

If you have any questions concerning this policy, contact the CHU Sainte-Justine Foundation’s data protection officer at the address indicated at the end of this policy.

1. The Kind of Personal Information that we are Permitted to Collect

Personal information means information about an identifiable individual. It does not encompass anonymous data, which is data that does not contain any identifying information. We are permitted to collect, use, store and transfer various kinds of personal information, which we have categorized as follows:

  • Identifying information: includes a donor’s first name, surname, title, user name or similar identifier, date of birth and gender;
  • Contact information: includes a donor’s billing address (for tax receipts), email address and telephone numbers;
  • Payment information: includes credit or debit card details;
  • Donation details: includes past donations made by donors or on their behalf, along with other donation-related details and services received by individual donors;
  • Technical data: includes the donor’s Internet Protocol (IP) address, login information, browser type and version, time-zone setting and location, browser plug-in type and version, operating system and platform, and other technologies on donor devices used to access our websites;
  • Usage data: includes information on how donors use our websites and our services;
  • Marketing and communications information: includes donor preferences regarding receiving marketing communications from the Foundation and from third parties, as well as donor communication preferences and the fact that we may take note of conversations we have had with donors in person and/or donor communications sent to the Foundation. This helps us to manage donor relations and ensure that they will receive only relevant communications in accordance with their stated preferences.
  • Job applicant data: includes all data submitted by a job applicant in an application for employment with the CHU Sainte-Justine Foundation.

Aggregate data derived from personal data
We also collect, use and share aggregate data, such as statistical or demographic data, for all purposes. Although aggregate data may be derived from personal information, it is not regarded in law as personal information as it is not, directly or indirectly, identifying. For example, donor usage data can be aggregated to calculate the percentage of users who access a specific functionality of our websites. However, should we combine or connect the aggregated data with a donor’s personal data in such a way that, directly or indirectly, it could identify the donor, we would treat the combined data as personal information to be used in accordance with this Donor Confidentiality Policy.

We do not collect any information regarding a donor’s race or ethnicity, religious or philosophical beliefs, sexual orientation, political opinions or physical health. Nor do we collect any genetic or biometric data.

2. How Personal Information is Collected

We collect different types of information in several ways.

Personal information provided by donors
When someone makes a donation, subscribes to our newsletter, registers for an event or contacts our customer service, we store the personal information provided to us by that person such as first and last name, email address, mailing address, phone number and payment card details. We also keep track of all donations and, occasionally, a donor’s communications with us.

Personal information collected via technologies or automated interactions
When donors interact with our website, we can automatically collect technical data regarding their computer equipment and their browsing activities and patterns. We collect such personal information using cookies and other similar technologies.

Personal information provided by third parties
Occasionally we receive personal information from third parties as described below:

  • analytics providers such as Google Analytics;
  • advertising networks such as Facebook and Google Ads;
  • search information providers such as Google;
  • publicly available personal information.

3. Lawfully Permitted Use of Personal Information

We use personal information only to the extent permitted by law. We most commonly use personal information in the following circumstances:

  • when it is required for the legitimate interests of the Foundation (or those of a third party) unless a donor’s interests and fundamental rights take precedence over such interests;
  • when we are required to comply with a legal or regulatory obligation;
  • when we have obtained a donor’s express consent to use his or her personal information in a specific situation. Generally, we do not rely on donor consent as the legal basis for handling personal information, and donors can withdraw their consent at any time by contacting us. The relevant contact information is provided at the end of this policy.

The purposes for which we use personal information

The following table provides a description of all the ways in which we plan to use personal information, and the legal basis for doing so. We have also indicated what our legitimate interests are, where relevant. It should be noted that we may process personal information for more than one lawful purpose in relation to the specific purpose for which we use the information. Please contact us if you would like greater detail of the specific lawful purpose for which we process personal information where more than one purpose is identified in the table below.

Purpose/Activity

Type of data

Legal basis for processing personal information, including the basis of our legitimate interest

To register individuals as donors

(a) Identifying information
(b) Contact information

(a) (b) Signing contracts with donors

To process donations and issue tax receipts

(a) Identifying information
(b) Contact information
(c) Payment details
(d) Donation details
(e) Marketing and communications information

(a) Signing contracts with donors
(b) Required for our legitimate interests

To solicit donations

(a) Identifying information
(b) Contact information
(c) Payment details
(d) Donation details
(e) Marketing and communications information

(a) (b) (c) (d) (e) Required for our legitimate interests (developing and expanding our services and activities)

To manage donor relations, including:
(a) informing donors of changes to our Conditions of Use or our Donor Confidentiality Policy
(b) seeking donor participation in surveys

(a) Identifying information
(b) Contact information
(c) Donor profiles
(d) Marketing and communications information

(a) Entering into contracts with donors
(b) Required for compliance with a legal obligation
(c) Required for our legitimate interests (keeping our records up to date and analyzing donor preferences)

To manage and protect the Foundation and its websites (including troubleshooting, data analysis, tests, system maintenance, user assistance, data reporting and data hosting).

(a) Identifying information
(b) Contact information
(c) Technical information

(a) (c) Required for our legitimate interests (management of the Foundation, administrative, technological and IT services, system security, fraud prevention)
(b) Required for our legitimate interests and legislative compliance

To provide donors with relevant content and marketing through external websites, social platforms and our newsletters, and to assess or gain insight into the effectiveness of our marketing.

(a) Identifying information
(b) Contact information
(c) Donor profiles
(d) Use of information
(e) Marketing and communication information
(f) Technical information

(a) (b) (c) (d) (e) (f) Required for our legitimate interests (analyzing how donors use our services, build on them, focusing on Foundation growth and shaping our marketing strategy).

To use data analysis to improve our websites, our services, our marketing and our communications, relations and interactions with donors.

(a) Technical information
(b) Use of information

(a) (b) Required for our legitimate interests (defining the types of donors for services, keeping our websites current and relevant, expanding our core activity and shaping our marketing strategy).

To make suggestions and recommendations regarding donations or services and events that may be of interest to donors.

(a) Identifying information
(b) Contact information
(c) Technical information
(d) Usage
(e) Donor profiles

(a) (b) (c) (d) (e) Required for our legitimate interests (developing our services and expanding our core activity)

To receive and consider donor job applications.

(a) Identifying information
(b) Contact information
(c) Job applicant data

(a) (b) (c) Required for our legitimate interests (assessing job applications, arranging job interviews)

4. Limitation on Disclosure of Personal Information to Third Parties

In some circumstances, we are legally entitled or legally obliged to disclose donors’ personal information to the following third parties:

Foundation service providers and fund-raising partners who process data for us at our direction
We require all third parties to respect the confidentiality of personal information and to process it as required by law. We do not permit third party service providers to use a donor’s personal information for their own purposes. They are authorized only to process that information for specific purposes and as per our instructions

Government bodies and law enforcement agencies
We may be under a legal obligation to disclose personal information to government authorities and law enforcement agencies further to legislation or a court order. We do not sell personal information to third parties for any purpose whatsoever.

5. Security of Personal Information

We have implemented appropriate safeguards (both in our information collection practices and in the technology we use) to ensure the security of all personal information. We require that the third parties to whom we subcontract the processing of donors’ personal information do the same and that they process personal information in accordance with our instructions. They are also subject to a strict confidentiality obligation.

Credit or debit card information
When a donor uses a credit or debit card to make a donation to the Foundation, we ensure that the transaction is secure and in compliance with Payment Card Industry Data Security Standard (PCI-DSS). We never store credit or debit card numbers or their three- or four-digit security codes in our systems.

6. Data Retention

We retain donors’ personal data only as long as necessary to fulfil the purposes for which it was collected, including compliance with legal, accounting or reporting requirements. In determining the appropriate retention period for personal data, we consider the amount, type and sensitive nature of the personal information, the risk of possible harm from unauthorized use or disclosure, the purposes for which it was collected and the possibility of achieving those purposes by other means, as well as all applicable legal requirements.

7. Donor Rights

In certain circumstances, donors have the following rights under data protection legislation regarding their personal information:

(a) The right to access personal information
Donors are entitled to request a copy of the personal information that the Foundation holds on them. Any donor wishing to exercise this or any of the following rights should contact the data protection officer whose contact information is indicated at the end of this policy.

(b) The right to correct personal information
Donors are entitled to ask us to correct the personal information we hold on them, but it should be noted that we may need to verify the accuracy of the new information donors may provide. Any donor wishing to exercise this right should contact the data protection officer whose contact information is indicated at the end of this policy

(c) The right to removal of personal information (“the right to be forgotten”)
Donors are entitled to ask us to remove or delete personal information if we no longer have a valid reason for continuing to use it. However, we may not always be able to comply with a request for deletion if we have specific legal reasons for retaining the information, in which case we would provide those reasons on request.

(d) The right to object to the processing of personal information
Donors may object to the processing of personal information despite the legitimate interest of the Foundation or a third party in having that information if, because of their particular situation, they believe that their fundamental rights and freedoms are or will be adversely affected. Donors are also entitled to object where their personal information is used for direct marketing purposes. Note that in certain cases, we may be able to argue that our legitimate interests in processing personal information overrides personal rights and freedoms.

(e) The right to request a restriction on the processing of personal information
Donors are entitled to request that the processing of their personal information be suspended in the following situations: (a) where a donor wants us to establish the accuracy of that information; (b) where our use of the information may be unlawful, but a donor nevertheless does not want it deleted; (c) where a donor wants us to retain the information even though we no longer have any use for it because the donor wishes to establish, exercise or defend certain legal claims; or (d) where a donor objects to our use of the personal information but we want to verify if we have preponderant legitimate reasons for using it.

(f) The right to withdraw consent
Where we require donor consent to process personal data, donors are entitled to withdraw their consent at any time. However, note that information processed before consent is withdrawn is lawful. Note that where consent is withdrawn, we may be unable to provide the donor with certain products or services. If this is the case, we would advise the donor when consent is withdrawn.

As a general rule, we do not charge a fee for exercising any of the above rights
Donors are entitled to access their personal information (or to exercise any of the other rights listed above) free of charge. An exception to that rule is if a request for access is clearly unfounded, repetitive or excessive, in which case we may charge a reasonable fee or refuse to comply with the request.

What we may need from a donor wishing to exercise any of the above rights
We may request specific information to help us confirm the donor’s identity in order to ensure that the donor is entitled to access the personal information (or exercise any other right). This security measure ensures that personal information is not disclosed to someone not entitled to receive it. We may also contact donors and request additional information related to their requests to expedite our response.

Time limit for responding to requests or objections
Our goal is to respond to all legitimate requests or objections within 30 days. Occasionally, it may take up to 60 days if a request or objection is particularly complex or if multiple requests or objections are involved, in which case, we would notify the donor keep him or her informed of the progress of the request or objection.

8. Notification of changes to our Donor Confidentiality Policy

Please check this page of our website regularly for changes to our Donor Confidentiality Policy.

9. Contact Details and Additional Information

If you have any questions about any aspect of this Donor Confidentiality Policy, and in particular if you wish to object to any processing of personal information for our legitimate organizational interests, feel free to contact us.

Also, please contact us if you have any questions concerning the personal information we hold on you or to change your donor contact preferences.

Send us an email: protection@fondationstejustine.org

OR

Write to:
Pierre-André Vungoc
Data Protection Officer
5757 Decelles Avenue, Suite 500
Montreal, Quebec H3S 2C3 Canada

Use of session cookies and web beacons

In order to deliver an optimal site navigation experience, the CHU Sainte-Justine Foundation uses session cookies.

This information is used for various purposes, for example, to dynamically adapt the site content based on your browsing habits.

  • Performance cookies are used by the Foundation to learn more about how users use the site in order to be able to make changes and improvements as required.
  • Targeting cookies allow the Foundation to monitor the sites you have visited to measure the effectiveness of its advertising campaigns.

Most Web browsers automatically accept cookies. You can opt out by changing the corresponding settings in your browser, if the system permits it. Doing so, however, may interfere with the functionality of our site.

The Foundation's website may also use web beacons to compile data on users' profiles, including demographic data and browsing patterns. The data gathered by the Foundation is not linked to the identity or other personal information of individual users.

Protection of Information by the CHU Sainte-Justine Foundation

The CHU Sainte-Justine Foundation complies with PCI security standards for processing credit card donations to protect donors’ confidential data and prevent fraud.

Donors Bill of Rights

We, at the CHU Sainte-Justine Foundation, pledge to treat our donors with the utmost respect and consideration, in a manner benefitting their status as benefactors. As such, we declare that all individuals, organizations and corporations that give to the Foundation are entitled to the following rights:

  1. To be informed of the Foundation’s mission and of the way the Foundation intends to use donated resources.
  2. To have access to the identity of the volunteers serving on the Board of Directors, and to expect the Board to exercise prudent judgement in its stewardship responsibilities.
  3. To have access to the Foundation’s most recent annual report and financial statements.
  4. To be assured that their donations will be used for the purposes for which they were given.
  5. To receive appropriate and recognition, in accordance with the Foundation’s donor recognition policy.
  6. To be assured that information about their donation is handled with all due care and confidentiality.
  7. To expect a high level of professionalism from all of the Foundation’s representatives.
  8. To have the opportunity for their names and addresses to be removed from the Foundation’s contact lists if they so wish.
  9. To feel free to ask any questions they deem appropriate when making a donation and to receive prompt, truthful and forthright answers in return.

Code of Ethics and Professional Conduct

The members of the Board of Directors and its committees as well as the volunteers and staff members of the CHU Sainte-Justine Foundation recognize that they have a role to play in protecting the Foundation’s donors, who constitute the driving force behind its mission.

By complying with this Code of Ethics and Professional Conduct, these individuals will ensure that the CHU Sainte-Justine Foundation is deserving of donors’ trust and remains committed to embracing concrete solutions for fostering this trust.

This Code outlines the duties and obligations to be discharged by the members of the Board of Directors and its committees, volunteers serving the Foundation in an official capacity and all Foundation employees in their various relations associated with the performance of their functions. The Board is responsible for enforcing the Code. A copy of the Code will be available to any person who requests it. The Code may be amended by a two-thirds vote of the members of the Board at a special meeting called for this purpose.

All those to whom this Code applies are required to sign a declaration of adherence.

  1. Members of the Board of Directors and volunteers serving the CHU Sainte-Justine Foundation will provide their services free of charge and receive no financial or material incentive.
  2. Members of the Board of Directors, volunteers and employees of the Foundation will work actively and collaboratively toward the implementation of the Foundation’s overall objectives. They will conduct themselves with composure and dignity in all activities of a public nature associated with the Foundation.
  3. Members of the Board of Directors, volunteers and employees of the Foundation will respect the confidentiality of all discussions and interactions, as well as all contributions to the Foundation, unless donors have given their explicit consent to having such information disclosed.
  4. Members of the Board of Directors, volunteers and employees of the Foundation will be transparent in their actions and attitudes toward the Foundation’s undertakings, provided that the principles of privacy and confidentiality are upheld at all times. Accordingly, they will respond promptly to all requests concerning the Foundation’s activities and financial statements.
  5. Members of the Board of Directors, volunteers and employees of the Foundation will avoid all conflicts of interest, as defined in the Foundation’s policy on this subject.
  6. Members of the Board of Directors, volunteers and employees of the Foundation will avoid engaging in any form of discrimination based on gender, race, ethnicity, religion, disability or political belief.
  7. All fundraising activities must be tasteful and consistent with recognized philanthropy standards. Children must never be depicted in a demeaning or inappropriate way for promotional purposes or during the course of an activity. All actions undertaken must be legal and ethical.
  8. Members of the Board of Directors, volunteers and employees of the Foundation will commit to keeping abreast of current legislation and major studies concerning the development and implementation of philanthropy-related practices.

Members of the Board of Directors, volunteers and employees of the Foundation will abide by the wishes expressed by certain donors to direct their donations to a specific purpose, unless said donors have consented to an alternate use.

Complaints Policy

If you wish to file a complaint against a Foundation employee or volunteer, or in response to a situation you feel is inappropriate, we urge you to familiarize yourself with the terms of our Complaints Policy.

Receipt of Complaints

Verbal Complaints
A verbal complaint will be handled immediately by a member of our staff.

If a complaint requires a more in-depth assessment, a written request will be sent to the manager responsible for the concerned activity or team. This request will include the name, phone number, street address and email address of the person filing the complaint and a description of the circumstances, including the incidents and/or individuals involved.

The manager must acknowledge receipt of the complaint within two business days.

Written Complaints
A complaint received in writing must contain the aforementioned information. It will be transferred to the manager responsible for the concerned activity or team.

Response and Resolution

Every effort will be made to address the complaint as quickly as possible, and all parties will be treated in a fair, impartial and respectful manner.

The person responsible for the complaint must attempt to settle the matter within 10 business days. If it is still unresolved after this time, the file will be turned over to the corresponding director or vice president.

If the vice president is unsuccessful in bringing about a resolution, the complaint will be escalated to the president/executive director. If the president/executive director is a party to the complaint, the matter will be transferred to the chair of the governance committee.

The complainant must be kept abreast of the status of their complaint and provided with a clear, detailed explanation of the final decision when it is issued.

Should a complainant be dissatisfied with the process or the outcome, they may request that the matter be escalated to a more senior staff member. This must occur within 10 business days, and the complaint must be resolved within one month of receipt.

Complaints Documentation

The manager must keep a copy of all complaints that could not be resolved immediately (i.e., upon receipt).

The Finance, Human Resources and Administration Department will keep a detailed log of incoming complaints, along with all relevant information on the subsequent response and resolution. A summary report will be presented to the Board of Directors on a yearly basis.

General brand usage guidelines

Depending on the nature of the involvement and the category to which the partner or the organizer belongs, the authorization process for a benefit event or a cause-related marketing initiative, as well as the rights for using the “CHU Sainte-Justine Foundation” brand, may differ.

However, benefit events and cause-related marketing initiatives are both subject to the policies set out in the brand usage guidelines [French only].