Privacy and Confidentiality Policy
Document Version: 0.87
Last Update: November 29, 2023
Questions about this document should be directed to [email protected]
Our commitment to privacy and confidentiality
Kids Help Phone (KHP) is committed to protecting the confidentiality and privacy of the personal information and/or personal health information in its care. This includes the personal information and/or personal health information of its donors, employees, service users, service delivery partners, volunteers, and board members, collectively referred to as stakeholders. As part of that commitment, we have implemented this Privacy and Confidentiality Policy. This policy applies to full/part time permanent or contracted employees, volunteers, contractors, consultants, temporary employees from agencies, and all personnel affiliated with third-party service providers; hereinafter referred to as workers.
This Privacy and Confidentiality Policy covers all KHP protected data. The term “protected data” includes personal information, personal health information, and other privileged or sensitive data (including, but not limited to, commercial, financial, technical, operational, or other information which concerns the business and affairs of KHP, its employees, contractual workers, volunteers, or students).
In this Privacy and Confidentiality Policy, the term “service user data” refers to the personal information and personal health information of service users.
Scope
This policy sets out KHP’s commitment to privacy. It governs all of its services and interactions with stakeholders: in-person, digital, online, or off-line. KHP offers professional counselling; an interactive, personalised web experience; information; referrals; and volunteer-led, text-based support to young people. Services are offered in English and French, and phone counselling is also offered in over 100 languages with the help of trained interpreters.
Services are provided for youth of any age living in Canada. Our volunteer-led, text-based service is also available to adults living in Canada, and we comply with all applicable Canadian laws. KHP services are also available to youth who are resident in Canada while they are outside Canada.
KHP services are not offered as mental health services.
KHP does not require users to identify themselves; however, information collected from users may include information that could identify them. KHP will deal with all information as private, privileged, and confidential.
KHP has a Security Policy, stipulating various protection mechanisms, which governs all information under its custody and control. KHP hosts its own services directly, via third-party service providers, or on the cloud. Information may also be stored on mobile devices managed by KHP, or on devices owned by workers. All workers agree to this Privacy and Confidentiality Policy. Our publicly-available Terms of Service includes application-specific privacy notices and Terms of Use.
KHP leverages third-party tools such as Microsoft Power BI and Twilio to support service users. Each of these third-party tools has its own Privacy Policy and Terms of Service.
KHP is transparent about its data uses. When we receive a request about the data practices of a third party, we will redirect the question to the respective privacy contact information of that service provider. KHP cannot take responsibility for defending or representing such third-party providers. As well, KHP cannot make any claims regarding the accuracy and openness of third-party tools or their commitments regarding individual access.
KHP provides this Privacy and Confidentiality Policy in English and in French. Translations into other languages are available on demand.
KHP Privacy and Confidentiality Policy
Accountability
KHP collects, retains, uses, and discloses data for the purpose of providing services. It is responsible for the personal information and personal health information under its control. We have appointed a Privacy Officer and maintain a Privacy, Security, & Risk Program to ensure compliance with Canadian privacy legislation and fair information principles.
KHP has a full suite of privacy-related polices. Policies and governance instruments are updated at least once every calendar year.
To validate its accountability, KHP engages a third party to conduct Privacy Impact Assessments for any new projects.
Use of Artificial Intelligence (AI): KHP uses AIand machine learning tools to support its service delivery by triaging contacts based on severity. Using the Proportionality Test outlined in R v Oakes, the risks involved with utilizing AI are justified by the benefits of its use.
KHP policies exist to ensure that AI tools are from reputable third parties; that AI tools are limited in their ability to link data per service; and that they are tested to ensure ethical data management and reduction of bias.
Navigation Bot (“Kip”): KHP leverages Google’s AI for our website navigation chatbot to help service users find relevant resources.
Insights: KHP leverages Microsoft Power BI for the purpose of producing statistical analysis and graphs which map out audience priorities and demand (https://dev.kidshelpphone.ca/get-insights/home/).
Peer-to-Peer Service: KHP offers a platform that allows individuals to share and communicate through a forum-like interface. KHP manages the platform technology and moderates its content. Peer-to-Peer is not a substitute for our professional Counselling or volunteer-led Text based support.
Good2Talk: Good2Talk is a program delivered by KHP to support post-secondary institutions in Ontario. KHP acts as the data custodian.
Data Hub Service: KHP manages and implements an internal Data Hub service that provides analytics for operational and process improvement.
9-8-8: KHP is part of the crisis and suicide prevention network overseen by Centre for Addiction and Mental Health (CAMH), and takes calls and texts from 9-8-8.
Aselo: KHP leverages Aselo, a cloud-based, open-source contact centre for helplines that allows children and youth to reach out through webchat and by phone.
CTL: KHP leverages CTL a cloud based texting solution that allows children and youth to reach out through text.
AI Cloud Services: KHP leverages Google’s natural-language understanding (NLU), Dialogflow.
Other Cloud Services: KHP leverages cloud services from Microsoft, Dropbox, Raiser’s Edge, Financial Edge, Raisin, ADP, Salesforce, Mailchimp, and SurveyMonkey.
Virtual Marketplaces: KHP leverages Verint, Gratiflow, and Giveshop.
Purposes of data collection
KHP collects personal information and personal health information to provide users with the above-mentioned services. This information will only be used for the stated purposes for which it was collected. It will be securely stored, and will be accessed only by individuals who offer support to service users. Most KHP services are delivered directly to the individual; for these services, we collect and store data internally.
KHP will use the service user data it collects for data quality and service delivery improvement, and to share with research partners (row-level data). KHP is in the process of developing a Research Policy.
Data collected through website interaction will be used for AI training to inform content development.
Information regarding donors (in-kind and monetary), prospective donors, school staff, and partners (including those that assist in fundraising) is collected for: communications; requesting and managing donations; sending reminders, thank-you letters, and tax receipts; fundraising and gala events management; compliance; and for validating identity. We report back to fundraiser-organizing partners the staff participation count and amounts collected.
KHP workers’ data will be used for the purposes of managing our employment relationship with them.
Service users may interact with KHP in various ways: via phone, text, web application, surveys, etc. Each of these modes of interaction has different implications in terms of KHP’s ability to identify users.
Consent
KHP implements a privacy framework which complies with federal and provincial privacy legislation. Accordingly, a service user’s knowledge and consent are required for the collection, use, or disclosure of personal information and personal health information, except where inappropriate.
Service users agree that KHP will receive data transmitted in the course of service interactions for the purposes of providing users with personal support.
A service user’s consent to the collection of their protected data must be clear, free, and informed, and be given for specific purposes. It must be requested for each such purpose, in clear and simple language.
If the request for consent is made in writing, it must be presented separately from any other information provided to the person concerned. If the person concerned requests, assistance should be provided to help them understand the scope of the consent requested.
Consent may be given by a minor of 14 years of age or older. Personal information may be collected from a minor under 14 years of age where collecting the information is clearly for the minor’s benefit; for example, collecting data makes it possible to provide services to the minor.
Consent is valid only for the time necessary to achieve the purposes for which it was requested. By using KHP applications and services, users agree and consent to the collection, retention, use, and disclosure rules listed in this Privacy and Confidentiality Policy.
Limiting data collection
KHP will limit the collection of personal information and personal health information to the intended purposes covered by this policy.
KHP will not ask users for their name (we may ask for location if needed) to provide them with texting or counselling services; however, in the course of interaction, users may choose to provide information that is highly identifiable, such as their age, sex, gender, sexual orientation, or location. KHP will treat all user information as personal health information.
When service users or the public interact with KHP via phone, text, or the Web these communications media provide us with various pieces of information that may identify users (for example: IP address) as well as other metadata about the browsers used or applications through which a user contacts us.
Despite the fact that KHP may have access to identifying data, we will not use this data to identify service users. KHP doesn’t have the tools to ascertain service user identity from the data we collect.
KHP may use demographic data, including ethnicity, to measure our service commitment to diversity and inclusion.
After visiting or utilizing KHP services, KHP may invite you to fill in a survey, seeking your opinion of our services.
KHP works with partners to collect donations. Some partners collect donations on our behalf and provide donor information, amounts, addresses, and names. KHP may from time to time rent donor lists from not-for-profit organizations. People who do not wish to receive communications can contact KHP to be removed from the list.
KHP will limit collection of worker information according to worker role and function.
Good2Talk: For programs such as Good2Talk, implemented in partnership with other organizations, such as Ontario 211, ConnexOntario, and the Centre, KHP collects row level, transcripts and aggregate level data.
Limiting data retention, use, and disclosure
KHP is committed to the proper classification, secure retention, and timely and secure disposal of any record containing any information. KHP’s various services have varied retention schedules, depending on technology limits, legal obligations, and quality control and reporting requirements. These can be found in our Data Retention and Disposal Policy.
User information will not be disclosed except in accordance with KHP’s legal obligations to report to child services and policing agencies – see below. We share row level data with research partners.
We will disclose aggregate data for the following purposes: funding and impact reports; creating promotional material; formulating user experience stories; thought leadership publications including (but not limited to) our website, media publicity, motivational speaking presentations, and conference presentations; collecting feedback; and participating in approved research.
Any disclosure of aggregate data must be deidentified to include at least 100 people in the data set, thus greatly reducing the potential of re-identification.
KHP releases aggregate reports and row-level data about its services in the reports it submits to agencies such as Canada Health Infoway or to major funders.
Even though KHP shares data as stated above, we will not share data that is stigmatizing or puts a group or individual in a negative light based on our Ethical Data Management Policy. For research and publications, we will seek formal research ethics approval as per the Canadian Tri-Council Policy Statement of Ethical Conduct for Research Involving Humans.
Donor information will only be disclosed for the purposes of validating identity and collecting donations. However, we may report back to donating partners the number of staff participating in events, and how much was raised at a fundraising event. We will not disclose information pertaining to donors who request anonymity.
We will limit the use of worker information to identity validation, managing payroll, capturing demographic information, next of kin, and emergency contacts.
Through its Privacy Impact Assessments, KHP will document and assess the risk for any data extraction out of jurisdiction (including the province of Quebec and other Canadian provinces and territories).
Limits to Confidentiality
This sub-section applies to our 988 services. Certain situations require disclosure of caller/texter information. These situations encompass:
- Engagement of emergency services in situations where there is imminent risk of serious bodily harm or death to the caller/texter or to others, or medical emergency.
- Duty to report cases of child abuse or neglect (see below).
- Law enforcement submitting a court order to access notes, transcripts and/or audio files. CAMH is responsible for managing these requestsand will thoroughly review the request and oversee all necessary communications.
Other legal requirements under an Act of a province of Canada or an Act of Canada.
Duty to Report
At KHP, we are committed to creating a safe and supportive environment for young people seeking help. Part of our responsibility is to ensure the well-being of those we help, and this includes fulfilling our obligations known as our Duty to Report.
The Duty to Report is a legal and ethical obligation that requires adults like our professional staff and trained volunteers to speak up if we have any reason to believe that you or someone else is at risk of serious harm. This could include:
- If you tell us that someone is hurting you, has hurt you, or is likely to hurt you in the future; or
- If you tell us you are planning to hurt yourself and we are unable to keep you safe; or
- If you tell us you are planning on hurting someone else; or
- If you tell us that a young person is or may be in need of protection.
The Duty to Report is not about getting someone in trouble but about ensuring the safety and well-being of every young person, including you. Across Canada, our Duty to Report is for young people under the age of 18 or 19, depending on the province or territory where you live.
We are obligated to report to the appropriate authorities if we believe that a young person, including yourself, may be at risk. This may involve Child Protective Services, or other agencies responsible for ensuring the safety of young people, such as paramedics or the police.
We may be required to disclose your telephone number and other identifying information, if we have it, to these authorities during the process. Telecommunications companies may also be involved in the referral process.
KHP is committed to your well-being and wants to make sure you understand that your privacy is important. We do not share your personal information unless we have a Duty to Report. We will communicate with you about the Duty to Report and involve you in the process as much as possible.
Duty to Warn is applicable in cases of potential harm to others, and as such, would be reported.
AI and Data Intelligence Tools
KHP uses artificial intelligence (AI) technologies to guide website users and recommend content. Data intelligence is used to extract aggregate and statistical data for these purposes. Aggregate data is disclosed publicly via our Insights service. AI processing may occur on the premises of KHP or of third-party vendors. For further details, see our Terms of Service.
Ensuring Accuracy
KHP will ensure that accurate information is maintained in its systems, including HR, fundraising, and user services. It will validate data integrity either through periodic checks or updates, or by accepting requests from donors, employees, or service users to correct their data.
KHP will attempt to validate donor payment details and address information to ensure continuity of billing, and to provide tax receipts.
In contexts where KHP uses AI, the predictive analytics engine may not always comprehend or accurately assess user intent. KHP will continuously attempt to improve these systems’ accuracy and response. Members of the public (including service users) are invited to send KHP requests to update any errors encountered.
For Short Messaging and Chat Services, we will store “text” exchanges to ensure service quality and for training purposes. KHP relies on individuals providing accurate data; KHP does not have the means of ensuring the accuracy of information. Its counsellors assume that what they are told is accurate, and will document information based on service user statements.
Safeguards
We follow industry standards to safeguard data against loss or theft, as well as unauthorized use, access, disclosure, copying, modification, retention, or disposal. We use a variety of physical, electronic, and procedural safeguards to protect all captured information.
Our commitment to protecting privacy involves de-identifying service user data related to our services, products, or platforms. We implement appropriate measures, such as pseudonymization, aggregation, and data masking, to de-identify service user data. De-identified data is retained only as necessary (see our Terms of Service for data retention periods) and is securely destroyed when no longer needed. Designated personnel oversee the implementation of this provision, conducting regular audits and reviews. We ensure third-party processors comply with this provision.
Most texting user information is stored in Canada. Some companies providing services to KHP are located outside of Canada (including the US) and so information may flow through those jurisdictions. Under the laws of some countries (including the US) information may be made available to the government, or its agencies, under a court order made in that country. For further information, please contact us at [email protected]. Donor information is stored in Canada.
In its Data Protection Annex: Vendor Data Protection Obligations, KHP establishes with its vendors contractual safeguards which:
- Ensure that vendors access information solely for the purpose of delivering services.
- Ensure that the vendor complies with a KHP investigation or audit if needed.
- Ensure that the vendor notifies KHP of any privacy or security incident immediately.
- Ensure that vendors destroy protected data within a week of contract end, or immediately on demand.
Openness
KHP can make accessible its full suite of data protection policies on demand.
Individual access
KHP voluntarily implements access to information procedures so that relevant parties can access their own data. KHP will not release data unless the identity of the requester is authenticated, and we are able to ascertain that the information requested is linked to the requester.
Any person may, if protected data concerning them is inaccurate or incomplete, require that the information be rectified or deleted.
A request for access or rectification will not be considered unless it is made in writing by a person who proves that they are the person concerned, or the representative, heir, or successor of that person, the liquidator of the succession, a beneficiary of life insurance or of a death benefit, the person having parental authority even if the minor child is deceased, or the spouse or a close relative of the deceased person.
A Request for Access to Information, Correction, or Deletion Form may be downloaded from the Access to Information page.
Individuals may access their information in person, at a pre-arranged date and time, at the Kids Help Phone National Office, 300‐439 University Avenue, Toronto, ON M5G 1Y8. There is no fee for access. Alternatively, and for a fee, they may request a copy or transcription in electronic or paper format. After a request has been made, the Privacy Officer will give the requestor an approximate amount that will be charged.
Requests must be addressed to the Privacy Officer. If required, the Privacy Officer can assist the requestor in identifying the protected data sought.
The Privacy Officer will reply in writing to the request for access or rectification, not later than 30 days after the date the request is received.
Failure to respond within 30 days of the receipt of a request is deemed to be a refusal to grant the request.
Where a request for data rectification is granted, the Privacy Officer will issue free of charge to the requestor a copy of any protected data modified or added; or, if the data has been deleted, a written attestation of the deletion.
If the Privacy Officer refuses the request, they must give the requestor the reasons and legal basis for that refusal, and the remedies available to the requestor, including any time limits. If the requestor does not understand the refusal, the Privacy Officer will explain the situation clearly.
If the Privacy Officer does not grant the request, they will retain the information for such time as is necessary to allow the requestor to exhaust the recourses provided by law.
For donors, KHP has a documented procedure, with clear accountabilities, to comply with applicable legislation allowing an individual to access their information. Systems and documented processes are in place, with controls and audit trails, to respond to individual requests for data access.
Data Hub: Access to information or correction requests will not be processed for the Data Hub. Data inside the Hub is not linked to individuals, and individuals cannot be identified from it.
Good2Talk: Service users may request their record level data if the record contains uniquely identifying information.
Governance
In order to meet its obligations under privacy legislation, and to service users and funders, KHP has:
- Created a Privacy, Security, and Risk Program and assigned a Privacy Officer to ensure compliance with legal obligations related to privacy and security.
- Used or developed practices and procedures to:
- Develop key performance indicators to assess and report on privacy or security metrics.
- Review KHP privacy and security policies, practices, and procedures annually to ensure that they comply with applicable legal, industry, and regulatory standards and requirements and to determine whether changes are necessary or appropriate based on changes in laws or significant legal or other developments.
In the event of a security incident or breach, the Privacy, Security, and Risk Program team will immediately form a response team. This team includes the Privacy Officer or delegate, the program/project/executive involved with the breach, and the Director of IT, as well as any other participants decided on by the Privacy Officer. The team will ensure that the incident or breach is immediately addressed, that risk is minimized, and that affected individuals are notified in a timely manner.
PHIPA and CYFSA OBLIGATIONS
To meet the obligations outlined in the Ontario Personal Health Information Protection Act (PHIPA) and the Ontario Child, Youth and Family Services Act (CYFSA), KHP will implement the following measures:
Consent: KHP will obtain consent from children or youth (if capable) before collecting, using, or disclosing protected data. Protected data may be collected from a minor under 14 years of age where collecting the information is clearly for the minor’s benefit; this protected data may only be used or disclosed for the clear benefit of the minor.
Confidentiality: KHP will respect the confidentiality requests of youth regarding their personal health information, only disclosing it if necessary to protect the youth’s life, health, or safety.
Record-keeping: KHP will maintain records of all requests for access to personal health information made by children and youth, including decisions to deny access.
Research consent: KHP will obtain consent from the child, youth, or their parent or guardian before using personal health information for research purposes.
Quality care and privacy protection: KHP will use personal health information to provide quality care and support to children and youth while taking measures to protect their privacy and confidentiality. This includes implementing secure data storage, access controls, and encryption to safeguard personal health information.
Emergency and abuse reporting: In specific circumstances, such as emergencies or reporting abuse, KHP will follow PHIPA and CYFSA guidelines for disclosing personal health information without consent. Disclosure will be limited to necessary information, and KHP will ensure that the information is accurate and up-to-date.
Staff training and awareness: KHP will provide training and resources to staff and volunteers to ensure they understand and adhere to the requirements of PHIPA and CYFSA. This includes maintaining confidentiality, obtaining consent, and handling information disclosure.
Regular reviews and updates: KHP will regularly review and update its privacy policies and practices to ensure ongoing compliance with PHIPA and CYFSA requirements. This may involve conducting Privacy Impact Assessments and consulting with legal experts as needed.
Human resources
KHP uses and develops practices and procedures to ensure that workers who perform services or otherwise have access to confidential information will:
- Sign a Confidentiality Agreement.
- Receive training in all privacy- and security-related policies and procedures relevant to their position.
Training and awareness
KHP believes that a culture of privacy and security is necessary to meet the individual and collective responsibilities of the organization, and delivers comprehensive privacy training and ongoing privacy awareness initiatives to all workers as required.
Auditing policy and procedures
KHP is establishing an overarching audit policy. Until such a policy is developed, we will audit access on an as-needed basis.
Breach response protocol
KHP affirms its ability to promptly and appropriately respond to, contain, and mitigate the impact of a privacy or security breach or incident. Accordingly, KHP has a documented breach response protocol to identify, manage, and resolve privacy and security breaches. Systems and documented processes are in place, with controls and audit trails, to respond to privacy and security breaches which occur as the result of loss, theft, unauthorized use, access, disclosure, copying, modification, or unauthorized or unsecured disposal of collected information.
Complaint management
KHP responds to privacy and policy complaints within twenty-eight calendar days of initial receipt. The public is asked to send their privacy-related complaints to [email protected] or via letter addressed to: Privacy Officer, Kids Help Phone, National Office, 300‐439 University Avenue, Toronto, ON M5G 1Y8.
Donors can send requests for changes or complaints via email, telephone, or regular mail addressed to: Privacy Officer, Kids Help Phone, National Office, 300‐439 University Avenue, Toronto, ON M5G 1Y8, or through the online form visible at dev.kidshelpphone.ca.
Service-related complaints are addressed in our complaints policy, available on the web at https://dev.kidshelpphone.ca/kids-help-phones-complaints-policy/.
Operating procedures
KHP has practices and procedures in place to ensure that it meets all provincial and federal privacy regulations. The Privacy, Security, and Risk Program at KHP administers and manages privacy, security, and risk processes.
Web-tracking disclosure statement
The KHP website uses cookies, web beacons, and tagging technologies, in order to improve usability, evaluate content popularity, personalize service user experience, improve the quality of our chatbot recommendations, and measure our advertising return on investment. Our AI processes also analyze the conversations between service users and the KHP chatbot and create internal tags for each conversation.
Newsletter Tracking
KHP may sometimes use an online external platform to send out newsletters to those who have signed up for them. This platform tracks users’ interaction with the newsletter, includingdelivery and open and click rates, and can generate reporting on which device readers are using to open the newsletters.
Your Web Consent
By communicating with us through our website, you are providing us, our agents or partners, or other third parties (e.g., Google Analytics) with your information, and are thus consenting to the collection, use, and disclosure of your information in accordance with this Privacy and Confidentiality Policy.
The website Terms of Service are posted at https://dev.kidshelpphone.ca/terms-service/.
If You Have Questions About Your Personal Data
If you want to view your personal information or personal health information, or have any concerns about the way in which your personal data is used or disclosed, please contact the person responsible for privacy protection at Kids Help Phone:
Privacy Officer
Kids Help Phone, National Office, 300‐439 University Avenue, Toronto, ON M5G 1Y8
Toll Free Number: 1-800-268-3062
Email: [email protected]
We will make every effort to address your concerns. Concerns and complaints may also be addressed to the Information and Privacy Commissioner of Ontario.