1. Purpose of the Privacy Policy
PIPEDA Principles Supported: Principle 8 (Openness), Principle 1 (Accountability)
Community Futures Grenville (“CFG”) is a federally supported, community-based, nonprofit corporation with a volunteer Board of Directors and professional staff whose purpose is to develop and diversify local economies.
CFG is committed to protecting the privacy, confidentiality, and security of personal information entrusted to it. This Privacy Policy describes how CFG collects, uses, discloses, retains, and safeguards personal information in compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and related regulatory guidance.
2. Accountability
PIPEDA Principles Supported: Principle 1 (Accountability)
CFG is accountable for all personal information under its control. The organization has designated a Chief Privacy Officer, who is responsible for overseeing compliance with privacy legislation, responding to access requests and complaints, and coordinating privacy practices across the organization.
CFG’s privacy accountability is supported by Board-approved cybersecurity and information security policies, which operationalize safeguards, risk management, training, vendor oversight, and incident response.
3. Identifying Purposes
PIPEDA Principles Supported: Principle 2 (Identifying Purposes)
CFG collects personal information for the following purposes: Providing business development advice, assessing eligibility for loans, non-repayable financing, and related services; administering and servicing approved financial assistance; meeting reporting and accountability requirements to government funders; complying with legal and regulatory obligations.
Personal information is collected only to the extent necessary to fulfill these identified purposes.
4. Consent
PIPEDA Principles Supported: Principle 3 (Consent)
CFG obtains an individual’s express or implied consent prior to or at the time of collecting personal information, except where otherwise permitted or required by law.
Individuals may withdraw consent at any time, subject to legal, contractual, or operational restrictions. Withdrawal of consent may affect CFG’s ability to provide services or administer existing agreements.
5. Limiting Collection
PIPEDA Principles Supported: Principle 4 (Limiting Collection)
CFG limits the collection of personal information to what is necessary for the identified purposes. Information is collected directly from individuals whenever possible, or from authorized third parties where required.
6. Limiting Use, Disclosure, and Retention
PIPEDA Principles Supported: Principle 5 (Limiting Use, Disclosure, and Retention)
Use and Disclosure
Personal information is used and disclosed only for the purposes for which consent has been obtained, except where permitted or required by law. CFG may disclose personal information to government agencies, service providers, or legal authorities as necessary to deliver programs or meet legal obligations.
Third-party service providers are required to protect personal information through contractual safeguards and are subject to due diligence and ongoing risk assessment appropriate to the sensitivity of the information involved.
Retention
Personal information is retained only for as long as necessary to fulfill identified purposes and meet legal, regulatory, and funding requirements. Secure destruction methods are used once information is no longer required.
7. Accuracy
PIPEDA Principles Supported: Principle 6 (Accuracy)
CFG endeavours to ensure that personal information in its possession is accurate, complete, and up to date as necessary for the purposes for which it is used. Individuals are encouraged to notify CFG of any changes to their personal information.
8. Safeguards
PIPEDA Principles Supported: Principle 7 (Safeguards), Principle 1 (Accountability)
CFG uses physical, organizational, and technological safeguards appropriate to the sensitivity of the personal information it holds. These safeguards are implemented through CFG’s comprehensive cybersecurity framework, which includes secure system configuration, access controls, encryption, network security, secure cloud and mobile device management, and ongoing monitoring.
9. Privacy Breach Management
PIPEDA Principles Supported: Principle 1 (Accountability), Principle 7 (Safeguards)
CFG maintains formal procedures to identify, contain, investigate, and remediate privacy and security incidents.
Where a breach of personal information poses a real risk of significant harm, CFG will notify affected individuals and the Office of the Privacy Commissioner of Canada as required by law and will maintain records of all privacy breaches in accordance with legislative requirements.
10. Openness and Transparency
PIPEDA Principles Supported: Principle 8 (Openness)
CFG makes information about its privacy policies and practices readily available through its website and upon request. This Privacy Policy is supported by internal procedures and governance practices designed to ensure consistent application.
11. Individual Access
PIPEDA Principles Supported: Principle 9 (Individual Access)
Individuals have the right to request access to their personal information held by CFG and to request corrections where information is inaccurate or incomplete. Requests must be made in writing to the Chief Privacy Officer. CFG will respond within the timeframes prescribed by law.
12. Complaints and Recourse
PIPEDA Principles Supported: Principle 10 (Challenging Compliance)
Individuals may direct privacy-related complaints to the Chief Privacy Officer. Complaints will be investigated promptly and fairly.
If an individual is not satisfied with CFG’s response, they may bring a complaint to the Office of the Privacy Commissioner of Canada.
13. Training and Awareness
PIPEDA Principles Supported: Principle 1 (Accountability), Principle 7 (Safeguards)
CFG provides mandatory, role-based privacy and cybersecurity training to employees, Board members, and relevant contractors. Training is documented and reviewed periodically to support ongoing awareness and compliance.
14. Policy Review and Updates
PIPEDA Principles Supported: Principle 1 (Accountability), Principle 8 (Openness)
This Privacy Policy is reviewed periodically and updated as required to reflect changes in legislation, regulatory guidance, organizational practices, technology, and CFG’s cybersecurity and risk management framework. Material changes will be posted on CFG’s website.
Approved by the Board of Directors: March 25, 2026
Reviewed December 2023
