Privacy Law and Governance in the Non-profit Sector (Part 1 of 2)
October 20, 2003
By Jeffrey H. McCully
The Personal Information Protection and Electronic Documents Act, S.C. 2000, c.5, and its impact on non-profit organizations and charities.
With so much written in the past couple of years, and particularly in the past few months, about new and impending privacy legislation, I thought it important to clear up some misconceptions about the various laws and their applicability to the non-profit sector. Being a corporate lawyer operating within the non-profit sector, I have recently received requests from other charitable and non-profit leaders as to how these laws will affect their organizations. I am not alone. The Office of the Privacy Commissioner has, since January of 2001, received well over 25,000 inquiries. Questions I have been asked include, "How should we prepare?", "What will we have to do differently with donor lists?" and "Can our Central Office in one province communicate private information with offices in different jurisdictions?" With this paper, I will endeavour to answer many of these questions and to give an overview of this increasingly important area.
The Federal Legislation
Since January 2001, the federal Personal Information Protection
and Electronic Documents Act (PIPEDA), Part 1, has been law and
has been in effect for banks, the RCMP, CSIS, airlines and airports,
railways, telecommunications industries, radio stations and other
cross-border undertakings, and similar undertakings for which the
federal government has constitutional legislative authority. Also
included are certain Crown corporations operating in these areas,
such as the CBC. Additionally, the legislation already applies to
every non-federally regulated organization that does the following
things:
(i) sells personal information that it has collected, used or
disclosed in one province outside that province; or
(ii) collects, uses or discloses personal information in connection
with the operation of a federally regulated private sector entity
(e.g., where Air Canada retains a non-federally regulated consultant
to collect personal information from the airline's customer list).
On January 1, 2004, the three-year phase-in of the PIPEDA will be
complete and will apply the legislation to most organizations in
Canada, including businesses and even non-businesses that are
conducting a "commercial activity". Indeed, the law will affect the
way that certain organizations collect, use and disclose personal
information about individuals in the course of daily commercial
activities, and even in larger one-time transactions such as a
business acquisition.
Understanding the applicability of the federal legislation is a
matter of appreciating the federal-provincial division of powers.
Some matters are reserved for the exclusive legislative domain of the
federal government, some for the provincial governments. Is your
organization federally or provincially regulated?
Note that there are serious constitutional law issues about the extent
that the federal government has the authority to regulate privacy in a
province. For the purposes of this paper, federal authority
is assumed.
The phase-in of the federal PIPEDA was designed to allow the provinces to put their own legislation into place. As of the date of writing, only the Province of Quebec has actually enacted legislation. British Columbia and Alberta have drafted and even introduced Acts into their legislative process; they may become law before January 1st. Ontario has a draft Act, but its process was interrupted by the recent provincial election, so it is likely to be changed again. Thus, analysis of the privacy law in this province must of necessity focus on the federal PIPEDA. Does any part of it affect your non-profit organization? If so, how?
The Law
The PIPEDA enacts into law the ten general principles contained in the
Canadian Standards Association's Model Code for the Protection of
Personal Information. These ten principles apply to commercial
activities even now. They are as follows:
- Accountability - An organization is responsible for
personal information under its control (and, importantly, this
includes third-party processors such as mailhouses, and fundraisers)
and shall designate an individual who is responsible for the
organization's compliance with the law. The legislators call this
person the "Chief Privacy Officer". This person will have to
understand policies and procedures and deal with complaints. In my
opinion, this person should not be a junior person.
- Identify Purposes - The purposes for which the information
is collected should be identified by your organization at or before
the time the information is collected. I can provide precedent
"Purpose Statements" for organizations. They should be tailored to
each organization so that they fit an organization's mission or
business. Simply filling in a template will not be the best
approach, as purpose, use and consent levels are best linked.
- Consent - This may very well be the heart of the PIPEDA.
The knowledge and consent of the individual are required for the
collection, use or disclosure of personal information, "except where
inappropriate". Note here that PIPEDA replaces "except where
inappropriate" with specific exceptions, such as, for law
enforcement, emergencies and for scholarly and research purposes.
Reference must be made to PIPEDA here.
Reliance on the CSA Principles is not recommended. Your organization
would be well advised to know that consent could be given in various
ways, including express and implied consents. The way in which an
organization seeks consent may vary depending upon the circumstances
and the type of information collected. An organization should seek
express consent when the information sought is sensitive (medical,
grades, financial).
Consent may be given in various ways. An application form may be
used to seek consent, collect information and inform the individual
of the use(s) that will be made of the information. By completing
and signing the form, the individual is giving consent to the
collection and the specified uses. A check off box may be used to
allow individuals to request that their names, addresses and other
information not be given to other organizations. Those who do not
check it are assumed to consent to use for this purpose. Consent may
be given orally when information is given over the phone.
To date, however, the Privacy Commissioner has required express
consent in almost all instances where consent is required, which
places a higher burden on the organization.
All this written, I would advise getting written consent whenever
possible and express consent in most situations. Reliance upon
implied consent looks likely to prove problematic, given the
decisions of the Commissioner so far.
Note also that consent may be withdrawn at any time!
- Limiting Collection - The amount and type of information
is limited to what is necessary for an identified purpose. If new
purposes develop, new consents are required, too. Naturally,
information shall be collected by fair and lawful means.
- Limiting Use, Disclosure and Retention of Personal
Information - An organization can only use, disclose and retain
for the purposes for which the information was collected.
Information shall be retained only as long as necessary for the
completion of those purposes.
For the purposes of planned giving, the information given will be
needed for a long time, in many circumstances. Therefore, it would
be wise to explain the need to keep the sensitive information at time
of collection and the security measures in place to protect it.
Keeping it is essential for its purpose. Disclosure is the key in
this circumstance.
The organization should also publish guidelines for the destruction
of information that is no longer of use.
- Accuracy - Personal information shall be as accurate,
complete and up-to-date as is necessary for the purposes for which it
is used. This is just good business practice anyway.
- Safeguards - Take real steps to prevent the loss, theft,
unauthorized access, disclosure, copying and use of personal
information. Safeguards should be appropriate to the sensitivity of
the information. Relevant staff should sign confidentiality
agreements.
- Openness - An organization must make its privacy practices and policies concerning management of personal information easily accessible to the public. A website is the ideal place to set out a purpose statement, as would be Annual Reports and other direct mailings. Planned giving mailings would even benefit from such disclosure, as they are evidence that the organization is trustworthy and responsible, and respectful of persons' privacy.
- Individual Access - Upon request, individuals are to be
informed of the existence, use and disclosure of all of their
personal information and be given access to it. Persons may
challenge the accuracy of their information and have it changed if it
is wrong.
- Challenge Compliance - A person shall be able to address a
challenge concerning compliance with all of these principles to the
designated individual(s) accountable for the organization's
compliance. The Chief Privacy Officer's liaison role will activate
at this point.
Purpose and Definitions
Section 3 of the Act sets out the law's purpose. It reads, "The
purpose of this Part is to establish, in an era in which technology
increasingly facilitates the circulation and exchange of information,
rules to govern the collection, use and disclosure of personal
information in a manner that recognizes the right of privacy of
individuals with respect to their personal information and the need
of organizations to collect, use or disclose personal information
that a reasonable person would consider appropriate in the
circumstances".
As one can read, there are many definitions that are necessary in order
to understand this law. Additionally note that it refers to "this Part",
or Part 1. Part 2 of the Act concerns electronic documents, and will be
dealt with in a subsequent paper of mine.
Section 4 of the Act is the Application section of the Act. It sets
out that this first part of the Act applies to, "...every
organization in respect of personal information that,
(a) the organization collects, uses or discloses in the course of its
commercial activities; or
(b) is about an employee of the organization and that the
organization collects, uses or discloses in connection with the
operation of a federal work, undertaking or business"
This applicability is limited in certain ways, including by the
Federal Parliament declaring in a later Act that said Act applies
notwithstanding the PIPEDA.
Section 2 of the Act is the definitions section. There, one can
clarify meanings.
"Commercial activity" is defined as, "...any particular transaction,
act or conduct...that is of commercial character, including the
selling, bartering or leasing of donor, membership or other
fundraising lists". So, for example, a charity that sold its
membership list to a magazine publisher or to another charity would
be engaged in commercial activity.
This definition alone will cause great consternation, as entities
that would not normally be thought of as undertaking commercial
activities can engage in single instances of commercial activity and
therefore be caught by the Act. Thus,
caselaw in Federal Court will be important (again, assuming federal
jurisdiction at all).
"Personal information" is defined as, "information that can be used
to identify, distinguish or contact a specific individual". Publicly
available information would be excluded from the scope of the Act, as
it is already "out there" in the public realm.
Another definition with which the reader should be familiar is the
term "Grandfathering". It refers to information that is already in
your organization's possession, prior to the enactment of the
legislation, such as client, donor or alumni files. Be aware that
this existing information will be subject to the same rules as data
collected subsequent to the legislation. Lawyers would say that the
information will not be "grandfathered". In fact, going even
further, if the collection of this information did not comply with
PIPEDA requirements (even though PIPEDA did not necessarily exist at
the time it was collected), organizations may have to re-contact
individuals to obtain their consent to the collection, use or
disclosure of the information in compliance with PIPEDA.
Look for part two of this article on November 3. It will explain what is required of organizations once the legislation goes into effect in January, and how they should respond to a privacy audit.
Jeffrey H. McCully, barrister & solicitor, is also chair of the CAGP's Ottawa Roundtable. He can be reached at jmccully@scotmor.ca.
Disclaimer: Please note that this memorandum is a general discussion
of certain legal and related developments and should not be relied
upon as legal advice. If you require legal advice, I would be
pleased to discuss with you the issues raised by this memorandum in
the context of your personal circumstances.