Current Print Edition
November 2008

PIPEDA and non-profits

The new privacy legislation landscape is raising a number of questions for not-for-profit organizations. Although PIPEDA won’t affect everyone, it does have implications for many.

By Curtis McDonnell

Although the Personal Information Protection and Electronic Documents Act (PIPEDA) has been in effect since January 1, 2004, many organizations are still trying to assess its impact. Many not-for-profit and charitable organizations have been wrestling with the question of what it means to them. The most concise answer is that it depends on what the non-profit does. The scope of the Act and, in particular, its broad definition of commercial activity could have implications for some.

The Federal Government originally enacted PIPEDA on January 1, 2001, to regulate federal organizations such as banks, telecommunications and transportation companies.

However, on January 1, 2004, the Act expanded its scope and now applies to personal information collected, used or disclosed in the course of commercial activity by provincially regulated organizations in provinces that don’t have their own privacy legislation similar to PIPEDA. This means virtually all private sector organizations carrying on commercial activity are now regulated by PIPEDA (or similar legislation in certain provinces).

PIPEDA applies to a very broad cross section of businesses, ranging from the sole proprietor who operates the corner video store to very large organizations, such as banks. Its definition of the term “organization” includes an association, a partnership, a person or a trade union.

People might be surprised to learn PIPEDA covers the disclosure of all personal information except your name, your business address, your title, and your business phone number. In the case of the corner video store, PIPEDA applies because the video store collects personal information when consumers rent videos and provide their home address, home phone number and credit card information. The store also carries on a commercial activity when it charges a fee to rent a movie.

Many not-for-profits undertake activities that could be considered commercial activity under the Act as well. Part of the definition of “commercial activity” includes the selling, bartering or leasing of donor or membership lists — something more likely to apply directly to not-for-profits than for-profit organizations. Commercial activity is also described as any particular transaction, act or conduct or any regular course of conduct that is of a commercial character.

Money raising methods

While for-profit organizations don’t usually have donor or membership lists, not-for-profit organizations regularly do. While fundraising itself isn’t considered a commercial activity, not-for-profits and charities sometimes barter, sell, or lease their lists to other organizations. This activity would be considered a commercial activity and is covered by the Act. For example, organizations can provide their lists to professional fundraisers for a fee to raise funds for the organization. The not-for-profit organization is seeking to raise money for its operation and support its core activities, without the goal of making a profit. The professional fundraisers would be acquiring the list and working with it to make a profit for themselves.

Disclosing the personal information of members or donors would likely include personal information such as home address, home phone number, amount donated/contributed and perhaps credit card and/or bank information. This disclosure to professional fundraisers could be considered to be of a commercial nature and would likely be caught by PIPEDA as a commercial activity.

Not-for-profit organizations also raise money in various other ways to ensure they have enough funds to maintain operations. Many of these activities could be considered commercial activity under PIPEDA, such as charging membership fees, facility access fees and service fees.

For example, an exclusive golf club that charges membership and initiation fees as well as dining room and bar room charges may not be trying to make a profit. But members want the general manager to manage the organization in a way that ensures the operation continues — that members can enjoy the privilege of golfing at the club on well-maintained greens and fairways, or dine and socialize in a pleasant atmosphere.

The payment of the membership fee in exchange for the benefit of membership, along with the payment of the dining room/bar room charges, can easily be understood as commercial activity even though the club doesn’t intend to make a profit.

Driving forces

PIPEDA addresses the government’s concern for the safety and security of Canadians’ personal information in an age of ever-increasing use of e-commerce as a means of transacting business.

The government is also concerned about European Union (EU) requirements that nations doing business with the EU have adequate legislation in place to protect the personal information of any EU citizens whose personal information was transmitted outside the EU.

PIPEDA applies in any province that hasn’t enacted substantially similar legislation (as determined by the federal government’s Governor in Council) as of January 2004, which is why this date is a watershed of sorts. Presently, only Quebec has enacted legislation that is considered substantially similar. Alberta and British Columbia have also enacted legislation and the Federal Government intends to consider it substantially similar to PIPEDA. The legislation in those provinces will apply to personal information collected, used and disclosed by organizations that are provincially regulated.

PIPEDA applied

PIPEDA has been described as a form of human rights legislation. The purpose of PIPEDA is to try to protect the personal information of individuals when it’s collected, used or disclosed by an organization.

It’s reasonable to conclude that the legislation will be interpreted to give it broad application in those areas of the country where there is no, or no adequate, legislation in place to protect our personal information. It applies and fills a void in Ontario, Manitoba, Saskatchewan and the Maritime provinces.

It’s expected that it will be broadly applied, and will include not-for-profit organizations that fall within the broadly interpreted definition of commercial activity.

Legislation in British Columbia and Alberta may help determine how broadly PIPEDA will be applied. The B.C. act specifically includes not-for-profits in the definition of an organization. Accordingly, in B.C. there is no question that the personal information collected, used or disclosed by B.C. not-for-profits is covered by the B.C. privacy legislation (Personal Information Protection Act — PIPA).

Alberta’s legislation is a little more complicated. The definition of commercial activity is quite similar to PIPEDA’s, in that it is circular. But, in addition to referring to selling, leasing or bartering membership or donor lists, the legislation also includes the operation of a private school, an early childhood services program or a private college.

The Alberta Personal Information Protection Act (PIPA) has a definition of a not-for-profit organization that limits these organizations to those incorporated under the Societies Act, the Agricultural Societies Act or Part 9 of the Companies Act. Organizations set up under these statutes will only be covered if they carry on commercial activities as defined in the Alberta Act — otherwise, the Alberta PIPA doesn’t cover them. However, Alberta PIPA’s personal information collection statutes cover not-for-profit organizations that aren’t set up under one of these three acts.

These provinces are prepared to extend the coverage of their respective acts to not-for-profits that carry on commercial activities. This may assist the Privacy Commissioner of Canada when considering the application of PIPEDA to a provincially regulated organization in provinces without legislation.

Steps for not-for-profits

With the implementation of PIPEDA in various provinces on January 1, not-for-profits that carry on a commercial activity ought to take the following steps to comply with the 10 fair information principles referenced in the Act:

  • Appoint a privacy officer;
  • Evaluate the personal information on hand;
  • Prepare policies; and
  • Train the board, staff and volunteers.

Principle I of the Act deals with accountability and requires organizations to have policies and procedures in place to deal with privacy issues and to appoint a privacy officer responsible for compliance with the privacy principles (for a complete list of the 10 principles, refer to the October 2003 issue of CMA Management).

It makes good sense for organizations to have a privacy policy in place now that the issues of personal information and privacy are so clearly before the public. When drafting a policy, it’s important to keep the 10 fair information principles in mind so that the policy is sufficiently comprehensive and detailed to be compliant with the requirements of the Act.

An organization that decides to have its privacy policy apply to its entire organization, including its employees and volunteers, should indicate in its policy that it complies with all applicable legislation and with the 10 fair information principles.

The role of the privacy officer

Not-for-profits that carry on commercial activity should have already appointed a privacy officer, who is responsible for carrying out an evaluation of the information that the organization collects and, from that, developing policies and procedures.

The evaluation should consider what information has been and is being collected and ask the following questions:

  • How is personal information stored and safeguarded?
  • What is it used for?
  • What is the organization’s reason for collecting or using it?
  • To whom is the personal information disclosed and why?

These questions are important for formulating a privacy policy, which is the next step once the evaluation is complete.

Once the evaluation is complete and the policies drafted and revised, the organization must ensure that its staff, including volunteers, officers and directors, are trained on the privacy policy.

These practices will reduce the number of unpleasant surprises when the organization receives a request for access to information or a notice from the Privacy Commissioner’s office that a complaint has been filed and an investigation is under way.

These practices ensure that your organization is viewed positively by the public and demonstrate that you value the trust of your customers and employees. They are good practices and are good for public relations.

Curtis McDonnell is a consultant with Fraser Milner Casgrain’s Employment and Labour Group.
