Effective January 1, 2004, the Personal Information Protection and Electronic Documents Act ("PIPEDA") applies to all organizations that use, collect or disclose personal information in the course of commercial activities. Although it is a federal Act, it applies in those provinces that lack substantially similar privacy legislation. As of today, the federal government has declared the privacy legislation of British Columbia, Alberta, Quebec and, in matters relating to health information, Ontario to be substantially similar to PIPEDA.
PIPEDA only applies to private sector organizations that use, collect and disclose personal information in the course of commercial activities. "Commercial activities" is defined in PIPEDA to include "the selling, bartering or leasing of donor, membership or other fundraising lists." Because of the word "commercial", one of the most frequently asked questions is whether PIPEDA applies to non-profit and charitable organizations. The Privacy Commissioner has stated, and the courts have agreed, that the use of the word "commercial" does not automatically exempt non-profit and charitable organizations from the application of PIPEDA.
Unfortunately, neither the Privacy Commissioner nor the courts has fleshed out an exhaustive list or provided a definitive test to determine what actually constitutes a commercial activity. The Privacy Commissioner has stated that the following will not be considered commercial activity:
- collecting membership fees and organizing club activities;
- compiling a list of members’ names and addresses; and
- mailing out newsletters.
What is certain is that PIPEDA will apply if a non-profit or charitable organization sells, leases or barters membership, donor or fundraising lists.
Faced with such uncertainties, it is most prudent that a non-profit or charitable organization comply with PIPEDA. Not only is this good business practice, it is also sound risk management. Failure to comply with PIPEDA may result in the organization having to compensate an individual or another organization as a consequence of that non-compliance. As well, a complaint investigated by the Privacy Commissioner may become public.
The obligations PIPEDA imposes on an organization can be found in the Model Code for the Protection of Information ("Model Code"), which is Schedule I to PIPEDA. The three most important obligations that the Model Code imposes are:
- stating the purpose for which the personal information is being used, collected or disclosed;
- obtaining the individual's consent for such use, collection or disclosure; and
- not using, collecting or disclosing personal information for purposes other than those to which the individual consented.
Other obligations under the Model Code include appointing a privacy officer, ensuring the accuracy of records, allowing individuals to access their records, and establishing retention policies.
The obligations and recommendations are onerous and important. A good place to start would be to appoint a privacy officer whose duties should include:
- reviewing and becoming familiar with PIPEDA and the Model Code;
- reviewing personal information already held by the organization for accuracy and consent;
- ensuring that the collection, use or disclosure of information is limited to the stated purpose;
- ensuring that consent is being obtained for any personal information that is used, collected or disclosed;
- creating policies for the retention of personal information and safeguards against its prohibited use, collection or disclosure;
- providing a manner in which an individual can access his/her information;
- creating policies to deal with complaints, whether handled in house or lodged with the Privacy Commissioner; and
- training staff in the policies and privacy obligations imposed by PIPEDA.
At first, this task might seem daunting, but once the proper policies and procedures are in place, compliance becomes a routine matter. By taking these initial steps and establishing procedures and policies, your organization not only complies with PIPEDA but also engages in the good business practice of keeping customers and members satisfied in knowing that their personal information is not being used, collected or disclosed for improper purposes.
[This article was originally published in the April/May 2007 issue of CSAE Ottawa-Gatineau Executive Newsletter.]