Personal Information Protection and Electronic Documents Act
The Personal Information Protection and Electronic Documents Act (PIPEDA) is federal legislation passed in 2001 and fully implemented on January 1, 2004. While some provinces have passed their own privacy legislation, Ontario has not, so the federal legislation applies here. Increasingly, organizations and businesses rely on personal information to connect with their customers and members. Respecting and protecting customers' and members' privacy is part of good customer and member relations.
The purpose of the Act is "to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances."
PIPEDA requires that you:
Note: The legislation is intricate, so be sure to obtain legal advice to fully understand the requirements. As legislation is reviewed and amended periodically, ensure you are referring to the most current version.
The Act aims to protect information about an individual, including information such as:
Personal information does not include the name, title, business address or telephone number of an employee of an organization.
For many organizations, this means that the information collected to establish eligibility for membership, programs, donor histories, personnel files of staff and volunteers may be considered personal information.
PIPEDA applies to most organizations and businesses in Ontario that are conducting "commercial activity," with commercial activity being defined very broadly. The law affects the way organizations collect, use and disclose personal information about individuals. You will have to comply with PIPEDA if your organization engages in "commercial activity," which is defined in Section 2 as:
" . . . any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists."
According to the Office of the Privacy Commissioner of Canada in the Factsheet "The Application of the PIPEDA to Charitable and Non-Profit Organizations," a non-profit organization is not automatically exempt. Most non-profits such as charities, minor hockey associations, clubs, community groups and advocacy organizations are not subject to the Act because they do not engage in commercial activities. Collecting membership fees, organizing club activities, compiling a list of members' names and addresses, and mailing out newsletters are not considered commercial activities. Fundraising is not considered a commercial activity unless lists are exchanged.
Some clubs may be engaged in commercial activities by selling, bartering or leasing a membership list or a list of donors. In these situations, consent is required for the disclosure of the information. Assuming the information is not considered sensitive, an organization can use a clear, simple and easy-to-execute opt-out process as a means of obtaining consent.
Although the Act may not apply to charities, associations and other similar organizations, it is recommended that such organizations provide their members, donors or supporters with an opportunity to decline to receive further communications. If you have paper or computer files that contain information about your employees, clients, donors, volunteers, exhibitors or others, your method of collecting, protecting and using that information must comply with the Act.
The Act is based on 10 principles that are applied to an organization's activities.
The principles of PIPEDA make good sense for any organization that relies upon the trust of donors, clients and the community. If you're starting from scratch, following the steps listed below should help your organization comply with the spirit and intent of the Act.
Some examples of privacy policies for organizations can be found on the following web sites (all links are found in related links section):
An article on data security entitled "Basic Information Security" is available at http://www.peaceworks.ca/ under "articles."
The author would like to acknowledge the following resources that were used in the development of this Factsheet and encourage people to refer to the web sites for more information.
"Personal Information Protection and Electronic Documents Act." Government of Canada. 2000. Easier-to-read-online version is on the web site of the Office of the Privacy Commissioner of Canada:
"Application of the Personal Information Protection and Electronic Documents Act to Charitable and Non-Profit Organizations." Factsheet. Office of the Privacy Commissioner of Canada. May 2004.
"Court Considers Application of PIPEDA to Non-Profit Club." The Canadian Association. January 2005. Rachel Bumenfeld.
Focus on Privacy — Does PIPEDA Apply to My Company? McInnes Cooper. September 2003. David T.S. Fraser.
"Donor Lists Protected as Charitable Property Under Canadian Law." Charity Law Bulletin. No. 15, July 25, 2002. Jacqueline M. Connor, Mervyn F. White, and Terrance S. Carter.
"Impact of the Personal Information Protection and Electronic Documents Act (PIPEDA) on Charitable and Non-Profit Organizations." The Canadian Association. 2003. Mark Wong and others.
The PIPEDA Privacy Principles: A Guide for Associations and Nonprofit Organizations. Association Xpertise Inc. 2001.
"Privacy 101: A Guide to Privacy Legislation for Fundraising Professionals and Not-For-Profit Organizations in Canada." Version I. Prepared by a cross-sector working group representing: Association of Fundraising Professionals (AFP), Association for Healthcare Philanthropy (AHP), Association of Professional Researchers for Advancement (APRA), and Canadian Centre for Philanthropy (CCP).
"Privacy and Boards of Directors: What You Don't Know CAN Hurt You." Information and Privacy Commissioner/Ontario. November 2003.
"Privacy Compliance: What Churches and Charities Need to Do by January 1, 2004." The 2003 Annual Church and the Law Seminar. PowerPoint Presentation. November 2003. Mark J. Wong.
"Privacy Law and Governance in the Non-Profit Sector." Charity Village News Week. October 20, 2003. Jeffrey H. McCully.
"Special Issue on Complying With the Personal Information Protection and Electronic Documents Act." Nonprofit News from Nathan: December 2003. Nathan Garber & Associates. Nathan Garber.
Disclaimer: The purpose of this Factsheet is to inform organizations about this important federal legislation. This document is for general information and should not be relied upon as legal advice. The legislation is intricate; consult with your lawyer as to how it may affect your organization.
For more information:
Toll Free: 1-877-424-1300