Personal Information Protection and Electronic Documents Act
Publication Date: August 2005
Last Reviewed: August 2005
Written by: Denise Edwards - Agriculture Organization Specialist/OMAFRA
Table of Contents
- What is Personal Information?
- Does PIPEDA Apply to Your Organization?
- Principles of PIPEDA
- How to Comply with PIPEDA
- Role of Board of Directors
- Related Links
The Personal Information Protection and Electronic Documents Act (PIPEDA) is federal legislation passed in 2001 and fully implemented on January 1, 2004. While some provinces have passed their own privacy legislation, Ontario has not, so the federal legislation applies here. Increasingly, organizations and businesses rely on personal information to connect with their customers and members. Respecting and protecting customers' and members' privacy is part of good customer and member relations.
The purpose of the Act is "to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances."
PIPEDA requires that you:
- obtain the clear consent of an individual before you collect, use or disclose personal information about that individual
- use the information only for the purposes for which you have consent
- protect the information from unauthorized access and use
- keep the information up to date and correctly filed so that decisions are based on correct information
- destroy information when you no longer need it for the original purpose and
- implement accountability mechanisms in your organization to ensure compliance with the above.
Note: The legislation is intricate, so be sure to obtain legal advice to fully understand the requirements. As legislation is reviewed and amended periodically, ensure you are referring to the most current version.
What Is Personal Information?
The Act aims to protect information about an individual, including information such as:
- age, name, income, ethnic origin, religion or blood type
- opinions, evaluation, comments, social status or disciplinary actions
- credit records, employment history and medical records.
Personal information does not include the name, title, business address or telephone number of an employee of an organization.
For many organizations, this means that the information collected to establish eligibility for membership, programs, donor histories, personnel files of staff and volunteers may be considered personal information.
Does PIPEDA Apply To Your Organization?
PIPEDA applies to most organizations and businesses in Ontario that are conducting "commercial activity," with commercial activity being defined very broadly. The law affects the way organizations collect, use and disclose personal information about individuals. You will have to comply with PIPEDA if your organization engages in "commercial activity," which is defined in Section 2 as:
" . . . any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists."
According to the Office of the Privacy Commissioner of Canada in the Factsheet "The Application of the PIPEDA to Charitable and Non-Profit Organizations," a non-profit organization is not automatically exempt. Most non-profits such as charities, minor hockey associations, clubs, community groups and advocacy organizations are not subject to the Act because they do not engage in commercial activities. Collecting membership fees, organizing club activities, compiling a list of members' names and addresses, and mailing out newsletters are not considered commercial activities. Fundraising is not considered a commercial activity unless lists are exchanged.
Some clubs may be engaged in commercial activities by selling, bartering or leasing a membership list or a list of donors. In these situations, consent is required for the disclosure of the information. Assuming the information is not considered sensitive, an organization can use a clear, simple and easy-to-execute opt-out process as a means of obtaining consent.
Although the Act may not apply to charities, associations and other similar organizations, it is recommended that such organizations provide their members, donors or supporters with an opportunity to decline to receive further communications. If you have paper or computer files that contain information about your employees, clients, donors, volunteers, exhibitors or others, your method of collecting, protecting and using that information must comply with the Act.
Principles Of PIPEDA
The Act is based on 10 principles that are applied to an organization's activities.
Accountability: An organization is responsible for the personal information under its control and shall designate an individual who is responsible for the organization's compliance. This Chief Privacy Officer will understand the policies and procedures and deal with complaints.
Identify Purposes: The purposes for which the information is collected should be identified on or at the time of collection. Organizations should develop "purpose statements."
Consent: The knowledge and consent of the individual are required for collection, use or disclosure of personal information in a commercial activity. Consent can be expressed or implied. The Privacy Commissioner recommends expressed consent in most instances. Some examples of expressed consent are:
- An individual completes and signs a form giving consent to the collection of information for specified purposes, its use and if it is to be disclosed.
- A check-off box allows individuals to request that their personal information not be given.
Note: Although entering into competitions may be classified as implying consent, this is not clear enough, and organizations are advised to include consent in their rules and on their exhibitor registration forms.
Limiting Collection: Information is to be collected for specific purposes and can only be used for those purposes. Information cannot be collected by misleading or deceiving the individuals about the purpose for which it is intended.
Limiting Use, Disclosure and Retention of Personal Information: Organizations can only use, disclose and retain personal information for the specific purposes it was collected for and must not retain it longer than needed for those specific purposes.
Accuracy: Personal information shall be accurate, complete and up to date.
Safeguards: The organization must protect personal information against loss or theft as well as unauthorized access, disclosure, copying, use or modification. The level of security should be appropriate to the sensitivity of the information. People with access should sign confidentiality agreements.
Note: The organization should ensure the security of its computers and paper files.
Openness: The organization's privacy policies must be readily available to anyone.
Individual Access: Individuals have the right to know what personal information about them has been collected, how it is being used, to whom it has been disclosed, and to challenge the accuracy and completeness and to have errors corrected.
Challenging Compliance: Individuals should be able to address any challenges concerning compliance to the organization's Chief Privacy Officer.
How To Comply With PIPEDA
The principles of PIPEDA make good sense for any organization that relies upon the trust of donors, clients and the community. If you're starting from scratch, following the steps listed below should help your organization comply with the spirit and intent of the Act.
- Ensure you understand the Act and the principles set out in it. The web sites listed at the end of this Factsheet contain links to the official version, commentary and legal interpretations of the principles. Seek legal advice to determine how specific points may affect your organization.
- Appoint a compliance officer. This should be someone who has authority in the organization and can deal with the public.
- Conduct a review of your organization's current practices concerning the personal information it collects and maintains. Some of the questions you should be asking include:
  - What personal information is collected and why?
  - How is it collected?
  - What is it used for?
  - How do we ensure that it can only be used for the intended purposes?
  - How do we ensure that we have the consent of the individual to collect and use the information?
  - Where is this information kept now?
  - Who has access?
  - What security measures are in place?
  - With whom do we share the information?
  - What do we do with the information when it is no longer needed?
- Update any forms (paper and electronic) that you use to collect personal information, e.g., exhibitor's registration cards and contracts you have with employees, suppliers, marketing firms, fundraising companies and other organizations that involve the collection or transfer of personal information.
- Ensure you have a way to deal with opt-outs. You don't want to be sending appeal letters to people who have said they don't want to receive them.
- Update your data security systems and file management procedures to ensure that personal information is protected from unauthorized access.
- Train your employees and volunteers. If they have access to personal information, they should sign a confidentiality agreement statement and have a good understanding of your policies and practices. They should know who is responsible for dealing with inquiries and complaints.
- Make your policy available. It should be easily accessible to anyone who wants to see it.
Role Of Board Of Directors
- Ensure that directors receive appropriate training in privacy concepts and that there is some privacy expertise on the board.
- Ensure that at least one person has been designated to be accountable for the organization's privacy compliance.
- If it is a staff person who is assigned the responsibility, ensure that privacy compliance is a part of their performance evaluation and compensation.
- Undertake periodic privacy self-assessments and audits of directors and report to the board on a regular basis.
Some examples of privacy policies for organizations can be found on the following web sites (all links are found in the Related Links section):
- World Wildlife Fund
- Compasstax Chartered Accountants
An article on data security entitled "Basic Information Security" is available at http://www.peaceworks.ca/ under "articles."
The author would like to acknowledge the following resources that were used in the development of this Factsheet and encourage people to refer to the web sites for more information.
- "Personal Information Protection and Electronic Documents Act." Government of Canada. 2000. An easier-to-read online version is on the web site of the Office of the Privacy Commissioner of Canada.
- "Application of the Personal Information Protection and Electronic Documents Act to Charitable and Non-Profit Organizations." Factsheet. Office of the Privacy Commissioner of Canada. May 2004.
- "Court Considers Application of PIPEDA to Non-Profit Club." The Canadian Association. January 2005. Rachel Bumenfeld.
- "Focus on Privacy - Does PIPEDA Apply to My Company?" McInnes Cooper. September 2003. David T.S. Fraser.
- "Donor Lists Protected as Charitable Property Under Canadian Law." Charity Law Bulletin. No. 15, July 25, 2002. Jacqueline M. Connor, Mervyn F. White, and Terrance S. Carter.
- "Impact of the Personal Information Protection and Electronic Documents Act (PIPEDA) on Charitable and Non-Profit Organizations." The Canadian Association. 2003. Mark Wong and others.
- "The PIPEDA Privacy Principles: A Guide for Associations and Nonprofit Organizations." Association Xpertise Inc. 2001.
- "Privacy 101: A Guide to Privacy Legislation for Fundraising Professionals and Not-For-Profit Organizations in Canada." Version I. Prepared by a cross-sector working group representing: Association of Fundraising Professionals (AFP), Association for Healthcare Philanthropy (AHP), Association of Professional Researchers for Advancement (APRA), and Canadian Centre for Philanthropy (CCP).
- "Privacy and Boards of Directors: What You Don't Know Can Hurt You." Information and Privacy Commissioner/Ontario. November 2003. Ann Cavoukian.
- "Privacy Compliance: What Churches and Charities Need to Do by January 1, 2004." The 2003 Annual Church and the Law Seminar. PowerPoint presentation. November 2003. Mark J. Wong.
- "Privacy Law and Governance in the Non-Profit Sector." Charity Village News Week. October 20, 2003. Jeffrey H. McCully.
- "Special Issue on Complying With the Personal Information Protection and Electronic Documents Act." Nonprofit News from Nathan. December 2003. Nathan Garber & Associates. Nathan Garber.
Disclaimer: The purpose of this Factsheet is to inform organizations about this important federal legislation. This document is for general information and should not be relied upon as legal advice. The legislation is intricate; consult with your lawyer as to how it may affect your organization.
For more information:
Toll Free: 1-877-424-1300