What’s Important about the new Privacy Law?
March 2004

Most organizations handling personal information already do a pretty good job of ensuring that its confidential nature is respected. What the new privacy regime does is reinforce our existing practices, and establish some basic standards for how we meet our responsibilities. 

First, some background: the legal regime is federal legislation, which took effect January 1, 2004 in Ontario. There was an opportunity for the Ontario government to enact legislation which would have supplanted the federal one for most organizations, but it chose not to. 

Privacy obligations are being imposed as legal responsibilities largely in response to the European Community, which has insisted that personal information may flow from it only to jurisdictions that have enacted rules comparable to its own. That is why the federal government enacted the Personal Information Protection and Electronic Documents Act (PIPEDA), and why its scope is restricted to "commercial transactions."

"Commercial Transactions"

Since PIPEDA’s scope is restricted to commercial transactions, much of what non-profit organizations do is not affected by the legal regime.

It is clear that the renting of accommodation is a commercial transaction – money changes hands, and in return for that, a service – accommodation – is provided.  

But providing social services is not normally a commercial transaction. While money may be given, or applied to assist someone in need, no service or good is provided in return for that money. In law, that return is called "consideration," and it is what would bring the transaction into the commercial realm.

If They Don’t Apply, Why Bother?

However, that doesn’t mean that non-profits can, or should, ignore the new rules. The principles underlying the rules are sound, and are certainly worth implementing in your organization, whether you are required to or not.

For one thing, the mere existence of these rules, and their widespread application, means that everyone is increasingly attuned to the issue. If your organization is perceived as not being "up to speed," its reputation will suffer. 

And, fundamentally, the rules engender trust, between your organization and those who provide it with their private, or personal, information. The better your compliance with the principles, the more trust you will earn. And your organization will be much more effective, as a result. 

Applying the principles can also help your organization improve some of its administrative procedures. Record-keeping and retention often need more attention than they get, and the new rules are an opportunity to reconsider them.

The Ten Principles

They’re mostly common sense.

Your efforts should match the type of personal information you’re dealing with. The privacy of some personal information is critical – health information, for example. Disclosure of other information, such as a mailing address, may cause little harm. The effort you put into complying with the principles should be proportionate to the harm that could result from disclosure.

Don’t go overboard: privacy principles apply only to information about individuals, not organizations.  

Here’s a brief summary: 

1. Accountability
    
Appoint someone to be responsible for privacy issues. Ensure that person is knowledgeable about, and interested in, the issue. Tell those whose personal information you hold that this person is the one to contact with concerns about privacy.

2. Identifying purposes
    
When you collect personal information from someone, state clearly why you are collecting it. This is new – we are not used to explaining why we’re collecting the information. Under these principles, the stated purpose is key: it governs how you may use the information, and to whom you may give it. State it too broadly, and it may not be effective. Too narrowly, and you may impede your organization’s effectiveness.

3.  Consent
    
You can only use, or share, personal information if you have obtained consent to use it for that purpose. For sensitive information – personal health information, for example – the consent must be explicit and clear. Less sensitive personal information may need only implied consent, and a negative option ("If you don’t tell us not to use it, we will assume it’s OK to use it") may be acceptable. It is best to err on the side of explicit, written consent, and to avoid the negative option entirely.

Note that there’s no "grandparenting". Personal information collected before PIPEDA came into effect is still subject to the consent requirement, even though you collected it without consent. Obviously, there’ll have to be a transitional period in which you bring your organization onside.

4. Limits on collection
    
Collect only the information you need for the purpose you have stated, and no more.
 

5. Limits on using, sharing, and keeping information
    
You can use personal information only for the purpose that you stated when you collected it. You can keep the information only as long as you need it for this purpose. When you no longer need it for this purpose, you must destroy it. 

If your organization doesn’t have a records destruction policy, now’s the time to develop one.

6. Accuracy
    
You should take reasonable care to ensure the information you collect is accurate. 

7. Safeguards
    
Keep personal information secure, with safeguards appropriate to its sensitivity. Only those with a need to know should have access to it.

8. Openness
    
Make your privacy policies available, along with the contact information of the person you’ve designated to address privacy issues for your organization. If a breach occurs, tell those affected what happened, what you’re doing to fix it, and how you will prevent future breaches.
 

9. Individual access
    
Individuals should be able to verify the accuracy of – and correct – the information you have about them. 

10. Handling complaints
    
You should have a procedure in place to deal with complaints about how you collect and use personal information.
 

Enforcement
For the most part, this will be self-enforcing. As expectations rise, you’ll have to meet them.
 

At this stage, don’t worry much about legal consequences – the important thing is to learn what’s expected of you, and start applying it. 

Resources
The Federal Privacy Commissioner is responsible for the administration of PIPEDA. The website has lots of resources available: http://www.privcom.gc.ca/index_e.asp
 

For housing co-ops, the Co-op Housing Bookstore has recently published Protecting Personal Information: A Housing Co-op’s Guide to the Personal Information Protection and Electronic Documents Act. Order it online at http://www.coophousing.com/bookstore/index.html

Organizations that do fundraising will find the Canadian Centre for Philanthropy’s website on privacy issues helpful: http://www.ccp.ca/display.asp?type=1&id=70 

The publication Privacy 101: A Guide to Privacy Legislation for Fundraising Professionals in Canada, is available there for downloading.  

Brian Iler
Iler Campbell
700-890  Yonge Street, Toronto Ontario Canada M4W 3P4 
Phone (416) 598-0103  /  Fax (416) 598-3484
www.ilercampbell.com
