Nathan Garber & Associates
Governance & Planning Support for the Not-for-Profit Sector


Nonprofit News from Nathan: December 2003

Special Issue on Complying with the Personal Information Protection and Electronic Documents Act

It seems that many nonprofit organizations are not yet prepared for the federal Personal Information Protection and Electronic Documents Act (PIPEDA) that will apply in Ontario and most other provinces as of January 1, 2004. If your paper or computer files contain personal information about your employees, clients, donors, volunteers, or others, it is important that your methods of collecting, protecting, and using that information comply with the Act.

This newsletter summarizes what I have learned from a number of articles written by lawyers, and conversations with several organizations affected by the Act. It talks about how to comply with the Act and what the Board of Directors needs to do.

Contents:

Warning
Purpose
What Is “Personal Information”
Does it Apply to Your Organization?
Principles
How to Comply
Role of the Board of Directors
Online References
To Cancel this Newsletter

 

PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (PIPEDA)

WARNING / DISCLAIMER

This newsletter is about an important federal law. I have tried to confirm anything I was uncertain about but please be aware that I am not a lawyer and am not pretending to be. Don’t take this information for something it is not. Even the lawyers whose articles I list below caution not to rely on the articles to make decisions that have legal implications. Take their advice! For specific information about how the law affects YOUR organization, talk to a knowledgeable lawyer.

PURPOSE

The purpose of the law, as it is explained in the Act, is “to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.”

In a nutshell, PIPEDA requires

  • that you obtain the clear consent of an individual before you collect, use or disclose personal information about that individual, except when it is unreasonable to obtain consent or when the information is public knowledge;
  • that you use it only for the purposes for which you have consent;
  • that you protect that information from unauthorized access and use;
  • that you keep it up-to-date and correct so as not to make decisions based on wrong information;
  • that you destroy it when you no longer need it for the original purpose; and
  • that you implement accountability mechanisms in your organization to ensure compliance with the above.

Some of the details are clear, while others remain open to interpretation.

WHAT IS “PERSONAL INFORMATION”

 The Act aims to protect all information about an individual except their name, title or business address or telephone number. Personal information includes race, age, marital status, religion, employment history, credit history, assets, home address, home telephone number and notes in the individual’s file. For nonprofit organizations, this means that information you collect to establish eligibility for membership, programs, or discounts would be considered to be personal information. Also covered might be identifiable photos, donor histories, and other information maintained on donors and prospects. Personnel files on staff and volunteers are also likely to contain personal information.

DOES IT APPLY TO YOUR ORGANIZATION?

Although it seems primarily aimed at businesses, unless superseded by a provincial privacy law, PIPEDA will apply to charities and nonprofit organizations that collect, use or disclose personal information in the course of “commercial” activities. It defines “commercial” very broadly. It appears that you will have to comply with PIPEDA if your organization:

  • collects personal information about clients, donors, board members, or employees;
  • runs a related business, holds golf tournaments, sells books, magazines, religious items, gifts, clothing, food, or promotional items; or
  • sells, leases, or trades membership or donor lists.

The definition of commercial activities will be further clarified by the Privacy Commissioner and federal courts over the next few years, and may end up with a narrower or wider definition. In the meantime, it would be prudent to comply unless you are certain that it doesn’t apply to you.

PRINCIPLES OF PIPEDA

The law is based upon ten principles described in Schedule 1 of Part 6 of the Act.

  1. Accountability
    Organizations must designate someone to be accountable for compliance with PIPEDA and provide the name of that person upon request. The organization must establish privacy protection policies and practices and ensure that personnel are trained in their implementation.
     
  2. Identifying Purposes
    Organizations must inform individuals of their purpose in collecting personal information at or before the time the information is collected, and cannot use the information for any other purpose without obtaining consent.
     
  3. Consent
    Whenever possible and reasonable, organizations must make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used and agrees to its use. Consent can be withdrawn at a later date.
     
  4. Limiting Collection
    Organizations can only collect personal information related to the specified purpose and can only collect what is needed for that purpose. Organizations cannot collect personal information by misleading or deceiving individuals about the purpose for which information is being collected.