Archived from CharityVillage NewsWeek.
Privacy Law and Governance in the Non-profit Sector (Part 2 of 2)
November 3, 2003
By Jeffrey H. McCully
Part One of this article is published separately.
Governance - Chief Privacy Officer (CPO) - Essential New Oversight
PIPEDA requires organizations to designate one or more individuals
who are accountable for the organization's compliance and who oversee
the management of its information handling. Upon request, the
organization must identify those individuals. Again, I will emphasize
that this should not be a junior employee. It should be someone who
has a good understanding of the overall activities of your
organization, who has experience in change management, who has public
relations, negotiation and crisis management skills, and who is able
to keep current with privacy laws and regulations. This person must
also be able to communicate with every member of your organization
and maintain strict confidentiality. The liaison function with the
Privacy Commissioner's office and with your constituencies is also
important.
The CPO need not necessarily be an in-house counsel or chartered
accountant (should your organization be large enough to have these
persons), but many large institutions have made the CPO role a
functional responsibility of these professional ranks. Be prepared
to properly train and educate your chosen delegate(s).
Applicability and Exclusions
What can one be certain is not covered by the legislation? Personal
information about employees of organizations that are not federally
regulated is not, and will not be, subject to PIPEDA. Only provincial
privacy legislation will apply to those persons.
Some charities may be completely unaffected by the PIPEDA if they do
not engage in any commercial activity and they do not engage in
cross-border transactions. The act of gathering information about
donors in order to solicit them for gifts is not a commercial
activity and is not covered by the Act.
Where the Act does apply, the collection of personal information must
be limited to that which is necessary for the purposes identified.
Remember that, before or at the time of collection, the organization
must document those purposes and explain them to the individual in a
way the individual can readily understand. (Schedule 4.4, 4.4.1)
When an organization wants to use already collected information for a
new purpose, it must document the purpose and obtain a consent for
the new use. (Schedule 4.3.1, 4.5.2)
Consent is not necessary for collection of information solely for
journalistic, artistic or literary purposes. (Section 7(1)(c))
An entity may disclose personal information without the knowledge or
consent of an individual if the disclosure is to a barrister or
solicitor who is representing the entity. (Section 7(3)(a))
A business may disclose personal information for the purpose of
collecting a debt owed by the individual to the organization.
(Section 7(3)(b))
An organization may disclose personal information to comply with a
subpoena or warrant issued or an order made by a court, person or
body with jurisdiction to compel the production of information.
(Section 7(3)(c))
As emphasized, an organization must be open about its policies and
practices, and it must respond to a request by an individual for his
or her information within a reasonable time and at minimal or no cost
to the individual. (Section 8, Schedule 4.9, 4.9.1, 4.9.4, 4.9.5) The
Act sets thirty days from receipt of the request as the normal
maximum response time. Where the requesting individual has a sensory
disability, the organization is obliged to provide the personal
information in an alternative format, such as audiotape or Braille,
if the individual asks for it and the organization can reasonably
produce it. (Section 10)
Other exceptions to providing access include information that is
prohibitively costly to provide, information that contains references
to other people, information that cannot be disclosed for legal,
security or commercial proprietary reasons and information that is
subject to solicitor-client privilege. (Schedule 4.9)
Notably for non-profits and charities, it is well worth re-emphasizing
that there is no exemption for third party processors: an organization
remains responsible for personal information it transfers to a third
party for processing. (Schedule 4.1.3) So, for example, third party
fundraisers should sign a contract with the organization that binds
them to PIPEDA-compliant handling of any information transferred to
them for processing. If the organization fails to get such a contract
signed, it risks being liable for the actions of its agent, the third
party.
Broad or universal statements of applicability are difficult to make,
as individual organizational ties to government are relevant. For
example, some private non-profits may be subject to PIPEDA owing to
their ties with government. I recommend consultation with legal
counsel or with the Privacy Commissioner if questions still exist in
readers' minds.
Conclusion - How Should My Organization Respond?
The Privacy Audit
My best advice is to prepare as if the legislation will inevitably
apply to your organization. Most generally, this means having a
privacy audit done to determine your organization's preparedness. The
wise first step is to develop a privacy policy. In addition, your
organization should be prepared to select a Chief Privacy Officer, to
train employees on the organization's privacy policy, and to develop
procedures for handling requests for access to personal information
and for handling complaints. Confidentiality agreements should be
drafted for certain key employees to sign.
In the development of a policy, an organization should recognize that
a declining share of the public believes organizations are doing an
adequate job of protecting their privacy. Consumers want clear and
readily accessible policies that are effective in protecting their
privacy rights. They want dispute resolution systems, a responsible
person to whom they can bring issues and complaints, and independent
audits or verifications of organizations' compliance.
The most important thing that an organization can do to build client,
customer or public confidence is to have its public privacy policies
vetted by an independent auditor. Having a clear policy and a
capable individual in charge of privacy policies goes a long way to
ensuring confidence also. Independent verification means testing the
people, processes, technology and preventative measures, controls and
dispute resolution processes that are in place to ensure that a
company is following its stated privacy policies. Customers want
many things independently verified, such as security procedures to
protect personal information, release of personal information only
with explicit consent, and maintenance of internal controls to limit
access to personal information to proper and legal users.
Your organization will also want its privacy risks analyzed. What
risks exist? Beyond damage to relationships that bad practice will
cause, there are also penalty sections of the Act. There can be
charges of deceptive business practice, legal liability as well as
liability or sanction from within your governing industry
associations. Poor compliance will inevitably result in costs of
remedial compliance, costs that would not have been incurred had
things been done correctly in the first place. In the non-profit
sector, loss of trust is a death knell, particularly for fundraising
arms. Businesses will certainly lose profit and value, their very
raisons d'être.
The best organizations, be they non-profit or for-profit
organizations, recognize that they will want to develop privacy
policies that mirror their corporate visions, their business plan, or
the needs of their constituencies. They best understand the types of
information they are collecting, how they use and share it and
whether, in fact, they even really need that information at all.
Minimum legal compliance is a failing approach. Proactivity, the
anticipation of constituency needs, is always preferable to waiting
for bureaucratic rule-making to force organizational decision-making.
Jeffrey H. McCully, barrister & solicitor, is also chair of the CAGP's
Ottawa Roundtable. He can be reached at jmccully@scotmor.ca.
Disclaimer: Please note that this memorandum is a general discussion
of certain legal and related developments and should not be relied
upon as legal advice. If you require legal advice, I would be
pleased to discuss with you the issues raised by this memorandum in
the context of your personal circumstances.