Nathan Garber & Associates
Governance & Planning Support for the Not-for-Profit Sector

Nonprofit News from Nathan: December 2003

Special Issue on Complying with the Personal Information Protection and Electronic Documents Act

It seems that many nonprofit organizations are not yet prepared for the federal Personal Information Protection and Electronic Documents Act (PIPEDA) that will apply in Ontario and most other provinces as of January 1, 2004. If your paper or computer files contain personal information about your employees, clients, donors, volunteers, or others, it is important that your methods of collecting, protecting, and using that information comply with the Act.

This newsletter summarizes what I have learned from a number of articles written by lawyers, and conversations with several organizations affected by the Act. It talks about how to comply with the Act and what the Board of Directors needs to do.

Contents:

Warning
Purpose
What Is “Personal Information”
Does it Apply to Your Organization?
Principles
How to Comply
Role of the Board of Directors
Online References
To Cancel this Newsletter

 

PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (PIPEDA)

WARNING / DISCLAIMER

This newsletter is about an important federal law. I have tried to confirm anything I was uncertain about but please be aware that I am not a lawyer and am not pretending to be. Don’t take this information for something it is not. Even the lawyers whose articles I list below caution not to rely on the articles to make decisions that have legal implications. Take their advice! For specific information about how the law affects YOUR organization, talk to a knowledgeable lawyer.

PURPOSE

The purpose of the law, as it is explained in the Act is “to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.”

In a nutshell, PIPEDA requires

  • that you obtain the clear consent of an individual before you collect, use or disclose personal information about that individual, except when it is unreasonable to obtain consent or when the information is public knowledge;
  • that you use it only for the purposes for which you have consent;
  • that you protect that information from unauthorized access and use;
  • that you keep it up-to-date and correct so as not to make decisions based on wrong information;
  • that you destroy it when you no longer need it for the original purpose; and
  • that you implement accountability mechanisms in your organizations to ensure compliance with the above.

Some of the details are clear, while others remain open to interpretation.

WHAT IS “PERSONAL INFORMATION”

The Act aims to protect all information about an individual except their name, title or business address or telephone number. Personal information includes race, age, marital status, religion, employment history, credit history, assets, home address, home telephone number and notes in the individual’s file. For nonprofit organizations, this means that information you collect to establish eligibility for membership, programs, or discounts would be considered to be personal information. Also covered might be identifiable photos, donor histories, and other information maintained on donors and prospects. Personnel files on staff and volunteers are also likely to contain personal information.

DOES IT APPLY TO YOUR ORGANIZATION?

Although it seems primarily aimed at businesses, unless superseded by a provincial privacy law, PIPEDA will apply to charities and nonprofit organizations that collect, use or disclose personal information in the course of “commercial” activities. It defines “commercial” very broadly. It appears that you will have to comply with PIPEDA if your organization:

  • collects personal information about clients, donors, board members, or employees;
  • runs a related business, holds golf tournaments, sells books, magazines, religious items, gifts, clothing, food, or promotional items; or
  • sells, leases, or trades membership or donor lists.

The definition of commercial activities will be further clarified by the Privacy Commissioner and federal courts over the next few years, and may end up with a narrower or wider definition. In the meantime, it would be prudent to comply unless you are certain that it doesn’t apply to you.

PRINCIPLES OF PIPEDA

The law is based upon ten principles described in Schedule 1 of Part 6 of the Act.

  1. Accountability
    Organizations must designate someone to be accountable for compliance with PIPEDA and provide the name of that person upon request. The organization must establish privacy protection policies and practices and ensure that personnel are trained in their implementation.
     
  2. Identifying Purposes
    Organizations must inform individuals of their purpose in collecting personal information at or before the time the information is collected, and cannot use the information for any other purpose without obtaining consent.
     
  3. Consent
    Whenever possible and reasonable, organizations must make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used and agrees to its use. Consent can be withdrawn at a later date.
     
  4. Limiting Collection
    Organizations can only collect personal information related to the specified purpose and can only collect what is needed for that purpose. Organizations cannot collect personal information by misleading or deceiving individuals about the purpose for which information is being collected.
     
  5. Limiting Use, Disclosure, and Retention
    Personal information cannot be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information must not be retained longer than needed for the specified purposes.
     
  6. Accuracy
     Information must be sufficiently accurate and complete so as to minimize the possibility that decisions are based upon incorrect information.
     
  7. Safeguards
    The organization must protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. The level of security should be appropriate to the sensitivity of the information.
     
  8. Openness
    The organization’s privacy policies must be made readily available to anyone.
     
  9. Individual access
    Wherever reasonable, individuals have the right to know what personal information about them has been collected, how it is being used, to whom it has been disclosed, to challenge its accuracy and completeness, and to have it corrected.
     
  10. Challenging Compliance
    Individuals may address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance through a simple and accessible complaints procedure – and the organization must investigate and act upon complaints.

HOW TO COMPLY WITH PIPEDA

The principles of PIPEDA make good sense for any organization that relies upon the trust of donors, clients, and the community. If you collect very little personal information, complying with the Act will not likely be too difficult. The more sensitive the information, the more stringent you must be in protecting the privacy of the individual. If you have been dealing with vulnerable populations, you will already be following many of the principles. If you’re starting from scratch, following the steps listed below should help you comply with the spirit and the words of the Act.

  1. Make sure you understand the principles of the Act (the full text is listed under Online References at the end of this article). The websites listed at the end of this article contain commentary and interpretations of the principles by several different lawyers.
     
  2. Appoint a compliance officer. This should be someone who has authority in the organization and can deal with the public. The compliance officer can lead you through the next steps.
     
  3. Conduct a review of your organization’s current practices concerning the personal information it collects and maintains. Some of the questions you should be asking include:
    • For what purposes do we collect it?
    • How do we ensure that it can only be used for those purposes?
    • How do we ensure that we have the consent of the individual to collect and use it?
    • How can it be kept secure?
    • What do we do with it when we don’t need it any more?
    • With whom do we share it?
       
  4. Based upon the review, develop a privacy policy and complaints process. For some examples of privacy policies, see the following websites:
    • Optimum Frontier Insurance Company
    • Association for Information Management Professionals
    • United Way of Greater Toronto (click on Privacy Policy)
    • Siteopath Web Services
    • World Wildlife Fund
    • Compasstax Chartered Accountants

  5. Update any forms (paper or electronic) that you use to collect personal information and any contracts you have with employees, suppliers, marketing firms, fundraising companies, and other organizations that involve collection or transfer of personal information.
     
  6. Make sure you have a way to deal with opt-outs. You don’t want to be sending appeal letters to people who have said they don’t want to receive them.
     
  7. Update your data security systems and file management procedures to ensure that personal information is protected from unauthorized access.
     
  8. Train your employees and volunteers. They should sign a confidentiality statement (see the example on the volunteer application of the Alberta Shock Trauma Air Rescue Society) and have a good understanding of your policies and practices. They should know who is responsible for dealing with inquiries and complaints.
     
  9. Make your policy available. It should be easily accessible to anyone who wants to see it.

ROLE OF THE BOARD OF DIRECTORS

In a booklet titled “Privacy and Boards of Directors: What You Don’t Know CAN Hurt You” (PDF), the Ontario Privacy Commissioner lists five actions that boards must take:

  1. Directors should ensure that they receive appropriate training in privacy and that there is some privacy expertise on their board.
     
  2. Directors should ensure that at least one senior manager has been designated to be accountable for the organization’s privacy compliance.
     
  3. Directors should ensure that privacy compliance is a part of senior management performance evaluation and compensation.
     
  4. Directors should ask senior managers to undertake periodic privacy self-assessments and privacy audits and to report to the board on these activities on a regular basis.
     
  5. Directors should ensure that they ask senior management the right questions about privacy practices in their organization.

ONLINE REFERENCES

Personal Information Protection and Electronic Documents Act (complete)

Privacy Law and Governance in the Non-profit Sector (part 1) by Jeffrey H. McCully.

Privacy Law and Governance in the Non-profit Sector (part 2) by Jeffrey H. McCully.

“Donor Lists Protected As Charitable Property Under Canadian Charity Law”, Charity Law Bulletin No. 15 – July 25, 2002, by Jacqueline M. Connor, Mervyn F. White, and Terrance S. Carter

Privacy Compliance: What Churches and Charities Need to Do by January 1, 2004 (PDF) by Mark J. Wong, B.A., LL.B.

“January 1, 2004: Privacy Legislation. Are You Ready?”, Privacy Communiqué Newsletter, November 2003, by Jennifer E. Babe

Information and Privacy Commissioner/Ontario

Federal Privacy Commissioner

Privacy 101: A Guide to Privacy Legislation for Fundraising Professionals and Not-For-Profit Organizations in Canada (Version I) (PDF) by a cross-sector working group representing: Association of Fundraising Professionals (AFP), Association for Healthcare Philanthropy (AHP), Association of Professional Researchers for Advancement (APRA), and Canadian Centre for Philanthropy (CCP)

The PIPEDA Privacy Principles: A Guide for Associations and Nonprofit Organizations (PDF) by Association Xpertise Inc.

Does The New Privacy Law Apply To My Organization? by David T. S. Fraser.

TO CANCEL THIS NEWSLETTER

Nonprofit News from Nathan is an irregular e-newsletter that I prepare when I have both time and some genuinely interesting news for managers and board members of nonprofit organizations.

If you don’t want to receive more e-mails from me, send a "remove-me" message.

If you feel like dropping me a line for some other purpose, send me an e-mail message.

Nathan Garber
Nathan Garber & Associates
Training and Consulting for the Nonprofit Sector
http://garberconsulting.com

ABOUT NATHAN GARBER & ASSOCIATES

We offer training and consulting services, specializing in board development and strategic planning for nonprofit organizations.

Our website contains many free help-sheets, articles, and links to useful resources on governing and managing nonprofit organizations.

If you are thinking about board training, evaluation, or strategic planning, I hope you’ll give us an opportunity to discuss your needs. Find out more at http://garberconsulting.com or phone (519) 439-3008.

Nathan Garber & Associates
Training and Consulting for the Nonprofit Sector
1071 Richmond Street, London, Ontario, Canada  N6A 3K1
tel: (519) 439-3008  fax: (519) 439-3008

Nathan@GarberConsulting.com