Privacy Information for Nonprofit Organizations in Alberta

Transcript of Privacy Information for Nonprofit Organizations in Alberta

Page 1: Privacy Information for Nonprofit Organizations in Alberta

Privacy for Nonprofit Organizations

www.volunteeralberta.ab.ca

Page 2: Privacy Information for Nonprofit Organizations in Alberta

What we will cover today

• What is privacy and why should we care?
• What is the Personal Information Protection Act (PIPA)?
– Who and what does PIPA apply to?
• PIPA and privacy principles
• How to implement good privacy practices

Page 3: Privacy Information for Nonprofit Organizations in Alberta

Part 1 Privacy and PIPA Primer

© Volunteer Alberta

Page 4: Privacy Information for Nonprofit Organizations in Alberta

What is Privacy?

Page 5: Privacy Information for Nonprofit Organizations in Alberta

Public Expectations

March 2009 survey – EKOS Research
• Canadians are becoming more vigilant about guarding their personal information
• 62% agree that protecting personal information will be one of the most important issues in the next 10 years
• 60% believe that their information is less protected than it was 10 years ago
• 34% believe companies have adequate mechanisms in place to safeguard personal information

Page 6: Privacy Information for Nonprofit Organizations in Alberta

Privacy in the news

Page 7: Privacy Information for Nonprofit Organizations in Alberta

Privacy in the news

Page 8: Privacy Information for Nonprofit Organizations in Alberta

Threats to privacy

Impact of technology
• Modern threats to privacy chiefly arise in the collection and use of information about us
• Privacy used to be protected by default – the nature of paper records
• Electronic records diminish the barriers of time, distance and cost that once guarded privacy

Page 11: Privacy Information for Nonprofit Organizations in Alberta

Poor privacy practices have consequences

For example:
• Financial fraud
• Harm to reputation – organizational or personal
• Social stigmatization
• Loss of clients, customers or donors

Page 12: Privacy Information for Nonprofit Organizations in Alberta

The privacy landscape

• Health Information Act (HIA)
– E.g., Hospitals, family doctors
• Freedom of Information and Protection of Privacy Act (the FOIP Act)
– E.g., Government of Alberta, towns and cities, public schools
• Personal Information Protection Act (PIPA)
– E.g., Retailers, non-profit organizations...more in a moment
• PIPEDA (federal)
– E.g., Major banks, telecommunications companies

Page 13: Privacy Information for Nonprofit Organizations in Alberta

What is PIPA?

• The Personal Information Protection Act balances
– the right of an individual to have his or her personal information protected, and
– the need of organizations to collect, use or disclose personal information for purposes that are reasonable
• Provides “common sense” rules for collection, use and disclosure of personal information by private-sector organizations
• Provides a right of access to own personal information; right to have errors corrected

Page 14: Privacy Information for Nonprofit Organizations in Alberta

PIPA applies to “organizations”

• Includes:
– corporations
– partnerships
– unincorporated associations
– trade unions
– some non-profits (s. 56)
– individuals acting in commercial capacity (e.g., sole proprietorship)

Page 15: Privacy Information for Nonprofit Organizations in Alberta

PIPA does not apply to…

• Does not include:
– personal or domestic uses
– courts
– journalistic, artistic, literary uses
– public body or information under FOIP Act
– information captured by PIPEDA

Page 16: Privacy Information for Nonprofit Organizations in Alberta

Non-profit organizations (s.56)

• “Non-profit organizations” are defined as organizations:
– incorporated under the Societies Act
– incorporated under the Agricultural Societies Act
– registered under Part 9 of the Companies Act
• PIPA only applies to “non-profit organizations’” collection, use or disclosure of personal information in connection with a commercial activity
• All other not-for-profit organizations must comply with PIPA for all their activities

Page 17: Privacy Information for Nonprofit Organizations in Alberta

“Commercial activity”

• Defined in the Act as… “…any transaction, act or conduct, or…any regular course of conduct that is of a commercial character”
• Commercial activity:
– selling, bartering, leasing membership, donor or other fundraising lists
– operating a private school, ECS program, or private college

Page 18: Privacy Information for Nonprofit Organizations in Alberta

“Commercial activity”

• Commercial activity:
– sale of merchandise by catalogue or Internet
– offering a conference or training session for a fee
• Not likely to be commercial activity:
– donations where no product or service is exchanged
– offering free newsletter
– providing free services
– payment of membership fee

Page 19: Privacy Information for Nonprofit Organizations in Alberta

It’s all about “personal information”

• Information about an identifiable individual (e.g. members, clients, donors, employees, volunteers)

• Includes:
– name
– birth date
– address
– identification numbers (SIN, employee ID)
– physical description
– education qualifications
– financial information

• Applies whether recorded or not (written, oral, video, pictures, biometrics, etc.)

Page 20: Privacy Information for Nonprofit Organizations in Alberta

PIPA principles

• Collect personal information only for reasonable purposes
• Collect only the information that is needed
• Collect directly from the individual (unless consent or Act permits otherwise)
• Inform the individual why information is being collected, and how it will be used and disclosed
• Obtain consent (unless Act permits otherwise) – respect withdrawal of consent

Page 21: Privacy Information for Nonprofit Organizations in Alberta

PIPA principles

• Use and disclose personal information only for purposes for which it was collected (unless consent or Act permits otherwise)

• Ensure personal information is accurate for the purpose – reasonable effort

• Safeguard personal information from unreasonable risks
• Keep information only for as long as it is reasonably needed

Page 22: Privacy Information for Nonprofit Organizations in Alberta

PIPA principles

• On request, provide individuals with access to their own personal information, when reasonable; correct errors

• Designate a “privacy contact”
• Develop policies and procedures for compliance

Page 23: Privacy Information for Nonprofit Organizations in Alberta

PIPA Amendments

• In force May 1, 2010
• No changes to the special rules for non-profits
• New security breach notification rules

Page 24: Privacy Information for Nonprofit Organizations in Alberta

Role of the Office of the Information and Privacy Commissioner

The OIPC is the independent oversight body for:

• The FOIP Act
• HIA
• PIPA

Page 25: Privacy Information for Nonprofit Organizations in Alberta

Part 2 Implementing Privacy Practices to Protect Personal Information

Page 26: Privacy Information for Nonprofit Organizations in Alberta

Know your status

• Is your organization required to comply with PIPA?

Page 27: Privacy Information for Nonprofit Organizations in Alberta

Know what you have

• What types of personal information does your organization collect about its members, clients, donors, employees and volunteers?

Page 28: Privacy Information for Nonprofit Organizations in Alberta

Know why you have it

• Organizations may collect, use and disclose personal information only for reasonable purposes

Page 29: Privacy Information for Nonprofit Organizations in Alberta

Choose a privacy contact person

• Choose someone in the organization to be responsible for ensuring questions about collection of personal information and general privacy practices are answered

Page 30: Privacy Information for Nonprofit Organizations in Alberta

Get consent – give notice

• Organizations subject to PIPA need consent to collect, use or disclose personal information, unless the Act permits otherwise
• Tell (notify) individuals what information is being collected and how it will be used

Page 31: Privacy Information for Nonprofit Organizations in Alberta

Employees and volunteers

• Organizations subject to PIPA do not have to obtain consent from employees or volunteers to collect, use or disclose their personal information
– when the information is reasonably required for establishing, managing or terminating the employment or volunteer relationship, and
– notice has been given about the collection, use or disclosure

Page 32: Privacy Information for Nonprofit Organizations in Alberta

Safeguard personal information

• An organization must protect personal information in its custody or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification or disposal or similar risks.

Page 33: Privacy Information for Nonprofit Organizations in Alberta

Access

• An individual can ask an organization
– what personal information the organization has about him or her
– how that information was used
– to whom the information was disclosed
• The individual can also request to see his or her own personal information
• Organizations must not give out information about other individuals

Page 34: Privacy Information for Nonprofit Organizations in Alberta

Privacy policy/statement

• Privacy policy for organizations subject to PIPA
• Privacy statement as best practice for organizations not subject to PIPA

Page 35: Privacy Information for Nonprofit Organizations in Alberta

Resources

• PIPA website: http://pipa.alberta.ca/
• PIPA Information Line, Service Alberta
– email: [email protected]
– phone: 780-644-7422 (Toll free dial 310-0000 first)
• Office of the Information and Privacy Commissioner
– website: www.oipc.ab.ca

Page 36: Privacy Information for Nonprofit Organizations in Alberta

• creating possibilities in Alberta’s voluntary sector by strategically connecting leaders, members, organizations and networks.

Page 37: Privacy Information for Nonprofit Organizations in Alberta

Where are Alberta’s Volunteer Centres?

• Airdrie
• Banff
• Brooks
• Calgary
• Camrose
• Canmore
• Cochrane
• Edmonton
• Fort Saskatchewan
• Grande Prairie
• Hanna
• High River
• Hinton
• Leduc
• Lethbridge
• Medicine Hat
• Okotoks
• Oyen
• Red Deer
• Rimbey
• Rocky Mountain
• St. Albert
• Stettler
• Stony Plain
• Strathcona County
• Sylvan Lake
• Vegreville
• Wood Buffalo

Page 38: Privacy Information for Nonprofit Organizations in Alberta

Online Resources – Bookmark Five for Free

Projects funded by Alberta Law Foundation, The Muttart Foundation, The Co-operators, Alberta Voluntary Sector Insurance Council, Insurance Bureau of Canada, and Government of Alberta

Page 39: Privacy Information for Nonprofit Organizations in Alberta

Support the sector by purchasing a Volunteer Alberta Membership Online!

Page 40: Privacy Information for Nonprofit Organizations in Alberta

Visit our website!

Check out information on:

• Volunteer Alberta
• Sector News
• Resources
• Volunteer Centres
• Read VA’s Blog
• And more!

www.volunteeralberta.ab.ca

Page 41: Privacy Information for Nonprofit Organizations in Alberta

Volunteer Alberta can provide access to resources & experience

Toll Free (877) 915-6336
Phone (780) 482-3300
[email protected]

www.volunteeralberta.ab.ca
