Privacy for Nonprofit Organizations
www.volunteeralberta.ab.ca
What we will cover today
• What is privacy and why should we care?
• What is the Personal Information Protection Act (PIPA)?
  – Who and what does PIPA apply to?
• PIPA and privacy principles
• How to implement good privacy practices
Part 1 Privacy and PIPA Primer
© Volunteer Alberta
What is Privacy?
Public Expectations
March 2009 survey – EKOS Research
• Canadians are becoming more vigilant about guarding their personal information
• 62% agree that protecting personal information will be one of the most important issues in the next 10 years
• 60% believe that their information is less protected than it was 10 years ago
• 34% believe companies have adequate mechanisms in place to safeguard personal information
Privacy in the news
Threats to privacy
Impact of technology
• Modern threats to privacy chiefly arise in the collection and use of information about us
• Privacy used to be protected by default – the nature of paper records
• Electronic records diminish the barriers of time, distance and cost that once guarded privacy
Poor privacy practices have consequences
• For example
  – Financial fraud
  – Harm to reputation – organizational or personal
  – Social stigmatization
  – Loss of clients, customers or donors
The privacy landscape
• Health Information Act (HIA)
  – E.g., Hospitals, family doctors
• Freedom of Information and Protection of Privacy Act (the FOIP Act)
  – E.g., Government of Alberta, towns and cities, public schools
• Personal Information Protection Act (PIPA)
  – E.g., Retailers, non-profit organizations...more in a moment
• PIPEDA (federal)
  – E.g., Major banks, telecommunications companies
What is PIPA?
• The Personal Information Protection Act balances
  – the right of an individual to have his or her personal information protected, and
  – the need of organizations to collect, use or disclose personal information for purposes that are reasonable
• Provides “common sense” rules for collection, use and disclosure of personal information by private-sector organizations
• Provides a right of access to own personal information; right to have errors corrected
PIPA applies to “organizations”
• Includes:
  – corporations
  – partnerships
  – unincorporated associations
  – trade unions
  – some non-profits (s. 56)
  – individuals acting in commercial capacity (e.g., sole proprietorship)
PIPA does not apply to…
• Does not include:
  – personal or domestic uses
  – courts
  – journalistic, artistic, literary uses
  – public body or information under FOIP Act
  – information captured by PIPEDA
Non-profit organizations (s.56)
• “Non-profit organizations” are defined as organizations:
  – incorporated under the Societies Act
  – incorporated under the Agricultural Societies Act
  – registered under Part 9 of the Companies Act
• PIPA only applies to “non-profit organizations’” collection, use or disclosure of personal information in connection with a commercial activity
• All other not-for-profit organizations must comply with PIPA for all their activities
“Commercial activity”
• Defined in the Act as…
  “…any transaction, act or conduct, or…any regular course of conduct that is of a commercial character”
• Commercial activity:
  – selling, bartering, leasing membership, donor or other fundraising lists
  – operating a private school, ECS program, or private college
“Commercial activity”
• Commercial activity:
  – sale of merchandise by catalogue or Internet
  – offering a conference or training session for a fee
• Not likely to be commercial activity:
  – donations where no product or service is exchanged
  – offering free newsletter
  – providing free services
  – payment of membership fee
It’s all about “personal information”
• Information about an identifiable individual (e.g. members, clients, donors, employees, volunteers)
• Includes:
  – name
  – birth date
  – address
  – identification numbers (SIN, employee ID)
  – physical description
  – education qualifications
  – financial information
• Applies whether recorded or not (written, oral, video, pictures, biometrics, etc.)
PIPA principles
• Collect personal information only for reasonable purposes
• Collect only the information that is needed
• Collect directly from the individual (unless consent or Act permits otherwise)
• Inform the individual why information is being collected, and how it will be used and disclosed
• Obtain consent (unless Act permits otherwise) – respect withdrawal of consent
PIPA principles
• Use and disclose personal information only for purposes for which it was collected (unless consent or Act permits otherwise)
• Ensure personal information is accurate for the purpose – reasonable effort
• Safeguard personal information from unreasonable risks
• Keep information only for as long as it is reasonably needed
PIPA principles
• On request, provide individuals with access to their own personal information, when reasonable; correct errors
• Designate a “privacy contact”
• Develop policies and procedures for compliance
PIPA Amendments
• In force May 1, 2010
• No changes to the special rules for non-profits
• New security breach notification rules
Role of the Office of the Information and Privacy Commissioner
The OIPC is the independent oversight body for:
• The FOIP Act
• HIA
• PIPA
Part 2 Implementing Privacy Practices to Protect Personal Information
Know your status
• Is your organization required to comply with PIPA?
Know what you have
• What types of personal information does your organization collect about its members, clients, donors, employees and volunteers?
Know why you have it
• Organizations may collect, use and disclose personal information only for reasonable purposes
Choose a privacy contact person
• Choose someone in the organization to be responsible for ensuring questions about collection of personal information and general privacy practices are answered
Get consent – give notice
• Organizations subject to PIPA need consent to collect, use or disclose personal information, unless the Act permits otherwise
• Tell (notify) individuals what information is being collected and how it will be used
Employees and volunteers
• Organizations subject to PIPA do not have to obtain consent from employees or volunteers to collect, use or disclose their personal information
  – when the information is reasonably required for establishing, managing or terminating the employment or volunteer relationship, and
  – notice has been given about the collection, use or disclosure
Safeguard personal information
• An organization must protect personal information in its custody or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification or disposal or similar risks.
Access
• An individual can ask an organization
  – what personal information the organization has about him or her
  – how that information was used
  – to whom the information was disclosed
• The individual can also request to see his or her own personal information
• Organizations must not give out information about other individuals
Privacy policy/statement
• Privacy policy for organizations subject to PIPA
• Privacy statement as best practice for organizations not subject to PIPA
Resources
• PIPA website: http://pipa.alberta.ca/
• PIPA Information Line, Service Alberta
  – email: [email protected]
  – phone: 780-644-7422 (Toll free dial 310-0000 first)
• Office of the Information and Privacy Commissioner
  – website: www.oipc.ab.ca
• creating possibilities in Alberta’s voluntary sector by strategically connecting leaders, members, organizations and networks.
Where are Alberta’s Volunteer Centres?
• Airdrie
• Banff
• Brooks
• Calgary
• Camrose
• Canmore
• Cochrane
• Edmonton
• Fort Saskatchewan
• Grande Prairie
• Hanna
• High River
• Hinton
• Leduc
• Lethbridge
• Medicine Hat
• Okotoks
• Oyen
• Red Deer
• Rimbey
• Rocky Mountain
• St. Albert
• Stettler
• Stony Plain
• Strathcona County
• Sylvan Lake
• Vegreville
• Wood Buffalo
Online Resources – Bookmark Five for Free
Projects funded by Alberta Law Foundation, The Muttart Foundation, The Co-operators, Alberta Voluntary Sector Insurance Council, Insurance Bureau of Canada, and Government of Alberta
Support the sector by purchasing a Volunteer Alberta Membership Online!
Visit our website!
Check out information on:
• Volunteer Alberta
• Sector News
• Resources
• Volunteer Centres
• Read VA’s Blog
• And more!
www.volunteeralberta.ab.ca
Volunteer Alberta can provide access to resources & experience
Toll Free (877) 915-6336
Phone (780) 482-3300
[email protected]