In Alberta, both federal and provincial privacy statutes govern the collection, use and disclosure of personal information. These are the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Alberta Personal Information Protection Act (PIPA), which impact for-profit entities as well as charities and not-for-profit organizations. When an organization falls within the scope of either PIPEDA or PIPA, it must obtain an individual’s consent before collecting, using and disclosing that individual’s personal information (subject to certain exceptions).
In addition, the Alberta Charitable Fund-raising Act (CFA) affects the way that charitable organizations and fund-raising businesses deal with personal information. It is important that charities and non-profits be aware of each of these statutes and how they apply.
What is Personal Information?
The definition of “personal information” is broad and refers to information about an identifiable individual. Examples of personal information include personal descriptors such as an individual’s name; health information; identification numbers; financial information and other information such as marital status.
Personal information does not include the name, title or business address or telephone number of an employee of an organization.
When do PIPEDA and PIPA apply to charities and not-for-profit organizations?
PIPEDA applies to all private sector organizations, including charities and not-for-profit organizations, that collect, use or disclose personal information in the course of “commercial activity”, unless a “substantially similar” provincial law is in effect. Because PIPA has been declared substantially similar to PIPEDA, PIPA will instead apply where the collection, use and disclosure of personal information occur within Alberta.
Similar to PIPEDA, PIPA applies to personal information that is in the custody or control of a non-profit organization if it is collected, used or disclosed by the organization in connection with a commercial activity carried out by the non-profit organization.
Unlike PIPEDA, PIPA has separate rules that apply to “non-profit organizations”, which are defined as organizations incorporated or registered under specific Alberta legislation – the Societies Act, the Agricultural Societies Act, or Part 9 of the Companies Act. These rules confirm that PIPA applies only to non-profit organizations to the extent that the organization collects, uses or discloses personal information in connection with commercial activities.
It is possible for a given charity or not-for-profit organization to be subject to one, both or neither of these Acts. This will depend on the activities of the organization, particularly whether it engages in “commercial activity” and the way in which that commercial activity is carried out.
What is Commercial Activity?
“Commercial activity” refers to any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists. Other examples of commercial activity include the sale of merchandise or services and events or performances for which an admission fee is charged. The acceptance of donations or the provision of free services would not fall within the definition of commercial activity.
Sometimes it will not be clear whether a charity or non-profit organization is collecting, using or disclosing personal information in the course of or in connection with a commercial activity such that PIPEDA or PIPA will apply. For this reason, it may be practical for an organization to use a consent process in relation to all personal information that it collects, uses or discloses.
When PIPEDA or PIPA applies, how must consent be obtained?
PIPEDA and PIPA contain similar requirements for obtaining consent to the collection, use and disclosure of personal information. Organizations must generally obtain the consent directly from the individuals whose information they will collect, use or disclose. Personal information can only be collected from another source if the individual consents to the collection of the information from the other source.
Consent may be given in writing or orally and may be given subject to reasonable terms, conditions or qualifications. Consent may be withdrawn or varied by an individual who gives reasonable notice to the organization. This can be done in the same manner in which consent was given.
Both PIPEDA and PIPA describe situations in which an organization may collect, use or disclose personal information without an individual’s express consent, though these rules will only apply in limited circumstances.
An organization may not, as a condition of supplying a product or service, require an individual to consent to the collection, use or disclosure of personal information beyond what is necessary to provide the product or service. Consent cannot be obtained by providing false or misleading information or using deceptive or misleading practices. Any consent provided or obtained under those circumstances will be void.
What must an organization do with the information it has collected?
Once personal information has been collected, an organization is limited to using it for purposes that are reasonable. Generally, an organization cannot use or disclose personal information for any purpose other than the particular purposes for which the information was collected.
An organization must protect personal information that is in its custody or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or destruction of the information. Recent amendments to PIPA require organizations subject to this Act to notify the Privacy Commissioner without unreasonable delay in the event of loss or unauthorized access to or disclosure of such information where there is a “real risk of significant harm to an individual as a result”. Failing to do so will constitute an offence and the organization could be liable for a fine of up to $100,000.00.
Application of Charitable Fund-raising Act to Personal Information
In Alberta, the fundraising activities of certain charitable organizations and fundraising businesses are also subject to the CFA. While the CFA primarily deals with how these organizations can conduct fund-raising activities (including the solicitation of donations and the keeping of records) and the information that must be provided to donors and potential donors, it also impacts how these organizations must handle the information that they collect in the process. Most notably, sections 4 and 5 of the Standards of Practice created pursuant to the CFA provide that:
- Charitable organizations and fund-raising businesses must give donors the opportunity to have their names removed from lists that are sold, rented, or exchanged with other organizations.
- Charitable organizations and fund-raising businesses must not disclose any personal and confidential information about donors or prospective donors outside the work environment, and within the work environment only as appropriate.
The CFA and Standards of Practice must be followed by organizations formed for a charitable purpose, regardless of whether they are a registered charity. Organizations that fail to comply risk suspension or cancellation of their registration (in the case of a charitable organization) or license (in the case of a fund-raising business). Alternatively, terms and conditions may be imposed on the organization’s registration or license.
Miller Thomson’s lawyers would be pleased to assist with all privacy related questions and issues.