The Anglican Diocese of Calgary (“Diocese”) was ordered to review its privacy policies by the Alberta Office of the Information and Privacy Commissioner (“OIPC”). An order published March 26, 2021 (the “OIPC Order”) describes the case of a minister of the Diocese, who complained to the OIPC (the “Complainant”). He alleged that his personal information was mishandled when it was sent to over 100 other clergy and employees of the Diocese in contravention of the Alberta Personal Information Protection Act (“PIPA”).

The Complainant participated in a blessing of a same-sex couple’s civil marriage along with several other Anglican ministers in September 2016. The Complainant and the other participating ministers sent a memo to the Archbishop, Anglican Synod, and parishioners with information about the blessing and their reasons for participating in it (the “Memo”). In a meeting on September 30, 2016, the Complainant received a letter, signed by the Archbishop, warning him that further participation in blessing same-sex unions would result in disciplinary measures (the “Response Letter”). On November 24, 2016, the Archbishop sent an e-mail to “the entire Clergy of Calgary,” according to the OIPC Order, with attachments including a letter (“Clergy Letter”), a copy of the Memo and the Response Letter (collectively, the “Attachments”). The Complainant stated that the Memo included his personal information and was sent to approximately 65 parishes, each with clergy, curates and associates, in addition to retired clergy and employees of the Diocese. An investigation by the OIPC was requested.

The OIPC found that the Diocese is an “organization” for the purposes of PIPA. Although some “non-profit organizations”, as defined in s 56(1)(b) of PIPA, are not subject to PIPA, in this case, the OIPC found that the Diocese did not fall within that definition and that therefore PIPA applies to the Diocese “in full.” The OIPC considered whether the information released about the Complainant constituted “personal employee information”. Finding that the Complainant was an employee of the Diocese, the OIPC concluded that the release of the information concerning the Complainant was not provided for the purpose of managing the Complainant’s employment, as required to permit disclosure of personal employee information without consent under PIPA. Although the Diocese took the position that the Response Letter was not a formal disciplinary letter, the OIPC found it to be the “type of communication that would be filed on an employee’s personnel file, as a written warning preceding formal disciplinary action.” As the Response Letter clearly had disciplinary or corrective implications, it had a personal dimension and was therefore the Complainant’s personal information for the purposes of PIPA. Therefore, the Diocese “used or disclosed the Complainant’s personal information” when the Archbishop sent the Attachments.

On the issue of consent, the OIPC stated that it was clear that the Complainant had not explicitly consented to the use or disclosure of the Response Letter under section 8(1) of PIPA and rejected the Diocese’s argument that he could be deemed to have consented to the circulation of  the Response Letter. The OIPC concluded that the Response Letter did not fall within any of the categories of “publicly available information” under PIPA and that therefore the Diocese did not have authorization to disclose the Complainant’s personal information on that basis, nor was there any information to demonstrate that the use of disclosure was for the purposes of an “investigation” into the Complainant’s activities. The OIPC found no other statutory authorization and concluded that the Diocese did not meet its burden to show that the use and disclosure of the Complainant’s personal information was authorized.

According to the OIPC Order, “all organizations must follow the same rules.” As Section 6(1) of PIPA requires an organization “to develop and follow policies and practices that are reasonable” to meet obligations under PIPA, the OIPC ordered the Diocese to “review its current policies, or create policies, regarding how it handles the personal information of clergy.” The OIPC also ordered the Diocese to train its staff regarding its privacy obligations under PIPA.

This order demonstrates the potential pitfalls of disclosing personal information. Charities and not-for-profits should ensure that they understand their obligations with respect to the use and disclosure of personal information, that they have appropriate policies and procedures in place with respect to these obligations and that their staff and volunteers receive ongoing privacy training.