The Effect of Bill C-6 “Privacy Act” Legislation
By TERRANCE S. CARTER, B.A., LL.B.
(assisted by Mervyn F. White)
CHARITY LAW BULLETIN No. 5 – April 29th, 2001
Bill C-6, otherwise known as the Personal
Information Protection and Electronic Documents Act (the “Privacy Act”) was
passed on April 4th, 2000, and Part I came into effect on January 01, 2001. It
is the first privacy legislation dealing with the private sector in Canada. The
following is a brief introduction to the legislation, and an illustration of
some of the ways that it will impact upon charities.
Purpose of the Privacy Act
The Privacy Act is concerned
with the protection of personal information in the context of electronic
commerce, as well as the electronic means by which such information is
communicated and recorded. There is a myriad of different ways in which
personal information is gathered over the internet on a daily basis: through
registration and contest entry forms, when on-line purchases take place,
through the use of “cookies” and data mining, and through the use of various
software that can create “pictures” of domain users for their hosts. This brief
summary will focus on Part 1 of the Privacy Act which has as its stated
purpose:
“to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information for purposes that a reasonable person would consider appropriate in the circumstances.”
Part 1 will have an obvious effect on charities that engage in fundraising
activities on the internet. In order to understand the applicability of this
legislation, it is necessary to look at s.4(1) which sets out the scope of Part 1:
s.4(1) This part applies to every organization in respect of personal information that:
(i) the organization collects, uses or discloses in the course of commercial activities, or
(ii) is about an employee of the organization and that the organization collects, uses or discloses in connection with the operation of a Federal work, undertaking or business
In order to understand the relevance of s.4(1), some definitions must be understood. First, “Organization” is defined in the Act as including:
“an association, a partnership, a person, a trade union, and both unincorporated and incorporated charities.” [emphasis added]
Secondly, “Commercial Activity” is defined in the Privacy Act as:
“Any particular transaction, act or conduct or any regular course of conduct that is of a commercial character including the selling, bartering or leasing of donor, membership or other fundraising lists.” [emphasis added]
It should be noted that the Privacy Act will only apply to personal information that is collected, used or disclosed inter-provincially or internationally and will apply to intra-provincial transactions three years after it has come into force. Nevertheless, the reality of the internet is that it is global in scope, so Charities using the internet to solicit fundraising should consider their message as extending beyond the boundaries of the province in which they operate.
It is therefore evident that the Privacy Act will apply to Charities that engage in fundraising on the internet. Specifically, it may impact as follows:
(a) Commercial “Conduct”:
In the broader sense, Charities may
be engaging in “conduct that is of a commercial character” over the internet
through fundraising campaigns that include some benefit coming to the donor.
For instance, if raffle tickets or tickets to a charity dinner and auction are
being sold, or other similar transactions are taking place via the internet,
then this could fall within the parameters of commercial conduct. Moreover,
when the Charity requests that order forms, etc., are completed on-line, it is
‘collecting’ and ‘using’ that personal information. In this regard, Charities
must ensure that they are complying with the legislation in the way that they
are collecting, using and disclosing the information.
(b) Donor, Membership or other Fundraising Lists:
The definition of commercial activity
in the legislation includes the “selling, bartering or leasing of donor,
membership or other fundraising lists.” Therefore, the legislation will apply
to charities which have acquired lists of names from other organizations for
the purpose of contacting those persons as prospective donors. Conversely, the
legislation would apply to charities from which other organizations have
acquired name lists as well. In this regard, charities that are involved in the
acquisition or distribution of name lists must ensure that they are complying
with the legislation in the way that the information contained in those lists
is collected, used and disclosed.
Complying With the Privacy Act:
For those charities to which the Privacy Act applies, there are very strict information control and management provisions that must be complied with. These provisions are adopted from the National Standard of Canada Model Code for the Protection of Personal Information (the “CSA Model Code”), which is included as Schedule 1 to the Privacy Act. The CSA Model Code is comprised of ten principles which are briefly set out below:
1. Accountability: The organization must be responsible for complying with the
CSA Model Code, and must designate an individual or individuals to be
accountable in this regard. The organization must also implement policies to
give effect to the CSA Model Code including means of establishing procedures to:
- protect personal information;
- receive and respond to complaints;
- train staff regarding these policies; and
- develop explanatory information regarding these policies.
2. Identifying Purposes:
The purposes for which information is collected must be identified,
documented, and communicated to the individuals whose personal information is
being collected either prior to or at the time of its collection. Furthermore,
where the information collected is going to be used for a new purpose not
originally communicated, the individual whose information is going to be used
must be informed of such, and his or her consent must be obtained.
3. Consent:
The individual whose information an organization wishes to collect, use or
disclose must give prior consent to this happening. In addition, the
organization must make a reasonable effort to ensure that the individual
consents freely. In this regard, the purposes for which an individual’s personal
information is being collected, used or disclosed must be communicated to the
individual in a manner which he or she can reasonably be expected to
understand. Furthermore, an organization must not require an individual to
consent to the collection, use or disclosure of personal information as a
condition of the organization supplying a product or service, except that
information that is required to fulfil the explicitly specified and legitimate
purposes connected to that product or service. Finally, an individual may
withdraw consent at any time subject to legal or contractual restrictions and
reasonable notice.
4. Limiting Collection: Personal information must only be collected for
necessary and identified purposes, and only by fair and lawful means.
5. Limiting Use, Disclosure and Retention: Personal information must only be
used for consented to purposes, and may only be retained as long as is
necessary to fulfill those purposes.
6. Accuracy:
Personal information must be routinely kept up to date and accurate.
7. Safeguards:
Safeguards appropriate to the nature and form of personal information must
be implemented.
8. Openness:
An organization must ensure that its policies and practices for the
management of personal information are made readily available.
9. Individual Access: Upon
request from an individual, the organization must inform that individual of the
existence, use and disclosure of his or her personal information and provide
access thereto.
10. Challenging Compliance: The organization must have a process in place to receive,
investigate and address complaints from individuals who wish to challenge the
organization’s compliance with the CSA Model Code principles.
Consequences of Non-Compliance:
An individual may submit a written complaint to the Privacy Commissioner who may conduct an investigation if there are reasonable grounds. The Privacy Commissioner will submit a report within one year, after which the individual may apply to the court for a hearing. The court may impose various penalties on an organization found to be in contravention of the Privacy Act, including:
· ordering an audit of the personal information management practices of the organization;
· publishing information regarding the information management practices of the organization;
· ordering that the organization correct its practices, and publish steps taken by the organization to do so; and
· awarding damages to the Complainant, including damages for humiliation suffered.
It is clear that Bill C-6 will have an impact in the future, and charities
should consider the new Privacy Act to determine if it applies to them and, if
so, ensure that they are in compliance with it.
Terrance S. Carter practices at
Carter and Associates in Orangeville, Ontario and is affiliated with and
counsel to Fasken, Martineau, DuMoulin LLP in Toronto, Ontario. He specializes
in the area of charity and not-for-profit law.
DISCLAIMER: This Legal Update is
provided as an information service to our clients and is a summary of legal matters.
It is not meant to be a legal opinion. Readers are cautioned not to act on
information provided herein without seeking specific legal advice with respect
to their unique circumstances. Comments and suggestions are welcome.
BARRISTERS, SOLICITORS & TRADE-MARK AGENT
211 Broadway, P.O. Box 440
Orangeville, Ontario, L9W 1K4
Telephone: (519) 942-0001
Fax: (519) 942-0300