Privacy Update
By Esther Shainblum and Martin U. Wissmath Sep 2023 Charity & NFP Law Update
Published on September 28, 2023
Federal Privacy Commissioner Promotes Privacy as ‘Fundamental Right’ in Annual Report

Protecting children’s privacy and online safety, keeping up with the impact of artificial intelligence on privacy, and preparing for potential privacy law reform are three strategic priorities identified by Canada’s privacy commissioner in the Office of the Privacy Commissioner of Canada’s (“OPC”) 2022–23 annual report to Parliament (the “Annual Report”) that will be of interest to charities and not-for-profits. The OPC’s Annual Report, Protecting and promoting privacy in a digital world, published on the OPC website on September 19, 2023, reports on privacy issues arising under the federal Privacy Act, which applies to federal government institutions, and under the Personal Information Protection and Electronic Documents Act (“PIPEDA”), which applies to federal works, undertakings or businesses and to the collection, use and disclosure of personal information in the course of a commercial activity and across borders. In the opening message of the Annual Report, Privacy Commissioner Philippe Dufresne promoted his “vision of privacy based on 3 key pillars”:
The Privacy Commissioner also outlined three “strategic priorities”:
The Annual Report includes a Year in Review of the investigations that the OPC had undertaken under PIPEDA. The OPC’s focus for investigations, as stated in the Annual Report, “remains on the need to protect Canadians’ fundamental right to privacy and to foster increased trust in the Canadian digital economy by helping private-sector organizations comply with privacy law.” According to the Annual Report, the OPC received and accepted 454 complaints under PIPEDA, an increase of 6% over the previous year, including two complaints against not-for-profit organizations.

Data breach reports also increased by 6% over the previous year, with 681 breach reports under PIPEDA, according to the Annual Report, while the OPC suspects that many breaches go unreported, or even undetected. The majority of breaches related to unauthorized access to personal information, more than half of which were attributed to cyber attacks using phishing, malware or compromised credentials to access organizations’ systems. The OPC advises organizations to make security a priority in order to protect against such attacks, and to deploy enhanced safety measures such as strengthening protections for employee credentials, applying security patches as they become available, and requiring two-factor or multi-factor authentication. The not-for-profit sector is not immune to data breaches: 36 reports – 5% of the total data breach notifications – related to not-for-profit organizations, according to the Annual Report’s statistical tables.

In addition, the Annual Report highlighted a 2021 OPC report of findings relating to a complaint about a charity that relied on opt-out (implied) consent to enlist donors in a donor list trading program. A donor on the list complained that the opt-out check box on the charity’s mail-in donation form was inadequate.
The OPC found that sharing donors’ names and addresses with third parties fell “outside the donors’ reasonable expectations”; that a donor’s name and address was sensitive information when combined with the information that they had donated to the respondent charity; that the information given to donors about the fact that their donation history and mailing address would be shared with third parties was “not sufficient to support meaningful consent”; that express opt-in consent was required to share such information; and that the charity did not obtain meaningful consent for its disclosure of donor information to other not-for-profit organizations. The charity agreed to implement the OPC’s recommendation to seek opt-in (express) consent, “and later elected to exit the donor list sharing program.” The Annual Report provides very useful information for charities and not-for-profits, which should be looking to PIPEDA as setting out privacy best practices, and learning from the examples of the breach investigations carried out by the OPC over the year.