Privacy Law Update

Published on August 29, 2019

Aug 2019 Charity & NFP Law Update

Federal Government Announces Cybersecurity Voluntary Certification Program

In a news release issued on August 12, 2019, the federal government announced the establishment of CyberSecure Canada, a new voluntary federal certification program that will make cyber security more accessible to small to medium enterprises, including charities and NFPs. To obtain certification, organizations will be required to implement thirteen baseline security controls outlined by the Canadian Centre for Cyber Security, including, among others, developing an incident response plan, using strong user authentication, securing cloud and outsourced IT services, securing portable media and implementing access control and authorization. Organizations will be evaluated on their implementation of the criteria and, if certified, will be given a CyberSecure Canada certification identifier/logo to use on their website to demonstrate compliance. Organizations will have to recertify periodically. CyberSecure Canada is part of a larger National Cyber Security Strategy and supports the “Safety and Security” principle – focused on keeping Canadians safe in the digital world – part of Canada’s Digital Charter that was reported on in Charity & NFP Law Bulletin No. 449.

Certification is no guarantee of protection from cyber threats. However, charities and NFPs that implement the baseline security controls may reduce their exposure to cyber threats and may be better prepared and equipped to deal with any breaches that do occur. Further, boards of directors of charities and NFPs should be prepared to manage cyber security risk just as they manage other enterprise risks. Ensuring that the organization obtains certification could help demonstrate that the board of directors of a charity or NFP is acting with due diligence in overseeing and managing organizational cyber risk.

Ontario Privacy Commissioner Releases 2018 Annual Report

On June 27, 2019, the Information and Privacy Commissioner of Ontario (“IPC”) presented the 2018 Annual Report, Privacy and Accountability for a Digital Ontario (“Report”), providing an overview of developments in access to information and privacy matters in Ontario during 2018. In terms of privacy, the Report touches on a broad range of topics. Among others, it cites the increasing number of cyberattacks and reminds organizations of the importance of having appropriate security measures in place as well as a privacy breach protocol. The Report also indicates that the increased use of video surveillance by both government and the private sector has resulted in the collection of more personal information and increased tracking of individuals in their daily lives, with significant privacy implications. In this regard, the IPC recommends balancing privacy and public safety interests by limiting surveillance and the amount of personal information retained. The Report also touches on the European Union’s General Data Protection Regulation (“GDPR”), which came into effect in May 2018 and which, as outlined in Charity & NFP Law Bulletin No. 419, may have implications for Canadian charities and NFPs. While the GDPR is not overseen or enforced by the IPC, the IPC has developed a Privacy Fact Sheet on the GDPR that may be of assistance to charities and NFPs seeking general information about it.

The Report also addresses a broad range of health privacy matters, including new breach reporting requirements and cyberattack concerns. It indicates that over 6,000 health-related privacy breaches resulted from misdirected faxes, and recommends that Ontario implement a strategy to eliminate dependence on fax machines for the delivery of personal health information. Finally, the Report provides various recommendations going forward, including tests being carried out on the use of artificial intelligence to detect and deter snooping and other inappropriate access to personal health information.

Canadian Bar Association Submission on Transfers of Information for Processing

As discussed in the June 2019 Charity & NFP Law Update, the Office of the Privacy Commissioner of Canada (“OPC”) initiated a consultation on data transfers for processing (“Consultation”), reversing its own longstanding position by characterizing the cross-border transfer of personal information for processing as a “disclosure” of personal information within the meaning of the Personal Information Protection and Electronic Documents Act (“PIPEDA”), which would require consent, rather than as a “use”, which would not. In response to the Consultation, the Canadian Bar Association’s Privacy and Access Law and Charities and Not-for-Profit Law Sections made a joint submission (“CBA Submission”) addressing the larger issues raised by the Consultation. At a high level, the CBA Submission takes the position that (1) transfers for processing are “uses” rather than “disclosures” under PIPEDA; (2) consent is not required under PIPEDA for such transfers; and (3) most cases do not fit the unique facts of the Equifax Report of Findings discussed in the September 2017 Charity & NFP Law Update, so a reinterpretation of PIPEDA should not be required. The CBA Submission concludes that such a significant change in the OPC’s position would eliminate the existing consistency in the legal regime and introduce uncertainty in the law, and states that if the change is to be made, it should occur through the federal Parliamentary process.

Of particular note to charities, the CBA Submission specifically addresses the potential impact of this policy change on organizations such as charities and NFPs that are either subject to PIPEDA or that voluntarily follow PIPEDA or the underlying CSA Model Code, as discussed in Charity & NFP Law Bulletin No. 437. The CBA Submission points out that by reversing its well-settled position that a transfer for processing is a “use” of information and not a “disclosure”, and by requiring meaningful consent, and possibly even express consent, to such transfers, the OPC would impose additional costs and onerous requirements on a sector that needs “to do more with less” and is facing a steady decline in charitable giving. The CBA Submission advises that these requirements would consume resources that could otherwise be deployed in achieving charitable or not-for-profit purposes, cause delays, and curtail a charity’s ability to fulfill its mandate, especially in the international context.

Read the August 2019 Charity & NFP Law Update