A note from Adam
A publication's mark of a well-received first edition is that there is a second issue. I want to thank all you readers for your comments both complimentary and constructive, please keep them coming. I send a special thanks to the many of you who sent the last edition on to their friends and associates.
This newsletter is intended as an aid and source of information to that sector of our society most actively involved in helping others, by forwarding this newsletter to them you are helping them to carry on their good work.
Thanks again,
Adam
Practical PIPEDA for Charities and NPOs - Part I
In my last newsletter, I discussed the applicability of the Personal Information Privacy and Electronic Documents Act ( PIPEDA ) to charities and not-for-profit organizations. In this edition, I will point out some of the practical aspects of PIPEDA that apply to for-profits, not-for-profits, and charities. This newsletter is the first part of what will be a three part series on the topic.
PIPEDA is based on the Canadian Standards Association's Model Code for the Protection of Personal Information. The code has ten principles, which, loosely categorized, govern the collection, use, and handling of personal information. A list of these principles and commentary on each of them is available at the website of the Privacy Commissioner of Canada .
There are three principles which deal with the collection of information, they are:
1) Identifying the purpose for which the information is collected.
2) Obtaining the consent of the person whose information you are collecting.
3) Limiting the collection of information.
1. Identifying the purpose
An organization must identify the reasons for which it is collecting personal information, and must do so before or at the time of collection. This may mean a purpose statement on a collection document, or it may mean a whole webpage dedicated to the purpose.
While I can provide precedent "Purpose Statements" for your organization's information collection, it is a dangerous practice to use non-customized statements and procedures. Therefore, I would recommend a statement customized for your organization's purposes. If at some point in the future the purpose for which you intend to use the information changes, you must notify the individual (and obtain their consent, see below). Please contact me if you would like to discuss your organization's particular needs.
2. Consent
Under PIPEDA , the organization must inform the individual of the purposes for the collection, use or disclosure of personal data and obtain their consent to do so. In practice, this will likely mean a check off box indicating consent beside a statement of purpose. The organization should keep records of consent given in case there is ever a complaint by an individual. Also , it should go without saying that that the individual must give consent willingly (i.e. consent is not obtained deceptively). Individuals must also be able to withdraw consent at any time (although you may explain the implications of withdrawing consent). If at any time your organizations wishes to use the data collected for some new purpose (for which you do not have consent), you must first obtain the individual's consent for this new purpose.
From a practical perspective, organizations should design consent clauses that are understandable and as explicit as possible. When obtaining consent from someone who does not have legal capacity to give consent (such as a minor or a mentally incapacitated individual) a legal guardian can give consent on his or her behalf. Finally, with respect to information your organization has already collected prior to PIPEDA coming into force, you do not need to recollect the information, but if you intend to use the information, you do need to inform the individual of the purposes for which you intend to use the information and obtain their consent.
Issues regarding consent may prove to be the most problematic for organizations, especially if they collect information from websites or by telephone, if you have any questions about what your particular situation please contact me.
3. Limit Collection
The collection of personal information must be limited to that personal information which is necessary for the purposes identified by the organization and must be collected by fair and lawful means only. This objective is rather straightforward. Organizations should not be involved in warehousing information about individuals and must only collect the information they need for the purposes disclosed.
Being Charitable Tip:
In the new year tax rates are going to drop. While this is good news in general, it also means that the after-tax value of charitable donations will be worth less next year than this year. Consider informing your donors that they may be better off filling their pledge before the year-end. |
