Backgrounder on "PIPEDA" - Personal Information Protection and Electronic Documents Act

Published May 11, 2004

As of January 1, 2004 the Personal Information Protection and Electronic Documents Act (“PIPEDA”) applies to all organizations during the collection, use and disclosure of personal information in the course of any commercial activity within a province, as well as inter-provincial and international transactions. PIPEDA gives Canadians new legal rights when their personal information is collected, used or disclosed in the course of a commercial activity. The legislation addresses increasing public concerns over personal information practices of the private sector and establishes a new national privacy framework.

Purpose of the Legislation

The stated intent of PIPEDA is to establish rules that balance the right of privacy of individuals against the needs of organizations, but in practice such a perfect balance may not be achieved. A couple of things in PIPEDA push the scale in the favor of the individual. Firstly, PIPEDA states that privacy is a right of the individual. An organization, on the other hand, has needs and not rights. Secondly, the organization’s needs are defined to be the collection, use and disclosure of personal information but only for purposes that a reasonable person would consider appropriate.

PIPEDA applies in all provinces of Canada except those that have passed their own privacy legislation. Three provinces have done so (Québec, British Columbia and Alberta) and these provincial laws are very similar to PIPEDA. Sport organizations operating solely in these provinces should consult with their provincial legislation, in addition to becoming familiar with PIPEDA.

Definitions

A few of the key definitions of PIPEDA are reviewed here.

Organization

The word “organization” is used throughout PIPEDA and one must be aware that this word includes an association, a partnership, a person and a trade union. The definition of “person” in the Interpretation Act ensures that a “corporation” is included in the definition of “organization.” Also, PIPEDA is not limited to for-profit entities; therefore not-for-profit organizations are not excluded from the application of PIPEDA simply by virtue of being not-for-profit.

Personal Information

This definition requires that the information be about an identifiable individual and not merely associated with an individual. The individual must be identifiable and not necessarily identified such that the information need not be unique to the individual. The definition is open-ended as no specific examples are provided in the definition itself of what is personal information. Such personal information can be in several forms such as:

• Age, name, gender, ID number, ethnic origin, or blood type;
• Health history and conditions;
• Opinions, evaluations, comments, social status, or disciplinary actions; and
• Employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services or change jobs)

In contrast, it is explicitly described that “personal information” such as “name, title, business address or telephone number of an employee of an organization” is not considered personal information and PIPEDA does not apply.

Commercial activity

PIPEDA applies to every organization in respect of personal information collected, used, or disclosed in the course of a commercial activity. PIPEDA defines “commercial activity” as “ any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists”.

The definition tells us that PIPEDA can apply to the handling of personal information with respect to a little as one transaction or as much as the organization’s entire business, assuming they are of a “commercial character”.

There is little information at this time as to the meaning of “commercial character”. The jurisprudence dealing with the meaning of “commercial” tends to be taxation related. However, the specific inclusion of the selling, bartering or leasing of donor, membership or other fundraising lists was to dispel any doubt as to whether PIPEDA would apply to activities of not-for-profit organizations whose main handling of personal information has historically arisen from these types of activities. It is only the transaction, act or conduct or a particular course of conduct that must be of a commercial character, and not the entire organization’s raison d’être.

In summary, the threshold for what is “commercial” is very low. The Privacy Commissioner has confirmed that all marketing activity is commercial, and it is safe to say that all sales of products and services (including courses, programs, clinics, manuals, equipment) represent commercial activity. We are of the view that sport organizations should presume that all personal information they deal with is subject to the requirements of PIPEDA, and should act accordingly.

Grand-fathering

Where the collection, use or disclosure of personal information that is at issue occurred before PIPEDA applied to the organization in question, then PIPEDA will not, in retrospect, apply to that collection, use or disclosure of the personal information. However, there is no grand-fathering provision in PIPEDA. Therefore, on a going forward basis, an organization is required to comply with PIPEDA even with respect to information that it already had in its possession or custody prior to PIPEDA’s application to the organization. In practical terms, this means that information obtained previously can only be used for purposes identified previously, at the time of its collection – any new uses will require new consent.

An Organization’s Responsibilities

Schedule 1 of PIPEDA lists ten principles of fair information practices, which form ground rules for the collection, use and disclosure of personal information. If an organization chooses not to follow the recommendations provided in Schedule 1 there are potential negative consequences such as providing grounds for an individual or the Commission to initiate a complaint against the organization or providing grounds of the Commission to conduct an audit of the organization’s personal information management practices.

1. Accountability

An organization has a responsibility to comply with all ten principles of Schedule 1. This includes appointing an individual (or individuals) to be responsible for the organization’s compliance and to ensure that all personal information held by the organization or transferred to a third party for processing is protected. An organization is also responsible to develop and implement personal information policies and practices to ensure safety and protection of personal information.

2. Identify the Purpose

An organization will be responsible to identify before or when collecting personal information as to why it is needed and how it will be used. It will be necessary to document why the information is collected and to inform the individual from whom the information is collected as to this purpose. See Appendix 1 for examples of some reasonable purposes for collecting personal information in the sport context.

3. Obtain Consent

An organization is responsible to notify an individual the purposes for the collection, use or disclosure of personal data. Consent must be obtained before or at that the time of collection, as well as when a new use of the personal information is identified. Whether consent is obtained is determined upon the basis of the “reasonable person’ test. Consent may be either explicit or implied but should not be obtained by deceptive means. As well, consent may not be a condition for supplying a product or a service, unless the information requested is to fulfil an explicitly specified and legitimate purpose. See Appendix 2 for some examples of wording for obtaining consent.

4. Limit Collection

Personal information should not be collected indiscriminately. An organization must limit its collection of personal information to only the necessary information for its stated purposes. An organization must specify the type of information that it collects for its stated purposes as part of its information-handling policies and practices, required by the first privacy principle.

5. Limit use, disclosure and retention

Personal information should only be used or disclosed for the purpose for which it was collected, unless the individual consents, or if the use of the disclosure is authorized by PIPEDA. Personal information should not be disclosed to third parties unless the individual has consented to this disclosure. In sport settings, this is important as information is typically collected by local sport organizations (clubs or leagues), provincial sport organizations or national sports organizations and then shared among all three parties. Personal information should only be disclosed in this manner if consent for such disclosure has been obtained, and if all parties are compliant with PIPEDA.

Once collected, personal information should only be kept as long as necessary to satisfy the purpose of the organization. Guidelines and procedures should be in place for retaining and destroying personal information. Information that is no longer required should be destroyed, erased or returned back to the individual.

6. Be Accurate

An organization is responsible to keep personal information as accurate, complete and up-to-date as necessary, taking into account its use and the interests of the individual. To prevent the use of out-of-date information, organizations should record the date when the personal information was obtained or updated and thereafter record the steps taken to verify accuracy, completeness and timeliness of the information.

7. Use Appropriate Safeguards

It is essential to protect personal information against loss or theft. Information must be safeguarded against unauthorized access, disclosure or copying. In order to prevent such occurrences, an organization must develop and implement appropriate security safeguards to provide the necessary protection. Proper steps include having locked filing cabinets, restricting access to offices and installing an alarm system to prevent burglary. In regards to computers, passwords should be required to access terminals, firewalls should be established to eliminate hacker’s access to computers systems, and encryption codes should be implemented where necessary.

8. Be Open

Individuals have the right to view any personal information retained by an organization. Front-line staff should be familiar with the procedures for responding to individual inquiries, and information should be available to the public to determine which person within the organization is accountable for the organization’s privacy policies.

The information made available to individuals upon request shall include:

the name or title, and the address, of the person who is accountable for the organization’s policies and practices and to whom complaints or inquiries can be forwarded;

• the means of gaining access to personal information held by the organization;
• a description of the type of personal information held by the organization, including a general account of its use;
• a copy of any brochures or other information that explain the organization’s policies, standards, or codes; and
• what personal information is made available to related organizations (such as branches, subsidiaries, national offices, etc.).

9. Give Individuals Access

Individuals have a right to examine their personal information and challenge its accuracy and completeness. Organizations must describe what personal information they possess, providing an account of how it is used, and third parties to whom it has been disclosed. When it is not possible to list actual parties, a list must be provided of parties to whom the information may have been disclosed. If asked, organizations must also assist individuals to prepare a written access request.

10. Challenging Compliance

An organization must develop and implement a simple and easily accessible complaint procedure. Individuals should be aware of the recourses available to them, which would include the organization’s complaint procedure, those of industry associations, regulatory bodies and the Privacy Commissioner of Canada. An organization is required to investigate all complaints. If an organization finds that a complaint is justified, then the organization must take appropriate measures, including amending its policies and practices if necessary, to resolve the complaint.

Audits

PIPEDA gives the Privacy Commissioner the authority to audit an organization’s personal information management practices when he/she has reasonable grounds to believe the organization is not fulfilling its obligations under Part 1 of PIPEDA or is not respecting the recommendations of Schedule 1.

It is important for an organization to be aware of the circumstances that may lead the Commissioner to audit the personal information management practices of an organization. They include a series of complaints about a particular organization’s practice(s), information provided by an individual within the organization and any privacy-related issue receiving media attention.

Conclusion

PIPEDA attempts to create a level playing field by establishing identical rules for all businesses. It promotes the growth of electronic commerce by establishing a consistent, enforceable and consumer-friendly privacy environment.

Furthermore, an organization that protects personal information will likely satisfy government and regulatory requirements in Canada and also meet the requirements of a foreign jurisdiction’s privacy laws. For example, many European countries do not allow the transfer of personal information to an organization outside the country unless that organization has adequate privacy protection, such as is established through PIPEDA.

Commercial organizations in Canada have shown a tendency to turn the matter of PIPEDA compliance over to their law firm or their legal department. It should be noted that when preparing a privacy compliance strategy, the first step should NOT be to pull up a precedent policy, or talk to the managers, but to talk to the people who actually collect the information.

In a sport organization, the people who collect information are the front line staff and volunteers taking phone calls, receiving registration forms, and distributing membership packages, as well as people who work on your web site. A strategy to become compliant will typically require a consultation among most, if not all of an organization’s staff and key volunteers.

In conclusion, PIPEDA will, in the short term, require that organizations take substantive steps to change and improve the way they gather information from their members, market and promote their products and services, and communicate with the world through their web sites. Organizations that are proactive and do their homework in the short term, will find that achieving compliance in the long term is fairly easy. They can also derive satisfaction from having become more diligent and professional in their administrative and management practices.

Appendix 1 - Reasons to Collect Information

• A sport organization may collect, use and disclose any personal information if the purpose of the collection, use and disclosure is reasonable and the individual has consented to such purpose. Some examples of reasonable purposes and uses are shown below.
• Name, address phone number, cell phone number, fax number and e-mail address for communication of events, programs, fundraisers and information.
• NCCP number, education, resumes and experience for database entry at the Coaching Association of Canada to determine level of certification and coaching qualifications.
• Credit card information for registration at conferences, reserving hotel rooms, purchasing equipment, ordering manuals and other resources.
• Date of birth for athlete biography, media releases and to determine age group eligibility.
• Banking information, social insurance number, health card number, and beneficiaries for payroll, company insurance and health plan.
• Personal health information including provincial health card numbers, allergies, emergency contacts and past medical history for use in the case of medical emergency.
• Athlete information including height, weight, dietary supplements taken, uniform size, shoe size, feedback from coaches and trainers, performance results and biographical information for required registration forms, outfitting uniforms, media relations, and components of selection.
• Athlete whereabouts information including sport/discipline, training times and venues, training camp dates and locations, travel plans, competition schedule, and disability, if applicable, for Canadian Centre for Ethics in Sport inquiries for the purpose of out-of-competition doping testing.
• Personal measurements for adjusting sporting equipment.
• Body weight, mass and body fat index to monitor physical response to training and to maintain an appropriate weight for competition.
• Marketing information including attitudinal and demographic data on individual members to determine membership demographic structure, and program wants and needs.
• Passport numbers and Aeroplan/frequent flyer number for travel purposes.
• Other

Appendix 2 - Statements to Obtain Consent

A sport organization may collect, use and disclose any personal information if the purpose of the collection, use and disclosure is reasonable and the individual supplying the information has consented to such purpose. If an organization wishes to disclose personal information to a third party for solicitation, marketing or advertising, expressed consent is necessary.

The following statements are examples that can be used on web sites, and in application and registration forms to obtain consent:

1.        I, [enter name], consent to the collection, use and disclosure of my personal information for the following purposes [identify the purposes] … followed by signature.

2.        I, [enter name], consent to the collection, use and disclosure of my personal information for the following purposes [identify the purposes]. I further consent to the disclosure of my personal information to the following parties [identify the third parties] … followed by signature.

3.        I grant ABC permission to collect, use and disclose my personal information for the following purposes. Such permission is indicated by my placing a check mark in the box below:

• Receiving solicitations from ABC sponsors such as XYZ;
• Receiving advertisements from ABC’s sponsors about their products or services that may be of interest to the members of ABC;
• Receiving direct solicitations from ABC for fundraising or other commercial activities.

4.        By providing ABC with your personal information on this [type of form], you are giving consent to ABC to collect and use your personal information for the following purposes [identify the purposes] and to disclose your information to the following parties [identify the parties].

5.        By entering personal information on this web site, you are consenting to the collection, use and disclosure of your personal information for the following purposes… [identify purposes].

6.        By entering personal information on this on-line registration system, you are consenting to ABC collecting, using and disclosing personal information for the purposes identified in ABC’s Privacy Policy [provide link to policy].

Originally published: Centre for Sport and Law website (May 2004)