Published May 11, 2004
As of January 1, 2004 the Personal Information Protection and Electronic Documents Act (“PIPEDA”) applies to all organizations during the collection, use and disclosure of personal information in the course of any commercial activity within a province, as well as inter-provincial and international transactions. PIPEDA gives Canadians new legal rights when their personal information is collected, used or disclosed in the course of a commercial activity. The legislation addresses increasing public concerns over personal information practices of the private sector and establishes a new national privacy framework.
Purpose of the Legislation
The stated intent of PIPEDA is to establish rules that balance the right of privacy of individuals against the needs of organizations, but in practice such a perfect balance may not be achieved. A couple of things in PIPEDA push the scale in the favor of the individual. Firstly, PIPEDA states that privacy is a right of the individual. An organization, on the other hand, has needs and not rights. Secondly, the organization’s needs are defined to be the collection, use and disclosure of personal information but only for purposes that a reasonable person would consider appropriate.
PIPEDA applies in all provinces of Canada except those that have passed their own privacy legislation. Three provinces have done so (Québec, British Columbia and Alberta) and these provincial laws are very similar to PIPEDA. Sport organizations operating solely in these provinces should consult with their provincial legislation, in addition to becoming familiar with PIPEDA.
A few of the key definitions of PIPEDA are reviewed here.
The word “organization” is used throughout PIPEDA and one must be aware that this word includes an association, a partnership, a person and a trade union. The definition of “person” in the Interpretation Act ensures that a “corporation” is included in the definition of “organization.” Also, PIPEDA is not limited to for-profit entities; therefore not-for-profit organizations are not excluded from the application of PIPEDA simply by virtue of being not-for-profit.
This definition requires that the information be about an identifiable individual and not merely associated with an individual. The individual must be identifiable and not necessarily identified such that the information need not be unique to the individual. The definition is open-ended as no specific examples are provided in the definition itself of what is personal information. Such personal information can be in several forms such as:
In contrast, it is explicitly described that “personal information” such as “name, title, business address or telephone number of an employee of an organization” is not considered personal information and PIPEDA does not apply.
PIPEDA applies to every organization in respect of personal information collected, used, or disclosed in the course of a commercial activity. PIPEDA defines “commercial activity” as “ any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists”.
The definition tells us that PIPEDA can apply to the handling of personal information with respect to a little as one transaction or as much as the organization’s entire business, assuming they are of a “commercial character”.
There is little information at this time as to the meaning of “commercial character”. The jurisprudence dealing with the meaning of “commercial” tends to be taxation related. However, the specific inclusion of the selling, bartering or leasing of donor, membership or other fundraising lists was to dispel any doubt as to whether PIPEDA would apply to activities of not-for-profit organizations whose main handling of personal information has historically arisen from these types of activities. It is only the transaction, act or conduct or a particular course of conduct that must be of a commercial character, and not the entire organization’s raison d’être.
In summary, the threshold for what is “commercial” is very low. The Privacy Commissioner has confirmed that all marketing activity is commercial, and it is safe to say that all sales of products and services (including courses, programs, clinics, manuals, equipment) represent commercial activity. We are of the view that sport organizations should presume that all personal information they deal with is subject to the requirements of PIPEDA, and should act accordingly.
Where the collection, use or disclosure of personal information that is at issue occurred before PIPEDA applied to the organization in question, then PIPEDA will not, in retrospect, apply to that collection, use or disclosure of the personal information. However, there is no grand-fathering provision in PIPEDA. Therefore, on a going forward basis, an organization is required to comply with PIPEDA even with respect to information that it already had in its possession or custody prior to PIPEDA’s application to the organization. In practical terms, this means that information obtained previously can only be used for purposes identified previously, at the time of its collection – any new uses will require new consent.
An Organization’s Responsibilities
Schedule 1 of PIPEDA lists ten principles of fair information practices, which form ground rules for the collection, use and disclosure of personal information. If an organization chooses not to follow the recommendations provided in Schedule 1 there are potential negative consequences such as providing grounds for an individual or the Commission to initiate a complaint against the organization or providing grounds of the Commission to conduct an audit of the organization’s personal information management practices.
An organization has a responsibility to comply with all ten principles of Schedule 1. This includes appointing an individual (or individuals) to be responsible for the organization’s compliance and to ensure that all personal information held by the organization or transferred to a third party for processing is protected. An organization is also responsible to develop and implement personal information policies and practices to ensure safety and protection of personal information.
2. Identify the Purpose
An organization will be responsible to identify before or when collecting personal information as to why it is needed and how it will be used. It will be necessary to document why the information is collected and to inform the individual from whom the information is collected as to this purpose. See Appendix 1 for examples of some reasonable purposes for collecting personal information in the sport context.
3. Obtain Consent
An organization is responsible to notify an individual the purposes for the collection, use or disclosure of personal data. Consent must be obtained before or at that the time of collection, as well as when a new use of the personal information is identified. Whether consent is obtained is determined upon the basis of the “reasonable person’ test. Consent may be either explicit or implied but should not be obtained by deceptive means. As well, consent may not be a condition for supplying a product or a service, unless the information requested is to fulfil an explicitly specified and legitimate purpose. See Appendix 2 for some examples of wording for obtaining consent.
4. Limit Collection
Personal information should not be collected indiscriminately. An organization must limit its collection of personal information to only the necessary information for its stated purposes. An organization must specify the type of information that it collects for its stated purposes as part of its information-handling policies and practices, required by the first privacy principle.
5. Limit use, disclosure and retention
Personal information should only be used or disclosed for the purpose for which it was collected, unless the individual consents, or if the use of the disclosure is authorized by PIPEDA. Personal information should not be disclosed to third parties unless the individual has consented to this disclosure. In sport settings, this is important as information is typically collected by local sport organizations (clubs or leagues), provincial sport organizations or national sports organizations and then shared among all three parties. Personal information should only be disclosed in this manner if consent for such disclosure has been obtained, and if all parties are compliant with PIPEDA.
Once collected, personal information should only be kept as long as necessary to satisfy the purpose of the organization. Guidelines and procedures should be in place for retaining and destroying personal information. Information that is no longer required should be destroyed, erased or returned back to the individual.
6. Be Accurate
An organization is responsible to keep personal information as accurate, complete and up-to-date as necessary, taking into account its use and the interests of the individual. To prevent the use of out-of-date information, organizations should record the date when the personal information was obtained or updated and thereafter record the steps taken to verify accuracy, completeness and timeliness of the information.
7. Use Appropriate Safeguards
It is essential to protect personal information against loss or theft. Information must be safeguarded against unauthorized access, disclosure or copying. In order to prevent such occurrences, an organization must develop and implement appropriate security safeguards to provide the necessary protection. Proper steps include having locked filing cabinets, restricting access to offices and installing an alarm system to prevent burglary. In regards to computers, passwords should be required to access terminals, firewalls should be established to eliminate hacker’s access to computers systems, and encryption codes should be implemented where necessary.
8. Be Open
Individuals have the right to view any personal information retained by an organization. Front-line staff should be familiar with the procedures for responding to individual inquiries, and information should be available to the public to determine which person within the organization is accountable for the organization’s privacy policies.
The information made available to individuals upon request shall include:
the name or title, and the address, of the person who is accountable for the organization’s policies and practices and to whom complaints or inquiries can be forwarded;
9. Give Individuals Access
Individuals have a right to examine their personal information and challenge its accuracy and completeness. Organizations must describe what personal information they possess, providing an account of how it is used, and third parties to whom it has been disclosed. When it is not possible to list actual parties, a list must be provided of parties to whom the information may have been disclosed. If asked, organizations must also assist individuals to prepare a written access request.
10. Challenging Compliance
An organization must develop and implement a simple and easily accessible complaint procedure. Individuals should be aware of the recourses available to them, which would include the organization’s complaint procedure, those of industry associations, regulatory bodies and the Privacy Commissioner of Canada. An organization is required to investigate all complaints. If an organization finds that a complaint is justified, then the organization must take appropriate measures, including amending its policies and practices if necessary, to resolve the complaint.
PIPEDA gives the Privacy Commissioner the authority to audit an organization’s personal information management practices when he/she has reasonable grounds to believe the organization is not fulfilling its obligations under Part 1 of PIPEDA or is not respecting the recommendations of Schedule 1.
It is important for an organization to be aware of the circumstances that may lead the Commissioner to audit the personal information management practices of an organization. They include a series of complaints about a particular organization’s practice(s), information provided by an individual within the organization and any privacy-related issue receiving media attention.
PIPEDA attempts to create a level playing field by establishing identical rules for all businesses. It promotes the growth of electronic commerce by establishing a consistent, enforceable and consumer-friendly privacy environment.
Furthermore, an organization that protects personal information will likely satisfy government and regulatory requirements in Canada and also meet the requirements of a foreign jurisdiction’s privacy laws. For example, many European countries do not allow the transfer of personal information to an organization outside the country unless that organization has adequate privacy protection, such as is established through PIPEDA.
Commercial organizations in Canada have shown a tendency to turn the matter of PIPEDA compliance over to their law firm or their legal department. It should be noted that when preparing a privacy compliance strategy, the first step should NOT be to pull up a precedent policy, or talk to the managers, but to talk to the people who actually collect the information.
In a sport organization, the people who collect information are the front line staff and volunteers taking phone calls, receiving registration forms, and distributing membership packages, as well as people who work on your web site. A strategy to become compliant will typically require a consultation among most, if not all of an organization’s staff and key volunteers.
In conclusion, PIPEDA will, in the short term, require that organizations take substantive steps to change and improve the way they gather information from their members, market and promote their products and services, and communicate with the world through their web sites. Organizations that are proactive and do their homework in the short term, will find that achieving compliance in the long term is fairly easy. They can also derive satisfaction from having become more diligent and professional in their administrative and management practices.
Appendix 1 - Reasons to Collect Information
Appendix 2 - Statements to Obtain Consent
A sport organization may collect, use and disclose any personal information if the purpose of the collection, use and disclosure is reasonable and the individual supplying the information has consented to such purpose. If an organization wishes to disclose personal information to a third party for solicitation, marketing or advertising, expressed consent is necessary.
The following statements are examples that can be used on web sites, and in application and registration forms to obtain consent:
1. I, [enter name], consent to the collection, use and disclosure of my personal information for the following purposes [identify the purposes] … followed by signature.
2. I, [enter name], consent to the collection, use and disclosure of my personal information for the following purposes [identify the purposes]. I further consent to the disclosure of my personal information to the following parties [identify the third parties] … followed by signature.
3. I grant ABC permission to collect, use and disclose my personal information for the following purposes. Such permission is indicated by my placing a check mark in the box below:
4. By providing ABC with your personal information on this [type of form], you are giving consent to ABC to collect and use your personal information for the following purposes [identify the purposes] and to disclose your information to the following parties [identify the parties].
5. By entering personal information on this web site, you are consenting to the collection, use and disclosure of your personal information for the following purposes… [identify purposes].
Originally published: Centre for Sport and Law website (May 2004)