Published August 5, 2004
On January 1, 2004, all sport organizations in much of Canada, including national bodies, provincial bodies, and local clubs, became subject to a new piece of federal legislation relating to privacy rights. The statute is called the Personal Information Protection and Electronic Documents Act, or PIPEDA, and it has come into force in all but the three provinces – British Columbia, Alberta and Quebec – which recently passed their own, similar privacy legislation. Ontario is currently in the process of implementing similar legislation which will supersede PIPEDA.
The purpose of this legislation is to set out rules to govern the collection, use and disclosure of personal information in a way that balances the individual’s right to privacy with the need of organizations to collect and use personal information. The legislation is in part a response to the growing ease with which information can be exchanged using new technology and the unprecedented growth of e-commerce transactions in Canadian society.
Overnight, PIPEDA has created a whole new set of legal responsibilities. While for some time there have been laws restricting the use of personal information by governments and public institutions, we now have a law that imposes significant administrative obligations on the entire private sector, including even the smallest business establishment.
There has been considerable debate in recent months about whether PIPEDA would apply to the not-for-profit segment of the private sector. Although the authors of the legislation have stated that it was not their intention to cover non-profits, the way the law is written it is quite clear that it will apply to the extent that the non-profit organization collects and uses personal information in the course of “commercial activity”, where commercial activity is defined as any transaction of a commercial character, including marketing, fundraising or solicitation of donations.
There is an emerging consensus that sport organizations engage routinely in commercial activities when they register members for a membership fee, deliver instructional programs or clinics, sell coaching manuals and rule books, sell sports equipment, solicit donors, or market their programs through direct mail, a Web site or e-mail lists.
All organizations, no matter their size, must be aware of the administrative impacts of compliance with PIPEDA. The new law sets out 10 principles of “fair information practices” that form the ground rules and responsibilities for managing personal information. In the remainder of this column, we’ll touch on three of these principles.
Principle #1 – Accountability
Initially, all organizations will have to appoint an individual (or individuals) to be responsible for the organization’s compliance with PIPEDA. This individual will be titled the privacy officer of the organization. The privacy officer is responsible for developing and implementing personal information policies and practices to ensure safety and protection of personal information and compliance with PIPEDA. Once policies and practices are implemented, the privacy officer must ensure that staff are trained and informed of their responsibilities to protect personal information.
It will then be necessary to analyze all personal information handling practices, including ongoing activities and new initiatives. To do so, determine what personal information is collected, why it is collected, how it is collected, what it is used for, where it is kept, how it is secured, who has access to or uses it, to whom it is disclosed, and when it is disposed of.
Upon answering the above questions, the organization will be responsible for developing and implementing policies and procedures to protect this personal information. It will be necessary to define the purposes of the collection, obtain consent, and limit its collection, use and disclosure. Finally, the organization must ensure that the information is correct, complete and current, adequate security measures are implemented, a destruction and retention timetable is established to update or destroy personal information, personal information requests are processed, and inquiries and complaints are answered.
Principle #2 – Identify the purpose
An organization is responsible for identifying, before or at the time of collecting personal information, why the information is needed and for what purpose it will be used. Once collected, personal information cannot be used for a different purpose without obtaining consent.
Here’s an example of how this will affect a sport organization – imagine that a running club hosts a road race, and collects personal information on a registration form in order to manage entries in the road race. To date, it has been common practice for such clubs to use that information for other reasonable purposes, such as promoting future road races or related events of interest to runners in the community. Under PIPEDA, this will not be permitted, unless at the time of registration it was made clear that the information would be used for future promotional purposes.
Principle #3 – Obtain consent
PIPEDA states that “the knowledge and consent of the individual are required for the collection, use or disclosure of personal information”. Consent can be explicit (a written acknowledgement, signature or initials on a form) or implied (a verbal acknowledgement). Consent applies not only to the collection but also to the use and disclosure of the information to third parties. Minors cannot give consent, nor can consent be construed as a condition for supplying a product or service; in other words, an individual cannot be turned away simply because they have refused to supply personal information.
Here’s an example of how this might affect a sport organization – when athletes register in a program or join a league or a team, it is common practice to collect health insurance and other medical information from them. In order to collect, use and disclose this information, consent must be obtained, and a lack of consent cannot be used as the basis for excluding the athlete from the program or activity.
There are some exceptions to the principle of consent that relate to disclosure to authorities for legal purposes, and disclosure in emergency situations where an individual’s life, health or security is threatened. Information may also be used for scholarly or research purposes without the individual’s consent, provided that Canada’s Privacy Commissioner is notified in advance.
In summary, PIPEDA has the potential to cause dramatic change to the ways that organizations gather information from their members, market and promote their programs, and communicate with the world on their Web sites. In most cases, sport organizations in the future will be able to do all the things they have done in the past: they’ll just have to do some homework first and become more diligent in their administrative practices. This is a good thing, as individuals are rightly concerned about their privacy and out of respect for their concerns, steps should be taken to comply with the principles of fair information practices.
Originally published: Coaches Report (2004) Vol. 10(3)