How private information is handled today is a big question for everyone, including non-profit and charitable organizations.
Generally, non-profits such as charities, clubs, community groups, and associations find some relief regarding PIPEDA (Personal Information Protection and Electronic Documents Act). However, non-profits that deal with commercial activities are subject to PIPEDA and must strictly comply with it.
PIPEDA specifically applies to employment in federal works, undertakings, or businesses.
According to Canada’s PIPEDA Act, any activity that includes a transaction, sale, barter, fundraiser, or leasing of donors or membership is classified as a commercial activity.
PIPEDA came into existence on January 1, 2004. It is the privacy law of Canada, brought into effect to protect personal information in its collection, use, and disclosure in the course of commercial activities.
Read our previous blog, “How to Comply with PIPEDA When Doing Business in Canada?” for a more in-depth understanding of PIPEDA.
Let’s understand why non-profits must adhere to PIPEDA in depth through this blog.
Understanding PIPEDA in detail
PIPEDA applies to the following:
- Any organization that gathers, uses, or reveals people’s personal information must do so with their consent.
- The organization can only disclose personal data for the purpose for which it has obtained the concerned person’s consent.
- The organization must only collect relevant data that people would find appropriate under the circumstances.
- People have the right to see what personal data is held about them and request rectification in case of inaccuracies.
Personal information about an individual refers to the following:
- Personal identification numbers, individual’s name, blood group, and gender.
- Loan and credit records, wealth, and income information.
- Disputes between a consumer and an organization.
- Intention to acquire goods, services, evaluations, and opinions.
However, exemptions are made for the business title, business number, business address, or whatever else is given on the business card.
What does PIPEDA comprise?
PIPEDA comprises ten principles:
First Principle – Accountability
An organization holds the sole responsibility to safeguard the personal data of the clients.
Second Principle – Recognizing the purposes
Before collecting personal data, an organization must identify why it should collect or retain any particular type of personal information.
Third Principle – Consent
This is one of the key principles of PIPEDA. It specifies that an individual’s data cannot be collected unless the individual’s consent has been obtained.
Fourth Principle – Limiting collection
This principle regulates the collection of personal information as per the purposes identified.
Fifth Principle – Limiting Use, disclosure, and retention
Organizations under PIPEDA must not disclose personal data outside the scope of its purposes.
Sixth Principle – Accuracy
An organization must always ensure that the personal data it collects and retains is accurate and, if it is not, rectify it.
Seventh Principle – Safeguards
Following this principle, an organization must protect personal data by adopting necessary measures.
Eighth Principle – Openness
An organization must remain transparent regarding its data collection and usage.
Ninth Principle – Individual access
An organization must make provisions for individuals to access their data as needed.
Tenth Principle – Challenging compliance
An organization must be ready to respond to challenges.
When does PIPEDA apply to non-profits?
Note that charities and non-profits are not exempt from PIPEDA. Any organization that collects, uses, or discloses data for commercial activity must adhere to PIPEDA.
Further, non-profits in some provinces, such as Quebec, Alberta, Ontario, British Columbia, and others, might be subject to provincial legislation.
Why should non-profits be compliant with PIPEDA?
Charities and non-profits must adhere to PIPEDA guidelines because of the increased awareness of stakeholders. In addition, people’s increased knowledge of privacy, transparency, and accountability is compelling non-profits to remain PIPEDA compliant.
Clients and stakeholders expect non-profit organizations to be accountable for storing their data and keeping their sensitive data protected from misuse.
Thus, when non-profits are framing their privacy practices, they should take these factors into account.
This would help them avoid risks like data breaches, privacy violations, court actions, and class action litigation. It would also protect non-profits from reputational and court-ordered damages.
Non-profits can also avoid getting fined or penalized under the relevant jurisdiction, and avoid breaching PIPEDA guidelines accidentally.
So, PIPEDA will help non-profit organizations shape themselves to meet client expectations and, most importantly, court expectations.
Thus, non-profits must consider incorporating PIPEDA requirements into their privacy policies to uphold their reputation and manage their legal liability effectively.