In the beginning of April, the federal government introduced Bill S-4—otherwise known as the Digital Privacy Act—to the Senate. The amendments proposed by the bill, if passed, will affect the way that charities and nonprofits disclose personal information.
The bill is very similar to previous legislation intended to amend the Personal Information Protection and Electronic Documents Act (PIPEDA), such as Bill C-12 (September 2011) and Bill C-29 (May 2010). Many activities of charities and nonprofits would not be considered ‘commercial activities’ and may be exempt from the application of PIPEDA. However, as there is no categorical exemption for registered charities or nonprofits, there are many circumstances in which the law will apply to personal information collected, used, or disclosed by these types of organizations.
What the bill would allow
The amendments proposed by Bill S-4 would permit organizations to disclose personal information to another organization without knowledge or consent of the individual—in cases where the disclosure is necessary to investigate a breach of an agreement or a contravention of the laws of Canada. The bill proposes that it would be reasonable to expect that disclosure with the individual’s knowledge or consent would compromise the investigation.
Furthermore, proposed amendments would permit disclosure of personal information to other organizations where it would be reasonable in order to detect or suppress fraud, or prevent fraud that is likely to be committed. This would occur in circumstances where it would be reasonable to expect that disclosure with an individual’s knowledge or consent would compromise the ability to prevent, detect or suppress the fraud.
As such, these proposed amendments would expand the circumstances under which personal information could be disclosed without individual knowledge or consent. These circumstances could include both past breaches of contract and violations of law as well as potential violations that could occur in the future.
The amendments would also permit organizations to disclose personal information to an individual’s next of kin, authorized representative, or to a government institution where the organization believes that the individual has been the victim of financial abuse. In such instances, the disclosure must be made solely for purposes related to preventing or investigating the suspected financial abuse and where disclosure with knowledge or consent of the individual would compromise the ability to prevent or investigate the abuse.
What the bill would restrict
If passed, Bill S-4 would restrict organizations from informing individuals that their personal information has been shared with enforcement and security agencies where the government institution to whom the information was disclosed objects. This includes situations involving government institution requests for information under the national security, law enforcement or policing services exemptions, including a request for disclosure under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act.
New responsibilities under new division
The bill also contains new responsibilities under Division 1.1, “Breaches of Security Safeguards,” such as notification requirements that necessitate reporting on breaches of security safeguards involving personal information—if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual. In such circumstances, and unless prohibited by law, the bill would also require the notification of individuals where the security safeguards involving their personal information were breached. Furthermore, in such circumstances, organizations would also be required to notify other organizations, government institutions or a part of a government institution of the breach if the notifying organization believed it would be able to reduce the risk of harm that could result.
More authority for the Federal Privacy Commissioner
Also of note, Division 1.1 would grant greater authority for enforcement of PIPEDA to the Federal Privacy Commissioner, who could then enter into compliance agreements with organizations regarding the protection of personal information. Once a compliance agreement is entered into, the Commissioner would be prohibited from applying for a section 14 or 15 court hearing, although other individuals would not be precluded from applying for section 14 court hearings or from being prosecuted for offences under PIPEDA.
Where the commissioner is of the opinion that a compliance agreement has been complied with, all section 14 and 15 applications will be withdrawn. However, where an organization has not complied with the compliance agreement, the commissioner may apply to the court for an order to require the organization to comply. Alternatively, the commissioner may begin or reinstate a section 14 or 15 hearing against a non-compliant organization.
As more and more charities and nonprofits turn to electronic means in order to collect and handle individuals’ personal information, privacy laws will need to evolve to further monitor compliance efforts and information practices.
Colin J. Thurston, B.A. (Hons.), J.D., is an associate in the Orangeville office of Carters Professional Corporation practicing intellectual property, information technology and privacy law, and can be reached at cthurston@carters.ca.
Terrance S. Carter, B.A., LL.B., TEP, Trade-mark Agent, is managing partner of Carters Professional Corporation, practicing charity and not-for-profit law, and intellectual property law, is editor of www.charitylaw.ca and can be reached at tcarter@carters.ca.