Horizons Global Consulting
your privacy and security management partner
This involves an organization giving an individual information about themselves held by the organization. Giving access may include allowing an individual to inspect personal information or giving a copy of it to them.
CSA Model Code
The Canadian Standards Association Model Code for the Protection of Personal Information was developed for use as a voluntary code by businesses and organizations. It contains 10 principles to be respected and forms the backbone of PIPEDA and other privacy legislation.
An organization collects personal information if it gathers, acquires or obtains personal information from any source and by any means. Collection includes when an organization keeps personal information it has come across by accident or has not asked for.
As defined in PIPEDA (federal legislation) commercial activity is: "any particular transaction, act or conduct or any regular course of conduct that is of commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists." There is not a precise list of exactly what transactions would fall under the definition of commercial activity.
Permission to collect, use and share personal information for a stated purpose. People must understand what they are agreeing to and agree voluntarily. The consent is not valid or acceptable if there is extreme pressure or coercion, for example, where consent is given under threat. (See also definitions of implied and express consent.)
In general terms an organization discloses personal information when it releases it to others outside the organization. It does not include giving individuals information about themselves (this is 'access' see above).
Permission that is explicitly sought and applied to the collection, use or disclosure of information, particularly for sensitive information (i.e. health information) or when there has been a significant change from the original purpose for which information was collected. For example, where an organization has a long-standing practice of not sharing its mailing list(s) and has taken the decision to change the practice, seeking express consent is advisable. (See also: opt-in.)
The term refers to the treatment of data already in an organization's possession prior to legislation. Data already in an organization's possession when legislation comes into effect will be subject to the same rules as data you begin to collect following legislation. The data, therefore, is not being grandfathered. In some instances, however, it may be reasonable to continue using the information for the original purpose for which it was collected with an opt-out option.
Consent that can be inferred either through an ongoing relationship or through reasonable expectation. For example, consent could be implied for continuing to send a regular mail donor direct mail solicitations or for using the return address on a donation cheque to send a donor a receipt for income tax purposes. Implied consent is used to speak to one's own customers.
The use of express consent to collect, use or disclose personal information. Also known as positive consent, opt-in should be obtained by the organization before transfer of information that a reasonable person would consider sensitive to a third party (Example: financial, health information or certain video rentals or magazine subscriptions).
The practice of giving individuals the opportunity to be removed from selected or all contacts with your organization. Opt-out or negative option consent would typically be offered by an organization for the transfer of non-sensitive information to a third party (Example: a list rental of newspaper subscribers' names and addresses for marketing purposes).
Information that can be used to identify, distinguish or contact a specific individual. Specifically, "personal information" means information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization. This information would include opinions and beliefs, in addition to financial information, birthdates and other identifying data. Business contact information (title/position, company name, address, etc.) and certain publicly available information is excluded from the definition and therefore from the legislation.
Personal Information Protection and Electronic Documents Act or "PIPEDA"
Is the federal legislation introduced in phases starting January 1, 2001, which sets out ground rules for how organizations (including charities) may collect, use or disclose personal information in the course of commercial activities. As of January 1, 2004, where provinces have not yet enacted substantially similar legislation, PIPEDA will apply to the collection, use and disclosure of personal information within a province for commercial purposes.
Pertains to information that is accessible to the general public, such as telephone directories, and as such is excluded from the federal legislation if used for the purposes for which it was collected. There is still some confusion about what other information might be considered public domain and therefore excluded, including the wide range of government data available on the Internet (land registry listings, etc.).
The stated purpose for which personal information is being collected, used or disclosed. These may appear on a variety of materials including donor reply coupons, raffle tickets, websites, registration forms, etc.
A test that "will interpret substantially similar to mean equal or superior to the PIPED Act in the degree and quality of privacy protection provided. The federal law is the threshold or floor."
Greater care will be required in the handling and security of sensitive
information. Sensitive information is a subset of personal information. It
is information or opinion about a person and includes:
In general terms, use of personal information refers to the handling of personal information within an organization including 'the inclusion of information in a publication'.
Source: Privacy Commissioners of Canada and Australia, and other sources
Horizons Global Consulting, All Rights Reserved.
Horizons Global Consulting is a division of Horizons Global Enterprises Limited.