Those charities and nonprofits that operate only in jurisdictions in which PIPEDA applies, as opposed to provincial legislation, and which do not elect to apply the 10 Fair Information Principles to all of their operations, will be concerned with the meaning of “commercial activities” under PIPEDA because PIPEDA only applies to personal information collected, used and disclosed in the course of these activities.
“Commercial activities” is defined in PIPEDA specifically to include the selling, bartering or leasing of donor, membership or other fundraising lists. However, it also includes other activities of charities and nonprofits that are “commercial” in character.
Defining what activities of charities and nonprofit organizations will be considered commercial is not necessarily a straightforward task. Guidance in this area can be sought from Industry Canada information tools. While not legally binding, these information sources indicate the viewpoint of Industry Canada, the governmental body that administers PIPEDA.
Industry Canada has issued Updated Questions and Answers documents as part of its PIPEDA Awareness Raising Tools (PARTs) Initiative for the Health Sector (http://e-com.ic.gc.ca/epic/internet/inecic-ceac.nsf/vwapj/PARTS_QandA-e.pdf/$FILE/PARTS_QandA-e.pdf ). Although directed to the health sector, some of the comments may also provide guidance to other charities and nonprofit organizations.
Fundraising not commercial
Question 63 addresses how PIPEDA impacts on the ability of health care facilities to send fundraising letters to patients. The answer given by Industry Canada is that “fundraising, in this context, is not considered to be a commercial activity” and further that “there would be no impact from PIPEDA on this activity, unless the facility was selling, leasing or trading the fundraising list for some consideration.” (In contrast, the new Ontario Health Information Protection Act will specifically apply to fundraising activities of “health information custodians” (s. 31).)
It is unclear whether Industry Canada’s comments extend to other fundraising activities where value is exchanged, such as the carrying on of a related business by a charity (for example retail or online sales), fundraising dinners, raffles, lotteries and the like. The question will be whether the activity involves the making or provision of a product or service that is commercial in nature.
The Industry Canada document emphasizes (in Q. 24) that the applicability of PIPEDA is dependent on the nature of the activity (transaction) not the nature of the health organization, institution, or agency (public, private, commercial, nonprofit, etc.):
A nonprofit organization can be engaged in a commercial activity to which the PIPEDA would apply. For example, the sale of a fundraising list by a charity can trigger the application of PIPEDA with respect to that particular transaction. PIPEDA would not apply to a provincially funded hospital. Hospitals are beyond the constitutional scope of PIPEDA as their core activities are not commercial in nature. Charging for a private room would not bring a hospital within the scope of PIPEDA because the transaction is part of the hospital’s core activities, i.e. providing accommodation).
From these comments we can conclude that some activities carried on by a charity or nonprofit organization may be considered to be commercial in nature to which PIPEDA will apply. However, the comments also suggest that not every exchange for consideration will be considered a commercial activity for purposes of PIPEDA, where, according to Industry Canada, the transaction is part of the organization’s core noncommercial activities. The sale of fundraising lists is not core to any inherently charitable activity; such a sale is specifically addressed and included in the definition of “commercial activity”. In other cases, the question may be more difficult to assess.
Limited guidance on definition
In response to numerous enquiries, the Office of the Privacy Commissioner of Canada has issued a Fact Sheet on the application of PIPEDA to charitable and nonprofit organizations (http://www.privcom.gc.ca/fs-fi/02_05_d_19_e.asp, last updated March 31, 2004). Although that Fact Sheet confirms that nonprofit status does not automatically exempt an organization from the application of the Act, the guidance it provides relating to the meaning of “commercial activities” to which PIPEDA will apply is limited. The Fact Sheet states in part:
Most nonprofits are not subject to the Act because they do not engage in commercial activities. This is typically the case with most charities, minor hockey associations, clubs, community groups and advocacy organizations. Collecting membership fees, organizing club activities, compiling a list of members’ names and addresses, and mailing out newsletters are not considered commercial activities. Similarly, fundraising is not a commercial activity. However some clubs, for example many golf clubs and athletic clubs, may be engaged in commercial activities which are subject to the Act.
As previously noted, Alberta PIPA has special rules for those nonprofit organizations that fall within the meaning of that term as defined in Alberta PIPA. Alberta PIPA only applies to the personal information that is in the custody or control of a “nonprofit organization” if it is collected, used or disclosed by the organization in connection with a “commercial activity” carried out by the nonprofit organization. Like PIPEDA, Alberta PIPA defines “commercial activity” to include the “selling, bartering or leasing of membership lists or of donor and other fundraising lists”.
The definition of “commercial activity” in Alberta PIPA also contains other specific inclusions: the operation of a private school or an early childhood services program as defined in the School Act; and the operation of a private college as defined in the Colleges Act.
Doesn’t govern health information
It should also be noted that Alberta PIPA does not apply to health information as defined in the Health Information Act (Alberta).
In its Information Sheet (published Dec. 2003 and posted at http://www.pipa.gov.ab.ca/pdf/InfoSheet1.pdf) the Access and Privacy Branch of Alberta Government Services provides some guidance for nonprofits operating in the province and the factors which will be considered in determining whether a transaction is a commercial activity for the purposes of Alberta PIPA:
- is the activity conducted for the purpose of fundraising for charitable purposes (rather than to raise funds for regular operations or non_charitable purposes)?
- is the activity financially supported by the activities of the organization or operated on a cost recovery basis rather than intended to make a profit to be used to support other activities)?
- is the activity one that tends to be provided only by the government or non_profit sector (rather than by private sector businesses)?
- is the primary purpose of the activity to provide a public benefit (rather than benefit individual participants or clients)?
- does the activity involve consideration by one party (rather than consideration for both parties)?
The recently-released “FAQ for Non-Profit Organizations” (dated June 2004 and posted at http://www.psp.gov.ab.ca/index.cfm?page=faqs/NonProfitFAQs.html) provides further examples of what Alberta’s Access and Privacy Branch considers to be a “commercial activity” within the meaning of Alberta PIPA. The FAQ indicates that it is the view of the Access and Privacy Branch that fundraising is not a commercial activity, with the caveat that ultimately, the province’s Information and Privacy Commissioner will determine the issue. Examples of commercial activities include the sale of merchandise by catalogue or Internet sale and running a conference, seminar or training session for fees set at levels competitive with services offered by private sector organizations.
Further experience under the new legislation will help to define further what activities of charitable and nonprofit organizations are considered to be “commercial activities” for the purposes of application of PIPEDA and Alberta PIPA.
As previously noted, organizations which choose to apply the privacy principles throughout their organization’s operations, whether in commercial or non-commercial activities, will not need to concern themselves with these distinctions.
Many charities are concerned with how to deal with third party service providers in a manner which complies with the privacy law requirements. These entities perform services for charitable and nonprofit organizations that either use personal information held by those organizations or collect such information on their behalf. Examples include payroll services, mailing houses, third party fundraisers or telephone solicitors and technical contractors having access to an organization’s database of personal information.
The question that presents itself is how these disclosures and uses can be handled without breaching the rules established under the applicable privacy legislation. This is of greatest concern in the provinces of BC, Quebec and in some cases Alberta.
BC PIPA, which applies to all operations of charitable and nonprofit organizations in the Province of British Columbia, has specific exceptions permitting these types of disclosures and uses but the organization which engages the service provider remains responsible for the safekeeping of its personal information even when in the custody of the third party service provider.
Information provided to a third party service provider may only be used for the purposes for which the information was previously collected and to assist the third party service provider in carrying out work on behalf of the organization. Appropriate agreements are required to be put in place for third party service providers in order to ensure that an organization’s obligations are met in respect of information transferred to, used or collected by third party service providers.
Third party provisions
While PIPEDA and Alberta PIPA do not contain express provisions permitting such uses and disclosures to third party service providers, Principle 4.1.3. of Schedule A to PIPEDA provides that
An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.
and the provisions of subs. 5(2) of Alberta PIPA convey a similar intent:
For the purposes of this Act, where an organization engages the services of a person, whether as an agent, by contract or otherwise, the organization is, with respect to those services, responsible for that person’s compliance with this Act.
Communication and consent strategies
In these early days of the application of Canada’s new privacy laws, charitable organizations are continuing to work out their communication strategies with individuals in their databases, including clients and donors. These issues will, of course, be much more limited in jurisdictions where compliance is required only in respect of commercial activities. However, in those jurisdictions where the privacy rules apply to all operations, and for those organizations which choose to adopt the model privacy code as “best practices”, these are important issues for consideration. Issues include:
- How will the organization communicate with individuals in its database in order to ensure that adequate notice of purposes and consent is provided for the existing uses for which this information is made?
- What type of consent (express, implied) is appropriate for specific circumstances? What consent documents are required (opt-in, opt-out)?
For example, in the area of fundraising lists and records, organizations which are subject in all of their operations to the new privacy rules are well advised to communicate with their existing donor database explaining how the personal information held by the organization is currently being used and obtaining consent for the ongoing use. Although the sensitivity of the information must always be considered, in many cases providing an opportunity for individuals to decline to receive further communications (an opt_out consent) will be sufficient.
Another issue of importance is an organization’s internal communication strategies. It is important to put in place procedures to deal with complaints, access requests and withdrawals and variations of consent and to have in place well-thought-out implementation procedures and internal communication programs, so that an organization’s staff knows how to deal with these issues when they do arise.
Our experience under Canada’s new privacy laws is still evolving. Many charitable and nonprofit organizations are still in the process of working through their approach to protection of personal information in view of the limited application of privacy law principles to charities under PIPEDA.