Provincial Privacy Developments
The following is an update on privacy developments in Canada's provinces as of March 2004. For an update on the federal PIPEDA law, refer to the story on our website.
Alberta's Bill 44 is similar to PIPEDA in its impact on charities. It specifically exempts most nonprofits from its requirements unless they are engaged in a commercial activity. Opt-out mechanisms are allowed as long as charities give the individual 'a reasonable opportunity to decline or object to having his or her personal information collected, used or disclosed.'
Information that organizations had gathered about individuals before the law came into effect are 'grandfathered' (i.e. exempt), but only to the extent that the information is being used for the purpose intended. Thus, if a charity wants to sell or exchange a donor list, it needs to consider whether or not that was a purpose for which the personal information was gathered in the first place. Equally important is whether or not that purpose was communicated to the individuals on the list.
Note, PIPEDA does NOT provide for grandfathering of personal information collected prior to the legislation taking effect. Therefore, unless the Alberta legislation is deemed 'substantially similar,' the standard set by PIPEDA should be followed.
The Office of the Information and Privacy Commissioner of Alberta is offering a series of implementation workshops across the province throughout the month of March.
British Columbia's Bill 38, the Personal Information Protection Act, is much stricter than the federal privacy law. There is no reference to commercial activity nor is there an exemption for charities. Any organization gathering, using or disclosing an individual's personal information must have the individual's consent. Under the legislation, the only exemption was 'contact information," defined as data enabling an organization to contact an individual at work. Contact information includes: name, position name or title, business telephone number, business address, business email or business fax number.
However, the regulations for Bill 38 that were later developed by the province are quite broad. The definition of 'public information' (information that can be gathered without consent) includes:
- The name, address, telephone number and other personal information that appears in telephone directories, if the individual is allowed to refuse to have his/her information made available;
- Personal information that appears in a professional or business directory that is available to the public, if the individual has the right to refuse to have his/her information included in the directory;
- Personal information that appears in a registry to which the public has a right of access; and
- Personal information that appears in a printed or electronic publication that is available to the public, including magazines, books and newspapers. Charities can collect, use and disclose the information found in the sources above without an individual's consent.
Charities can gather information outside of the 'public information' realm so long as they give the individual 'a reasonable opportunity to decline or object to having his or her personal information collected, used or disclosed.' Reasonable and clear opt-out mechanisms are permissible depending on the sensitivity of the information - medical and salary information, for example, would always require express, opt-in consent.
For more information on British Columbia's legislation refer to the Office of the Information and Privacy Commissioner of British Columbia's website.
The Minister of Health has launched a discussion document on The Personal Health Information Act (PHIA) and is seeking input from the public. PHIA became law on December 11, 1997. The scope of the legislation primarily relates to 'the persons and organizations regulated by the act (trustees) and the type of information the act applies to (personal health Information).' Personal health information includes any identifying information about the individual (e.g. name, address, date of birth) that is collected in the course of providing or paying for health care. Grateful patient programs in health facilities have been severely impacted by PHIA because foundations were completely reliant on an opt-in consent process. Fundraising is not specifically addressed in PHIA.
The input process is an opportunity to respond and participate in the invitation to address support for grateful patient programs. The review document 'Tell Us What You Think' is organized section by section with specific questions. You can respond electronically, and although the deadline is April 2, 2004, there are public hearings planned for this year. AFP strongly encourages organizations to respond and address the healthcare philanthropic interests.
The Freedom of Information and Protection of Privacy Act (FIPPA) is also under review. The Minister of Culture, Heritage and Tourism has invited the public to review and respond to a discussion paper. The review is designed to obtain feedback on FIPPA and how it has worked over the past five years. Like PHIA, the document is organized section-by-section with specific questions. There will also be public hearings in 2004. This is a timely opportunity to inform government of the impact of privacy legislation on philanthropy.
Ontario has yet to pass any privacy legislation similar to PIPEDA. However, in December 2003, the Personal Health Information Protection Act (Bill 31) was introduced. Section 31 addresses fundraising and states a requirement for express consent (i.e. opt-in) for the collection, use and disclosure of personal health information by any organization. The Bill has only received its first reading. In January 2004, representatives from AHP and AFP made oral presentations to the Standing Committee on General Government and submitted written responses to the draft legislation. Both submissions recommended implied consent for fundraising through notice with an opt-out opportunity.
In February, the Standing Committee initiated the process of drafting amendments. We are pleased to report that all Parties supported the following amendment and confirmed the intent for consultation with the fundraising groups vis-à-vis the amendments.
Bill 31, Section 31, Fundraising
(I) Subject to subsection (2), a health information custodian may collect, use or disclose personal health information about an individual for the purpose of fundraising activities only where, (a) the individual expressly consents; or (b )the individual consents by way of an implied consent and the information consists only of the individual's name and the prescribed types of contact information.
(2) The manner in which consent is obtained under subsection (I) and the resulting collection, use or disclosure of personal health information for the purpose of fundraising activities shall comply with the requirements and restrictions that are prescribed, if any.
In early March, staff from the Policy Branch of the Ministry of Health met with sector representatives to review the proposed amendment. These representatives presented the rationale for access to personal, non-health contact information to be able to respond to the increasingly broad range of ways in which the individuals prefer to be contacted. The recommendation was that defining 'prescribed types of contact' in legislation would be limiting. The opportunity for further consultation on any amendments and drafting of regulations was reiterated. In addition, when the Act is proclaimed it will take effect in January 2005 and not July 2004 as was previously planned.
Saskatchewan's Health Information Protection Act (HIPA) was proclaimed on September 1, 2003. The Policy and Planning Branch, Saskatchewan Health issued a Draft for Consultation on the Regulations. The regulations are still in draft form and AHP members in Saskatchewan are working together to ensure that the relevant sections of the regulations are adopted at the earliest opportunity.
Excerpt from the Regulations: Many districts and/or hospital foundations in Saskatchewan have historically contacted discharged patients to ask for donations. Use of patient lists for fundraising is not among the acceptable reasons for use or disclosure of personal health information in The Health Information Protection Act. Three options were proposed to enable disclosure of patient lists.
The first option allows a district or affiliate to use registration information to conduct its own fundraising and allows for disclosure of limited registered information to an affiliated hospital foundation. This option seems the most preferable.
5(1)For the purpose of clause 28(8) of the Act, and subject to subsections (2), (3) and (4), registration information may be used or disclosed without the consent of the subject individual by a district health board or affiliate for fundraising purposes provided:
(a) the purposes of the use or disclosure is to support the health services provided by the district health board or affiliate; and
(b) the registration information is limited to name, address and date of discharge of individuals who have received services from the district health board or affiliate.
This option has attached conditions to the disclosure. The conditions addresses exclusion of names where it may be considered unreasonable invasion of privacy, notice at the time of collection of anticipated use and the requirement for an agreement with the recipient for the information that it will be used only for fundraising. One of the conditions specifically states 'Where a disclosure is made in accordance with this section, it must only be to a registered member of the Hospital Foundations of Saskatchewan and/or the Association for Healthcare Philanthropy in Canada.'
The second option allows for the use of information for fundraising purposes but would not allow disclosure to a foundation. The third option requires expressed consent.
In closing, AFP and AHP Government Relations Committees will continue to monitor and encourage responses to privacy legislation development, amendments and opportunities for consultation. We are planning to research and update our members on privacy legislation in all provinces and territories across Canada.
There is a growing, open, public consultation process and it is incumbent on us all to be aware of new developments and opportunities for input to maximize philanthropy and promote best practice, supporting a shared value for the protection of personal information and effectively partnering with governments to ensure public accountability.
AFP thanks Susan Mullin, CFRE, Chair, AFP Privacy Task Force and Pearl Veenema, CFRE, Chair, AHP Canada Government Relations, for developing this update.