1. Know Your Status

The majority of non‐profit organizations in Alberta are not required to comply with PIPA. It is important to know whether your organization is subject to the Act. If your organization is subject to the Act, then it must comply with PIPA when collecting, using, disclosing, and safeguarding personal information. It must also respond to requests from individuals to access records containing personal information about them, and do this within the time frames set out in the Act.

If your organization is not required to comply with the Act, you may nevertheless choose to adopt certain best practices to protect the personal information in your care.

Worksheet 1

Is your organization subject to PIPA?

1. Is your Organization:

• Incorporated under Alberta's Societies Act,
• incorporated under Alberta's Agricultural Societies Act, or
• registered under Part 9 of Alberta's Companies Act?

 Yes. Got to question 2. No. Your organization is fully subject to PIPA (Go to next Worksheet 2.

2. Does your organization:

• Operate a private school (as defined by the School Act),
• operate an early childhood services program (as defined by the School Act), or
• operate a private college (as defined by the Post‐secondary Learning Act)?

 YES. Your organization is subject to PIPA for the collection, use and disclosure of personal information for that operation. NO. Go to question 3.

3. Does your organization sell, barter or lease a membership list, donor list, or other fund‐raising or client, volunteer or employee list?

 YES. Your organization is subject to PIPA for the collection, use and disclosure of personal information on that list. NO. Go to question 4.

4. Does your organization engage in any other "commercial activity"? For example, are you operating a day care centre or a fitness centre, or offering training or selling products for fees like those charged by the for‐profit sector?

 YES. Your organization is subject to PIPA for the collection, use and disclosure of the personal information connected to the commercial activity. NO. Your organization is not subject to PIPA. Your organization may choose to adopt best practices to protect the personal information of your clients and staff.

2. Know what you have:

The next step is to determine what kind of personal information your organization normally collects. All organizations should know the kind of personal information they collect.

Personal information is information about a particular individual. Name, contact information, birth date, work history and identification numbers are all examples of personal information.

Use the box below to create a list of the personal information your organization collects about employees, volunteers and clients.

Worksheet 2

Personal information list

Some of the personal information listed above is sensitive information, which could be used by criminals to commit identity theft. Particular care should be given to ensure the security of this information. Security measures are discussed later on in the workbook. The best security measure of all is not to collect the information if you do not need it.

When completing steps 2 and 3, refer to the forms your organization used to collect personal information in the first place. The forms will serve as a reminder of the activities carried out by your organization that involve the collection, use and disclosure of personal information.

3. Know Why You Have It

Under PIPA, organizations may only collect, use and disclose personal information for purposes that are reasonable. In simpler terms, you need a good reason to collect the information. Even organizations not subject to PIPA should have a good reason to collect personal information.

Your organization will have a reasonable purpose – or a good reason – for collecting personal information if the organization needs the information for a service or activity. For example, if your organization runs fitness classes, certain personal information is necessary to register the participants and operate the classes.

Use the box below to create a list of your organization's purposes for collecting personal information.

Worksheet 3

Purposes for collecting personal information

 Maintaining a membership list to administer membership benefits Mailing a newsletter Registering a participant Processing payment for a product or service Providing a receipt for a payment or donation Assessing or evaluating qualifications of potential staff Assigning duties to staff Determining eligibility for insurance coverage (vehicle, liability, bonding) Contacting a family member in case of an emergency Ensuring the health and safety of participants (e.g. collecting medical information, such as information about allergies, for children attending a camp) Deducting income tax and making other payroll deductions (for paid employees)

Now that you know what personal information you collect, and the purposes for collecting personal information, you should look at whether the information and purposes match each other.

If your organization collects personal information for several programs, it might be easiest to match the information to each program. Here is an example from a community league that runs a sports league for children, and runs a raffle for fundraising.

Worksheet 3B

Match it up

Is there any personal information that you collect where you could not identify a good reason for collecting it? If you cannot link the information to a purpose, consider whether you should be collecting it. PIPA requires organizations to collect only what they reasonably need.

If you have determined that you do not really need the information, what do you do? Stop collecting it. Change your forms so you're not asking for the information, or cross out that section of the form until the form is revised.

You may also want to remove unnecessary information from current files. This is especially important if the information is sensitive (e.g. Social Insurance Numbers, medical information). Most organizations clean up their files periodically and it is acceptable to plan to remove unnecessary information during the periodic clean‐ups.

Before you get rid of the personal information, make sure you have proper processes for securely destroying the information: shred paper files (use a cross‐cut shredder) and permanently delete electronic files. The section of this workbook on safeguards will make some suggestions for destroying records.

Worksheet 3C

The Leftovers

Organizations subject to PIPA can keep personal information for as long as the information is needed for legal or business purposes. Personal information that your organization no longer needs (e.g. contact information for former clients or staff) must be securely destroyed after a reasonable amount of time – one year is a good guideline, but you might have legal reasons for keeping certain information (such as financial or tax records) for a longer time. Disposing of information that is no longer needed is a good practice for any organization.

How will your organization determine when to get rid of personal information that is no longer needed? One way is to have a dedicated spot – file cabinet for paper files, or a specific place on your hard drive or network – for "inactive" information to go. Date the file according to when you "shelved" it. If the information remains inactive (e.g. for a year), then destroy it using your safe‐destruction processes. Set a schedule for reviewing the inactive file for "past due" dates.

Worksheet 3D

Plan to dispose of the "leftovers"

4. Choose a privacy contact person

The majority of non‐profit organizations in Alberta are not required to comply with PIPA. It is important to know whether your organization is subject to the Act. If your organization is subject to the Act, then it must comply with PIPA when collecting, using, disclosing, and safeguarding personal information. It must also respond to requests from individuals to access records containing personal information about them, and do this within the time frames set out in the Act.

If your organization is not required to comply with the Act, you may nevertheless choose to adopt certain best practices to protect the personal information in your care.

Worksheet 4

Our privacy contact

The phone number can be a home, business or cell number; callers should be able to leave a message if the phone is not answered.

5. Get consent

Organizations subject to PIPA need consent to collect, use and disclose personal information about clients, unless the Act says otherwise. The consent process for these organizations is explained below. The use of consent by organizations not subject to PIPA is discussed on page 10. Consent is not normally required when dealing with the personal information of employees and volunteers; this is discussed on page 11.

Organizations subject to PIPA

When obtaining consent under PIPA, you must notify your clients of the information you collect, and how you use it. You must also give your clients the name and contact information of your privacy contact person in case they have questions. This notice can be included on a membership application or registration form, or may be given orally.

Obtaining express consent is the highest standard. You may obtain express consent in writing or orally. If the information is sensitive, it is a good idea to get consent in writing or to make a note that you asked for and received oral consent. Sensitive information includes: Social Insurance Numbers, medical information, financial information, reference checks, and date of birth together with name and address.

Your organization may, at times, collect information for one purpose and want to use it for another purpose later on. If so, you must obtain consent for that other purpose. For example, a sports facility collects an individual's contact information at the time of registration; the facility might want to use that information to promote other unrelated programs. The facility will need to obtain consent for that second purpose.

If your organization wants to disclose personal information outside of the organization for an unrelated purpose, the organization will need consent to do so.

You can often obtain consent for all these different purposes at the same time – when you initially collect the information.

In some situations, it is obvious what information is being collected and why. For example, if a client hands you a credit card to pay for her sports facility membership fee, you do not need to tell her that you are collecting her credit card information to process the payment! In this situation, there is implied consent to use the credit card information for that purpose. When can you rely on implied consent?

You may use implied consent if:

• a client voluntarily gives you information, and
• the reason you need the information is obvious, and
• it is reasonable in that situation to volunteer the information

You need to obtain consent for each purpose. Obtaining consent to use personal information for enrolment does not allow you to use the same information for marketing purposes later on – even if it is the same information.

Organizations subject to PIPA

Organizations that are not subject to PIPA do not have to follow the consent rules in PIPA when collecting personal information. It may not be practical for these organizations to follow the same consent process as organizations subject to PIPA. As a best practice, organizations not subject to PIPA may want to provide an explanation or notice to clients of how the organization normally uses and discloses the personal information it collects.

An organization considering implementing a consent process should obtain legal advice before doing so. Your organization might need to use or disclose personal information for unexpected purposes, or purposes unrelated to the normal operations of your organization, that were not listed on your consent form or notice.

Organizations subject to PIPA have the benefit of the provisions in PIPA for circumstances where it would be unreasonable or impractical to obtain consent (e.g. when collecting a debt, disclosing information to a government department, notifying others in an emergency, or carrying out an investigation). Organizations not subject to PIPA cannot rely on these provisions; for this reason, there may be situations where obtaining consent would be problematic.

At the same time, there may be situations where it could be appropriate to obtain consent, particularly when the disclosure of personal information is for a discretionary purpose, that is, not necessary for the program or service for which the information was collected. For example, an organization may wish to disclose the mailing addresses of its team members to a sports retailer that wants to provide a discount coupon to team members in exchange for receiving the mailing addresses for marketing purposes. Because this disclosure is optional, the team organization may wish to obtain written consent to disclose the addresses to the retailer.

Your legal advisor can assist you in determining when your organization should consider obtaining consent and what needs to be included in a consent form.

Worksheet 5A

Forms your organization uses to collect personal information

Notice of the purposes for which an organization collects personal information, and a consent statement, if needed, can be included in the forms the organization uses to collect personal information.

List the forms your organization uses to collect personal information.

Worksheet 5B

Sample notice and consent statements

[Add the information for your privacy contact person and obtain a signature]

For further information, contact __________________________ [Privacy contact person]

I consent to the collection of my/my child's personal information for the purposes stated above.

Signature

Name (print)

Date ___________________________________

A child under the age of 18 can provide consent if he or she understands the nature and consequences of giving consent; otherwise a parent or guardian can provide consent.

Sample notice for sports registration used by a community league:

The information collected above will be used to register the participant in the organization's sports league. The information will be used by staff and the coach to assign the participant to a team, to contact parents/guardians concerning the game schedule and changes, and to contact individuals as necessary in the case of an emergency.
For further information, contact our office manager at 780‐555‐5555 or privacy@league.ca
We require the above information to ensure that our membership list is current and to send you information about our programs and services, as well as renewal notices. Membership in our local branch requires membership in the provincial chapter; we will pass on your information to the provincial chapter.

Sample notice for sports registration used by a community league:

The information collected above will be used to register the participant in the organization's sports league. The information will be used by staff and the coach to assign the participant to a team, to contact parents/guardians concerning the game schedule and changes, and to contact individuals as necessary in the case of an emergency.
For further information, contact our office manager at 780‐555‐5555 or privacy@league.ca
We require the above information to ensure that our membership list is current and to send you information about our programs and services, as well as renewal notices. Membership in our local branch requires membership in the provincial chapter; we will pass on your information to the provincial chapter.

Sample script used by staff of a community league for accepting registrations over the telephone:

The personal information that I will be asking you for will be used to register the participant in the organization's sports league. The information will be used by staff and the coach to assign the participant to a team, to contact parents/guardians concerning the game schedule and changes, and to contact individuals as necessary in the case of an emergency.
[Collect personal information]
If you need any additional information about our privacy policies, you can contact our office manager at 780‐555‐5555 or privacy@league.ca

For the convenience of parents, the organization compiles a team list that includes the parent's name, your child's name and contact information to distribute to other parents. Would you like your information to be included in the team list? Yes/No

Name of person giving consent ______________________________

Name of staff member ______________________________

Date information collected ______________________________

6. Employees and Volunteers

An organization subject to PIPA does not have to obtain consent from employees or volunteers to collect, use or disclose their personal employee information. Notice is enough if the information is related to establishing, managing, or terminating the employment or volunteer relationship. Notice should be given before the information is collected. Giving notice means telling your employees and volunteers what information you collect, use or disclose and why.

Under PIPA, your organization can collect, use or disclose that information without consent, with two conditions:

• the purpose is related to the employees' or volunteers' work (consent is required for other purposes); and
• you tell (provide notice to) your employees or volunteers about the collection, use or disclosure, along with the purposes.

If the information is not reasonably required for employment or volunteer work purposes, the organization must follow the rules in PIPA regarding consent.

An example of an employee notice is provided in the sample privacy policy at the end of the workbook.

An organization that is not subject to PIPA may decide, as a best practice, to give notice of its purposes for collecting, using or disclosing the personal information of employees and volunteers when the organization needs to collect, use or disclose that information (i.e. it is not optional). For example, an organization must report certain information of employees to the Canada Revenue Agency, or to the organization's insurance benefit provider. In these circumstances, the notice would inform the employee or volunteer why the personal information was being disclosed and to whom.

In other circumstances, an organization may decide to allow employees and volunteers to choose whether their personal information is collected, used or disclosed for a particular purpose. For example, the organization may give employees a choice about whether to be added to another organization's mailing list or whether to have their photographs posted on the organization's website.

Worksheet 6

Purposes for collecting personal employee information

7. Safeguard personal information

Organizations subject to PIPA must protect the personal information the organization has about clients and staff by using reasonable safeguards. Organizations not subject to PIPA should also, as a best practice, protect the personal information of their clients and staff.

In determining what safeguards are reasonable for your organization, you will want to consider how sensitive the information is. All personal information should be protected from loss, theft, and inappropriate use or disclosure, but information like credit card numbers, Social Insurance Numbers, Alberta health care numbers, driver's licence numbers and birth dates can be used to cause harm if they are lost or stolen.

Common-sense security practices

• File cabinets should be locked when unattended. Computers should have password protection to limit access to files containing information about staff and clients. More sensitive information will require additional safeguards.
• Limit access to personal information. Only those staff who need access to the information should have a key to the file cabinet or know computer passwords.
• The best safeguard is to not collect or keep more information than you need. For example, if you need to verify a child's age for a program, consider making a note on the registration form stating that the age was verified by viewing a birth certificate (or relevant document) instead of keeping a copy of the certificate on file.

Many of the security tips in the next worksheet will also ensure the security of your organization's business assets and records (e.g. computers and financial accounts).

Worksheet 7

Security Practices

 We keep records in paper files Locked file cabinets and desk drawers protect information in paper files. Keys are only provided to staff who need access to the files to perform their work. Paper files are cross‐cut shredded (or otherwise destroyed) before being disposed of.

The Edmonton Police Service found thousands of credit and debit card receipts from one retail store in the possession of known criminals. The store had failed to shred or otherwise destroy the receipts before throwing them into the back‐alley dumpster. Since the store's point of sale equipment did not truncate – or black out – some of the credit and debit card numbers, the thieves were able to use some of the information to commit fraud (IPC Investigation Report 2006‐IR‐003).

 Computers are password‐protected. Staff must log in to access personal information. Personal information is accessible only to those who need it. Computers are physically secured (e.g. secured to a desk by a cable lock) and doors are locked. Networks have adequate encryption according to current encryption standards (this will protect personal information, along with any other confidential information of your organization).

 We send or receive personal information via fax or email Cover sheets are used to instruct a recipient to contact the organization if a fax is received in error. Frequently used numbers are programmed into the fax machine to avoid dialling errors. We call in advance of sending a fax containing sensitive information to ensure the intended recipient knows it is coming, and then to confirm the fax was received. We only use secure email to send or receive personal information, especially when the information is sensitive.

 We store personal information on portable media devices (e.g. laptops or flash drives) Personal information is stored on portable devices like laptops, flash drives and CDs or DVDs only when necessary; only as much personal information is stored as is necessary for the task. Portable media devices are password‐protected and encrypted according to current encryption standards. Portable media devices are not left unattended and are securely locked away when not in use.

 Our volunteers/employees sometimes take files containing personal information home to work on Our policy is to only take home records if necessary and with approval. Staff must make sure the records are kept locked up and are not accessible to other household members.

 Our staff members are aware of their obligation to protect privacy Our board members, employees and volunteers receive information about their obligation to protect personal information. Our board members, employees and volunteers know who our privacy contact is.

 We accept credit or debit cards for payment Point of sale machines truncate, or black out, part of the credit or debit card numbers on the receipt. Our copies of credit and debit card receipts are shredded (or otherwise destroyed) when they are no longer needed.

 We post membership, team lists, team schedules, etc. on our website Consent is obtained to post names, photographs, and other personal information on our website.

One option is to set up a separate password‐protected web page for each team, with only coaches and team members having the password.

Safeguarding tips to implement

Now that you have completed the Workbook For Getting Started, let's look at Access Request.

Would you like a email of your results?

Name:

Email: