As privacy breaches become more common, Canada’s non-profit sector finds itself in an uncertain area when it comes to expected responses to data breaches. Most non-profits operating in Canada are not required to comply with federal or provincial privacy legislation. For example, the Personal Information Protection and Electronic Documents Act (PIPEDA) does not cover most non-profit activities unless they are of a commercial nature, and non-profits that operate in provinces without their own privacy legislation (which is most of them) all fall under this stipulation. A number of provinces have drafted their own, similar legislation, and, in most cases, non-profits are treated the same way. However, Alberta’s privacy commissioner is signaling a potential new trend in non-profit privacy legislative compliance in the country.
The province, which has legislation very similar to the federal policy, is currently pushing for non-profits to be brought under the legislation. According to the Calgary Herald, the province’s privacy commissioner is concerned about her office’s inability to act on the majority of complaints related to non-profits that it receives from the public. Importantly, this statement from March of this year was not the first time Jilly Clayton expressed her desire to see non-profits brought under the Freedom of Information and Protection of Privacy Act (FOIP Act). In a formal review of the Act from July 2013, Clayton issued an opinion that she was “concerned that the personal information of Albertans may not be protected” in cases of service delivery partnerships between non-profits and the public sector (2). She recommended that, in such partnerships, the public sector should be more responsible for handling the personal information, as non-profits are not yet subject to the Act. These issues speak to growing concerns about the amount of personal information that organizations possess, as well as how effectively it is protected. As privacy breaches become more common, people want to know that when they provide their information to an organization, it will be securely stored and responsibly managed.
This is not to say that non-profits are being irresponsible with the information they possess. Many have their own publicly available privacy policies, and groups like the Ontario Non-Profit Network help members bring their privacy and security systems up to a higher standard. In a recent survey, members of the public said they now expect more from the organizations that handle their personal information, and it is important for the country’s non-profits to be more aware of trends in compliance.
If Alberta’s pursuit of mandatory compliance becomes a trend across Canada, non-profits will be expected to improve both their response to privacy breaches and their technical capabilities.
And even if other provinces are slow to adapt their own legislation, it is important that non-profits develop proactive strategies for handling privacy breaches before personal information they possess ends up in the wrong hands.