
Privacy in Organizations not Subject to Legislation

November 23, 2023 - Ron Kruzeniski, Information and Privacy Commissioner

I received a call a few days ago from someone who worked in an organization that is not subject to privacy legislation, provincially or federally. The question posed to me was: what are the organization’s privacy obligations? I first had to say, you are not subject to provincial legislation and so there are really no privacy obligations (in a legislative sense).

I should note that Saskatchewan does have a Privacy Act where one can be sued for an invasion of privacy (see section 2).

I then went on to say that privacy is given a different definition by almost every person and thus, their expectation as to what an organization should do can be varied. My best advice was that the organization’s executives get together and hammer out a privacy policy that would be good for the organization.

Does an organization have to develop such a policy? No, but if people are raising privacy questions, the organization needs to have one.

I tried to suggest things that might go into such a policy:

  • Rules relating to distribution of membership lists.
  • Rules related to posting names of the executive on the organization’s website.
  • Rules relating to providing people with email, telephone numbers and addresses.

I indicated that caution should be exercised around emails, telephone numbers and addresses, and that they should be disclosed only on a need-to-know basis and only if safe and appropriate to do so. It is quite possible someone involved in the organization is separated from a former partner who is abusive or violent. Accidentally indicating where the person lives could be dangerous for that person.

Suggesting drafting a policy is daunting and I wanted to suggest where the person might find a good sample. I could not. So, after the telephone call I was able to find a couple of samples. First, you might want to look at the Canadian Standards Association Model Code for the Protection of Personal Information. Here are some sample privacy policies listed in no preferred order:

Canadian Cancer Society – https://cancer.ca/en/privacy-policy

St. John’s Ambulance – https://www.sja.ca/en/privacy-policy

Big Brothers Big Sisters of Regina – https://bbbsregina.ca/privacy-statement/

Canadian Blood Services – https://www.blood.ca/en/mystory/privacy-policy

Remember, a sample policy might be a good start, but a policy has to be tailored to the needs and expectations of the organization. Also, once drafted, it needs to be widely accepted by executive and staff that it is a good policy and will be followed. A good privacy policy can lead towards developing a culture of privacy in the organization.
