Ontario Proposing Legislation To Better Protect Children

Sophisticated Cyber attacks on BC

Microsoft to make security a top priority

Ontario introduces cybersecurity bill

Ontario IPC probes government use of non-government email accounts

Federal Privacy Commissioner launches breach reporting tool

Ontario IPC issues guidelines on third party procurement

Sask. Privacy Commissioner asks for authority to compel compliance


Privacy in Organizations not Subject to Legislation

November 23, 2023 - Ron Kruzeniski, Information and Privacy Commissioner

I received a call a few days ago from someone who worked in an organization that is not subject to privacy legislation provincial or federally. The question posed to me was what are the organization’s privacy obligations? I first had to say, you are not subject to provincial legislation and so there are really no privacy obligations (in a legislative sense).

I should note that Saskatchewan does have a Privacy Act where one can be sued for an invasion of privacy (see section 2).

I then went on to say that privacy is given a different definition by almost every person and thus, their expectation as to what an organization should do can be varied. My best advice was that the organization’s executives get together and hammer out a privacy policy that would be good for the organization.

Does an organization have to develop such a policy? No, but if people are raising privacy questions, the organization needs to have one.

I tried to suggest things that might go into such a policy:

  • Rules relating to distribution of membership lists.
  • Rules related to posting names of the executive on the organization’s website.
  • Rules relating to providing people with email, telephone numbers and addresses.

I indicated caution around emails, telephone numbers and addresses should be exercised and should be disclosed only on a need-to-know basis and only if safe and appropriate to do so. It is quite possible someone involved in the organization is separated from a former partner who is abusive or violent. Accidently indicting where the person lives could be dangerous for that person.

Suggesting drafting a policy is daunting and I wanted to suggest where the person might find a good sample. I could not. So, after the telephone call I was able to find a couple of samples. First you might want to look at the Canadian Standards Association, model code for the Protection of Personal Information. Here are some sample privacy policies listed in no preferred order:

Canadian Cancer Society – https://cancer.ca/en/privacy-policy

St. John’s Ambulance – https://www.sja.ca/en/privacy-policy

Big Brothers Big Sisters of Regina https://bbbsregina.ca/privacy-statement/

Canadian Blood Services – https://www.blood.ca/en/mystory/privacy-policy

Remember, a sample policy might be a good start, but a policy has to be tailored to the needs and expectations of the organization. Also once drafted it needs to be widely accepted by executive and staff that it is a good policy and will be followed. A good privacy policy can lead towards developing a culture of privacy in the organization.

Categories: BlogTags: , ,

Back to Blog