Privacy in Organizations not Subject to Legislation
I received a call a few days ago from someone who worked in an organization that is not subject to privacy legislation, provincially or federally. The question posed to me was: what are the organization’s privacy obligations? I first had to say, you are not subject to provincial legislation and so there are really no privacy obligations (in a legislative sense).
I should note that Saskatchewan does have a Privacy Act where one can be sued for an invasion of privacy (see section 2).
Does an organization have to develop such a policy? No, but if people are raising privacy questions, the organization needs to have one.
I tried to suggest things that might go into such a policy:
- Rules relating to distribution of membership lists.
- Rules related to posting names of the executive on the organization’s website.
- Rules relating to providing people with email, telephone numbers and addresses.
I indicated that caution should be exercised around emails, telephone numbers and addresses, and that they should be disclosed only on a need-to-know basis and only if safe and appropriate to do so. It is quite possible someone involved in the organization is separated from a former partner who is abusive or violent. Accidentally indicating where the person lives could be dangerous for that person.
Suggesting drafting a policy is daunting, and I wanted to suggest where the person might find a good sample. I could not. So, after the telephone call, I was able to find a couple of samples. First, you might want to look at the Canadian Standards Association Model Code for the Protection of Personal Information. Here are some sample privacy policies, listed in no preferred order:
Canadian Cancer Society – https://cancer.ca/en/privacy-policy
St. John’s Ambulance – https://www.sja.ca/en/privacy-policy
Big Brothers Big Sisters of Regina – https://bbbsregina.ca/privacy-statement/
Canadian Blood Services – https://www.blood.ca/en/mystory/privacy-policy