Privacy in Organizations not Subject to Legislation
I received a call a few days ago from someone who worked in an organization that is not subject to privacy legislation provincially or federally. The question posed to me was what are the organization’s privacy obligations? I first had to say, you are not subject to provincial legislation and so there are really no privacy obligations (in a legislative sense).
I should note that Saskatchewan does have a Privacy Act where one can be sued for an invasion of privacy (see section 2).
I then went on to say that privacy is given a different definition by almost every person and thus, their expectation as to what an organization should do can be varied. My best advice was that the organization’s executives get together and hammer out a privacy policy that would be good for the organization.
Does an organization have to develop such a policy? No, but if people are raising privacy questions, the organization needs to have one.
I tried to suggest things that might go into such a policy:
- Rules relating to distribution of membership lists.
- Rules related to posting names of the executive on the organization’s website.
- Rules relating to providing people with email, telephone numbers and addresses.
I indicated caution around emails, telephone numbers and addresses should be exercised and should be disclosed only on a need-to-know basis and only if it is safe and appropriate to do so. It is quite possible someone involved in the organization is separated from a former partner who is abusive or violent. Accidently indicting where the person lives could be dangerous for that person.
Suggesting drafting a policy is daunting and I wanted to suggest where the person might find a good sample. I could not. So, after the telephone call I was able to find a couple of samples. First you might want to look at the Canadian Standards Association, model code for the Protection of Personal Information. Here are some sample privacy policies listed in no preferred order:
Canadian Cancer Society – https://cancer.ca/en/privacy-policy
St. John’s Ambulance – https://www.sja.ca/en/privacy-policy
Big Brothers Big Sisters of Regina https://bbbsregina.ca/privacy-statement/
Canadian Blood Services – https://www.blood.ca/en/mystory/privacy-policy
Remember, developing a policy is a good start, but a policy has to be tailored to the needs and expectations of the organization. Also once drafted it needs to be widely circulated and accepted by executive and staff that it is a good policy and will be followed. That policy should be posted on the organization’s website. A good privacy policy can lead towards developing a culture of privacy in the organization.