Canadian Baptist of Western Canada

Impact of Privacy Legislation on Churches

All churches and non-profit organizations should have a privacy policy as a matter of Best Practice. In British Columbia, it is the law. In all other western provinces and territories, privacy laws do not apply to churches — unless they engage in commercial activities.

Protecting privacy makes sense in any organization that relies on confidentiality and trust in its relationships. The CBWC encourages all churches to adhere to the principles and practices set out in federal and provincial privacy legislation.

Background

In 2004, the federal government introduced privacy legislation to address the issues around the
collection, use and storage of personal information for commercial purposes. This law is known as the
Personal Information Protection and Electronic Documents Act (PIPEDA). British Columbia and Alberta
enacted their own legislation, both called the Personal Information Protection Act (PIPA), the same year.
(BC and Alberta also enacted other legislation that applies only to public agencies but has no bearing
on churches.)

These laws respond to growing public concern about how private information is gathered, held
and used, concerns that have been heightened because of the new capabilities to gather and share
information using electronic technologies such as the internet, servers and computers. The legislation
protects individuals’ personal information from unauthorized access and use while enhancing
individuals’ rights to gain access to information about themselves.

Since the enactment of federal and provincial legislation, most churches have complied. However, there
has been much confusion and misinformation. Must churches follow the same rules as businesses? Can
we hold information on a server outside of Canada? Are we allowed to have a church directory? Does
national security legislation trump privacy? What information can we collect? What information can we
share, and with whom?

This document attempts to clarify what churches can do to protect the privacy of their congregants.

Disclaimer: The following document is a brief summary of legal opinion for the purpose of providing
background information. Readers are advised that they are responsible to determine for themselves the
requirements and implications of any and all federal, provincial or territorial legislation. This document is
not intended as a substitute for legal advice.

Why Do Churches and Non-Profits Need to be Concerned About Privacy?

  • As Christians, we esteem and value each individual. One way to express this is by honouring each individual’s desire to control their own personal information.
  • Congregants expect churches to be safe, secure places where personal information is used only as intended.
  • Protecting privacy is a simple, common courtesy.
  • Relationships in churches are complex and change over time, so confidentiality must be respected in ways that are appropriate to the information.
  • The capacity of new technologies to share information globally with the click of a button means extra diligence is necessary to protect privacy.
  • Everyone has the right to have their personal information protected, to have access to that information and to know and control how it is used.
  • In British Columbia, it is the law.

What Does Personal Information Include?

Personal information includes both facts and subjective information about an individual:

  • name, gender, race, ethnic origin, marital status, educational level
  • religion
  • political affiliations or beliefs
  • personal e-mail address and messages, IP (Internet protocol) address
  • age, height, weight, medical records, blood type, DNA code, fingerprints, voiceprint
  • income, purchases, spending habits, banking information, credit/debit card data, loan or credit reports, tax returns
  • Social Insurance Number (SIN) or other identification numbers
  • photographs and videos that identify the person
  • opinions about a person (such as those held in a counselling session)

Personal information does not include: (partial list)

  • Work emails, address or phone number
  • Correspondence, information and documents related to work
  • Information that can be found through public sources, like a phone book or website
  • Information voluntarily disclosed, such as in a public interview
  • There are exemptions for information collected for literary, journalistic and artistic purposes, as well as genealogical research.

Issues Covered by Privacy Legislation

Federal and provincial protection of privacy laws all share the same purpose: to govern the collection,
use and disclosure of personal information by the private sector, balancing the right of an individual to
have personal information protected with the needs of certain organizations to collect, use and disclose
that information.

Federal and provincial laws are founded on the same basic privacy principles relevant to all churches,
whether or not the actual legislation applies to them. They include:

  • Organizations are accountable to protect personal information under their control.
  • The purposes for which the personal information is being collected must be identified during or prior to its collection.
  • Personal information may only be collected, used or disclosed by an organization with the knowledge and consent of the individual (with limited exceptions as specified in the legislation).
  • The collection of personal information is limited to what is necessary for the identified purposes and will be collected by fair and lawful means.
  • Personal information must only be used and disclosed for the purposes for which it was collected, except with consent or as required by law. It can be retained only as long as it is necessary to fulfill those purposes.
  • Personal information must be as accurate, complete and up-to-date as is necessary.
  • Personal information must be protected by adequate safeguards appropriate to the information.
  • Information about an organization’s privacy policies and practices must be readily available to individuals upon request.
  • An individual has the right of access to personal information about himself or herself and has the right to seek correction. Both these rights are subject to some exceptions as specified in each statute.
  • Organizations must provide the means for an individual to challenge an organization’s compliance with the above principles.

All churches should strive to meet or exceed public standards in these areas as a matter of Best Practice.

Federal Legislation

There are 2 federal privacy laws in Canada:

  • Personal Information Protection and Electronic Documents Act
  • Privacy Act

Both are overseen by the Privacy Commissioner of Canada. www.priv.gc.ca

Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA is federal legislation that came into partial effect in 2001 and was expanded in 2002 and 2004. It
determines how private sector organizations may collect, use and disclose information for commercial
activities and gives individuals the right to access and correct information held about them.

This legislation can be thought of as default legislation since it applies everywhere in Canada – unless
a province or territory enacts its own ‘substantially similar’ or stronger legislation. In Western Canada,
British Columbia and Alberta have enacted their own legislation. In these 2 cases, provincial legislation
applies to provincially regulated organizations, including churches. Manitoba, Saskatchewan and the
territories do not have their own privacy legislation, so they use PIPEDA.

PIPEDA applies to the personal information collected, used or disclosed by organizations engaged
in commercial activities and to agencies under government jurisdiction. If there is no commercial
activity, PIPEDA does not apply. This means PIPEDA does not specifically apply to churches or non-
profits, unless they are engaged in commercial activities. (Tithing and donations are not considered to
be commercial activities. Selling a membership list would be considered to be a commercial activity.
Running a daycare for fees, or a school would be considered commercial activity.) However, it is
good for churches to be aware of the principles and provisions in the Act so that Best Practices can be
followed.

For more information on PIPEDA, go to: http://www.priv.gc.ca/information/02_05_d_08_e.cfm

Privacy Act

The Privacy Act took effect on July 1, 1983. This Act deals with privacy rights relating to
federal government departments and agencies, limiting the collection, use and access to personal
information. Individuals have the right to access and correct personal information held by these
federal organizations.

Churches are not considered federal government organizations – so the provisions do not apply.

For more information on the Privacy Act, go to: http://www.priv.gc.ca/legislation/02_07_01_01_e.cfm

Provincial and Territorial Legislation

Alberta

Alberta’s privacy legislation is overseen by the office of the Information and Privacy Commissioner of
Alberta www.oipc.ab.ca

Personal Information Protection Act (PIPA)

Most non-profits and churches are not required to comply with PIPA in Alberta unless engaged in
commercial activities; however, churches may choose to comply with PIPA in an effort to adhere to Best
Practices. PIPA does not apply to churches if all of the following 4 conditions are met:

    • The church is incorporated under Alberta’s Societies Act
    • The church does not operate:
      • Private schools
      • Early childhood services (as defined by the School Act)
      • Colleges (as defined by the Post-Secondary Learning Act)
    • The church does not barter, sell or lease membership or client lists
    • The church does not engage in any commercial activity.

Under Alberta’s PIPA, fundraising, tithes and donations, sending out newsletters or creating member
directories are not considered commercial activities.

Despite PIPA, Alberta organizations that engage in commercial trans-border flows of information must
follow PIPEDA regulations concerning this.

The website servicealberta.ca/pipa/ provides free copies of the Act, a workbook for non-profits,
and documents like 10 Steps to Implement PIPA.

Freedom of Information and Protection of Privacy Act (FOIP Act)

The FOIP Act applies to public agencies in Alberta, like government agencies and commissions, boards,
universities and colleges. It does not apply to churches, private businesses or non-profits.

www.servicealberta.ca/foip/

British Columbia

BC’s privacy legislation is overseen by the Office of the Information and Privacy Commissioner for British Columbia www.oipc.bc.ca

Personal Information Protection Act (PIPA)

PIPA applies to all organizations in BC including churches, non-profits and corporations. It governs how
these organizations may collect, use and disclose personal information about individuals. BC’s PIPA is
very similar to Alberta’s PIPA but is considered more strict. Where the Alberta PIPA does not include
churches and non-profits unless they are engaged in commercial activities, BC’s PIPA legislation does
include churches and makes no distinction between commercial and non-commercial activities. PIPA
requires all organizations, including churches to:

  • Get consent for collecting, using and disclosing personal information. Consent must be in a form appropriate to the sensitivity of the information. There are exemptions to consent, such as emergencies, criminal investigations and information required for employment.
  • Collect information only for reasonable purposes
  • Use and disclose personal information only for the purposes for which consent was given
  • Provide individuals with information about the existence, use and disclosure of their personal info and provide access to that information.
  • Ensure that personal information obtained and held is as accurate and complete as necessary for the purpose you use it for.
  • Ensure the security of information and keep it only as long as reasonable for business or legal reasons.
  • Designate a privacy officer to ensure your organization complies with PIPA regulations.
  • Develop policies and procedures necessary for your organization to meet its PIPA obligations.
  • Develop a complaint process respecting the application of PIPA, and make these available to individuals upon request.
  • Make attempts to resolve complaints quickly and in good faith.

Despite PIPA, BC organizations that engage in commercial trans-border flows of information must follow PIPEDA regulations concerning this.

Read the law at: http://www.bclaws.ca/EPLibraries/bclaws_new/document/ID/freeside/00_03063_01

Freedom of Information and Protection of Privacy Act (FOIPPA)

FOIPPA is British Columbia’s privacy legislation for public organizations such as government agencies,
court records, colleges and universities established by provincial charter. It does not apply to churches.

The purpose of FOIPPA is to make public bodies more accountable for the information they keep and to
ensure members of the public have the right to information about themselves.

One aspect of FOIPPA that confuses churches is that it prohibits public agencies (but not churches) from
holding electronic information on servers or archives in another country such as the United States. This
does not apply to churches, but does apply to colleges such as Carey Theological College.

Personal information that is subject to FOIPPA is excluded from B.C. PIPA legislation.

Read the law here.

Manitoba, Saskatchewan, all Territories

Manitoba, Saskatchewan, Nunavut, Yukon and the Northwest Territories have no privacy legislation
of their own, so the principles of federal legislation, PIPEDA, apply. This means churches are not
technically subject to the legislation because of PIPEDA’s focus on commercial activities. Churches
should implement privacy policies as a Best Practice.

For a detailed comparison of PIPEDA, Alberta’s PIPA and BC’s PIPA – without legal commentary or
interpretation – go to http://servicealberta.ca/pipa/documents/PIPAcompared.pdf .