Wednesday, December 14, 2005

Churches and the federal privacy law

Focus on the Family is running the following article in their "Today's Family News":

Churches fear breaching privacy laws

December 14, 2005

Recent privacy legislation is causing some churches to fear they could be breaking the law simply by circulating the addresses of members, praying aloud for people by name, and – at least in Ontario – making hospital visits, the Ottawa Citizen reported.

At the heart of their concern, which some think is exaggerated, is the Personal Information Protection and Electronic Documents Act, which Parliament passed in January 2004. It primarily affects businesses and would only apply to churches that sold their parish or membership lists or charged for their services.

Even so, it has prompted some pastors to question whether even making public the names and addresses of the people in their congregations might be deemed illegal under the Act.

One church in Halifax, for example, removed a “prayer board” in its foyer listing the names of people in hospital. Others have adopted privacy policies and some have even appointed privacy officers to oversee the correct handling of information.

For clergy in Ontario, the province’s year-old Personal Health Information Protection Act has made it more difficult from them to visit hospital patients, even if they belong to the same denomination.

Patients when being admitted have the option of indicating their faith background, which James Christie, dean of the faculty of theology at the University of Winnipeg, says clergy have assumed indicated they would welcome “some sort of pastoral presence.” But now, as he told the Citizen, “that graciousness is gone.”

But London, Ontario, lawyer Janet Allinson, a specialist in privacy law, believes many churches “are misunderstanding the legislation altogether. I get quite a few calls from people very concerned, they are so afraid of the Privacy Act.”

"I think it's important that they don't lose the spirit and treat it like a business" added Allinson.

The impact of the federal private sector privacy law has been very misunderstood by churches and other non-profits.

The Personal Information Protection and Electronic Documents Act, or PIPEDA as it is commonly known, applies to the collection, use and disclosure of personal information in the course of commercial activities, except in those provinces that have enacted substantially similar legislation. Ontario has not enacted legislation that is substantially similar to PIPEDA (other than the Personal Health Information Protection Act which may hinder the abilities of health information custodians to share information with visiting clergy, but does not regulate churches directly). In short, PIPEDA applies to personal information that is handled in connection with commercial activities, other than in Alberta, BC and Quebec.

The reason for the commercial activity connection is that the Federal Government is relying upon its constitutional jurisdiction over general trade and commerce in Canada to implement PIPEDA. It can use this power to regulate commerce generally, but is not able to regulate the non-profit sector using this power except to the extent that the non-profit organization actually is engaged in commercial activity. There are some activities that a non-profit can engage in that are deemed commercial activities and some activities can be sufficiently commercial to invoke PIPEDA. The deemed activities are generally limited to certain kinds of dealing with membership and donor lists. If a church exchanges, sells, trades or leases its membership list, that is a deemed commercial activity and PIPEDA applies (including requiring consent for the transfer). The key is an exchange of value. If a list is freely given with no expectation of any value in return, there is no commercial activity and PIPEDA is not triggered. Also, if a church veers away from its core not-for-profit objectives, it can be seen to be engaged in commercial activity. Charging admission to a benefit concert for the church is not commercial activity. Operating a business within the church may be commercial. Church fund-raising is not a commercial activity, nor is praying out loud or listing members in a directory.

This does not mean that a church or a non-profit shoudn't follow fair information practices. This is not because it is required by PIPEDA or any other law, but rather because it is just the right thing to do. Churches are entrusted with sensitive personal information. Having a privacy policy that is reasonable and consistently followed sends a positive message to the members of the congregation who are more privacy aware.

No comments: