CONFIDENTIALITY

This section looks at when a volunteer must keep client information confidential and when there is a duty to disclose personal information.

 

Volunteers, whether they be members of the Board of Directors or workers in the field, are bound by confidentiality to the same extent as employees of the organization. If it is policy that employees not divulge the names of clients, for instance, then volunteers are also constrained in this regard.

The extent to which records and names are confidential usually depends on the nature of services provided. The more personal and in-depth the information is about a person, the greater the requirement for confidentiality. For example, if the XYZ Society sets up volunteers to help elderly people complete tax returns, the volunteers will be bound to keep confidential the financial information they obtained in the course of preparing the return. To the extent, however, because the information is readily available to the public at large, it is not subject to the confidentiality obligation. If the volunteer will be obtaining confidential information in the course of her duties, she should be made aware of the fact that she must keep it private. For example, she must not discuss with family or friends the details of client affairs. Failure to exercise this discretion may result in a lawsuit against the volunteer and the organization. A clause about the need for and level of confidentiality should be in a volunteer’s agreement with the organization to help prevent breaches of confidentiality.

I. DUTY OF CONFIDENTIALITY OWED TO THE ORGANIZATION

The volunteer has a duty of confidentiality to both the organization to which she donates her time, and to the individual client to whom she provides services. As indicated above, volunteers must keep confidential the information obtained as services are provided. The volunteer also owes a duty to keep information obtained in the course of her duties about the organization itself confidential. This includes client lists and financial information, but also may include client programs and participants, depending on the organization’s function.

A. Competition

If the volunteer is considered to be an agent of the organization, she is barred from using any confidential information obtained in the course of her duties with the intention of using it to engage in competition with the organization to which she had donated her time. Although at one time the duty not to use confidential information was restricted to directors of an organization, it has been expanded by the courts to include officers and employees. As a result, even if a volunteer is considered to be a gratuitous servant of an organization in the eyes of the law, she still may be held to have a duty not to compete with the organization, at least for a certain length of time after she has completed her volunteer work.

II. STATUTORY OBLIGATIONS TO DISCLOSE

Although volunteers have a duty not to disclose confidential information obtained in the course of their duties, that duty is not absolute. In certain important situations, various statutes impose a positive obligation to disclose information.

A. Criminal Code

Every person who believes, on reasonable and probable grounds, that any criminal act is being committed or may be committed, has a duty to report this knowledge. For example, a volunteer might gain knowledge that someone was about to (or had already) abandoned a child. As discussed in Chapter 5, section 218 prohibits the abandonment of a child under 10 so as to endanger the child’s life or health.

If there is a conflict for the volunteer between the duty to maintain confidentiality and the duty to report the information about the possible abandonment, the duty to report must take precedence, otherwise the life or well-being of another person may be at risk. Other sections of the Criminal Code impose similar duties to disclose information where someone’s life or health may be in danger.

B. Child, Youth and Family Enhancement Act[1]

This Act was formally known as the Child Welfare Act. It states that unless the information is legally  privileged[2], any person who has reasonable and probable grounds to believe that a child is in need of protective services must report the matter to a child protection agency immediately.

A child is in need of protection for the purposes of the Act when, among other things:

  • the child has suffered physical harm or there is substantial risk that the child will suffer physical harm whether it was inflicted by the person having charge of the child or resulted from that person’s failure to care for or protect the child;
  • the child has been sexually molested or sexually exploited or there is a substantial risk that the child will be sexually molested or exploited either by the person having charge of the child or as a result of that person’s failure to protect the child;
  • the child requires medical treatment to cure, prevent, or alleviate physical harm or suffering and the person having charge of the child does not provide or refuses or is unavailable to consent to the treatment;
  • the child has suffered emotional harm demonstrated by severe anxiety, depression, withdrawal or self-destructive behavior, or there is substantial risk that the child will suffer such emotional harm and the person having charge of the child does not provide or refuses or is unavailable to consent to treatment to alleviate the harm; or
  • the child suffers from a mental, emotional or developmental condition that if not remedied could seriously impair the child’s development and the person having charge of the child does not provide, refuses, or is unavailable to consent to the treatment.

The new Act is clear on the liability of volunteers who fail to report “on reasonable and probable grounds that a child is in need of intervention.”[3] Failure to report a violation under the Child, Youth and Family Enhancement Act is an offence and imposes a penalty of “$2000 and in default of payment to imprisonment for a term of not more than 6 months.”  Anyone, not only professionals, can be held liable for failing to do so.[4] However, this “does not apply to information that is privileged as a result of a solicitor-client relationship.”[5]

C. Protection for Persons in Care Act

If an individual or service provider “has reasonable and probable grounds to believe and believes that there is or has been abuse against a client”, this Act requires that she report this abuse to the Minister of Community Development or as specified. A client is defined as any adult who receives services from an organization. A “service provider” means one “who provides services to a client and is employed by or provides the services on behalf of an agency.” This Act may, thus, apply to volunteers just as it applies to employees. The duty to report exists even if the information is confidential and disclosure is prohibited under other legislation.

D. Freedom of Information and Protection of Privacy Act

The Freedom of Information and Protection of Privacy Act[6] only applies to information kept by public bodies or records based on information kept by certain public bodies[7], rather than any institution.  Only volunteers working for a branch of the government or related office need to follow the disclosure rules of the Act.

III. PERSONS WITH A DISABILITY

Special care should be taken whenever persons with a disability are being served. Volunteers working with persons with disabilities must be especially vigilant in keeping confidential any information about such clients. For example, if a young person with a developmental disability wants information from a counsellor about sex, this information should not be revealed to anyone else, including the young person’s parents.

IV. PRIVACY LAWS

A. What is PIPA? What is PIPEDA?

PIPA is an Alberta law, Personal Information Protection Act. PIPEDA is a Federal Law, Personal Information Protection and Electronic Documents Act. Both of these statutes set out rules for how organizations may collect, use or disclose personal information. PIPA is the applicable law except in specific circumstances as outlined below.

B. What does PIPA do?

The main goal of PIPA is to protect the personal information of customers. Throughout the Act, a standard of “reasonable” is used. While “reasonable” is hard to define, the goal is that a common sense view is taken when examining the responsibilities of your organization. PIPA has created a number of rules which apply to all organizations (See Issue 1, below for specified details on how it affects NON-Profit Organizations.) These rules are described in the next question.

C. What are these rules?

First, PIPA requires that an organization designates one or more people to act as Privacy Officers. These officers must be available to answer questions about how your organization handles personal information, and to hear complaints from the public.

Second, a fundamental requirement of PIPA is that you must obtain consent to be allowed to collect, use, or disclose personal information. Anything which can be used to identify a person is considered personal information (Name, Address, Educational Background, Social Insurance Number). Without consent you are not allowed to record any such information.

D. What Guidelines should we follow?

The PIPA guide, http://www.pipa.gov.ab.ca/index.cfm?page=resources/PIPAguide.htm recommends a set of 9 guidelines for an organization to follow in regards to personal information. They are as follows:

  1. Be accountable
  2. Get consent
  3. Follow the rules for collecting information
  4. Follow the rules for using information
  5. Follow the rules for disclosing information
  6. Follow special rules for employee information
  7. Follow special rules for business transactions
  8. Follow the rules for giving access to, and correcting personal information
  9. Follow the rules for accuracy, protection and retention of personal information

A full explanation of each of these guidelines can be found in the guide to referred to above.

E. Specific recommendations for implementing PIPA

http://www.pipa.gov.ab.ca/index.cfm?page=resources/ImplementPIPA.html provides several recommendations:

  1. Put an employee in charge as a contact for the public as well as employees to deal with arising privacy issues
  2. Prepare staff by making them familiar with the Act
  3. Review how your organizations handles personal information in order to comply with evaluate compliance with the Act
  4. Conduct a ‘privacy audit’ to test whether information handling in your organization measures up to the Act
  5. Develop privacy policies and practices to comply with the Act
  6. Adequate training for staff is pivotal to promote privacy responsibilities
  7. Develop specific practices to handles complaints and to handle requests for access to information
  8. Organizations need to create forms which provide notice of the purpose of collecting the information
  9. Organizations need to review and revise contracts in that the contracts should contain specific clauses clarifying that the organization is legally responsible for that personal information. They should also set out expectations regarding the collecting, using, and disclosing of personal information on the organization’s behalf
  10. Organizations will need to decide when it requires an employee’s consent to collect, use, or disclose personal information

Issue 1: How are Non-Profit Organizations affected?

Although all Alberta organizations are affected by PIPA, section 56 of the Act limits the scope of the Act for certain non-profit organizations. Section 56 defines a non-profit organization, as “organization registered under the Societies Act or the Agricultural Societies Act, or Part 9 of the Companies Act.”

Organizations functioning as non-profit, which do not fall under this definition, are subject to the entire Act. This includes organizations incorporated by other, including federal, statutes, under the Religious Lands Societies Act, and churches.

If an organization does fall under the section 56 definition, then PIPA will only apply to personal information of employees, volunteers, clients and donors that is collected, used or disclosed while carrying out commercial activities.

A commercial activity is defined in section 56(1) (a) of the Act and includes any transaction, act or conduct that is of a commercial character and includes such things like selling, bartering, leasing membership/donor lists, or other fundraising lists.

If a non-profit organization has both commercial activities and non-commercial activities, PIPA will only apply to the information collected for the commercial activities.

  • For example: Personal information collected as part of a membership process for XYZ Society will not be subject to PIPA because it is not considered a commercial activity. So, a roster of volunteer drivers for a children’s baseball team organized through XYZ would not be subject to PIPA. Whereas, a list of members of XYZ would be subject to the Act because it falls under the definition of commercial activity due to the requirement paying fees.

Individuals do not have a legal right of access to personal information about themselves. Non-profit organizations will have differing policies and practices around protecting and disclosing personal information. However, this is not to say that an individual may not make a request at all, and non-profit originations can continue their practices for providing information upon requests.

The Personal Information Protection and Electronic Documents Act (PIPEDA), is a federal act that applies to federally regulated businesses operating in Alberta, as well as Alberta organizations that carry out business across provincial borders. The PIPEDA will only apply to non-profit organizations which collect, use or disclose personal information across provincial or international borders.

Issue 2: Asking for a Review or Initiating a Complaint

Under section 26 of PIPA, individuals may make a written request to access personal information held by an organization. If an organization refuses access and does not provide reasons for the refusal or does not provide appropriate reasons, the individual may appeal the decision to the Commissioner. The Commissioner may review any decision, act or failure to act by the organization and make an Order.

  • For example: An individual may request YMCA to provide the personal information they have collected on that individual with regards to their membership with the organization.

Issue 3: Grounds of Redress and Liability

PIPA provides for three ways to seek satisfaction where the requirements about an individual’s private information under the statute are not met. The individual may make a complaint to the Office of the Information and Privacy Commissioner against the organization. Upon receiving the complaint, the Commissioner may hold an inquiry, the result of which would be an Order against the organization. This first avenue would be the normal route for the majority of cases.

Secondly, fines may be assessed against the organization by the courts, if the court finds the organization guilty of a section 59 offence under the Act. An offence may be found in where there has been an intentional violation of the Act. An example of a deliberate violation would be secretly selling a member’s private information for profit.

Finally, under section 60 of the Act, an organization may be sued for damages for loss or injury that was suffered as a result of the breach of the obligations set out in PIPA. This route may not be taken however, until after a Commissioner has made an Order against an organization (s. 60(1)), or a person has been convicted of an offence under the Act (s.60(2)).

Note that section 57 of PIPA will provide protection for organizations and employees/volunteers of the organization who have committed an error, but have acted in good faith under the Act.

For example: An action in damages cannot be brought if an honest mistake was made, i.e., if the information is mistakenly released to the wrong person who also requested information. However, with regards to the volunteer driver list, which is not subject to the Act, this provision would not assist such mistakes.

[1] R.S.A. 2000, c. C-12.

[3] Ibid, s. 4(1).

[4] Ibid, s. 4(6).

[5] Ibid, s. 4(3).

[6] R.S.A. 2000, c. F-25.

[7] See s. 4 for a complete list.