3 Tips for Protecting Your Membership’s Private Information

By necessity, regulatory authorities have to handle sensitive personal information about their registrants on a day-to-day basis. Members’ names, contact information, education transcripts and more are all critical for regulatory authorities to effectively protect the public interest. However, protecting the public interest isn’t your only obligation; handling so much private information also means you have a duty to protect that information and to use it only as required or consented to.

Privacy Legislation in Canada

In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) governs the protection of personal information. It regulates the collection, use and disclosure of personal information by private sector organizations, including regulatory authorities. Some provinces also have privacy legislation in place that has been deemed substantially similar, such as Alberta’s PIPA (Personal Information Protection Act). In an age of identity theft and cybercrime, it’s understandable why so much legislation protects people’s personal information. It’s also incredibly important for organizations to understand their legal obligations to protect that information. That’s why we’ve prepared a new book all about Canadian privacy legislation and how it intersects with regulatory authorities across the country. Here are just a few of the highlights.

Tips on How to Protect Personal Information

1. Know what you need to protect

PIPEDA is a comprehensive piece of legislation that covers a lot of ground, and you can’t be sure you’re in full compliance with the law unless you know what’s in it. For example, organizations are responsible for the collection, use and disclosure of information, even when engaging third parties. There are also different rules governing implied versus express consent to the use of information, particularly in the case of sensitive information, which many regulatory authorities regularly work with. Furthermore, your obligations to protect information don’t end with the collection and use of it; you’re also responsible for developing a policy for its destruction. The development of these policies is likely the responsibility of a privacy officer or other individual responsible for ensuring compliance. Nevertheless, it’s always a good idea to ensure that all staff understand privacy legislation and how it intersects with their duties.

2. Err on the side of caution

Don’t take chances with personal information. If you or your staff don’t know how the law applies to a specific situation, check with your privacy officer. If they’re unavailable, always err on the side of caution. These can be murky waters to navigate, particularly if the individuals themselves are requesting their information; one of the main principles of PIPEDA is allowing people access to their own information. Staff need to be knowledgeable about who they can release information to and how to ascertain if someone has legitimate access to it. However, if you’re using information for a new purpose that you’re unsure you have consent for, or if you’re distributing information to a third party, hold off until you know with certainty that members have provided consent and that the distribution is compliant with the law. It’s not worth risking a breach.

3. Use association management software

Using an Association Management Software with access management functions can help protect your members’ information.

Association management software (AMS), particularly one designed specifically for regulatory authorities, can help ensure PIPEDA rules are always followed. Many of the principles of privacy legislation can be directly built into the functions of a good association management software. For example, the ability to restrict usage rights can add an important safeguard against unauthorized use of personal membership information. Also, an online portal protected with an email/password combination both allows members access to their information and meets the security standards for providing it. Document management can reduce dependency on paper filing and make destroying data when necessary fast and easy. What’s more, a CASL/CAN-SPAM (anti-spam) compliant licensing software would also provide convenient access to mailing preferences. This allows members to expressly consent to the various uses of the information while still receiving mandatory communications like renewal notices.

These tips are just the beginning, though. Protecting people’s personal information and their right to privacy is an absolute necessity in today’s world. However, doing so can be exceedingly complex. Understanding how privacy legislation impacts regulatory authorities is important. Educating yourself and your staff on their privacy obligations, and using an association management software built specifically for regulatory authorities, can go a long way to protecting your organization from potentially dangerous privacy breaches.