Personal Information Protection Act PIPA Information Sheet 8 · Personal Information Protection Act...

Collection, Use and Disclosure of Personal Information for Archival and Research Purposes

Personal Information Protection Act PIPA Information Sheet 8

Introduction Alberta’s Personal Information Protection Act (PIPA), which came into force on

January 1, 2004, governs the collection, use and disclosure of personal information in the private sector. The Act applies to organizations, including corporations, unincorporated associations, partnerships and individuals acting in a commercial capacity. The purpose of the Act is to balance the individual’s right to privacy and the interests of organizations in collecting, using and disclosing personal information for purposes that are reasonable. The focus of this publication is the balance between the protection of personal information and the interest in preserving personal information that has been collected or created by organizations, and making it available for archival purposes and research.

Archival institutions in Alberta acquire, preserve and provide access to information in their holdings for the purposes of documentary and historical research. They are important centres of research and heritage within the province and an essential resource for understanding local, provincial and national history. As part of their mandates, archival institutions acquire and make available to the public a significant amount of personal information of individuals.

Most archival institutions are operated by public bodies subject to the FOIP Act, but some are organizations, or affiliated with organizations, that are subject to PIPA. If an archival institution is subject to PIPA, the Act applies to its collection, use and disclosure of personal information, including the information in its holdings. It is important to note that privacy legislation is concerned with the actions of each party to a transaction, that is, the disclosure of personal information by one party and the collection of that information by the other party. Even if PIPA does not apply to the archival institution itself, PIPA may apply to prospective donors and to some researchers who use the collections. For this reason, all archival institutions in Alberta should make an effort to understand the way the legislation applies not only to its own activities but also to the activities of its donors, service providers and clients.

This Information Sheet will discuss

key definitions relating to archives (p. 2), organizations, personal information and activities to which PIPA does not

apply (including non-profit organizations and personal information that was unrestricted before PIPA came into force) (p. 3),

how PIPA applies to an archival institution that is subject to PIPA, as well as best practices for these institutions (p. 5),

how PIPA applies to an organization that is subject to PIPA with respect to the collection, use and disclosure of personal information for archival

Information Sheet 8: August 2006 Archival and Research Purposes Alberta Government Services

1


2

purposes and research, as well as best practices for these organizations (p. 8),

how PIPA applies to researchers, depending on whether they are organizations or individuals (p. 10), and

research agreements (p. 12).

This Information Sheet will not consider the legislation that governs public-sector archival institutions or the legislation that governs the transfer of personal information across Alberta’s boundaries. Since the focus of this publication is the collection, use and disclosure of personal information for archival and research purposes, other aspects of the Act are considered only briefly.

Key Definitions Archival institution means an institution

to which archival records are transferred for permanent preservation, and that provides public access to its archival collection (PIPA Regulation,

section 11(a)).

The definition of archival institution includes

an organization subject to PIPA, such as the Glenbow Archives or the Legal Archives Society of Alberta,

a public body that is subject to Alberta’s Freedom of Information and Protection of Privacy Act, such as the Provincial Archives of Alberta,

a public body or government institution that is subject to other Canadian access to information and privacy legislation, such as Library and Archives Canada.

An archival institution may also be part of, or affiliated with, a public body or an organization, if the institution

falls within the definition given above, and has custody of the archival records and exercises control of the records

independent of the parent body.

An archival institution provides public access if the institution is open to the public for a period of time each week that is sufficient to allow the public to exercise the right of access. The archival institution is considered to provide public access even if it charges a fee for use of its collection or requires membership, provided that the fee is reasonable and membership is open to any member of the public.

A public body or an organization whose archival collection is not accessible to the public is not an archival institution for the purposes of PIPA. The archives of private-sector businesses may fall into this category. These archives cannot rely on the special provisions for the collection, use and disclosure of personal information by an archival institution under PIPA. They must follow the rules that apply to organizations in general.

Archival records means records of historic or archival importance (PIPA Regulation, section 11(b)).


3

Record means a record of information in any form or in any medium, but does not include a computer program or other mechanism that can produce a record (PIPA, section 1(m)).

For archival purposes means for the purposes of preserving archival records, and making those records accessible in an archival institution to the public (PIPA Regulation, section 11(c)). Examples of activities that archival institutions perform to achieve these purposes include appraisal, acquisition, conservation, arrangement, and description of records.

Personal information means information about an identifiable individual (PIPA, section 1(k)). This definition includes

information that can identify an individual, such as a social insurance number or other identifying number, and

information about an individual, such as race, religion, medical history, family history, or an opinion about the individual.

Examples of personal information in archives include

personal letters and diaries, including the opinions of the writer and opinions about individuals mentioned in the documents,

photographs of individuals in records of historical events, audio recordings of information about interviewees and their social circles in

oral histories, and records concerning a community’s response to a natural disaster.

Collection, use and disclosure of personal information to which PIPA does not apply

► Non-profit organizations

PIPA has special provisions for non-profit organizations. PIPA defines non-profit organization for the purposes of the Act as an organization that is incorporated under the Societies Act, or the Agriculture Societies Act or registered under Part 9 of the Companies Act (section 56(1)(b)).

PIPA applies only to personal information that is collected, used or disclosed by a non-profit organization in connection with a commercial activity carried out by the non-profit organization. For the purposes of the Act, commercial activity means any transaction, act or conduct, or any regular course of conduct, that is of a commercial character (section 56(1)(a)). This includes the selling, bartering or leasing of membership lists or of donor or other fund-raising lists. The Act expressly states that commercial activity includes the operation of a private school or a private college.

Most archival institutions in the private sector are non-profit organizations for the purposes of PIPA. This means that PIPA applies only to personal information that these organizations collect, use or disclose in the course of a commercial activity. The definition of commercial activity is discussed in PIPA Information Sheet 1: Non-Profit Organizations.

Examples of activities carried out by an archival institution that likely would not be considered commercial activities include:


4

providing services to researchers subject to payment of a membership fee, providing copying services on a cost-recovery basis, using its donor list for a fund-raising campaign, and managing employees of the archival institution.

Examples of activities carried out by an archival institution that are likely to be considered commercial activity for the purposes of PIPA include:

selling a list of individuals who have donated money to the archival institution,

providing environmentally controlled storage facilities under contract for an organization’s historical records, and

processing an individual’s private family history collection, for a service fee.

An archival institution that is a non-profit organization can collect personal information from an organization subject to PIPA only if the other organization is authorized to disclose the personal information to the archival institution. An organization planning to transfer its records to an archival institution is likely to rely on the archival institution to bring to its attention matters affecting the disposition of the organization’s records, including the application of PIPA. Archival institutions should understand the obligations of both parties.

► Archival records transferred or unrestricted before January 1, 2004 (s. 4(3)(j))

PIPA does not apply to personal information in a record transferred to an archival institution before PIPA came into force on January 1, 2004, where access to the record was

unrestricted, or governed by an agreement between the archival institution and the donor of

the record.

If the archival institution did not provide unrestricted access to the records or there was no agreement governing access to the records, the Act applies.

For example, a coal company began transferring its archival records to an organization that is an archival institution under an agreement signed in 1996. The agreement established restrictions on access to certain personal information in the records. Since the parties entered into the agreement before January 1, 2004, PIPA does not apply to the records.

As of January 1, 2004, an archival institution may not enter into an agreement respecting personal information with a prospective donor that is contrary to PIPA (section 4(7)). An archival institution that has an agreement with an organization for the ongoing transfer of records which dates from before January 1, 2004 should revisit the agreement to bring it into compliance with PIPA.


5

► Personal information about an individual who has been dead at least 20 years or in a record that is at least 100 years old (s. 4(3)(h), (j))

It is generally recognized that the sensitivity of personal information about a deceased individual diminishes over time. PIPA does not apply to personal information of an individual who has been dead for at least 20 years or to personal information in a record that is at least 100 years old. An organization can collect, use or disclose personal information in these categories without consent. The organization must ensure that the applicable time period has elapsed, and that the Act therefore no longer applies.

How PIPA applies to an archival institution that is an organization subject to PIPA

In this section we discuss how PIPA applies

to an organization, or part of an organization, that meets the definition of an archival institution,

with respect to personal information that is subject to the Act (i.e. that is not excluded under section 4 or under the special provisions for non-profit organizations in section 56).

The guiding principle in PIPA is that an organization must normally obtain consent for the collection, use or disclosure of personal information from the individual the information is about, unless an exception applies. It is important to note that a donor or the author of a record cannot give consent on behalf of the subject of the record.

The exception to consent that is most important to archival institutions is that the Act permits collection, use and disclosure without consent if

the organization that collects, uses or discloses the information is an archival institution, and

the collection, use or disclosure is reasonable for archival purposes or research (sections 14(j), 17(k), 20(p)).

Reasonable means what a reasonable person would consider appropriate in the circumstances (section 2).

Part 4 of the PIPA Regulation explains in more detail what is permitted.

► Collection and use for archival purposes

An archival institution may collect and use personal information without consent for archival purposes, as defined in the Regulation. Archival purposes include the appraisal, acquisition, conservation, arrangement, and description of records.

If an archival institution enters into an agreement with a service provider (e.g. an archivist or another archival institution) for services relating to its archival purposes (e.g. to develop a catalogue, to provide conservation services), this would be considered a use for the purposes of PIPA and would be permitted under the Act.


6

► Disclosure for research purposes and research agreements

An archival institution may disclose personal information without consent for research purposes under specified conditions:

the disclosure of individually identifiable information is necessary for the research purpose (this may be the case if the research purpose is to produce a biography of a prominent individual),

the disclosure is not harmful to the individual concerned (this may be the case if the personal information is not sensitive and is close to an age at which it could be made public without restriction),

the research purpose is not contrary to the purposes and intent of PIPA (the Act aims to balance the individual’s right to have his or her personal information protected with the legitimate needs of organizations).

If all of these conditions are satisfied, the archival institution must then decide whether it is necessary to enter into a research agreement.

The archival institution does not need to enter into an agreement if the disclosure is reasonable and appropriate at the time, taking into consideration all the relevant circumstances. Circumstances that may be relevant include:

whether the information was originally supplied in confidence, whether the information is likely to be inaccurate or unreliable, whether disclosure of the information would be likely to damage an

individual’s reputation, whether obtaining the individual’s consent to the disclosure would be

unreasonably difficult, and whether disclosure of the information at the time is in the public interest.

If disclosure of the personal information meets all the conditions for disclosure for a research purpose, but disclosure without a research agreement is not appropriate, the archival institution may disclose the information under a research agreement. The requirements of a research agreement are set out at the end of this document. The research agreement must be signed before access is given.

The research agreement option is most applicable to research projects where the researcher may need to access identifiable personal information, but does not need to identify individuals in the publication, report, or records produced by the project.

► Examples of cases where disclosure under a research agreement may be appropriate:

An archival institution holds audio tapes of oral history interviews with indigenous people. The tapes contain individually identifying information about the interviewee and family members discussed in the interview. A researcher requests access to the tapes for a research project concerning wedding ceremonies and funeral rites among indigenous peoples. The archival institution finds that the research could not be completed without access to the complete taped record of the oral interviews, that


7

disclosure to the researcher would not be harmful to the individuals concerned and would not be contrary to the purposes of the Act. However, the archival institution decides that disclosure to a wider public would not be appropriate at the time and enters into an agreement stating that the researcher may not identify the individuals in the published research.

An archival institution holds congregation lists and files of active church members who refused to follow the tradition of tithing a percentage of income to the church. A sociologist requires access to the files of the congregations in the region to compile the numbers of individuals who rejected the tradition. Although the sociologist seeks only to record (anonymously) the number of congregation members who refused to tithe monies to the church, the researcher requires access to all the records in the holdings to complete the research. Disclosure to the researcher is permitted, subject to an agreement that the researcher must not disclose individually identifying personal information.

These conditions require the archival institution to make a determination on each point of the “test.” The decision-making process under PIPA is similar to the process that many archival institutions used in the past to establish access restrictions to sensitive information in new accessions. The decisions are often documented as access restrictions in donor agreements and finding aids. It is important to note, however, that PIPA requires archival institutions to consider disclosure for research purposes under this exception on a case-by-case basis.

► Archival and research purposes only

Organizations need to distinguish clearly between archival and research purposes and ongoing business purposes. This is especially important for an archival institution that is part of a larger organization.

Section 13 of the PIPA Regulation states that an archival institution must not use or disclose personal information in its archival records for any purpose other than archival or research purposes. An archival institution cannot disclose personal information in the archival records to an organization for the organization’s business purposes, even if the organization originally collected or created the records.

Best practices for archival institutions Determine whether your archival institution is subject to PIPA, and if it is,

what personal information is subject to the Act, and what exclusions and exceptions may apply to collection, use, and disclosure activities.

Appoint a member of the archival institution to act as the main contact for compliance with PIPA.

Establish reasonable policies and practices, as well as accountability for decision-making, with respect to personal information holdings.

Include clauses in agreements with donors concerning the collection, use and disclosure in accordance with PIPA.

Identify the personal information collections in archival records and in finding aids. Be careful to ensure that biographical information and descriptive


8

entries in finding aids may be disclosed in compliance with PIPA. Review files requested by researchers to determine whether the records

include personal information and if so, whether disclosure would contravene PIPA. Although the Act does not apply to records to which access was unrestricted or governed by an agreement before 2004, consider whether it may be appropriate to comply with the spirit of the Act with respect to these records.

Develop a research agreement template setting out the conditions under which personal information may be disclosed for research purposes.

Establish security measures to prevent unauthorized disclosure of personal information, with particular attention to processing rooms and reading rooms. Ensure an appropriate level of security for sensitive personal information.

In-house archival collections

To operate as an archival institution, ensure that you have a clear mandate and authorities in policies or governance directives that establish custody and control of archival records and appropriate independence from the parent organization.

Business records may stored in the archives even though control has not been formally transferred to the archival institution. Ensure that records retention for business purposes and acquisition for archival purposes are clearly documented to avoid confusion of purposes.

How PIPA applies to an organization that is not an archival institution

In this section we discuss how PIPA applies

to an organization that is not an archival institution, with respect to personal information that is subject to the Act (i.e. that is not

excluded under section 4 or under the special provisions for non-profit organizations in section 56).

► Collection, use and disclosure of personal information for archival purposes

An organization normally requires consent to collect, use or disclose personal information. However, PIPA permits an organization that is not an archival institution to collect, use or disclose personal information in accordance with the requirements respecting archival purposes or research set out in the PIPA Regulation. An organization may rely on these provisions if it is not reasonable to obtain the consent of the individual the information is about (section 14(k), 17(i), 20(q)).

For archival purposes means for the purposes of preserving archival records and making them accessible to the public in an archival institution. An organization cannot rely on PIPA’s provisions for archival purposes or research to retain records for use only by the organization.

It may not be reasonable to obtain the consent of the individual the information is about if, for example,


9

the archival records are old and the subject is likely either deceased or difficult to locate, or

the number of individual subjects documented in the archival records is large and diverse.

An organization may collect and use personal information without consent to

acquire records of historical importance for transfer to an archival institution, and

prepare its organizational records for archival appraisal and transfer to an archival institution.

For example, an organization could purchase records relating to a prominent figure in the organization’s history for donation to an archival institution. An organization could also, as part of its own internal records management processes, conduct an assessment of records relating to a significant event in the organization’s history, such as a royal visit or a major discovery, for possible donation to an archival institution. To rely on these provisions, the organization must be contemplating the transfer of custody and control of the records to an archival institution.

An organization may also disclose personal information in its records for the purpose of

obtaining an archival appraisal of the organization’s records, and transferring custody and control of the records to an archival institution.

For example, an organization could invite an archival institution to appraise records for their historic or archival importance and to make a recommendation regarding the transfer of the records, or a portion of the records, to the archival institution. The archival institution may be affiliated with the organization, provided that its operations are separate from the organization’s business operations (see the discussion of the definition of archival institution under “Key Definitions” above).

If the organization proposes to continue to use records in the custody of the archival institution (for legal purposes, for example), the organization cannot rely on the provisions in PIPA for use or disclosure without consent for archival purposes. The organization may arrange for the archival institution to store the records. In that case, the organization can retain the records only as long as is reasonable for legal or business purposes. Personal information in the records can be used and disclosed without consent only as permitted under the exceptions for other purposes in PIPA.

► Collection, use and disclosure of personal information for research purposes

PIPA also permits an organization to disclose personal information without consent for research purposes, under conditions specified in the Act. The disclosure must meet the following conditions:

the person to whom the information is to be disclosed enters into a research agreement (the requirements are set out at the end of this document)


10

the research has been approved by a recognized research ethics review committee (such as an ethics committee of a national research council or a professional regulatory organization), and

the researcher has agreed to any additional conditions imposed by the ethics review committee.

All the conditions must be met before access is given.

These conditions would not permit an organization to disclose personal information without consent for market research.

Best practices for organizations If your organization regularly transfers its records to an archival institution, it

is particularly important to establish a records retention and disposition schedule. The schedule will allow your organization to show that the retention, transfer or destruction of the information has been managed in compliance with PIPA.

If your organization stores its records in an archival institution but retains control of the records for business or legal purposes, ensure that control of the records is clearly addressed in the service agreement. The agreement should also state that any request by an individual for access to his or her personal information must be addressed to your organization.

If your organization regularly transfers records containing the personal information of clients to an archival institution, ensure that this is addressed in your organization’s privacy policies and practices.

If your organization regularly permits access to its records for research purposes, develop a research agreement template setting out the conditions under which personal information may be disclosed for research purposes.

How PIPA applies to researchers

► Organizations

An organization subject to PIPA that engages in research must comply with the Act’s provisions for collection, use and disclosure of personal information to which the Act applies. The definition of an organization in PIPA includes an individual acting in a commercial capacity, such as a freelance researcher or genealogist who performs research for individual clients for a fee.

The general rule is that the organization must obtain consent to the collection, use or disclosure of personal information from the individual the information is about. An organization may collect, use or disclose personal information from an archival institution or from another organization for a research purpose without consent if the research meets the requirements set out in the PIPA Regulation. In practice, this means that the archival institution or organization must agree to disclose the information in accordance with the Regulation.

The most likely circumstance in which an archival institution may disclose personal information to a researcher is under a research agreement. If a researcher does not need to include identifying personal information in the research report, this may be an option for obtaining access to personal information that is not available to the public.


11

A researcher acting on behalf of an organization that transferred custody and control of its records to an archival institution does not have any special rights with respect to personal information in those records. Like any other researcher, the organization’s researcher must comply with the Act.

There is an important exception to these general rules. PIPA does not apply to an organization’s collection, use or disclosure of personal information for artistic, literary or journalistic purposes (section 4(3)(b)). These are purposes protected under the Charter of Rights and Freedoms. For example, PIPA would not apply to the collection of personal information from an archival institution or an organization by an author for a novel based on the lives of real persons or by a news organization for an investigative report, unless it could be shown that the organization’s collection, use or disclosure of the personal information was for other, additional purposes.

Even though PIPA may not apply to a researcher’s collection of personal information for artistic, journalistic or literary purposes, PIPA may apply to disclosure of the records by the archival institution. Section 4(3)(b) does not create a right of access by a researcher. The archival institution or organization may require a researcher to enter into a research agreement as described below. An organization that is not an archival institution may have additional requirements.

► Individuals

PIPA does not apply to individuals, unless an individual is acting in a commercial capacity. In addition, the Act states that PIPA does not apply to the collection, use or disclosure of personal information for personal or domestic purposes (s. 4(3)(a)).

If an individual is acting in a personal or domestic capacity and not on behalf of an organization, PIPA does not apply to that individual’s collection, use or disclosure of personal information. For example, the Act would not normally apply to an individual’s collection of genealogical information from an archival institution for the purpose of building a family history.

Even though PIPA may not apply to a researcher’s collection of personal information for personal or domestic purposes, PIPA may apply to disclosure of the records by the archival institution or an organization. Section 4(3)(a) does not create a right of access by a researcher. If the archival institution or organization is not authorized to disclose the requested personal information without restriction, the institution or organization may require a researcher to enter into a research agreement as described below.

Requirements of a research agreement under PIPA If personal information is to be disclosed for a research purpose by an archival institution or an organization, the person to whom the information is to be disclosed must agree to do all of the following:

to use the information only for the research purpose, to make reasonable security arrangements to protect the information, to maintain the confidentiality of the information, to not contact any individual to whom the information relates, to remove or destroy, at the earliest reasonable time, individual identifiers, to not disclose the information in individually identifiable form, and to notify the archival institution immediately of a breach of the agreement.

Additional conditions may be required for disclosure by an organization that is not an archival institution.

Other resources A Guide for Businesses and Organizations on the Personal Information Protection Act provides an overview of the Act with examples and tips for incorporating good privacy practices in the work place.

The Personal Information Protection Act, A Summary for Organizations summarizes of the key obligations of organizations.

PIPA Information Sheet 3: Personal Information discusses the concept of “personal information” in greater detail.

PIPA Information Sheet 4: Personal Information Collected Before 2004 discusses the use and disclosure of personal information collected by an organization prior to January 1, 2004.

Publications are available on-line from:

Access and Privacy Branch Alberta Government Services www.pipa.gov.ab.ca

The web site of the Office of the Information and Privacy Commissioner also contains resources, at www.oipc.ab.ca.

This Information Sheet was prepared to assist organizations implement the Personal Information Protection Act that came into effect on January 1, 2004. This document is an administrative tool intended to assist in understanding the Act. It is not intended as, nor is it a substitute for, legal advice. For the exact wording and interpretation of the Act, please read the Act in its entirety. This Information Sheet is not binding on the Office of the Information and Privacy Commissioner of Alberta.


12

http://www.pipa.gov.ab.ca/

http://www.oipc.ab.ca/

Personal Information Protection Act PIPA Information Sheet 8 · Personal Information Protection Act...

Documents

Transcript of Personal Information Protection Act PIPA Information Sheet 8 · Personal Information Protection Act...