Recently I had the opportunity to prepare an agreement where a municipal body was being contracted to provide its services and in so doing would have to collect, use, and disclose personal information. This resulted in the agreement setting out obligations with respect to privacy law. As the drafter of this agreement, I was faced with one major issue: does the service provider have to comply with provincial privacy law, or with the federal Personal Information Protection and Electronic Document Act (“PIPEDA”)?
Municipalities, their commissions, boards, and bodies are what most people would call government. In Canada, provincial and municipal governments and their different bodies are subject to the privacy regimes set out in provincial legislation, rather than PIPEDA. An organization’s commercial activities that involve collection, use or disclosure of personal information are subject to PIPEDA. But the distinction between applying provincial privacy law and PIPEDA can become mushy in what is called the “MUSH” section.
“MUSH” means, municipalities, universities, schools, and hospitals, which are all institutions that fall under provincial privacy law, being different arms of provincial government. But for my draft agreement, one of the MUSH institutions was buying a service, and the other was providing a service for a price, i.e. commercial activity. So, in this case, and a host of others like it, one has to ask if the MUSH institution providing the service needs to comply with provincial privacy law, or PIPEDA?
According to the Office of the Privacy Commissioner of Canada, this is a frequently asked question, and they have come out with the following answer. Since the MUSH sector relies primarily on taxes and grants for funding, as a general rule, PIPEDA does not apply to the activities that are central to the mandate and responsibilities of MUSH sector institutions.
Providing a service for a fee is not necessarily a commercial activity triggering PIPEDA, if the service is part of the institution’s core activities. For example, a hospital could likely charge a fee for a private room, or a municipality could likely charge a fee for arena time, without being subject to PIPEDA. On the other hand, if a MUSH sector institution engages in a non-core commercial activity, it could become subject to PIPEDA, unless substantially similar provincial legislation exists. For example, a university or hospital running a parking garage, or a coffee shop in city hall would likely be considered non-core commercial activities that are subject to PIPEDA.
In the case of my agreement, it was decided that provincial privacy law applied, as the service was at the core of the responsibilities and mandate of the institution. Choosing the correct privacy regime is of course a decision which must be made depending on the specific situation when dealing with the MUSH sector, especially when MUSH institutions are charging fees for services and the collection, use, or disclosure of personal information is involved.