Personal Information and Privacy

F27. I understand that there are laws about personal information. Do these privacy laws apply to our registered charity’s fundraising activities?


Short answer

They may or may not. The federal Personal Information Protection and Electronic Documents Act (PIPEDA) covers the collection, use, or disclosure of personal information in the course of any commercial activity within a province, including provincially regulated organizations. The definition of commercial activity is "any particular transaction, act or conduct or any regular course of conduct that is of commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists."

If you don't buy or sell donor lists, then it may not affect you. If you are involved in transferring these lists, you need to pay careful attention.

As well, where a charity contracts a for-profit third party to do its fundraising, the third party may be required to comply with PIPEDA in carrying out the contract.

Long answer

Based on this definition, the charity itself gathering information about donors in order to solicit them for a gift may not be considered commercial activity and is not covered by PIPEDA. Thus, the majority of fundraising functions conducted by a charity are exempt from the requirements of PIPEDA.

Charities will be affected, however, if they sell, barter, or lease their donor lists. If so, the charities would have to get the consent of an individual before they can put that person on a donor list that would be sold, bartered, or leased to another organization. Similarly, when leasing or renting external lists, charities must ensure that the source organization has complied with PIPEDA.

As a matter of good risk management and to protect the group's reputation, it is prudent for charities contracting for-profit third parties for fundraising activities to require that they comply with all applicable legal requirements. However, in this circumstance, the final responsibility for compliance would rest with the service provider.

This same principle of consent applies for any other activity that might be considered a "commercial" activity. You will need to assess your activities to figure out if they fall under the definition of commercial activity.

A fact sheet from the Office of the Privacy Commissioner of Canada, "The Application of the Personal Information Protection and Electronic Documents Act (PIPEDA) to Charitable and Non-Profit Organizations," states that "although the Act does not generally apply to charities, associations and other similar organizations, we recommend that such organizations provide their members, donors or supporters with an opportunity to decline to receive further communications". This fact sheet is available here.

You and your fundraisers need to be aware of both the privacy legislation and the regulations associated with the legislation. Sometimes the regulations provide clear and specific details where the legislation is ambiguous, or they may provide more freedom than the legislation sets out.

More...

FAQ F30 lists privacy legislation across the country.

F28. How does our registered charity know whether to follow federal or provincial privacy laws?

Even where a charity's fundraising does not trigger a requirement that it comply with privacy laws, other aspects of the charity's work (such as its role as an employer) may impose privacy compliance obligations on it.

Many charities are confused about whether to comply with federal or provincial privacy law. The general rule is set out in the "privacy compliance principle":

If the provincial privacy law has been ruled to be "substantially similar" to the federal law by the Privacy Commissioner of Canada (such as in Alberta, British Columbia, and Quebec), then the provincial law supersedes the federal law. That is, the registered charity only has to comply with the provincial legislation.

If the provincial law is not considered to be "substantially similar" to PIPEDA, then registered charities operating in that province must comply with both the federal and provincial laws. If a province does not have specific privacy legislation, then registered charities must comply with PIPEDA. National registered charities working across provincial borders will have to address the different laws of each province (as well as the federal restrictions).

More…

The Office of the Privacy Commissioner of Canada - Fact Sheet: The Application of the Personal Information Protection and Electronic Documents Act to Charitable and Non-Profit Organizations.

The Association of Fundraising Professionals reports on relevant Canadian public policy issues.

The Service Alberta site covers privacy legislation; Legislation - Charities and Fundraisers.

F29. What does our registered charity need to know about how to use personal information?


Legislation has been enacted by the federal government and other jurisdictions dealing with the use of personal information. Depending on the type of information and the use made of it by the charity, one or more of these statutes may apply.

There are 10 principles, typically incorporated in legislation governing the use of personal information, that you need to keep in mind. It is good practice to follow these principles regardless of whether or not your charity is required by law to adhere to them:

1. Accountability - A charity is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the charity's compliance with privacy principles.

2. Identifying purposes - The purposes for which personal information is collected shall be identified by the charity at or before the time the information is collected.

3. Consent - The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

4. Limiting collection - The collection of personal information shall be limited to that which is necessary for the purposes identified by the charity. Information shall be collected by fair and lawful means.

5. Limiting use, disclosure, and retention - Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.

6. Accuracy - Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

7. Safeguards - Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

8. Openness - A charity shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.

9. Individual access - Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

10. Challenging compliance - An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the charity's compliance.

More ...

These 10 principles are described in more detail in the latest version of the Personal Information Protection and Electronic Documents Act at the Justice Canada site.

F30. What privacy legislation does Canada have?


Canada

The Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA Review Discussion Document, Protecting Privacy in an Intrusive World (July 18, 2006)

Alberta


Freedom of Information and Protection of Privacy Act

Health Information Act

Personal Information Protection Act
(Legislation has been declared “substantially similar” to PIPEDA)
The Alberta Act is similar to PIPEDA in its impact on charities. It specifically exempts most non-profits from its requirements unless they are engaged in a commercial activity. Opt-out mechanisms are allowed as long as charities give the individual “a reasonable opportunity to decline or object to having his or her personal information collected, used or disclosed.”

 

British Columbia


Freedom of Information and Protection of Privacy Act

Personal Information Protection Act
(Legislation has been declared “substantially similar” to PIPEDA)

Privacy Act

E-Health (Personal Health Information Access and Protection of Privacy) Act

British Columbia’s Personal Information Protection Act is much stricter than the federal privacy law. There is no reference to commercial activity nor is there an exemption for charities. Any organization gathering, using or disclosing an individual’s personal information must have the individual’s consent. Under the legislation, only “contact information,” defined as data enabling an organization to contact an individual at work, was exempt. Contact information includes name, position name or title, business telephone number, business address, business email, or business fax number of the individual.


The regulations for Bill 38 that were later developed by the province are quite broad, however. The definition of “public information” (information that can be gathered without consent) includes:

• the name, address, telephone number and other personal information that appears in telephone directories, if the individual is allowed to refuse to have his/her information made available
• personal information that appears in a professional or business directory that is available to the public, if the individual has the right to refuse to have his/her information included in the directory
• personal information that appears in a registry to which the public has a right of access
• personal information that appears in a printed or electronic publication that is available to the public, including magazines, books, and newspapers.

Charities can collect, use, and disclose the information found in the sources above without an individual’s consent. Charities can gather information outside of the “public information” realm if they give the individual “a reasonable opportunity to decline or object to having his or her personal information collected, used or disclosed.” Reasonable and clear opt-out mechanisms are permissible depending on the sensitivity of the information. Medical and salary information, for example, would always require express opt-in consent.

 

Manitoba


The Privacy Act

The Freedom of Information and Protection of Privacy Act

The Personal Health Information Act

 

New Brunswick


Protection of Personal Information Act

 

Newfoundland and Labrador

Access to Information and Protection of Privacy Act

Privacy Act

Personal Health Information Act (To be proclaimed)

 

Nova Scotia

Freedom of Information and Protection of Privacy Act

 

Ontario

Freedom of Information and Protection of Privacy Act

Personal Health Information Protection Act
(Legislation has been declared “substantially similar” to PIPEDA, with respect to health information custodians)

Municipal Freedom of Information and Protection of Privacy Act

 

Prince Edward Island

Freedom of Information and Protection of Privacy Act

 


Québec

An Act Respecting the Protection of Personal Information in the Private Sector
(Legislation has been declared “substantially similar” to PIPEDA)

An Act Respecting Access to Documents Held by Public Bodies and the Protection of Public Information


Quebec currently has the strictest privacy policy in place. The provincial privacy law applies to all private enterprises, including non-profits and charities, and applies to all information that relates to an individual and allows an individual to be identified. Information can only be collected for an intended purpose and that purpose must be specified when an individual’s file is created. Some publicly available information, such as that found in phone books, can be used without consent.


Before collecting information, a charity must tell the individual how that information will be used and who will have access to it, and must make sure the person is aware that he or she has a right of access and correction. Opt-in or opt-out mechanisms are both acceptable.


The Quebec law also directly addresses the issue of donor lists. Lists containing the names, addresses, and telephone numbers of the members, clients, and employees of an enterprise may be communicated or used for commercial or philanthropic prospecting purposes. The enterprise must, however, give the person concerned a valid opportunity to refuse permission for such communication or use.

 

Saskatchewan

Freedom of Information and Protection of Privacy Act

Health Information Protection Act

Local Authority Freedom of Information and Protection of Privacy Act

Privacy Act

 

Northwest Territories

Access to Information and Protection of Privacy Act

 

Nunavut

Access to Information and Protection of Privacy Act

 

Yukon


Access to Information and Protection of Privacy Act

 

To see a list of the provincial and territorial privacy commissioners and ombudsmen, as well as offices with oversight and government organizations relating to privacy, click here.