I understand that there are laws about personal information. Do these privacy laws apply to our registered charity’s fundraising activities?
They may or may not. The federal Personal Information Protection and Electronic Documents Act (PIPEDA) covers the collection, use, or disclosure of personal information in the course of any commercial activity within a province, including provincially regulated organizations. The definition of commercial activity is “any particular transaction, act or conduct or any regular course of conduct that is of commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.”
If you don’t buy or sell donor lists, then it may not affect you. If you are involved in transferring these lists, you need to pay careful attention.
As well, where a charity contracts a for-profit third party to do its fundraising, the third party may be required to comply with PIPEDA in carrying out the contract.
Based on this definition, the charity itself gathering information about donors in order to solicit them for a gift may not be considered commercial activity and is not covered by PIPEDA. Thus, the majority of fundraising functions conducted by a charity are exempt from the requirements of PIPEDA.
Charities will be affected, however, if they sell, barter, or lease their donor lists. If so, the charities would have to get the consent of an individual before they can put that person on a donor list that would be sold, bartered, or leased to another organization. Similarly, when leasing or renting external lists, charities must ensure that the source organization has complied with PIPEDA.
As a matter of good risk management and to protect the group’s reputation, it is prudent for charities contracting for-profit third parties for fundraising activities to require that they comply with all applicable legal requirements. However, in this circumstance, the final responsibility for compliance would rest with the service provider.
This same principle of consent applies for any other activity that might be considered a “commercial” activity. You will need to assess your activities to figure out if they fall under the definition of commercial activity.
A fact sheet from the Office of the Privacy Commissioner of Canada, “The Application of the Personal Information Protection and Electronic Documents Act (PIPEDA) to Charitable and Non-Profit Organizations,” states that “although the Act does not generally apply to charities, associations and other similar organizations, we recommend that such organizations provide their members, donors or supporters with an opportunity to decline to receive further communications”. See: https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/r_o_p/02_05_d_19/
You and your fundraisers need to be aware of both the privacy legislation and the regulations associated with the legislation. Sometimes the regulations provide clear and specific details where the legislation is ambiguous, or they may provide more freedom than the legislation sets out.
How does our registered charity know whether to follow federal or provincial privacy laws?
Even where a charity’s fundraising does not trigger a requirement that it comply with privacy laws, other aspects of the charity’s work (such as its role as an employer) may impose privacy compliance obligations on it.
Many charities are confused about whether to comply with federal or provincial privacy law. The general rule is set out in the “privacy compliance principle”:
If the provincial privacy law has been ruled to be “substantially similar” to the federal law by the Privacy Commissioner of Canada (such as in Alberta, British Columbia, and Quebec), then the provincial law supersedes the federal law. That is, the registered charity only has to comply with the provincial legislation.
If the provincial law is not considered to be “substantially similar” to PIPEDA, then registered charities operating in that province must comply with both the federal and provincial laws. If a province does not have specific privacy legislation, then registered charities must comply with PIPEDA.
National registered charities working across provincial borders will have to address the different laws of each province (as well as the federal restrictions).
The Service Alberta site covers privacy legislation at www.servicealberta.ca/491.cfm.
What does our registered charity need to know about how to use personal information?
Legislation has been enacted by the federal government and other jurisdictions dealing with the use of personal information. Depending on the type of information, and use of it made by the charity, one or more of these statutes may apply.
There are 10 principles, typically incorporated in legislation governing the use of personal information, that you need to keep in mind. It is good practice to follow these principles whether or not your charity is statutorily required to adhere to them:
- Accountability—A charity is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the charity’s compliance with privacy principles.
- Identifying purposes—The purposes for which personal information is collected shall be identified by the charity at or before the time the information is collected.
- Consent—The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
- Limiting collection—The collection of personal information shall be limited to that which is necessary for the purposes identified by the charity. Information shall be collected by fair and lawful means.
- Limiting use, disclosure, and retention—Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
- Accuracy—Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
- Safeguards—Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
- Openness—A charity shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
- Individual access—Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
- Challenging compliance—An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the charity’s compliance.
What privacy legislation do Canada and Alberta have?
- Freedom of Information and Protection of Privacy Act
- Health Information Act
- Personal Information Protection Act
(Legislation has been declared “substantially similar” to PIPEDA)
The Alberta Act is similar to PIPEDA in its impact on charities. It specifically exempts most non-profits from its requirements unless they are engaged in a commercial activity. Opt-out mechanisms are allowed as long as charities give the individual “a reasonable opportunity to decline or object to having his or her personal information collected, used or disclosed.”