At our webinar last month, All About CRM, a lot of people had questions about privacy laws: Does federal and provincial privacy legislation apply to nonprofits? What does this mean for us and how we store our data? What do we need to be aware of if our data is stored in the US? These are all great questions and I’ll admit that I didn’t know the answer - so I decided to dive in and do some research.
Not surprisingly, privacy laws are pretty hairy for someone with no background in law. I’m taking things one step at a time and trying to track down the best resources that explain things clearly (if you know of any, please share in the comments).
To start off, I’m going to cover what privacy laws Canadian organizations need to be aware of and who they apply to.
Canada’s Privacy Laws
PIPEDA (the Personal Information Protection and Electronic Documents Act) is Canada's federal private-sector privacy law. It governs how organizations collect, use and disclose personal information: among other things, it requires that individuals consent to the collection of their information, that organizations safeguard the information they hold, and that they publish clear privacy policies.
Does it apply to nonprofits?
PIPEDA applies to personal information that is collected, used or disclosed in the course of commercial activities. According to the Office of the Privacy Commissioner of Canada, common nonprofit activities such as "collecting membership fees, organizing club activities, compiling a list of members' names and addresses, and mailing out newsletters are not considered commercial activities."
However, PIPEDA does apply to a nonprofit whenever it carries out commercial activities. There are two main situations where this happens:
1) when the organization's own activities are commercial in nature
Some nonprofits run what is effectively a business, for example golf clubs and athletic clubs that sell memberships and services.
2) buying, selling and renting lists of personal information
PIPEDA is explicit that this counts as commercial activity. Its definition of "commercial activity" is: "...any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists." So a nonprofit that never sells anything else is still covered the moment it trades its donor or member list.
Doesn’t apply to you? You’re not totally off the hook:
a) your organization might fall under provincial privacy legislation instead
b) being the decent organization that you are, you will want to respect individuals' privacy regardless of whether a particular law applies to you or not
Provincial Privacy Laws
PIPEDA provides that if your province has private-sector privacy legislation that has been declared "substantially similar" to PIPEDA, organizations in that province follow the provincial law instead of PIPEDA for activities within the province. The exception is that PIPEDA still applies to personal information that crosses provincial or national borders, so interprovincial and international transfers (including storing data with a provider outside the province) remain under PIPEDA.
At the time of writing, four pieces of provincial privacy legislation have been declared "substantially similar" to PIPEDA. I'll list them and discuss how each applies to nonprofits.
British Columbia: Personal Information Protection Act
Unlike PIPEDA, BC's PIPA is not limited to commercial activities. This means the law applies to nonprofits and charities just like everyone else. If you are a government agency or board, a different statute applies; see this explanation of which privacy laws apply to whom in BC.
Alberta: Personal Information Protection Act
Alberta's PIPA works the same way as PIPEDA in that, for nonprofits, it only applies when they carry out commercial activities. Note that the act's definition of "non-profit organization" is a narrow one (organizations incorporated under Alberta's Societies Act or Agricultural Societies Act, or registered under Part 9 of the Companies Act); a nonprofit that does not fit that definition is covered in full. For more information on how PIPA applies to nonprofits, see this Nonprofit FAQ.
Québec: An Act Respecting the Protection of Personal Information in the Private Sector
Quebec's private-sector privacy act applies to the collection, use and disclosure of personal information in all activities, not just commercial ones, so it covers nonprofits as well.
Ontario: Personal Health Information Protection Act, 2004 (PHIPA), with respect to health information custodians
Unlike the other provincial laws, PHIPA applies only to personal health information (all other personal information in Ontario still falls under PIPEDA). It applies to any health information custodian, nonprofit or not, such as hospitals and other health care organizations. For more details on what counts as personal health information and who is a custodian, see Privacy Legislation and its Application to Fundraising and Personal Health Information.
To sum up:
- If you are a provincially-regulated organization in BC, Alberta or Quebec, follow your provincial privacy law for activities within the province.
- If you are a provincially-regulated organization in Ontario that is a health information custodian, follow PHIPA for activities within the province that involve personal health information.
- In all other cases, including any transfer of personal information across provincial or national borders, PIPEDA is the law that applies.
If you need more detailed information on how all of this works, see this Fact Sheet from the Office of the Privacy Commissioner of Canada.