
Data Privacy and the Law: Understand Your Nonprofit's Legal Obligations


By: Imran Ahmad and Eloïse Gagné, Miller Thomson LLP

Nonprofit organizations in Canada are collecting, using, and disclosing an increasing amount of personal information (e.g. sensitive data relating to donors, employees, volunteers, etc.) as part of their operations. It is therefore essential that nonprofits ensure that they handle this personal information in compliance with applicable laws.

The Federal Legal Framework 

In general, the protection of personal information is governed by a series of provincial and federal laws in Canada, all of which aim to uphold individuals’ right to privacy. 

The Personal Information and Electronic Documents Act (the "Federal Act") applies to all organizations that gather, use and disclose personal information as part of their commercial activities. Commercial activities may constitute regular activities as well as any isolated actions that are commercial in nature. This includes the sale, barter, and rental of donor, membership and fundraising lists. This means that the Federal Act does not automatically apply to nonprofits, but only to those that engage in commercial activities. As explained by the Office of the Privacy Commissioner: “Collecting membership fees, organizing club activities, compiling a list of members' names and addresses, and mailing out newsletters are not considered commercial activities. Similarly, fundraising is not a commercial activity. However, some clubs, for example many golf clubs and athletic clubs, may be engaged in commercial activities which are subject to the Act.”

A Few Provincial Distinctions

The Federal Act does not apply to organizations that exclusively carry out their activities in a province with a similar law to the Federal Act, unless the personal information is transferred between provinces or internationally. Quebec, Alberta and British Columbia have adopted similar laws, and organizations operating in those provinces may be constrained by further obligations under these acts.   

The Personal Information Protection Act (the “Albertan Act”) closely mirrors the wording of the Federal Act and applies to cases in which nonprofits collect, use and disclose information as part of their commercial activities. Several criteria used to identify what constitutes a commercial activity under this act were taken from those developed for the Federal Act.

In Quebec, the Act Respecting the Protection of Personal Information in the Private Sector (the “Quebec Act”) applies to information gathered, held, used or disclosed to third parties as part of the operations of an enterprise, as defined in Section 1525 of the Civil Code of Quebec. This constitutes one or more individuals exercising an organized economic activity, be it commercial in nature or otherwise, consisting of producing, administering or alienating property, or providing a service.

The resulting definitions of the terms “commercial activities” and “the operations of an enterprise” are broad, so conducting certain activities may subject a nonprofit to the applicable acts. In all of these jurisdictions, this analysis must be done on a case-by-case basis.

In British Columbia, all organizations, including nonprofits, are subject to the Personal Information Protection Act (the “British Columbian Act”), and will therefore need to abide by the rules regarding collection, use, safeguarding and disclosure of information described in this article, but subject to specificities that may be provided in the British Columbian Act.

The Collection, Use, Safeguarding and Disclosure of Information

The definition of “personal information” varies according to the applicable act. Under the Federal, Albertan and British Columbian Acts, personal information generally constitutes any information that concerns an identifiable individual. In Quebec, personal information constitutes any information that relates to a physical person and allows the individual to be identified. 

Whether it is under the Federal, Albertan, Quebec or British Columbian Act, laws intended for the protection of personal information govern the: 

1. collection;

2. use;

3. safeguarding; and

4. disclosure of personal information.

Applicable Rules

Under the Federal Act (which forms the basis for the provincial acts), it is suggested that the following basic rules be followed in order to comply with minimum applicable requirements.  

Limit Collection

The golden rule is that personal information must be collected solely for specific purposes, and that only the personal information required to fulfill these purposes may be collected.

For example, you may be collecting personal information from your donors, such as their names and email addresses so that you can send them fundraising emails, invite them to events, and recognize them in your annual report. However, you wouldn't be able to collect data that does not serve this direct purpose, like their social insurance numbers or credit card information, because that would be outside of the scope of fulfilling these purposes.

To comply with these principles, organizations should ask the following questions in order to delimit the type and quantity of information collected:  

  • What is the reason for collecting this personal information?
  • What information is required to attain this objective?
  • How will the information be used?

Once these questions have been answered, ensure that the collection is not carried out arbitrarily, and be thorough in applying your practices. You should always be able to justify the reasons for collecting this specific information. If some personal information is no longer required, take appropriate measures to destroy it.

Seek Consent

It is also essential to obtain free and informed consent from individuals before collecting, using, storing or disclosing personal information. As such, all organizations should:

  • clearly disclose the reasons for collecting the information;
  • indicate how the information will be used;
  • specify whether the information will be shared with any third parties;
  • inform individuals where and how their information will be retained.  

These indications should be easily accessible and detailed enough for any individual to be able to provide full consent for his or her information being gathered or retained. It is also important to retain proof of any consent received. That said, certain special circumstances provided by law may justify waiving individuals’ consent. We recommend seeking legal advice if you intend to use, collect or disclose personal information without a person’s consent.

If, while carrying out your activities, you modify your way of using, safeguarding or disclosing information, once again seek the consent of the individuals concerned in order to inform them of the changes.  

Limit the Use, Retention and Disclosure of Personal Information

Once the information has been collected, you have an obligation to use it in compliance with the purposes for which it was gathered and for which the individuals consented to the collection. At this stage, it is important to review the reasons for which the information was collected and to always ensure that you are acting in compliance with the consented use.  

Keep only information that is essential for your purposes in order to avoid the high costs and risks associated with managing personal information. As a guideline, you may consider the following questions:

  • How long do I need to retain the personal information?
  • How does the information need to be classified?
  • How will we destroy the information that is no longer required?
  • Who will be responsible for ensuring that the information is adequately destroyed?

Once again, remain thorough in your practices and make sure that someone is placed in charge of managing the information to ensure that current policies are applied. 

Lastly, you may need to share certain information with service suppliers or third parties in order to fulfill your purposes, for retention, for example. In this case, ensure that you get the individuals’ consent to disclose the information and that adequate agreements have been established to ensure that the information is protected and to limit your liability if problems arise. Share only the information required by third parties and ensure that they have adequate procedures in place to protect personal information.

Keep your Files Updated, Safe and Accessible

Collected information must remain as current as possible. All information that is not updated or that is no longer required should be deleted.

Certain laws, including the Quebec Act, may also set specific requirements regarding the way in which information should be organized.  

Adequate measures must then be taken to save the information, regardless of the manner in which it is retained. To accomplish this, ask the following questions:

  • Who will have access to the information and who will be responsible for protecting it? 
  • How do we protect the information from being lost or stolen? What measures should be set up to accomplish this?

Implementing an adequate security policy and placing an individual in charge of retaining the information can limit the liability of nonprofits and help them react more effectively in the case of security breaches. It is probable that only a few people really need to use the information, in which case other employees should not be given access to the retained information.  

Lastly, all individuals generally have the right to access information that is classified in their name and to know how the information was used and with whom it was shared. Set up adequate measures to respect these requirements. For example, this may involve designating an individual within the organization to manage the files and respond to requests within a reasonable timeframe. Complaints procedures must also be set up.  

Conclusion

All nonprofits should establish whether their activities are “commercial” in nature (if the legal entity is governed by the Federal or Albertan Acts) or constitute “the operation of an enterprise” (if governed by the Quebec Act) in order to assess if they are subject to the laws applicable to the protection of personal information. All nonprofits in British Columbia are automatically regulated under that province’s act.

To avoid any claims (including remedies for damages or penalties), implement adequate systems and procedures to collect, use, retain and disclose personal information in compliance with these laws, and ensure that you are thorough in your adherence to these requirements. Being organized will help you avoid many issues.


About the authors 

Imran Ahmad is a business law partner in the Toronto office of Miller Thomson, and Eloïse Gagné is a business law associate in the Montreal office of Miller Thomson.