Charities and non-profits gather a lot of personal information – from members and donors. Somewhat surprisingly, the Personal Information Protection and Electronic Documents Act (PIPEDA) usually will not apply to them. However, it would be wise for these organizations to comply with the privacy protection obligations in PIPEDA.
PIPEDA applies to organizations that collect, use or disclose personal information in the course of commercial activities.[1] The legislation defines “commercial activity” as “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.”
The Privacy Commissioner of Canada indicated that the following activities are not considered commercial: collecting membership fees; organizing club activities; compiling a list of members’ names and addresses; mailing out newsletters; and fundraising.[2] It is important to note that an organization’s non-profit status is not determinative of whether it is required to comply with PIPEDA.[3] It is determined on a fact-specific basis.
PIPEDA imposes obligations on an organization to obtain a person’s consent in order to collect, use or disclose personal information. It also imposes obligations for notification to an individual, and in some cases, the Privacy Commissioner, when applicable breaches of personal information occur.
In today’s world of increased reliance on technology and sharing of data, privacy protection is becoming an ever increasing priority for people. Most people, if not all, expect organizations to be protecting their personal information once shared with them. This expectation extends to charities and non-profits, especially when the personal information is being provided in the context of making a donation or providing financial support. Charities and non-profits rely on the trust and confidence of their stakeholders. This can be eroded by failing to properly protect personal information provided to the organization.
Charities and non-profits would benefit from drafting their privacy policies and procedures in compliance with the obligations set out in PIPEDA. Not only will it help to protect stakeholder personal information, it will also ensure compliance with PIPEDA if it were ever found that the organization did carry on a commercial activity.
Of note, several jurisdictions, including British Columbia, Alberta and the European Union, require charities and non-profits to comply with privacy legislation (in Alberta there are certain exemptions).[4] For several years, the Privacy Commissioner of Canada has called for fundamental reforms to federal privacy legislation, including PIPEDA. It is not unreasonable to think that charities and non-profits will be subject to privacy legislation in the (near) future.
The Lerners Privacy, Data and Information Security Group can assist charities and non-profits bring themselves into compliance with PIPEDA privacy obligations.
[1] Personal Information Protection and Electronic Documents Act, SC 2000, c 5, s 4(1).
[2] https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/r_o_p/02_05_d_19/
[3] Ibid. See also https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2008/389_rep_080529/
[4] Esther Shainblum, Privacy Issues Affecting Charities, Ontario Bar Association, February 5, 2019.
