With a growing global emphasis on privacy regulation, non-profit organizations (NPOs) must carefully evaluate how they handle personal information.
Privacy legislation such as the Personal Information Protection and Electronic Documents Act (PIPEDA) and the provincial Personal Information Protection Acts (PIPAs) is critically important to non-profit organizations in Canada. These laws govern how organizations collect, use, disclose, and protect personal information. For non-profits, adhering to these regulations is essential for legal compliance, for maintaining stakeholder trust, and for upholding ethical standards.
Not-for-profit organizations often work with individuals in sensitive or vulnerable situations while providing services. They also collect personal information from their donors, which requires discretion and careful handling of data. NPOs therefore need to stay abreast of updates to Canadian privacy laws such as PIPEDA and the PIPAs, as well as to external legislation such as the EU's General Data Protection Regulation (GDPR).
What are PIPEDA and PIPA?
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s federal data privacy law for private sector organizations. The Personal Information Protection Act (PIPA) refers to provincial versions of PIPEDA (collectively the “Acts”). Two examples are BC's PIPA and Alberta's PIPA. The Acts are substantially similar, so while it is important to understand which applies to your organization, the end results are quite similar.
Among other things, the Acts require organizations collecting, using, or sharing personal information in the course of commercial activities to:
- gain consent for its collection,
- take reasonable security measures to keep it safe, and
- limit its disclosure.
Since November 2018, NPOs must also comply with certain obligations surrounding the recording and reporting of data breaches.
Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA is the federal privacy law that applies to private-sector organizations across Canada that collect, use, or disclose personal information in the course of commercial activities. This includes non-profits engaged in commercial activities (e.g., selling merchandise and fee-based services).
Key Provisions
- Requires organizations to obtain consent when collecting, using, or disclosing personal information.
- Mandates that organizations protect personal information with appropriate security measures.
- Grants individuals the right to access and correct their personal information.
Provincial Privacy Acts
Many provinces have enacted their own private-sector privacy legislation deemed substantially similar to PIPEDA. In these provinces, provincial law takes precedence over PIPEDA for intra-provincial matters.
British Columbia: Personal Information Protection Act (PIPA)
Similar to Alberta's PIPA, it applies to all private-sector organizations in British Columbia, including non-profits.
Key Provisions
- Requires consent for the collection, use, or disclosure of personal information.
- Allows individuals to access and correct their personal information.
- Obligates organizations to protect personal information from unauthorized access.
Alberta: Personal Information Protection Act (PIPA)
Applies to all private-sector organizations in Alberta, including non-profits and charities, regardless of whether activities are commercial.
Key Provisions
- Governs the collection, use, and disclosure of personal information.
- Requires organizations to appoint a Privacy Officer.
- Mandates reasonable security arrangements to protect personal information.
Saskatchewan: The Health Information Protection Act (HIPA)
Applies to trustees of personal health information, which can include non-profit organizations.
Manitoba
Personal Information Protection and Identity Theft Prevention Act (PIPITPA)
As of November 2024, Manitoba has passed PIPITPA but has not yet proclaimed it, so it is not yet in force. Manitoba NPOs therefore generally fall under PIPEDA.
Personal Health Information Act (PHIA)
Applies to trustees of personal health information, including non-profits providing health services.
Ontario
Freedom of Information and Protection of Privacy Act (FIPPA) & Municipal Freedom of Information and Protection of Privacy Act (MFIPPA)
Primarily apply to public-sector organizations, but non-profits may be subject if performing services on behalf of public bodies.
Personal Health Information Protection Act (PHIPA)
Applies to "health information custodians," which can include non-profits handling personal health information.
Key Provisions
- Governs the collection, use, and disclosure of personal health information.
- Requires consent and provides individuals with rights regarding their health information.
Quebec: Act Respecting the Protection of Personal Information in the Private Sector
Applies to all private-sector organizations in Quebec, including non-profits.
Key Provisions
- Requires organizations to collect personal information only for legitimate purposes.
- Mandates consent for the collection, use, and disclosure of personal information.
- Grants individuals rights to access and rectify their personal information.
- Note: Quebec has enacted significant amendments through Bill 64 (Law 25), enhancing privacy obligations with phased implementation starting in 2022.
New Brunswick: Personal Health Information Privacy and Access Act (PHIPAA)
Governs custodians of personal health information, including non-profits.
Nova Scotia
Personal Information International Disclosure Protection Act (PIIDPA)
Applies to public bodies but may impact non-profits contracted by public bodies.
Personal Health Information Act (PHIA)
Applies to custodians of personal health information.
Prince Edward Island: Health Information Act (HIA)
Applies to custodians of personal health information.
Newfoundland and Labrador: Personal Health Information Act (PHIA)
Governs the handling of personal health information by custodians, including non-profits.
Yukon, Northwest Territories, Nunavut: Public Sector Privacy Laws
Territorial privacy laws primarily apply to public bodies. Non-profits may fall under PIPEDA for commercial activities or specific health information laws if applicable.
Why Do PIPEDA and the PIPAs Matter for Not-For-Profit Organizations?
With PIPEDA governing commercial activities, charities and not-for-profits are often unclear as to whether or how the Act affects them. First, you should understand that your NPO is not automatically exempt from PIPEDA, since "commercial" is defined by activity, not by an organization's tax status.
Many charities, for example, rely on the sale of goods or services to earn revenue. Selling or leasing fundraising lists also falls under the heading of commercial activity.
Because whether the Acts apply to a particular not-for-profit is frequently determined on a case-by-case basis, the safest approach, according to legal experts, is to err on the side of caution. Assume that, as a charity or NPO in Canada, PIPA or PIPEDA may apply to your organization, and consider taking steps to voluntarily bring your privacy policies and procedures into compliance.
Summary of PIPEDA & PIPA Applicability
- Non-Profits Engaged in Commercial Activities: Subject to PIPEDA federally unless operating in a province with substantially similar legislation (Alberta, BC, Quebec).
- Non-Profits Not Engaged in Commercial Activities: May still be subject to provincial privacy laws (e.g., Alberta and BC PIPAs apply regardless of commercial activity).
- Handling Personal Health Information: Subject to provincial health information privacy laws in provinces where they operate.
How Non-Profits Can Comply
- Determine Applicable Laws: Identify which federal and provincial privacy laws apply based on the organization's activities and location. Seeking legal advice is recommended to understand your NPO's obligations regarding privacy legislation.
- Develop Privacy Policies: Create comprehensive policies that comply with relevant legislation, covering how personal information is collected, used, disclosed, and protected.
- Appoint a Privacy Officer: Designate an individual responsible for overseeing privacy compliance.
- Obtain Consent: Ensure appropriate consent is obtained for the collection, use, and disclosure of personal information.
- Implement Security Measures: Protect personal information with physical, organizational, and technological safeguards.
- Provide Access and Correction Rights: Establish procedures for individuals to access and correct their personal information.
- Train Staff and Volunteers: Educate all personnel on privacy obligations and best practices.
- Prepare for Breaches: Develop a breach response plan in accordance with legal requirements, including notification procedures.
What is GDPR?
The General Data Protection Regulation (GDPR) was implemented across the EU in May 2018 to standardize data protection and privacy laws. It essentially:
- strengthens data protection rights for EU residents,
- imposes strict requirements on organizations that collect, use, disclose, or store personal data, and
- penalizes organizations for non-compliance.
Despite being an EU law, the GDPR affects organizations worldwide. With so many Canadian charities and non-profits processing large volumes of donor and client information, their accountability for privacy has increased considerably.
Why Does GDPR Matter for Not-For-Profit Organizations?
According to EDPB (European Data Protection Board) Guidelines, even if your Canadian charity or not-for-profit isn’t established within the EU, if your actions target EU residents, you must comply with the GDPR.
Targeting basically means your organization:
- processes the personal data of EU residents to offer them goods or services, or
- monitors their behaviour within the EU.
Behaviour monitoring includes tracking individuals on the internet for predictive or analytical purposes. If your website uses cookies in a non-compliant manner – and the site’s accessible to EU residents – you could be caught out.
The GDPR can require you to appoint a representative within the EU to oversee your compliance, and failing to do so could open your organization to significant fines.
Overall, voluntarily complying with PIPEDA and the GDPR is the most effective approach for:
- safeguarding your NPO's reputation,
- preserving stakeholder confidence, and
- managing legal and financial liability.
Legislative obligations aside, your donors, clients, and staff look to you to protect their personal information, be accountable for its use, and keep it from falling into the wrong hands.
Understanding your organization’s role in cyber security - and what to do in the event of a data breach - is one way to maintain their trust while avoiding potential penalties.
Related Content: Cyber-security for NPOs. Although the discussion is in the context of COVID, many of its cyber-security recommendations are still useful post-COVID!