This information was prepared by a privacy working group of national fundraising and charity organizations, including the Association for Healthcare Philanthropy (AHP), the Association of Fundraising Professionals (AFP), the Association of Professional Researchers for Advancement (APRA), and the Canadian Centre for Philanthropy (CCP).
It is intended to provide the basic principles of the current federal and provincial privacy laws in place, as well as tips and guidance for fundraisers and charities trying to comply with those laws. A list of useful websites is at the end of this document as well as links to more extensive information about complying with PIPEDA in the working group's document, “Frequently Asked Questions Regarding Charitable Fundraising & The Personal Information Protection and Electronic Documents Act (PIPEDA).”
Fundraisers should keep in mind that with the exception of Quebec's privacy law, most other privacy laws are new, having gone into effect January 1, 2004. As such, even the governments that enacted them are not completely sure how they will work in practice and how they will be enforced. In addition, what evolves into best practice may be different – and of a higher standard – than what is legal or required.
Finally, fundraisers and their organizations need to consider both the legislation AND the regulations associated with the legislation. How government regulators (the bureaucrats) interpret the legislation is sometimes different than what the legislators intended. Often, the regulations may provide clear and specific details where the legislation is ambiguous. Or in the case of British Columbia (see below), the regulations may provide more freedom than what the legislation sets out.
Thus, this document provides the best guidance that the privacy working group can provide at this time. This guidance may change as laws are interpreted or challenged, or as best practices evolve.
Jurisdictions That Have Enacted Privacy Legislation:
- The federal government: The Personal Information Protection and Electronic Documents Act (PIPEDA)
- Alberta: Personal Information Protection Act - Bill 44
- British Columbia: Personal Information Protection Act - Bill 38
- Quebec: Act Respecting the Protection of Personal Information in the Private Sector
Currently, these are the only jurisdictions that enacted privacy legislation aimed at protecting the use of personal information by private and public organizations. The extent to which these laws affect charities is discussed below.
Most other provinces are currently considering privacy legislation as well. Just recently, Ontario introduced Bill 31, the Health Information Protection Act, which is addressed in the working group's document, “Answers To Frequently Asked Questions About Ontario Bill 31 And PIPEDA.”
Relationship between Federal and Provincial Laws
Many charities are confused whether or not they have to comply with both the federal privacy law (PIPEDA) and any applicable provincial law. The general rule is this:
Privacy Compliance Principle: If the provincial privacy law has been ruled to be “substantially similar” to the federal law by the Privacy Commissioner of Canada, then the provincial law supercedes the provincial law. (That is, the organization only has to comply with the provincial bill.)
However, if the provincial law in question is NOT considered to be “substantially similar” to PIPEDA, then organizations operating in that province must comply with both the federal and provincial laws. If the province in question does not have a specific privacy bill, then PIPEDA must be complied with.
At this time, only Quebec's privacy law has been deemed “substantially similar” to the federal law. Thus, if fundraising in Quebec, charities need only have to comply with the Quebec law. In all other provinces, both the federal and provincial bills must be complied with. (Note that Alberta and British Columbia are speaking with the Privacy Commissioner's office about having their laws certified as “substantially similar.”)
In Ontario it is federal legislation only at this point. If passed, Ontario's draft Bill 31 – Health Information Protection Act – is scheduled to take effect July 1, 2004.
National organizations working across provincial borders will have to address the different laws that each province has (and the federal restrictions as well). These charities should ensure that personal information is handled appropriately depending on the jurisdiction where the information is collected.
The Federal Privacy Law (PIPEDA)
PIPEDA covers cover the collection, use or disclosure of personal information in the course of any commercial activity within a province, including provincially regulated organizations. The definition of commercial activity is “any particular transaction, act or conduct or any regular course of conduct that is of commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.”
Based on the definition above and conversations with privacy experts and staff, the act of gathering information about donors in order to solicit them for a gift is not considered commercial activity and is not covered by PIPEDA. Thus, the majority of fundraising functions conducted by a charity are exempt from the requirements of PIPEDA.
However, charities will be affected if they sell, barter, or lease their donor lists. If so, those charities will have to get the consent of an individual before they can put that person on a donor list that will be sold, bartered or leased to another organization. Similarly, when leasing or renting external lists, charities must ensure that the source organization is in compliance with the Act. This same principle of consent applies for any other activity that might be considered a “commercial” activity. You will need to assess your activities on a transactional basis to determine whether they fall under the definition of commercial activity.
Individuals may provide consent in various ways – see the following taken from the Federal Privacy Commissioner's web site.
(a) an application form may be used to seek consent, collect information, and inform the individual of the use that will be made of the information. By completing and signing the form, the individual is giving consent to the collection and the specified uses;
(b) a check-off box may be used to allow individuals to request that their names and addresses not be given to other organizations. Individuals who do not check the box are assumed to consent to the transfer of this information to third parties;
(c) consent may be given orally when information is collected over the telephone; or
(d) consent may be given at the time that individuals use a product or service."
(source, Privacy Commissioner's web site)
It should be noted that ruling from the Privacy Commissioner have made clear that the OPT-OUT option needs to be clearly stated and easily executed.
Final Note on PIPEDA: The Charter Challenge
As of this writing, Quebec was considering a legal challenge to PIPEDA. While Quebec has a privacy law that the federal government has deemed “substantially similar” to PIPEDA, it has taken the position that the federal government has intruded into its jurisdiction by reviewing its privacy law. The Quebec Court of Appeals has determined that the province's Attorney-General can challenge the constitutional validity of PIPEDA on the ground that it exceeds the power given to Parliament by the Constitution Act of 1867. At this point, most signs indicate that Quebec will go ahead with a challenge in early 2004, but the exact time is unknown.
Such a challenge makes the privacy picture in Canada dramatically less clear, even as the nonprofit sector struggles to understand and fully comply with PIPEDA. Whether or not a challenge to PIPEDA is successful, charities are encouraged to continue to comply with PIPEDA when engaged in commercial activities. The challenge will have no impact on provincial legislation.
Alberta's Bill 44, the Personal Information Protection Act , came into force on January 1, 2004. Alberta's law has not yet been certified as being “substantially similar” to the federal law.
Bill 44 is similar to PIPEDA in its impact on charities. It specifically exempts most nonprofits from its requirements unless they are engaged in a commercial activity. Opt-out mechanisms are allowed as long as charities gives the individual “a reasonable opportunity to decline or object to having his or her personal information collected, used or disclosed.”
Information that organizations had gathered about individuals before the law came into effect are “grandfathered” in (i.e. exempt), but only to the extent that the information is being used for the purpose intended. Thus, if a charity wants to sell or exchange a donor list, it needs to look closely as to whether or not that was a purpose for which it gathered the personal information in the first place (and equally importantly, whether or not that purpose was communicated to donors and other individuals). Note, PIPEDA does NOT provide for grandfathering of personal information collected prior to the legislation taking effect. Therefore, until or unless the Alberta legislation is deemed “substantially similar,” the standard set by PIPEDA should be followed.
British Columbia's Bill 38, the Personal Information Protection Act, is much stricter than the federal privacy law. There is no reference to commercial activity nor is there an exemption for charities. Any organization gathering, using or disclosing an individual's personal information must have the individual's consent. Under the legislation, only “contact information," defined as data enabling an organization to contact an individual at work, was exempt. Contact information includes: name, position name or title, business telephone number, business address, business email or business fax number of the individual.
However, the regulations for Bill 38 that were later developed by the province are quite broad. The definition of “public information” (information that can be gathered without consent) includes:
- The name, address, telephone number and other personal information that appears in telephone directories, if the individual is allowed to refuse to have his/her information made available;
- Personal information that appears in a professional or business directory that is available to the public, if the individual has the right to refuse to have his/her information included in the directory;
- Personal information appear in a registry to which the public has a right of access; and
- Personal information that appears in a printed or electronic publication that is available to the public, including magazines, books and newspapers.
Charities can collect, use and disclose the information found in the sources above without an individual's consent. Charities can gather information outside of the “public information” realm so long as they give the individual “a reasonable opportunity to decline or object to having his or her personal information collected, used or disclosed.” Reasonable and clear opt-out mechanisms are permissible depending on the sensitivity of the information - medical and salary information, for example, would always require express, opt-in consent.
Before collecting information, a charity must tell the individual how that information will be used and who will have access to it, and must make sure the person is aware that he or she has a right of access and correction. Opt-in or opt-out mechanisms are both acceptable.
The Quebec law also directly addresses the issue of donor lists. Lists containing the names, addresses and telephone numbers of the members, clients and employees of an enterprise may be communicated or used for commercial or philanthropic prospecting purposes. However, the enterprise must give the person concerned a valid opportunity to refuse permission for such communication or use. An organization that uses a nominative list must identify itself and inform persons of their right to remove any information concerning them from the list.
Ontario has yet to pass any privacy legislation similar to PIPEDA (a version was considered in 2003, but failed to became a law). However, in December 2003 a bill was introduced that would affect personal health information. If passed, the legislation would take effect in July 2004.
The Personal Health Information Protection Act (Bill 31) requires express consent (i.e. opt-in) for the collection, use and disclosure of personal health information by any organization. While this requirement places a very large burden on charities, there is still much debate as to whether basic contact information – name address, telephone number, email address – falls under the definition of “personal health information.”
The bill has only received its First Reading, and the organizations comprising the privacy working group will be speaking with the Ontario legislature about the potential impact of the bill and seeking clarification on what constitutes personal health information. For more information about the proposed Ontario Bill 31, see the privacy working group's document, “Frequently Asked Questions About Ontario Bill 31 And PIPEDA.”
(The Industry Canada Q&A list is highly recommended. Although directed at healthcare fundraisers, most of the questions and answers can be applied to all categories of charities and fundraising.)
The privacy working group's other documents (note, there is some duplication between the two FAQs documents and we encourage members to review both if in doubt)
- “Privacy 101: A Guide to Privacy Legislation for Fundraising Professionals and Not-for-Profit Organizations in Canada
- “Frequently Asked Questions Regarding Charitable Fundraising & The Personal Information Protection and Electronic Documents Act (PIPEDA)”
- “Frequently Asked Questions About Ontario Bill 31 And PIPEDA” can be found at member websites:
Legal Disclaimer: The resource material provided in this document and the accompanying appendices is for general information purposes only. The material reflects interpretations and practices regarded as valid as of the date the document was released based on available information at that time. The material is not intended, and should not be construed, as legal advice or opinion nor is it intended to be endorsed as lawful practice. Organizations concerned about the applicability of privacy legislation to their activities are advised to seek legal advice based on their particular circumstances.