Managing personal data has become a concern for organizations that engage in commercial activities. Gathering data from donors calls for strict internal practices that respect donors’ rights by optimizing data security. In the wake of the May 25, 2018 enactment by the European Union of the General Data Protection Regulation (GDPR), we were all submerged by email messages stating that the sender had updated its privacy policy and that we now had control over our personal information. Since that time, organizations have each worked hard to develop their privacy policy and reassure their contact base.

As a non-profit organization (NPO), are you up‑to‑date on how to manage personal donor data? Do you know what federal and provincial legislation applies to you? Are you aware of your obligations? We offer refresher training on current legislation so you can manage you donor data base effectively.

Does your organization engage in commercial activities inside and outside Quebec?

Unlike private‑sector organizations, charities are not necessarily subject to the federal Personal Information Protection and Electronic Documents Act (PIPEDA).

If your organization does engage in commercial activities that require the collection and use of personal information, you must comply with PIPEDA. To comply with the privacy requirement governing personal donor data, you need to determine whether your organization engages in commercial activities. For example, selling, bartering or leasing a membership list or a list of donors is considered a commercial activity that is subject to PIPEDA.

Concerned about PIPEDA? Here are eight things you need to know.

  1. If your organization carries out commercial activities, it is subject to PIPEDA.
  2. Your organization needs to develop a privacy policy and personal information management procedure; the Gatineau Health Foundation provides an example.
  3. You must obtain donor consent and specify data use before collecting personal information.
  4. Donors may request access to all their personal information held by your organization.
  5. Your employees may also request access to their personal information.
  6. If your organization is associated with a municipality, school, university or hospital, you are undoubtedly subject to provincial legislation.
  7. If your organization operates exclusively in Quebec, Alberta or British Columbia, you are not subject to PIPEDA.
  8. If your organization operates outside provincial and national boundaries, you are subject to PIPEDA.


Does your organization engage in commercial activities exclusively in Quebec?

The federal government considers that Quebec’s privacy legislation is substantially similar to PIPEDA.

The Quebec government nevertheless recommends that organizations engaging in commercial activities know their obligations in collecting, using and communicating personal information to third parties.

Here are eight things you need to know about Quebec’s privacy legislation.

  1. You must have a reason for collecting personal information, and must collect the information by lawful means.
  2. You must obtain consent before collecting, using or communicating personal information.
  3. You must inform individuals of the use that will be made of their personal information.
  4. You must ensure the security and privacy of personal information you collect.
  5. You must obtain consent from individuals to use their personal information after the initial purpose of collecting the information has been accomplished.
  6. You must obtain consent from individuals to communicate and share their personal information with third parties.
  7. You must ensure that personal information you collect is accurate when it is used.
  8. When individuals request access to personal their information and wish to rectify it, you must comply with the request.


What if a complaint is filed?

In the past few years, Desjardins, Facebook, Uber and Yahoo have been disgraced because of leaked and pirated personal data. Charities are not immune from these scandals. They can be vulnerable to cyberattacks because of the sensitive nature of the data they collect, or because of the limited information technology (IT) protection they can afford.

Whether your donor data are saved to a server or to a file, the risks for your organization usually have to do with IT management: storage, access, and purpose and time of use.

A number of issues arise. Do you keep the credit card information of a donor who spreads out a donation over several years? What steps do you take if your donor list needs to be used by a third party, such as the agency organizing your next gala benefit event? Are employees and volunteers authorized to use their own computers and cell phones when working on projects for your organization? How does your organization transfer personal information from the fundraising department to the financial department?

The Office of the Privacy Commissioner of Canada offers 10 relevant tips to optimize personal data management and avoid complaints.

  1. Post contact information for your Privacy Officer on your Internet site. Make sure you have procedures set up to address complaints or instances of fraud. Who on your team will be the resource person? When and how will you inform individuals affected by a complaint or instance of fraud, as well as donors, beneficiaries and clients?
  2. Train and inform employees and volunteers about privacy.
  3. Reinforce policies within your organization to avoid employee mistakes.
  4. Collect only necessary personal information. Keep your filing and information systems up-to‑date. Although a number of free software security applications are available, investing in the services of IT professionals could spare you a lot of headaches if a system fails or a complaint is filed.
  5. Avoid requesting a donor’s social insurance number.
  6. Avoid photocopying a donor’s driver’s licence to validate their identity.
  7. Inform individuals if you use video or other forms of surveillance.
  8. If you collect it, protect it! Take out cyber insurance; this coverage will require you to screen your procedures and identify, minimize or eliminate high‑risk possibilities.
  9. Make access to personal information request forms available.
  10. Clearly explain why you need to collect personal information.

Since your organization needs to collect personal donor data to carry on its activities, to preclude any problems with your donors we recommend that you develop a thorough privacy policy and personal information management procedure. The Association of Fundraising Professionals Internet site offers a Donor Bill of Rights. Your determination to respect the privacy of personal information and your desire to provide optimum data security are strong points for your image and your reputation.