Quality Mark
Last Reviewed: May 2023
Reviewed by: LFNP Contributors
Time to Read: 10 minutes

This Fact Sheet provides information about the legal rules non-profits must follow for disclosing (sharing) personal information.

Privacy law requires a non-profit to follow certain rules about the disclosure of any personal information that it collects. Disclosure means making personal information available to a third party or other organization. For example, sharing an email list of names, phone numbers, and birth dates is a disclosure of personal information of, and to, everyone on the list.

As with the collection of personal information, non-profits may only disclose personal information for valid reasons and only with consent.  Valid reasons are those related to the purpose of the non-profit. Consent is permission/voluntary agreement to the disclosure of their unique information. 

An important exception to the general principle of non-disclosure without valid reasons or consent is where a non-profit is formally ordered to disclose personal information. Formally ordered means some type of legal process such as subpoenas, warrants, and court/tribunal orders. Non-profits must either follow the direction to disclose given in a formal order or challenge that order.

Non-profits are obligated to protect the privacy of all personal information it collects. Beyond this general duty, they must pay special attention to protecting the personal information of its employees. Non-profits must take steps to limit access to this information. For example, best practice is to save personal information of employees on a restricted drive or computer, rather than on shared drives or computers. Information stored on a shared drive may be accessed by anyone who has access to that drive. Even though this example may not feel like a disclosure, in law it is a disclosure. Non-profits must take steps to prevent providing unintentional access to personal information.

Intentional access to private information typically comes in the form of a request for access to the information held by a non-profit. Non-profits should have a process and policy in place to handle such requests.