Information about privacy requirements for non-profits in British Columbia.
Quality Mark
Last Reviewed: May 2023
Reviewed by: LFNP Contributors
Time to Read: 10 minutes

This Fact Sheet provides information about the role of a privacy officer.

A privacy officer is a person designated by a non-profit to answer questions about how it collects, uses, keeps, and discloses personal information. Best practice is to include this person’s contact information in the non-profit’s privacy policy, e.g., privacyofficer@society.org.

A privacy officer will receive and may decide upon requests for access to a non-profit’s records. Best practice is for a non-profit to establish clear guidelines for the privacy officer to follow in making these decisions. At least one member of the Board should have sufficient knowledge or training to advise the privacy officer if specific concerns arise.

Last Reviewed: May 2023
Reviewed by: LFNP Contributors
Time to Read: 8 minutes

This Fact Sheet provides information about the legal rules non-profits must follow for keeping (retaining) personal information.

Most non-profits retain (keep) records of some kind. Typically, these records are in paper and/or digital/electronic form. Paper records include all records in a physical (non-electronic) form, such as printed documents, printed emails, and hand-written notes.

Digital/electronic records include all information recorded by a computer such as email messages, word processed documents, images, spreadsheets, and databases. Best practice is to ensure that both types of records are retained securely.
Paper Records

  • Limit access: securely store paper records behind a locked door.
  • Secure sensitive personal information, e.g., medical and financial, in a locked cabinet.
  • Only provide keys to doors/cabinets to specific authorized individuals.

Digital/Electronic Records

  • Encrypt (make data unreadable except by certain people using an authorized device) highly sensitive electronic records.
  • Password protect (only those with the assigned code, word, or phrase can access) records stored online or on shared drives.
  • Use and regularly update antivirus software to protect electronic records from illegal access, sharing, and corruption.

Different types of records must be kept for different amounts of time. For example, financial records must be kept for 7 years and official records (under section 20 of the Societies Act) for 10 years.

Personal information should not be kept if it is no longer necessary for the purpose it was collected. For example, if a non-profit had people sign up for a newsletter and it stops publishing the newsletter, the names and email addresses of those who signed up are no longer necessary. Those documents can be deleted or shredded.

Last Reviewed: May 2023
Reviewed by: LFNP Contributors
Time to Read: 10 minutes

This Fact Sheet provides information about the legal rules non-profits must follow for disclosing (sharing) personal information.

Privacy law requires a non-profit to follow certain rules about the disclosure of any personal information that it collects. Disclosure means making personal information available to a third party or other organization. For example, sharing an email list of names, phone numbers, and birth dates is a disclosure of personal information of, and to, everyone on the list.

As with the collection of personal information, non-profits may only disclose personal information for valid reasons and only with consent. Valid reasons are those related to the purpose of the non-profit. Consent is the individual’s permission or voluntary agreement to the disclosure of their unique information.

An important exception to the general principle of non-disclosure without valid reasons or consent is where a non-profit is formally ordered to disclose personal information. Formally ordered means some type of legal process such as subpoenas, warrants, and court/tribunal orders. Non-profits must either follow the direction to disclose given in a formal order or challenge that order.

Non-profits are obligated to protect the privacy of all personal information they collect. Beyond this general duty, they must pay special attention to protecting the personal information of their employees. Non-profits must take steps to limit access to this information. For example, best practice is to save personal information of employees on a restricted drive or computer, rather than on shared drives or computers. Information stored on a shared drive may be accessed by anyone who has access to that drive. Even though this example may not feel like a disclosure, in law it is a disclosure. Non-profits must take steps to prevent providing unintentional access to personal information.

Intentional access to private information typically comes in the form of a request for access to the information held by a non-profit. Non-profits should have a process and policy in place to handle such requests. 

Last Reviewed: May 2023
Reviewed by: LFNP Contributors
Time to Read: 15 minutes

This Fact Sheet provides information about the legal rules non-profits must follow for collecting personal information.

Privacy law requires a non-profit to follow certain rules about the collection of personal information. Personal information is that which is unique to an individual. Some examples include: name, address, email address, birthdate, Social Insurance Number (SIN), gender, medical information, educational history, employment status, IP address, family status, and income.

Prior to collecting any personal information, a non-profit must identify the purpose for its collection and get consent. 

  • Purpose: Non-profits should only collect personal information for valid reasons, i.e., to help fulfill their mission. Non-profits must provide the reason(s) for collecting personal information and how it might be used. Non-profits may only use personal information for those reasons and for nothing else. These reasons might include: communicating with members, sending newsletters and invitations, service phone calls and emails, audit purposes, soliciting donations, and issuing tax receipts.
  • Consent: Non-profits should obtain consent prior to collecting personal information. Consent means the individual’s permission or voluntary agreement to the collection of their personal information. This usually happens in one of two ways.
    • Implicit consent means that the individual’s actions imply agreement. For example, to buy a ticket a person has to pay for it and provide a credit card number. Purchasing the ticket is their implicit consent to the collection of their credit card number, which is personal information.
    • Explicit consent is where a consent form is provided to the person. For example, consent forms are routinely used for the sharing of personal information between medical practitioners.

Last Reviewed: May 2023
Reviewed by: LFNP Contributors
Time to Read: 8 minutes

This Fact Sheet provides details about the important factors for a non-profit to consider in drafting its privacy policy.

Privacy laws protect individuals’ personal information. To comply with privacy law, non-profits that collect personal information such as names, addresses, and birth dates, must take steps to protect this information. 

A best practice for legal compliance is for non-profits to have a privacy policy. A good privacy policy covers how a non-profit will collect, use, disclose, and retain (keep) personal information.

Diagram: Collect, Use, Disclose, Retain

Collect means to gather information.

Personal details are gathered in a variety of ways:

  • Phone
  • Fax
  • Mail
  • Social media
  • Online
  • In person

*Clearly identify possible methods of collection in a privacy policy.

Personal information may only be collected and used for the reason(s) it was collected.

If collecting details for a membership contact list, do not use those details for marketing purposes.

*Describe the purpose for collecting and using personal information in a privacy policy.

Disclose means to make personal details available to another person or organization.

Non-profits must not disclose personal details for purposes other than those for which they were collected without consent.

*List the circumstances where personal information may be disclosed in a privacy policy.

Retain means to keep/store.

*Include rules in a privacy policy for how personal details are kept and for how long.

A privacy policy should clearly state that it applies to all of the non-profit’s directors/board members, workers (employees and contractors), volunteers, and the people it serves.

Non-profits should provide training on their privacy policy to their staff, directors/board members, and other volunteers. Training means teaching people about the rules. From a privacy perspective, training means ensuring people are aware of and understand their obligations under the policy.

Last Reviewed: May 2023
Reviewed by: LFNP Contributors
Time to Read: 15 minutes

This Fact Sheet provides information about the legal rules for spam messages.

Canada has rules (anti-spam) about sending certain types of electronic messages to groups of people (Canadian Anti-Spam Legislation or “CASL”). Electronic messages are messages sent by any electronic means such as email, text, instant message, and tweet. These messages may be considered spam if they are sent for a commercial purpose. Spam is not allowed.

Canada’s anti-spam law only applies to electronic messages sent for a commercial purpose. Commercial purpose means encouraging participation in a commercial (for profit) activity. Examples include selling tickets to shows, sending fundraising emails, and selling season subscriptions. The activities of non-profits and charities may be commercial if they involve selling to the public. Generally speaking, if the message is not about a commercial transaction, it is subject to the anti-spam law. Further, fundraising emails for registered charities are exempt from the anti-spam law, but this exemption does not extend to non-profits.

If a non-profit wants to send commercial electronic messages, it must allow the recipients to “opt-in” before those messages are sent. Opt-in means the recipients of the email messages actively agree to receive emails from the non-profit. Email recipients typically opt-in by subscribing to an email list. Further, the non-profit must include an “opt-out” option in the group email messages. Opt-out means the recipients of the email messages can unsubscribe (withdraw their consent to future emails).

Commercial electronic messages must include contact information for the non-profit.