Non-profits and Privacy Laws - Yes, No, Maybe?

As a non-profit organization (“NPO”), you will likely collect and have access to highly sensitive data, be it from members, supported individuals, minors, volunteers or donors – you are privy to quite a lot. While you may be exempt from several onerous pieces of legislation, NPOs are not automatically exempt from PIPEDA. The Office of the Privacy Commissioner of Canada (OPC) has said that “Whether an organization is a non-profit business for purposes of taxation is not determinative of whether its collection, use or disclosure of personal information is carried out in the course of commercial activity”. So is it a “maybe”? Over the years, there have been several cases in Ontario trying to determine this question. For example, non-profit daycares were in some instances subject to PIPEDA and in other instances not. In 2008, a Canadian Skin Cancer Foundation case revealed that “[N]on-profit or charitable organizations that engage in limited commercial activities that are ancillary to their primary functions would nevertheless be subject to [PIPEDA] to the extent that those commercial transactions involve the collection, use or disclosure of personal information.”

PIPEDA defines “commercial activity” as “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists”. To that end, NPOs are not generally subject to PIPEDA, as they typically do not engage in that type of commercial activity. However, as the case law shows, the test is based on the activity and not on the nature of the organization. For example, where an NPO sells a list of donors or memberships, that activity would fall under PIPEDA as it constitutes a “commercial activity”. Generally, however, NPOs such as charities, minor hockey associations, clubs, community groups and advocacy groups are exempt from PIPEDA as they do not engage in commercial activities. It is therefore essential that, as an NPO, you have a good grasp of what information you are collecting, using, storing and sharing, and of the activity you are engaging in, to determine whether privacy legislation applies to you.

If we look outside of PIPEDA, interestingly, some jurisdictions require charities and NPOs to comply with privacy legislation (with some exceptions), such as British Columbia, Alberta, Quebec and Europe. It is entirely possible that Canada’s federal legislation will follow at some point, so be prepared. In other instances, NPOs also collect health information, and as such provincial health legislation, such as Ontario’s Personal Health Information Protection Act (PHIPA), would apply. NPOs may also collect information about minors, in which case Part X of the Child, Youth and Family Services Act (CYFSA) may apply.

In addition to sensitive health data, NPOs are also privy to other types of data, such as donor lists, inferred data (associating an individual with the non-profit) or sensitive stories shared by vulnerable individuals in fundraising campaigns. While this data would not be subject to PIPEDA, this type of information deserves protection. It is therefore not as simple as asking whether an “NPO” is subject to PIPEDA or other privacy-related legislation; it is the type of activity, the jurisdiction, and the type of individual involved that together determine whether PIPEDA, provincial privacy legislation, health legislation or legislation relating to the information of minors is triggered.

Most importantly, whether or not PIPEDA or other privacy legislation applies to your NPO, voluntary compliance will protect your staff, volunteers, donors and the individuals you support who may be vulnerable. To the extent you do advocacy work, your message will be more meaningful if your NPO is not in the news for a privacy breach or irresponsible use of data.

By addressing privacy considerations (legislated or not), NPOs can better protect individuals’ privacy, build trust with stakeholders, including donors, and comply with relevant data protection regulations insofar as they apply.

What Should You Consider?
