Data Privacy for Nonprofits

As part of their operations, Nonprofits collect, use, and disclose an increasing amount of personal information (details on donors, employees, volunteers, etc.). It is therefore essential that Nonprofits ensure they handle this personal information in compliance with applicable laws. 

The protection of personal information is governed by a series of provincial and federal laws in Canada, created to uphold rights to privacy for personal information.

The Personal Information and Electronic Documents Act applies to all organizations that gather, use and disclose personal information as part of their commercial activities. While many Nonprofit activities are not commercial in nature, various Nonprofits may engage in some form of commercial initiative, which could be enough to draw scrutiny over their compliance with the Act.

The definition of “personal information” varies according to the applicable act. Under the Federal Act, personal information generally constitutes any information that concerns an identifiable individual.


The Act governs the following:

  1. collection;
  2. use;
  3. safeguarding; and
  4. disclosure of personal information.


Under the Federal Act, there are rules that must be abided by in order to comply with minimum applicable requirements.  

Required personal information must be collected solely for a specific purpose.

Collecting names and addresses from donors for fundraising emails, invitations to events and report recognition complies, as the information collected serves the sole purpose of donor management. However, you would not be able to collect items such as credit card numbers or identification cards, as this information does not serve that sole purpose, unless it is required to fulfill an important function of donor management such as processing donor donations.

To comply with the Act, Nonprofit organizations should review the following checklist to ensure their collection of information is acceptable:

  • What is the reason for collecting this personal information?
  • What information is required to attain this objective?
  • How will the information be used?

You should always be able to justify reasons for collecting personal information.


An essential requirement is obtaining consent from individuals when collecting or disclosing their personal information. Nonprofits should try to do the following:

  • clearly disclose the reasons for collecting the information;
  • indicate how the information will be used;
  • specify whether the information will be shared with any third parties;
  • inform individuals where and how their information will be retained.  

Once the information has been collected, Nonprofits must use the information only for the purposes for which it was gathered and to which the individuals consented.

Safety of personal information is of paramount importance. Adequate measures must therefore be taken to safeguard the information, regardless of the manner in which it is retained.

Implementing an adequate security policy and placing an individual in charge of retaining the information can limit the liability of Nonprofits and help them react more effectively in the case of security breaches. It is probable that only a few people really need to use the information, in which case other employees should not be given access to the retained information.
