McLeish Orlando Top Banner (post until Dec. 31/20)

Charities grapple with data breach reporting rules, best practices

New mandatory data breach disclosure rules are causing apprehension for charities and other not-for-profit organizations struggling to determine how they fit into Canada’s privacy law framework, Toronto health lawyer Kathy O’Brien tells

“As of Nov. 1, organizations subject to the Personal Information Protection and Electronic Documents Act are required to notify consumers when there is a breach of their personal information,” says O’Brien, a partner with DDO Health Law.

“I think the media attention around this provision of the Digital Privacy Act is going to provide some anxiety for charities and not-for-profits because they often fall between the cracks of privacy legislation.”

For the most part, Canada’s federal privacy laws don’t apply to charities. But those that generate revenue through commercial activities are subject to the new rules, she says.

National charities that raise funds for research — whether it’s for cystic fibrosis, cancer or multiple sclerosis — can have difficulty figuring out where they fit in, O'Brien says.

She says this is a theme she frequently sees in her practice. While charities are there to raise funds and not generate profit, O’Brien says sometimes they have commercial components. 

“An organization could provide health and wellness programs to their stakeholders and charge a nominal fee, not for a profit, but it may still be a commercial activity,” she says. “Or sometimes a charity takes on a role that inadvertently catapults them into certain privacy legislation.”

As well, many national organizations operate in multiple provinces, each with privacy legislation applicable to not-for-profits, charities and commercial organizations. 

“It’s extremely complex and murky. These health-care charities can sometimes feel like a square peg in a round hole," O'Brien says. "They sometimes fit into some of the privacy legislation, but they just want clarity about the rules."

Even if a charity isn’t affected by the new federal privacy provision, she says it may still grapple with certain best practices and expectations.

“Charities may have very personal information about their stakeholders,” O'Brien says. “They have very sensitive information about their donors and those people have high expectations about how those charities protect their information.”

When working with charities, O’Brien looks specifically at an organization’s activities and the jurisdictions where they occur. 

“Then we give very practical guidance on how to comply and also how to meet the expectations of their stakeholders and their donors,” she says. “The reputational risk is extremely high. If it were to come to light that a charity was playing fast and loose with personal information, it would be devastating.”

Generally, O'Brien says charities and not-for-profits take the issue seriously, but some aren’t always aware of where they fit into the framework.

“That’s where we can help because we’ve had a large amount of experience helping similar organizations figure it out,” O’Brien adds.

To Read More Kathy O'Brien Posts Click Here
Lawyer Directory
CosmoLexToronto Lawyers Association (post to 6.30.19)MKD International (post until Sept. 30/19)Feldstein Family Law (post until May 31/19)Greystones Health VR Law/Victoria Romero (post until June 30/19)Ryerson LPPWilliams Family Law