It’s likely that you have had a conversation about privacy at some point in your prospect research or fundraising career. Perhaps it was in the form of a discussion with a privacy officer or fundraiser at your organization. Perhaps you attended a presentation at an Apra conference on privacy. Have you ever wondered why you can’t find information about a certain donor in Canada? Have you ever wondered if you should be approaching donor information differently for donors living in Canada? In this article, we hope to answer some of those potential questions about privacy legislation as it relates to prospecting for donors in Canada. Even if you don’t do much prospecting for donors in Canada, there are some general privacy considerations included throughout this article that may be applicable in your daily prospect research activities.
In the age of the internet, privacy legislation is a field that is constantly changing. Personal information is increasingly gathered by numerous organizations and is often shared across borders. Privacy breaches are often covered in the media, and consumers are becoming more aware of how organizations are collecting, storing and sharing personal data. You have likely read many articles in recent months related to data collection and privacy breaches, and in the past few years there has been a high level of media scrutiny of non-profit organizations and the collection of personal data. There is increased pressure on non-profit organizations, and therefore increased responsibility on prospect researchers to ensure that personal data is collected legally and ethically and securely stored to prevent personal privacy breaches.
In May 2018, the European General Data Protection Regulation (GDPR) legislation will officially be applied to all businesses and non-profit organizations in European Union member states. This will likely have a large impact on the future of privacy legislation internationally, including in the United States and Canada. In Canada, there is currently a push to modernize privacy laws to adapt to the digital age. A recent report by the Standing Committee on Access to Information, Privacy and Ethics to Canadian Parliament in February 2018 has recommended that Canada follow the lead of the GDPR in regard to recent changes in privacy legislation related to the collection and storage of personal data. At the same time, Canada’s Privacy Commissioner, Daniel Therrien, is actively lobbying for Canada to strengthen Canadians’ ability to guard their online reputation with the right to forgotten.1 These changes will likely have an impact on the work of prospect researchers on both sides of the border.
Canadian Privacy Laws and Considerations
In the 1970s, after a public inquiry on the use of listening devices by private agencies, privacy legislation became an issue of human rights and civil liberties debate in Canada. The country’s first public sector privacy legislation was enacted as Part IV of the Canadian Human Rights Act in 1977. Almost 20 years later, in March 1996, private sector privacy legislation gained momentum with the development of the Canadian Standards Association Model Code for the Protection of Personal Information. This model code established a voluntary national standard for the protection of personal information, and its principles are woven throughout Canadian privacy legislation.2
The 10 principles that form the basis of the code are: Accountability, Identifying Purposes, Consent, Limiting Collection, Limit Use, Disclosure and Retention, Accuracy, Safeguards, Individual Access, and Challenging Compliance.3 These principles have a direct influence on the fundraising activities of organizations in Canada.
- Accountability: Organizations are responsible for the personal information they collect and should have someone designated to be accountable for the organization’s compliance with the principles. Does your organization have an official privacy officer? If not, who is in charge of ensuring that personal information is collected and stored in compliance with privacy legislation at your organization? Does your fundraising team have a good working relationship with that individual? Does your privacy officer understand the role of prospect research and the work you do?
- Identifying Purposes: Organizations must let individuals know that they are collecting personal information and why they are doing it. Are development officers clear in the purpose of the meeting with the donor? Do they let donors know they will be keeping notes of their meeting to help guide future discussions?
- Consent: Individuals must provide consent for the collection and use of their information — there are limited exemptions to this principle in privacy legislation — and this consent may be withdrawn at any time. Do your organization’s donor forms have a consent statement?
- Limiting Collection: Organizations should only collect the amount of information needed for their purposes, and it should be collected by fair and legal means. How much information does a development officer bring back from visits? How much of the information is needed for donor relationship development? How much information do you keep in your database?
- Limit Use, Disclosure and Retention: Information should only be used for the purpose for which it was collected, and information should only be retained as long as it is needed to fulfill that purpose. Do you inadvertently share private donor information within your organization that should not be shared? Do you really need to keep the full, detailed profile of a one-time donor from 20 years ago?
- Accuracy: Personal information should be accurate, complete and up-to-date. Of course, this is key for prospect research. How does your team ensure you have the correct information? What safeguards are in place to ensure that data is attached to the correct John Smith when there are 12 in your database?
- Safeguards: Organizations should establish appropriate security safeguards as determined by the sensitivity of the personal information. Prospect research information is quite sensitive. What technical safeguards does your organization have in place?
- Openness: An organization’s policies and practices about personal information should be available for review. Are donors able to easily learn why and how their information is collected, used and stored? Do development officers know where to direct donors when they want to know your organization’s policies and practices?
- Individual Access: Individuals should be informed of what personal information is being collected by your organization and have the right to review and correct information collected for accuracy and completeness. What would your donors think if they reviewed the information you have stored?
- Challenging Compliance: Individuals have the right to challenge an organization on their adherence to these principles. Are your donors aware of their rights? Do you and your team members remember that the donor always owns their personal information, not your organization?
As previously mentioned, these principles are woven throughout all of Canada’s privacy legislation; however, that does not mean that legislation is the same in each province or territory. For example, Saskatchewan permits the use of health information for fundraising purposes while Alberta does not. Alberta specifically identifies fundraising by post-secondary institutions as an acceptable use of personal information, but other provinces do not. British Columbia specifically requires that the personal data of its citizens is stored within Canada, but not every province specifies this (although it is often preferred).
While privacy legislation differs across provinces, privacy principles are still important to Canadians. In a 2016 poll conducted by the Information of the Privacy Commissioner of Canada, 92 percent of Canadians stated that they are at least somewhat concerned about their personal privacy, and most Canadians stated that they are concerned about how their online information can be used by organizations.4 With increasing attention on privacy in Canada, it is important that prospect researchers know how to balance the expectations of Canadian donors with ethical prospecting methods.
Prospecting Within the Guidelines of Canadian Privacy Laws
If you have a privacy officer at your organization, make sure you work closely with them to ensure you are following the laws and best practices applicable to your organization and region. In order to mitigate risk, it may be a good idea to draft some policies and procedures related to how you approach research on donors residing in different countries.
Tips for Prospecting:
- Consult publicly available sources, such as:
- News articles – Canadian Newsstream, available through ProQuest at many libraries, provides a historical index of news articles in Canada.
- Public sector employee “Sunshine Lists” for salary information are available in some provinces for public sector employees earning over a certain amount (BC, Alberta, Ontario).
- Property valuation data is available for free in some provinces and at a cost in other provinces.
- Although information such as birthdates is not publicly available in Canada, age can often be estimated through various resources, such as university graduation dates, biographies and past media interviews. Sources such as the Canadian Who’s Who often include birthdates for high profile individuals.
- Use estimates based on neighborhood demographic information available through various vendors such as Environics Analytics and iWave:
- Statistical information in Canada based on postal code/selected area
- Average household income, average household value, etc.
- Average financial information for that geographical area rather than actual financial information (estimating)
Information privacy and prospect research are both young industries that continue to evolve. While the industries grow, so does donor awareness of privacy rights in a digital age. As we have recently witnessed with the GDPR legislation in the EU and the UK, it is likely that the non-profit industry in Canada will continue to face increasing scrutiny in regard to how private information on donors is collected and shared. As legislation changes, it is essential that prospect researchers maintain their privacy skill set so they can always act ethically in their pursuit of donors.
Additional Recommended Resources
Tawnia Daughton is a privacy business advisor with Alberta Health Services (AHS), Canada’s first and largest province-wide fully integrated health system. Prior to joining AHS, she was a prospect research and corporate records analyst at the University of Alberta. Tawnia has previously presented at Apra International and Apra Canada Conferences. Follow Tawnia on LinkedIn.
Sarah Anderson has worked in the field of prospect research for 10 years. She is currently a research analyst at the University of British Columbia in Vancouver, BC, which recently completed a $1.5 billion fundraising campaign. Sarah previously worked with the University of Alberta and the BC Children’s Hospital Foundation. She has served on the board of Apra Canada since 2015, and has previously presented at Apra International and Apra Canada conferences. Follow Sarah on LinkedIn.
For more on privacy and prospecting in Canada, check out the 2017 webinar from Tawnia Daughton and Sarah Anderson.