Sign up for Sector Connector
Login / Logout Link
Apple Computer

What does Canada’s Anti-Spam Legislation mean for your nonprofit?

Canada’s Anti-Spam Legislation (CASL) is coming into full force July 1, 2017 after a transition period of three years. The law prohibits sending commercial emails to Canadians without their consent. Here are some considerations to help ensure your organization is following this legislation:

We are a nonprofit! Our emails aren’t “commercial” are they? 

Your emails are commercial if they include or advertise any programs, services, or products the recipient could pay for.

For nonprofit organizations, commercial content in emails might include advertising membership, sharing workshop opportunities, selling event tickets, or promoting a corporate sponsor. If your emails include this type of information, CASL applies to your work.

For registered charities, soliciting donations is not considered a commercial activity.

CASL applies to my organization – what do we need to do?

You need to do three things to meet CASL: get consent, include identifying information about your organization, and include an unsubscribe function.

1. Get Consent

Your email recipients need to agree to receive emails from you.

In most cases, your organization is required to get expressed consent. This means email recipients need to ‘opt-in’ to receive your emails.

Implied consent is acceptable with your members, donors, volunteers, business relationships, and program participants who have been actively engaged with your organization in the past two years. Keep in mind, consent is only implied within the boundaries of that particular relationship – for example, you may only have implied consent from program participants for emails about said program. Implied consent needs to be renewed every two years.

When in doubt, get expressed consent!

2. Include Identifying Information

Your email recipients need to know who is sending the email (your organization) and how to get in touch with you. Add your nonprofits email, phone number, or address to your emails in a signature line or an email footer.

3. Include an Unsubscribe Function

Just because your email recipient gave consent, doesn’t mean they can’t withdraw that consent at a later time. You need to have a way for them to do this (like an unsubscribe button) and a process for ensuring you don’t keep emailing them after they have asked to be removed from your list.

What happens if my organization makes a mistake?

Originally, private citizens would have been allowed to file lawsuits against organizations and individuals who did not follow CASL as of July 1, 2017. The provisions allowing these private lawsuits were suspended this week.

The Competition Bureau, the Office of the Privacy Commissioner of Canada, and the CRTC can all still take legal action to enforce CASL, with penalties for the most serious violations ranging up to $10 million.

As well, personal assets of board members are no longer at risk in the case of a mistake or CASL noncompliance.

It is important for nonprofit organizations to ensure that their insurance covers possible risks.

More information on CASL for nonprofits

Lucky for all of us, there are many great CASL resources available for nonprofits! Here are some good places to look for more information, tools, and templates:

Please keep in mind that Volunteer Alberta is not able to offer legal advice. We hope the information we have offered is helpful and we encourage your nonprofit to contact a lawyer with any legal questions.

Sam Kriviak
Volunteer Alberta

Binder office

From the Vault – Privacy Protection: 4 easy steps

This blog was originally posted August 30, 2016.


Young employeeEarlier this year, we shared three ways that being privacy conscious can improve your organization’s reputation. By being privacy conscious you can help strengthen your organization’s reputation, enhance the trust in your staff, and even increase the loyalty of donors, participants, and volunteers.

So what steps can your organization take to improve your privacy practices?

In Alberta, the Personal Information and Protection Act (PIPA) is part of our privacy legislation. PIPA is an outline of best practices for privacy protection, and all organizations can benefit by meeting these standards.

Did you know?

Most nonprofit organizations are only legally required to follow PIPA when collecting, using, or disclosing personal information as part of a commercial activity. For example, operating a day care, emailing your donor list, or selling products, training, or a membership.

Service Alberta has created a workbook specifically for nonprofit organizations to help evaluate and improve privacy protection practices. We have gone through the workbook and highlighted these four best practices for you.


4 Best Practices for Privacy Protection

1. Have a good reason for collecting the information you do.

ID cartoon

What personal information does your organization collect for each program or service that it offers?

Collecting a client’s birthday might be appropriate if your program has a minimum or maximum age requirement, but it would be unnecessary if the client simply wanted to sign up for your newsletter.

Your organization can create a list of the information your organization collects, along with the purpose for collecting each piece. If you find that your organization is collecting more information than it needs, arrange to get rid of the extra information you already have, and stop collecting the information from new participants.

2. Designate a privacy contact person.

Envelope cartoonChoose one person to be a privacy contact person (staff member, volunteer, or board member) to answer questions or requests about the personal information your organization collects.

This person should be familiar with your organization’s privacy policies and procedures, and be readily available to answer any questions.

3. Get consent for collecting, using, and disclosing personal information.

Pen cartoonThere are two types of consent, implied consent and express consent:

Implied consent: Implied consent is acceptable in situations where it is really clear why you are collecting personal information and how you will use it. For example, taking a donor’s credit card information on the payment screen.

Express consent: Most of the time it is a good idea for your organization to provide added clarity for people and provide the opportunity for them to expressly consent to the collection, use, and disclosure of their personal information.

Two examples of express consent statements your organization might use:

1. Your organization is collecting income information for program participants to ensure they meet the low-income requirement:

The income information you have provided will be used to determine your eligibility for the program, and will only be shared within our agency.

□ I consent this information can be used within the organization to verify eligibility.

2. Your organization is collecting medical information for day camp attendees:

My child’s provided medical information will be shared with camp volunteers to assist them in recognizing a medical emergency. I consent to the collection of my child’s personal information for this purpose.

Signature:  ______________

4. Safeguard and protect the information you collect.

Laptop cartoon

The personal information your organization keeps on your clients, donors, members, staff, and volunteers is sensitive. Take care of other people’s information as if it were your own:

  • Lock your filing cabinets and password protect all devices, including laptops, tablets, and flash drives.
  • Limit access to personal information to relevant staff or volunteers.
  • Don’t keep information you don’t need. For example, if you need to verify your volunteer has a driver’s license, make a note that it has been verified rather than keeping a copy of the driver’s license on file.

Remember: Social insurance numbers, credit card information, birthdates, names, and addresses can all be used in identity theft. Medical information, criminal record checks, and income information can also have serious impacts on personal relationships, careers, and housing.

While privacy protection may require you to create new policies, or change your procedures, in the end best practices help your organization to protect those people who are integral to the work you do. After all, nonprofit organizations exist for the people we serve – let’s all do the best job that we can!

Does your organization follow these best practices? Do you have room for improvement? Let us know in the comments!

Sam Kriviak
Volunteer Alberta

Binder office

Privacy Protection: 4 easy steps

Young employeeEarlier this year, we shared three ways that being privacy conscious can improve your organization’s reputation. By being privacy conscious you can help strengthen your organization’s reputation, enhance the trust in your staff, and even increase the loyalty of donors, participants, and volunteers.

So what steps can your organization take to improve your privacy practices?

In Alberta, the Personal Information and Protection Act (PIPA) is part of our privacy legislation. PIPA is an outline of best practices for privacy protection, and all organizations can benefit by meeting these standards.

Did you know?

Most nonprofit organizations are only legally required to follow PIPA when collecting, using, or disclosing personal information as part of a commercial activity. For example, operating a day care, emailing your donor list, or selling products, training, or a membership.

Service Alberta has created a workbook specifically for nonprofit organizations to help evaluate and improve privacy protection practices. We have gone through the workbook and highlighted these four best practices for you.


4 Best Practices for Privacy Protection

1. Have a good reason for collecting the information you do.

ID cartoon

What personal information does your organization collect for each program or service that it offers?

Collecting a client’s birthday might be appropriate if your program has a minimum or maximum age requirement, but it would be unnecessary if the client simply wanted to sign up for your newsletter.

Your organization can create a list of the information your organization collects, along with the purpose for collecting each piece. If you find that your organization is collecting more information than it needs, arrange to get rid of the extra information you already have, and stop collecting the information from new participants.

2. Designate a privacy contact person.

Envelope cartoonChoose one person to be a privacy contact person (staff member, volunteer, or board member) to answer questions or requests about the personal information your organization collects.

This person should be familiar with your organization’s privacy policies and procedures, and be readily available to answer any questions.

3. Get consent for collecting, using, and disclosing personal information.

Pen cartoonThere are two types of consent, implied consent and express consent:

Implied consent: Implied consent is acceptable in situations where it is really clear why you are collecting personal information and how you will use it. For example, taking a donor’s credit card information on the payment screen.

Express consent: Most of the time it is a good idea for your organization to provide added clarity for people and provide the opportunity for them to expressly consent to the collection, use, and disclosure of their personal information.

Two examples of express consent statements your organization might use:

1. Your organization is collecting income information for program participants to ensure they meet the low-income requirement:

The income information you have provided will be used to determine your eligibility for the program, and will only be shared within our agency.

□ I consent this information can be used within the organization to verify eligibility.

2. Your organization is collecting medical information for day camp attendees:

My child’s provided medical information will be shared with camp volunteers to assist them in recognizing a medical emergency. I consent to the collection of my child’s personal information for this purpose.

Signature:  ______________

4. Safeguard and protect the information you collect.

Laptop cartoon

The personal information your organization keeps on your clients, donors, members, staff, and volunteers is sensitive. Take care of other people’s information as if it were your own:

  • Lock your filing cabinets and password protect all devices, including laptops, tablets, and flash drives.
  • Limit access to personal information to relevant staff or volunteers.
  • Don’t keep information you don’t need. For example, if you need to verify your volunteer has a driver’s license, make a note that it has been verified rather than keeping a copy of the driver’s license on file.

Remember: Social insurance numbers, credit card information, birthdates, names, and addresses can all be used in identity theft. Medical information, criminal record checks, and income information can also have serious impacts on personal relationships, careers, and housing.

While privacy protection may require you to create new policies, or change your procedures, in the end best practices help your organization to protect those people who are integral to the work you do. After all, nonprofit organizations exist for the people we serve – let’s all do the best job that we can!

Does your organization follow these best practices? Do you have room for improvement? Let us know in the comments!

Sam Kriviak
Volunteer Alberta

Silhouette Woman

3 ways being privacy conscious can improve your organization’s reputation

Typing Woman smallIn the twenty-first century, data and information are everywhere. Collecting information is truly foundational to everything we do in our daily work. Online activities that collect personal information, fundraising efforts, volunteer screening, and social media put a responsibility on nonprofits to consciously manage people’s privacy, information, and other data.

By being privacy conscious you can help strengthen your organization’s reputation, enhance the trust in your staff, and even increase the loyalty of donors, participants, and volunteers.

If you want to maintain a positive perception of your organization and the important work you do, a solid practice is to have processes in place for managing information and personal records.

Here are a few simple ideas and actions your organization can take to be more privacy conscious and protect the personal information and privacy of those people who interact with your nonprofit.

Enhance your organization’s reputation

Protecting privacy and personal information can improve your organization’s reputation.

In general, nonprofits that manage personal information in accordance with privacy legislation (like PIPA or FOIP) are seen as more accountable and trustworthy, by clients, volunteers, donors, and potential partners.

An improved reputation may mean that other agencies will find opportunities to work together with your nonprofit more attractive, especially if operating joint programs or if a partnership requires information sharing.

By simply reviewing how your organization currently manages personal information, you can begin to establish more formalized processes.

A simple review of your current practices may provide other benefits like;

  • assist you in making better decisions about what information is reasonable to collect and only collecting what you need
  • guide you to use the information you collect more effectively and intentionally
  • improve how you protect the privacy of those people who are important to you

Trust in your staff

Not having good personal information protections in place could hurt how your staff are perceived and trusted by your donors, volunteers, and clients.

Simply because a few standardized processes are lacking in their work, your staff may not be perceived to have the same level of responsibility and accountability as people working in businesses.

While initially it may seem like added work, you can help improve the level of trust your donors, volunteers, and clients have in your staff by involving staff in the process of protecting personal information.

Simple ways your staff can be seen as part of protecting privacy while collecting information include;

  • staff being transparent about how a person’s personal information will be used, providing those people an opportunity to ask questions or make requests that help them feel their information is respected
  • staff explaining how information will be stored and/or destroyed, demonstrating a professional level of accountability in the staff person and helping to develop a relationship of trust between the individual and staff at your organization

Loyalty from your donors, participants, and volunteers

GlassesPeople are asked to share their personal information many times a day, from entering an email address, to sharing a postal code at a store check-out, to signing into social media websites. Personal information is increasingly valuable in today’s world.

People are concerned about what data is requested of them, how much of the requested information is required for the service they want to use, and how their data is eventually used. While they may have differing thoughts and feelings about their expected privacy when it comes to their own information, one thing often rings true, people generally place more trust and respect in those who work to protect their privacy.

People who your organization counts on to volunteer or donate are not only important to your work, but also champions who will share the experiences they have with your organizations with others. It is a good idea to be transparent with those people about the steps you have in place to protect and respect their privacy.

Some simple solutions that you can incorporate;

  • a “privacy practices and policy” notice on all donation forms or receipts
  • be upfront about the personal information that is required for volunteer screening processes (ex. is a police information check required, references, or employment history?)
  • set clear expectations during volunteer interviews or orientation about how their personal information will be used, stored, and destroyed

If your organization is already taking some of these steps for privacy protection – great work! Please keep it up and share any tips you might have about your processes in the comments.

Guest Blog: Volunteers as Staff: Where Labels and Titles Collide

volunteer staffIn 2010 alone, 47% of Canadians volunteered 2 billion hours, the equivalent of 1.1 million full-time work positions. Volunteers, who freely offer their services, have become an essential component of our communities and the modern workforce. In the nonprofit sector, we know all too well the benefit volunteers bring to our organizations. For many of us, they are indeed a necessity. But having volunteers work for our organizations can and does expose us to potential risks.

With the important part volunteers play, should we as agencies recruit, screen, and manage them, as we would staff? Or do they require something different?

This may sound like a daunting question. How would we even begin to tackle this? My initial strategy was to ask as many people as possible, so I asked volunteers, managers, and those in-between, this very question. I found there were just as many points of view as there were individuals who held them:

• Some agencies I spoke with (such as Distress Centre Calgary) identified having worked towards an integrated Human Resources model. Their rational was that many volunteers provide a front line service and need similar training, time, support, and supervision as employees. “Volunteers do not get the financial benefits. However, the volunteer is here to do a job, shows up, and does it to the best of their ability. Volunteers represent the agency just as much as staff, and expectations around service seem the same for both volunteers and staff”.

• A few volunteers stated they enjoy being on an equal footing with staff. This made them feel respected and important; a peer in the organization. Others felt a sense of safety being separate from paid workers, feeling almost exempt from punishment over mistakes or errors in procedure. “I feel volunteers are lower in the hierarchy overall, and that there’s less responsibility on the volunteer when being directed in my role.”

• A surprising number of respondents worried of a volunteer/staff “synergy.” When asked to clarify, these individuals said the treatment of some nonprofit staff leaves something to be desired and worry about comparisons being made between the kinds of support given to volunteers and to staff. “Essentially, volunteers are held in a place of esteem while staff is often not. All too often staff does not get the same support to the same degree.”

• Others found an already organic union blurring of the lines between staff and volunteers. “I volunteered for a program essentially run by volunteers. With some volunteer roles, you are doing the same tasks as a staff anyways.”

With such a wide range of experiences and opinions, what’s a nonprofit to do? Do we work actively towards formalizing the volunteer position? Do we establish rigid screening and feedback processes? Or do we play it by ear depending on the volunteer role and/or specific individual? Much to my chagrin, it looks like there is no definitive answer.

However, there are a plethora of references and materials out there for agencies wanting to take a stab at formalizing the volunteer role. They make a strong case that it’s in our best interest, as nonprofit organizations, to put volunteers and staff on a similar plane. Authors such as Judith Wilson, Michelle Gislason, and Linda Graff highlight that as the risk for the agency or the volunteer increases, so does the need for formalized processes. Conveniently, you can find these and many other resources on the Volunteer Alberta Resource Centre, or why not ask other nonprofits (such as Distress Centre Calgary) what is working for them.

Chloé McBean, Contact Centre Volunteer Team Lead
Distress Centre Calgary

 

 

  • 1
  • 2

Not-for-profit Web Consulting & Digital Marketing by Adster Creative