Portrait of Ryan Prendergast

The Legalities of Collecting, Protecting and Working with Patron Information

At Orchestras Canada’s Ontario Small Budget Orchestras Workshop on November 3, we heard from lawyer Ryan Prendergast, of Carters Professional Corporation. Ryan has extensive experience in providing corporate and tax advice to charities and non-profit organizations, and he led a lively session on the legalities of collecting, protecting and working with patron information. The slide deck from this session is available here.

A quick heads-up: this article and the points mentioned in the accompanying slide deck do not constitute legal advice. We advise you to consult with a qualified lawyer and obtain a written opinion concerning the specifics of your situation.

Why this is important

Any information that you keep on your patrons could be viewed as sensitive. When you keep information on these people, you are being trusted to take care of it, and to use it responsibly. Whether this relates to your concert attendees, musicians, or donors, you need to have proper systems in place for keeping it secure. Patron data can be susceptible to cyber attacks, or mis-use by employees or volunteers. It pays to have strong information collection protocols in place, and to take the time to train anyone working with your patron data on those protocols.

What you need to know

Privacy legislation varies by province, there are overlaps between key pieces of legislation, and it is constantly being updated as communication technologies advance. The main sources of privacy law are:

  1. Federal Legislation, such as the Personal Information Protection and Electronic Documents Act (PIPEDA)

This act applies to the collection, use or disclosure of personal information in the course of a commercial activity. Given the blurry lines between what is or isn’t a ‘commercial activity’ at an orchestra, it is generally best practice to take steps to comply with PIPEDA. Among many other things, PIPEDA requires that organizations obtain consent before collecting data. They must

  • collect it by lawful means,
  • collect it for a clear purpose,
  • give individuals access to the information the organization holds about them.

Information that has been anonymized and stripped of identifiable markers is not subject to privacy protection, however the risk of re-identification may exist.

  1. Provincial Legislation

Similar legislation exists in individual provinces, but it is not identical. In Ontario (where this workshop was given), provincial privacy legislation includes the Personal Health Information Protection Act and the Freedom of Information and Protection of Privacy Act

  1. Federal Legislation, such as Canada’s Anti-Spam Legislation (CASL)

This act came into force in July, 2014 and prohibits the sending of commercial electronic messages (CEMs) unless the sender has express or implied consent. Express consent means that someone has clearly agreed (orally or in writing) to receive commercial electronic messages. Express consent does not expire, but can be withdrawn. It’s important to include unsubscribe links in CEMs to allow for this. Implied consent is slightly more complicated, and is given when someone:

  • “Conspicuously publishes their email address” by including it on a website or having it printed on a business card;
  • Engages in a “business relationship” with your organization, perhaps by attending your concerts or events;
  • Engages in a non-business relationship with your organization, perhaps by being a member, donor or volunteer at your organization.

It’s important that we know when and how individuals have consented to receive electronic messages from us: implied consent expires after two years. If someone doesn’t attend any of your events for this time, you are obliged to take them off your list unless they’ve given consent in another way.

This act normally does not apply to social media, but does apply to direct messaging using SMS or social media platforms such as Twitter, Instagram, Facebook or LinkedIn.

In addition to being the law, CASL can also be seen as an example of best communication practices. Communications are most effective when we’re in dialogue with people who want to hear from us, value our content, and feel that we’re listening to them, too. You can save time and money by removing people from your database who have demonstrated that they are not interested in what your organization is doing.

What you can do

Institute (or update) your privacy policy. The policy should be accessible to the public, and it should outline:

  • How personal information will be collected, used, protected and disclosed
  • The process for making and handling complaints and requests for access to and correction of personal information
  • The process for dealing with, reporting and communicating data breaches
  • Who your Privacy Officer is, including contact information

Orchestras Canada’s Privacy Policy is available on our website. Other useful privacy-related policies will depend on your organization’s activities, but could include:

  • CASL Compliance Policy
  • Intellectual Property Policy
  • Social Media Fundraising Policy
  • Staff or Volunteer Privacy Agreement (outlining staff or volunteer obligations with respect to patron privacy)

As Ryan Prendergast told workshop participants, “with the advent of modern technologies as well as social media, the legislatures and courts in Canada are continually creating new avenues for privacy and related protection of individuals… To avoid potential pitfalls involving donor information, charities, directors and senior management should be aware of privacy-related obligations, and implement a proactive approach to compliance.”

Orchestras Canada thanks Mr. Prendergast for a remarkably lively and informative session. If you want to learn more, you can download Ryan Prendergast’s slide deck here.