May 20, 2026

The 10 Privacy Questions Every Ontario Charity Board Should Be Able to Answer

Privacy law has caught up with the charitable sector, and Ontario charities now face real exposure under PIPEDA, Quebec's Law 25, and a patchwork of provincial regimes that can quietly apply to any national fundraising campaign.

This post walks through the privacy questions every charity board should be able to answer, from naming a privacy officer to handling third-party contracts to building a breach response protocol that works under pressure.

Episode Transcript

David:

You know, when you donate to a local charity, or maybe you volunteer your time on a weekend, you naturally feel like you're doing something good.

Sara:

Right, you're helping the community.

David:

Exactly. You picture your money or your effort directly helping people, maybe feeding a neighborhood or funding medical research. But, and I really want you to look at this exact same interaction from a totally different angle today.

Sara:

Yeah. The cybercriminal's angle.

David:

Right. Because to a cybercriminal, that local charity isn't a beacon of hope at all. It is frankly an absolute gold mine.

Sara:

Oh, completely. They aren't seeing your good intentions.

David:

No, they are seeing pristine, unprotected lists of donors, payroll data, volunteer records, all of it often guarded by really outdated software and, you know, a shoestring budget.

Sara:

And we tend to view the nonprofit sector through this lens of goodwill. Right? We kind of assume that because a charity's mission is noble, they are somehow insulated from the kind of ruthless corporate espionage or ransomware attacks that we see in the news all the time.

David:

Which makes sense emotionally, but not practically.

Sara:

Exactly. The data tells a much darker... I mean, in 2024 alone, nonprofits experienced a staggering 30% year-over-year increase in the number of weekly cyber attacks.

David:

Wow, 30%.

Sara:

Yeah, attackers have realized that the healthcare clinic or the local animal shelter holds the exact same highly valuable personal information as a Fortune 500 company.

David:

Just with a fraction of digital defense.

Sara:

Precisely.

David:

And 30% in one year is a massive jump. Plus, the financial impact is just as shocking. The average cost of a data breach is now hitting up to $2,000,000.

Sara:

It's devastating for these organizations.

David:

It really is. Think about a local charity you support. If they suddenly had a $2,000,000 liability just drop out of the sky, that's not just a bad quarter.

Sara:

Right, they don't have corporate cash reserves to just absorb that kind of blow.

David:

Exactly. For most local charities, a breach of that size is a literal existential event. It means closing the doors for good.

Sara:

Which brings us to our mission for this session today. We are exploring a highly practical source, Privacy Essentials for Ontario Charities: A Senior Lawyer's Guide, by Dov Goldberg.

David:

He's the managing lawyer at B.I.G. Charity Law Group. Right?

Sara:

He is. And his entire premise is that charity boards need to fundamentally change their mindset.

David:

Yeah.

Sara:

They have to stop treating privacy as just an IT issue, like, you know, a problem for the part time tech support person to figure out, and start looking at the very real structural traps that organizations are falling into right this second.

David:

Okay. Let's unpack this. Because when we hear cyber attack, our brains immediately go to a very specific Hollywood image, right?

Sara:

Oh, for sure. The guy in the hoodie.

David:

Exactly. We picture sophisticated hackers in dark rooms typing furiously in green code, cracking complex firewalls. But the source material reveals that the actual vulnerability is usually much closer to home.

Sara:

It's almost entirely human.

David:

Right. It's human error.

Sara:

The highly sophisticated brute-force hacking of a firewall is incredibly rare compared to much simpler psychological... I mean, in 2024, sixty-eight percent of breaches involved a human element.

David:

Sixty-eight percent.

Sara:

Yeah. We are talking about basic phishing emails or simply a staff member making a careless error because they were, you know, rushing to finish a task on a Friday afternoon. Wow. Cybercriminals just don't waste time trying to break down a titanium door when they know a staff member might just hand them the keys if they ask nicely enough.

David:

It's like, well, it's like installing a state of the art vault door on the front of your house but leaving the living room window wide open.

Sara:

That is a perfect analogy.

David:

You spend all this donor money on technical defense, the firewalls, the antivirus software, but the entry point is just someone walking by and noticing the latch is undone. Yeah. You can have the best security software in the world, but if a human being bypasses it, the software is totally useless.

Sara:

And Goldberg frames this exact dynamic using the concept of the three legged stool of safeguards.

David:

Okay. What are the three legs?

Sara:

So if you want a robust privacy defense, you need three equal legs supporting your organization. First, you need physical safeguards.

David:

Meaning like locked filing cabinets.

Sara:

Exactly. Locked cabinets, secure building access, clean desk policies. Then you need technical safeguards, which are your encrypted laptops, secure WiFi, two factor authentication.

David:

Right, the IT stuff.

Sara:

Right. Crucially, you need administrative safeguards.

David:

Which is what? The human policies?

Sara:

Yes. Those are the clear, written policies dictating who can do what with sensitive information and importantly the training to actually back it up.

David:

And if you take one leg away, the whole stool just collapses.

Sara:

It falls right over.

David:

The guide mentions this classic, almost tragic Ontario charity trap. An organization spends thousands on pristine cybersecurity. They've got the encrypted laptops, the firewalls.

Sara:

They feel completely invincible.

David:

Right. But every Tuesday they leave a physical printed donor binder sitting completely unattended on the front reception desk while the receptionist goes to lunch.

Sara:

It's so common and that physical failure instantly negates millions of dollars of technical safeguards.

David:

Because anyone could just walk in.

Sara:

Exactly. Anyone walking in for an appointment, or a delivery driver dropping off a package, could flip open that binder and snap a photo with their phone.

David:

And boom, the data is compromised without a single line of code being hacked.

Sara:

Precisely. The guide highlights another incredible real world example of a small social services charity. Right in the middle of a formal audit, they discovered that intake forms, documents containing highly sensitive personal health information, were being casually emailed to a staff member's personal Gmail account.

David:

Oh man, just sent right to a Gmail account. Yeah. And the reasoning behind that is almost always just for convenience, right? A staff member wants to make it easier to print a document at home or maybe review a case file on a weekend from their personal tablet.

Sara:

Yeah, it's so innocent in its intent.

David:

Innocent, but so catastrophic in its potential.

Sara:

Absolutely.

David:

But I want to push back on the reality of charity operations for a second here.

Sara:

Sure. Go ahead.

David:

Because charities are fundamentally different from big banks or tech firms. They run on incredibly tight budgets and they rely heavily on volunteers who might only be there for like two or three hours a week.

Sara:

That's very true.

David:

So if you sit a volunteer down on day one and have them sign a robust privacy acknowledgement form, doesn't that legally cover the organization's bases?

Sara:

Well, having a signature on file might make a board of directors feel legally protected, but it does absolutely nothing to protect the actual data.

David:

Right.

Sara:

Day one paperwork is not training. It is just a compliance receipt. Staff and volunteers need ongoing active education that challenges them.

David:

So signing a paper once isn't enough anymore?

Sara:

Not at all. The source makes it clear that mandatory annual cybersecurity training is now the baseline expectation across the sector.

David:

Which means we have to move beyond just reading a PDF handbook. It has to include simulated phishing tests. Right?

Sara:

Yes. Exactly.

David:

You have to put a fake invoice in front of an employee on a random Tuesday and see if they actually clicked the malicious link.

Sara:

Because phishing isn't just the most prevalent type of attack, it's the one that actively preys on the helpful nature of charity workers.

David:

Oh, that's an interesting point.

Sara:

Yeah. The psychology of charity workers actually makes them prime targets. They are conditioned to be responsive, to help people in urgent need, and to react quickly to requests.

David:

Wow, so hackers actively exploit their empathy?

Sara:

They absolutely do. You need to train your team to recognize what a fraudulent email from the executive director asking for gift cards looks like.

David:

We've all seen those emails.

Sara:

Right. And beyond the simulations, the administrative leg of that stool comes down to very strict practical rules, like no personal information should ever go on an unencrypted USB stick.

David:

Oh, for sure.

Sara:

And if staff are working remotely from a coffee shop, they must use a virtual private network, or VPN, to encrypt their connection.

David:

The guide also emphasizes need-to-know access, which makes a lot of sense. If I'm the summer intern hired to manage the social media accounts, I do not need administrative access to the database of the charity's top-tier major donors.

Sara:

No, you definitely don't.

David:

Limiting access limits the blast radius if that intern's account gets compromised.

Sara:

Exactly.

David:

And the simplest, most vital rule: never leave a work laptop in your car. A quick smash and grab for a piece of hardware can instantly turn into a multi million dollar privacy breach.

Sara:

It happens way more often than you'd think.

David:

I bet. Now here's where it gets really interesting. Because even if you train your staff perfectly and you limit access and nobody ever leaves a laptop in a car, the reality of modern non profit work is that the data rarely sits in a physical office anyway.

Sara:

Right, it lives in the cloud.

David:

Exactly. And the moment data enters the cloud, it introduces this massive tangled web of invisible legal borders. Almost every charity relies heavily on third party tools.

Sara:

Like Mailchimp or Salesforce.

David:

Yes. They use Mailchimp to send their monthly newsletters, Salesforce to manage their donor profiles, Google Workspace for their internal emails. Let's map out how that actually works. If a donor in Toronto clicks submit on a donation form, that data doesn't stay in Toronto.

Sara:

No, it gets beamed to a server farm in Georgia or California to be processed.

David:

So when charities use those tools, they're routinely exporting Canadian data outside of our national borders.

Sara:

They are. Now, under Canadian privacy frameworks, this kind of cross border data transfer is generally permitted, but it requires explicit transparency.

David:

So they have to tell the donor.

Sara:

Right. Usually a clear disclosure in the organization's privacy policy at the point of collection is sufficient. Something explicitly stating that service providers are located in the United States and the data may therefore be subject to U.S. legal jurisdiction.

David:

Okay, disclosing the server location is easy enough to write into a policy document, but the guide brings up a terrifying operational reality about the cloud. You can outsource your data processing to these massive tech companies, but you absolutely cannot outsource your liability.

Sara:

This is a huge misconception. If a cloud vendor experiences a massive server breach and your donor's personal profiles are leaked onto the dark web, those donors are not going to blame the cloud vendor.

David:

No. They don't even know who the vendor is.

Sara:

Exactly. They gave their money and their trust to your charity. Your contracts with these third party providers cannot just be standard click through agreements that nobody reads.

David:

Right.

Sara:

Charities must ensure there are written safeguards built into the service agreement, guaranteed breach notification clauses so the charity is alerted immediately, and even audit rights where warranted.

David:

The liability rests entirely on the charity's shoulders because they made the choice of which vendor to use. Yep. But the headache isn't just about international borders. The guide outlines a border multiplier effect right here within Canada's own legal framework.

Sara:

Yes, the domestic borders.

David:

Right. An organization might launch what they think is a very straightforward unified national fundraising campaign completely unaware of the jurisdictional dominoes they are knocking over.

Sara:

And this raises an important question about how jurisdiction actually works in the digital age. Organizations often operate under the assumption that because their head office is located in one specific province, they only need to follow that single province's rule book.

David:

Which makes intuitive sense.

Sara:

It does, but a digital campaign crosses provincial lines instantly. That can quietly trigger four entirely different privacy regimes at the exact same time, each with their own distinct rules and penalties.

David:

So instead of just looking at one overarching Canadian law, charities have to navigate this alphabet soup of regional legislation. Let's break down what actually triggers these different laws. If an Ontario charity has regular donors living in Alberta or British Columbia, they are suddenly governed by those specific provincial personal information protection acts. And if that same charity happens to collect any sort of health information, maybe they run a mental health counseling service or a medical research fund, they trigger Ontario's highly strict health privacy law, PHIPA.

Sara:

Yes. And then there is the federal layer.

David:

Oh right, PIPEDA.

Sara:

The federal law is PIPEDA and the trigger for that legislation is so often misunderstood by non profits.

David:

How so?

Sara:

Well, charities assume they are exempt from corporate federal privacy laws simply because they are non profits, but PIPEDA applies the moment a charity engages in commercial activities.

David:

Commercial activities, like what?

Sara:

Well, if your organization runs a retail thrift shop or sells branded merchandise online or even charges a fee for specific community services, you are acting as a commercial entity in the eyes of the law. Wow. You are suddenly held to the exact same federal data standards as a major bank or a massive e commerce retailer.

David:

It is a jurisdictional minefield. But out of all these overlapping laws, the guide highlights one specific provincial framework that acts as the ultimate trap for the unwary: Quebec's Privacy Act.

Sara:

Yes, recently overhauled by Law 25.

David:

Right. Law 25, what's the deal with that?

Sara:

Well, Quebec looked at the European Union's General Data Protection Regulation, the GDPR, which is widely considered the gold standard for aggressive privacy protection globally.

David:

Right. The really strict European rules.

Sara:

Exactly. And Quebec essentially decided to replicate that level of strict enforcement right here in Canada. The provincial government's intent was to forcefully drag organizations into the modern era of data protection. Because of that, Law 25 casts a massive aggressive net.

David:

How massive?

Sara:

It applies to any nonprofit regardless of where they are physically headquartered in the world as long as they handle the personal data of a Quebec resident.

David:

Okay, wait. Just to be completely clear on the mechanics of this. An Ontario charity with zero physical offices in Quebec, no staff in Quebec, but who happens to have like a handful of regular donors living in Montreal? They are now legally bound by Quebec's strict provincial law.

Sara:

Yes. If you hold their data, you play by their rules.

David:

That is wild.

Sara:

And the stakes under Law 25 are astronomical compared to older frameworks. The penalties for non compliance can reach up to $25,000,000 or 4% of the organization's worldwide turnover, whichever is higher.

David:

$25,000,000 for a local charity?

Sara:

Yes. Furthermore, Quebec explicitly requires that an organization designates a publicly named privacy officer.

David:

Which creates a massive burden for smaller charities. Because that title almost always defaults to the executive director.

Sara:

Oh almost every time.

David:

They are the ones whose name is suddenly listed on the website, whose contact info must be publicly available and who is ultimately accountable to the regulators. You have these community leaders who got into this work to run food banks or shelter programs and suddenly they are carrying the legal weight of a Chief Privacy Officer under threat of a $25,000,000 fine.

Sara:

And what's fascinating here is the undeniable shift in how consent is fundamentally treated across the entire Canadian privacy landscape, largely driven by this Quebec standard.

David:

Right. Consent used to be pretty loose.

Sara:

Historically, charities relied heavily on implied consent, or what we call an opt-out model. The mechanism was simple. Someone signs up for a 5K charity run, and the organization assumes that person also wants to receive their weekly fundraising newsletter forever unless the runner goes out of their way to actively uncheck a hidden box.

David:

Or the classic website banner. You visit a charity's homepage, a little box pops up at the bottom saying, by continuing to use this site, you consent to our tracking cookies.

Sara:

Right.

David:

The user just ignores it, keeps scrolling, and the charity logs that as legal consent. But the guide makes it explicitly clear that relying on these old mechanisms is incredibly dangerous now.

Operating off a privacy policy template downloaded in 2014 provides zero legal cover, and burying your consent clauses in dense legal jargon on page 12 of a terms and conditions document just does not meet the modern threshold for informed consent.

Sara:

The entire regulatory trend is moving forcefully away from implied models and demanding opt-in consent.

David:

Opt-in, meaning I have to actually check the box myself.

Sara:

Exactly. Under the strict new Law 25 standard, which Dov Goldberg advises all Ontario charities to universally adopt just to be safe, those pre-ticked cookie banner boxes are completely illegal. You must give the user a meaningful, frictionless choice. They have to actively and knowingly click yes to having their data collected, especially for anything that isn't strictly essential to the transaction, like marketing communications or background analytics tracking.

David:

Okay, let's look at the reality though. A charity does everything right. They get explicit opt-in consent. They upgrade their cloud contracts. They lock the physical donor binders in a filing cabinet. The guide is still incredibly pragmatic about this. Despite your best efforts, eventually a breach will happen.

Sara:

It's inevitable.

David:

A staff member will click a sophisticated phishing link, a vendor server will get compromised. So how does an organization navigate the immediate aftermath of that?

Sara:

The survival of the organization depends entirely on preparation done before the crisis hits. When a breach is actively unfolding, you cannot be trying to figure out your internal chain of command on the fly.

David:

It's too late by then.

Sara:

Way too late. You need a written, rehearsed protocol. Who gets notified first? Who has the authority to speak to the media? And most importantly, who decides whether the breach is severe enough to require notifying the government authorities?

David:

That's a huge decision.

Sara:

It is. And to help with that specific decision, the Office of the Privacy Commissioner of Canada, the OPC, released a privacy breach risk self-assessment tool, very recently actually, on March 26, 2025.

David:

Oh, so this is very fresh guidance. Yeah. How does this tool actually help a charity in the middle of a crisis?

Sara:

It provides an objective framework to determine if a specific data breach meets what regulators call the real risk of significant harm threshold, or RROSH.

David:

RROSH, okay.

Sara:

Yeah. Calculating RROSH involves looking at two specific mechanisms. First, the sensitivity of the data involved.

David:

By how private the information is.

Sara:

Exactly. A leaked list of public business emails is low sensitivity. But a leaked database of mental health intake forms is incredibly high sensitivity.

David:

Makes sense.

Sara:

Second, the probability that the data will be misused. Was the data on an encrypted laptop that was lost on a subway, or was it an unencrypted spreadsheet accidentally posted to a public forum? Right. If the combination of sensitivity and probability hits that RROSH level, it usually triggers mandatory reporting to both the government and the individuals affected.

David:

Okay, so we've established that figuring out if a breach is severe enough to report is a massive analytical headache. But what happens after you make that call? Charities usually assume this is the exact moment they pass the baton to their cyber insurance provider.

Sara:

Absolutely.

David:

Boards often sleep well at night thinking, well if we get hacked, the insurance policy will cover the fines, pay for the IT recovery and handle the lawsuits. But the guide points out a huge devastating warning here.

Sara:

Yes, the insurance trap.

David:

Charities are discovering right in the middle of a crisis that their insurance policies are practically worthless.

Sara:

It is a brutal realization for a board of directors. A charity will suffer a massive, crippling attack, file a claim with their provider, and then receive a letter stating that their specific policy completely excludes coverage for social engineering.

David:

Wait, let's connect that back to our earlier point about the human element. Social engineering is exactly what we established as the primary threat.

Sara:

Exactly.

David:

The phishing emails, the fake invoices, the employee being tricked into handing over a password.

Sara:

Yep. Social engineering doesn't involve breaking technical safeguards. It involves manipulating human psychology. And the insurance company argues that because there was no technical failure of the charity's firewall, because the employee willingly, albeit unknowingly, clicked the bad link, the policy does not pay out.

David:

That is wild.

Sara:

If the policy excludes the mechanism used in 68% of all attacks, the organization is completely exposed. Or charities find out that their coverage is capped at a sub-limit of $50,000, which covers barely a fraction of the actual financial exposure from a multimillion-dollar incident.

David:

So you have to read the exclusions line by line before you ever need to make a claim.

Sara:

You have to. And if we connect this to the bigger picture, it paints a pretty stark reality for the entire nonprofit sector. Charities are not getting targeted by accident.

David:

No. They're the low hanging fruit.

Sara:

Exactly. They are highly attractive targets precisely because attackers expect them to have weaker defenses, tighter budgets and older IT systems. But while the thought of a $25,000,000 regulatory fine from a place like Quebec is terrifying, the guide suggests that the true existential threat isn't the government regulator. No. No, it's the local community.

David:

Because it comes down to the loss of trust. Exactly. A regulatory fine is a massive financial hit, but reputational damage is fatal. A charity spends decades painstakingly building trust with local donors, philanthropic foundations, and community partners.

Sara:

It takes years to build.

David:

And if a donor feels their personal sensitive information was treated recklessly just because the charity couldn't be bothered to implement basic safeguards, that donor will simply direct their philanthropy elsewhere.

Sara:

They'll just find another cause.

David:

The stakes are about preserving the organization's legacy and public standing just as much as they are about legal compliance. Absolutely. So what does this all mean? When you look at the 17 questions Dov Goldberg lays out in this guide, it becomes clear that this isn't just a boring compliance checklist that a board can fill out once, throw in a filing cabinet, and forget about.

Sara:

No. It is a running diagnostic of the organization's health. The threat landscape changes daily, the legal jurisdictions are shifting rapidly, and the organization's internal data practices are constantly evolving.

David:

Right.

Sara:

Privacy risk needs to be on the board's agenda as a mandatory discussion item at least once a year, and that conversation needs to be thoroughly documented to prove due diligence.

David:

And the charities that actually handle privacy the best aren't necessarily the massive international NGOs with bottomless IT budgets. They are simply the local organizations whose boards made a conscious decision that privacy actually matters.

Sara:

That's the real differentiator.

David:

They stopped viewing it as an annoying IT expense and started treating data protection as a core fundamental component of donor stewardship.

Sara:

Because recognizing that your organization currently has vulnerabilities isn't a failure of leadership, it is simply the necessary starting point for building a resilient culture.

David:

It fundamentally changes how you look at the entire nonprofit ecosystem. So, I wanted to leave you with a final thought to mull over today. Next time you look at the board of directors for a local charity or a community foundation, take a close look at their professional backgrounds. You will almost always see certified accountants to handle the finances, marketing directors to handle the outreach, and legal experts to handle the governance. But how often do you see a cybersecurity professional or data privacy expert sitting on a local nonprofit board?

Sara:

Rarely, if ever.

David:

Right. If donor data is rapidly becoming a charity's most valuable asset and simultaneously its most dangerous liability, maybe it's time we start treating digital literacy as an absolute prerequisite for community leadership, rather than an afterthought.
