
PIPEDA Compliance Checklist for Toronto Nonprofits (2026)

By Damir Grubisa  ·  Founder & CEO, Group 4 Networks  ·  Published April 15, 2026  ·  Updated March 2026

Most Toronto nonprofit staff assume PIPEDA is a government problem — something for banks and hospitals. It isn't. If your charity collects donor credit cards, stores client intake forms, or emails grant reports with personal data attached, PIPEDA applies to you. The Office of the Privacy Commissioner has increased enforcement activity since 2024. Three Canadian charities received breach notification warnings last year, two of them in Ontario. The penalties aren't the main risk — the donor trust damage is. This checklist is what we walk through with every Toronto nonprofit we onboard. It isn't legal advice. It's the practical IT side of compliance that your lawyer probably isn't covering.

What PIPEDA Actually Requires of Toronto Nonprofits

PIPEDA — the Personal Information Protection and Electronic Documents Act — applies to any Canadian organization that handles personal information in the course of commercial activity. Courts and the OPC have interpreted donation processing, fee-for-service programs, and grant administration as commercial activity. That covers most Toronto-area charities.

The ten PIPEDA principles you need to know:

- Accountability — designate someone responsible for privacy.
- Identifying purposes — document why you collect each type of personal data.
- Consent — get meaningful consent before collecting personal information.
- Limiting collection — collect only what you actually need.
- Limiting use, disclosure, and retention — don't keep data longer than necessary.
- Accuracy — keep records current and correct.
- Safeguards — protect personal information with appropriate security measures.
- Openness — have a published privacy policy.
- Individual access — respond to requests from people asking about their data.
- Challenging compliance — have a process for privacy complaints.

Most nonprofits in Toronto fail on three of these: safeguards, retention, and accountability. That's where we focus.

1. Designate a Privacy Officer

Someone on your team needs to own this. It doesn't have to be a full-time role. For most Toronto nonprofits, it's the executive director, a senior program manager, or — if you have one — your IT coordinator.

- The privacy officer must be named and documented.
- Contact information must be published on your website and in your privacy policy.
- The privacy officer should have reviewed this checklist and signed off.

2. Document Every Data Collection Point

Walk through your operations and list every place personal information enters your organization. Common ones we find in Toronto nonprofits:

- Donation forms (CanadaHelps, DonorPerfect, Stripe, PayPal)
- Client intake forms (paper and digital)
- Volunteer registration forms
- Event registration (Eventbrite, Google Forms, your website)
- Email newsletter signups (Mailchimp, Constant Contact)
- Grant applications (funders collect your staff's personal info too)
- HR files for paid staff and placement students

For each: document the purpose (why you collect it, what you do with it) and confirm the consent mechanism — is it opt-in, or buried in fine print?

3. Audit Your Donor Database

Your CRM — whether it's Salesforce Nonprofit, Bloomerang, Raiser's Edge, or a spreadsheet someone built in 2014 — is your highest-risk data asset. Confirm:

- Who has admin access? Reduce to the minimum necessary.
- Are former staff and volunteers deprovisioned? (This is where most Toronto nonprofits fail.)
- Is access to donor financial data logged?
- Is the database backed up — where, and is that location in Canada?
- Do you store full credit card numbers anywhere? (You should not — ever.)
- Is your donor database vendor PIPEDA-compliant? Get this in writing.

For Toronto nonprofits using cloud CRMs: confirm your vendor stores Canadian data in Canadian or compliant data centres. Salesforce, Blackbaud, and Bloomerang all have Canadian data residency options — but you have to request them.

4. Lock Down Microsoft 365 (or Google Workspace)

Most Toronto nonprofits run on Microsoft 365. The default configuration is not PIPEDA-ready.

- Multi-factor authentication (MFA) must be enabled for all accounts — staff and volunteers.
- Conditional access policies should block sign-ins from high-risk locations.
- External sharing on SharePoint and OneDrive must be reviewed — is anything set to 'anyone with the link'?
- Microsoft Purview should be reviewed for data classification.
- Former staff accounts must be disabled within 24 hours of departure — ideally same day.
- Shared mailboxes need to be audited — are generic accounts like 'info@' accessible to former staff?
- Email retention policies must be set.

The volunteer access problem is real. We routinely find Toronto charities where a volunteer coordinator from 2022 still has an active M365 login. Under PIPEDA, you're responsible for that.
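The access checks in sections 3 and 4 (deprovisioned leavers, MFA on every account, no 'anyone with the link' shares) are easy to state and easy to lose track of across a few hundred accounts. The script below is an added example, not the page's or Group 4 Networks' tooling: it runs the checks against two CSV exports, a user list and a sharing-link report, so it works offline on whatever your admin centre can export. The column names, the 90-day idle threshold, and every sample row are constructed assumptions; adapt them to the real export format of your Microsoft 365 or Google Workspace tenant.

```python
"""Access and sharing audit over admin-centre exports (added example).

Checks the checklist rules against a user-list export and a sharing-link
export. Column names, thresholds and all sample rows are constructed
assumptions, not a real tenant's data or a vendor's export format.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)    # assumption: review any account idle this long
OFFBOARD_SLA = timedelta(hours=24)  # the checklist's "disabled within 24 hours"

# Constructed sample user export: one row per account.
USERS_CSV = """userPrincipalName,accountEnabled,lastSignIn,mfaRegistered,role,departureDate
ed@example.org,True,2026-04-10T09:12:00Z,True,Global Administrator,
coordinator2022@example.org,True,2022-11-03T15:40:00Z,False,User,2022-11-15T00:00:00Z
intern@example.org,False,2025-08-01T10:00:00Z,True,User,2025-08-29T00:00:00Z
finance@example.org,True,2026-04-14T08:00:00Z,False,SharePoint Administrator,
"""

# Constructed sample sharing-link report from SharePoint/OneDrive.
LINKS_CSV = """site,path,linkType,createdBy
Programs,Intake/2025-clients.xlsx,Anyone,coordinator2022@example.org
Fundraising,Donors/major-gifts.xlsx,Organization,ed@example.org
Board,Minutes/2026-03.docx,Specific people,ed@example.org
"""


def parse_ts(value):
    """ISO-8601 timestamp with a trailing Z, or None when the column is empty."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def audit_users(users_csv, now):
    """Return (finding, userPrincipalName) pairs for enabled accounts that break
    the checklist: departed staff still enabled past the SLA, accounts idle
    beyond STALE_AFTER, and any enabled account without MFA registered."""
    findings = []
    for row in csv.DictReader(io.StringIO(users_csv)):
        if row["accountEnabled"] != "True":
            continue  # already disabled: deprovisioning is done
        upn = row["userPrincipalName"]
        departed = parse_ts(row["departureDate"])
        last_sign_in = parse_ts(row["lastSignIn"])
        if departed and now - departed > OFFBOARD_SLA:
            findings.append(("OFFBOARDING_OVERDUE", upn))
        elif last_sign_in is None or now - last_sign_in > STALE_AFTER:
            findings.append(("STALE_ACCOUNT", upn))
        if row["mfaRegistered"] != "True":
            findings.append(("NO_MFA", upn))
    return findings


def audit_links(links_csv, flagged_upns):
    """Return (finding, site/path) pairs: 'anyone with the link' shares, and
    shares created by accounts the user audit already flagged (those links
    outlive the person who made them)."""
    findings = []
    for row in csv.DictReader(io.StringIO(links_csv)):
        target = f"{row['site']}/{row['path']}"
        if row["linkType"] == "Anyone":
            findings.append(("ANONYMOUS_LINK", target))
        if row["createdBy"] in flagged_upns:
            findings.append(("LINK_OWNED_BY_FLAGGED_ACCOUNT", target))
    return findings


def run_audit(users_csv=USERS_CSV, links_csv=LINKS_CSV, now_iso=None):
    """Run both audits; now_iso pins the reference time for repeatable results."""
    now = parse_ts(now_iso) if now_iso else datetime.now(timezone.utc)
    user_findings = audit_users(users_csv, now)
    flagged = {upn for kind, upn in user_findings
               if kind in ("OFFBOARDING_OVERDUE", "STALE_ACCOUNT")}
    return {"users": user_findings, "links": audit_links(links_csv, flagged)}


if __name__ == "__main__":
    for section, items in run_audit().items():
        print(section)
        for kind, target in items:
            print(f"  {kind:32} {target}")
```

The output is the privacy officer's to-do list for the week: the 2022 volunteer coordinator's account is both past the offboarding SLA and the owner of an anonymous link to a client intake spreadsheet, and two enabled accounts (one of them an administrator) have no MFA. Running this monthly from a fresh export is a cheap way to stop the "34 stale accounts" finding from building up.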

5. Secure Your Endpoint Devices

Staff laptops, shared computers, and personal devices used for work are all in scope.

- Full-disk encryption must be enabled on all laptops (BitLocker on Windows, FileVault on Mac).
- Antivirus / endpoint detection and response (EDR) must be installed and monitored.
- Automatic screen lock should engage after 5 minutes of inactivity.
- A clear policy on personal devices accessing organizational data (BYOD policy).
- Remote wipe capability for lost or stolen devices.

If a volunteer's personal laptop is stolen and it has your client data on it, PIPEDA may require you to notify the affected individuals. Encryption is what stops that from becoming a mandatory breach report.

6. Write (or Update) Your Privacy Policy

Your privacy policy must be accessible to the public. That means posted on your website, not buried in a PDF that hasn't been updated since 2018. It needs to cover:

- What personal information you collect
- Why you collect it
- How long you keep it
- Who you share it with (vendors, funders, government)
- How people can request access to their data or ask you to delete it
- How to file a privacy complaint

The policy must be published on your website and reviewed by a lawyer (at minimum every two years), with the last updated date visible on the policy page and contact information for privacy complaints included.

7. Set Up a Breach Response Plan

Under PIPEDA, you're required to notify the OPC and affected individuals when a breach 'poses a real risk of significant harm.' You're also required to keep records of all breaches — even ones you decided didn't require notification. You need:

- A documented breach response procedure (who decides? who contacts the OPC? who calls affected donors?)
- The OPC breach notification form bookmarked at priv.gc.ca
- An internal breach log, created and maintained
- Staff who know what to do if they suspect a breach
- A cyber insurance policy reviewed for breach notification coverage

The 72-hour window isn't a hard PIPEDA requirement the way it is under GDPR, but OPC guidance strongly suggests prompt notification. In practice, breaches that are reported quickly get treated better than ones that sat for three weeks.

8. Train Your Staff and Volunteers

The biggest breach risk in Toronto nonprofits isn't a sophisticated hacker. It's a volunteer clicking a phishing email that looks like a message from United Way, or a staff member emailing a client list to their personal Gmail because it was easier.

- Run annual privacy awareness training for all staff.
- Conduct a phishing simulation at least once per year (ask us about SecureAware).
- Include a privacy module in new volunteer and staff orientation.
- Have a clear policy on what data can and can't be sent via personal email or messaging apps.
- Get an acceptable use policy signed by all staff and volunteers.

9. Manage Your Vendors

Every vendor that handles personal data on your behalf — your CRM provider, your payment processor, your email marketing platform, your IT provider — needs a data processing agreement.

- Create a vendor list of who has access to personal data.
- Put data processing agreements (DPAs) in place with each vendor.
- Review vendor security: do they have SOC 2 certification or equivalent?
- Ensure contracts include breach notification obligations — vendors must tell you promptly.
- Document offshore data transfers (if any vendor stores data outside Canada).

10. Conduct an Annual Privacy Review

PIPEDA compliance isn't a one-time project. Your data practices change as your programs change.

- Schedule an annual review (we recommend Q4, ahead of board reporting).
- Complete a privacy impact assessment (PIA) for any new program that collects personal data.
- Review and enforce your data retention schedule — are you actually deleting data you said you'd delete?
- Update your privacy policy to reflect any changes.
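"Are you actually deleting data you said you'd delete?" is only answerable if someone compares the retention schedule in the privacy policy against an inventory of what is still stored. The script below is an added example, not the page's or Group 4 Networks' tooling, of that comparison. The retention periods in SCHEDULE are placeholders (take the real ones from your own schedule and your lawyer's advice, not from here), and the inventory rows are constructed. It deliberately handles the two cases that an eyeball review misses: records with no assigned class (which cannot be evaluated at all) and records that are past their date but under a legal hold (which must be reported, not deleted).

```python
"""Retention-schedule check over a records inventory (added example).

SCHEDULE periods are placeholders, not legal advice; INVENTORY_CSV rows are
constructed. Each record has a class, a trigger date (end of the relationship,
last donation, programme exit) and an optional legal-hold flag.
"""
import csv
import io
from datetime import date, timedelta

# Placeholder schedule: record class -> days to keep after the trigger date.
# Replace every value with the period from your own retention schedule.
SCHEDULE = {
    "donor_financial": 7 * 365,
    "client_intake": 3 * 365,
    "volunteer_application": 365,
}

# Constructed inventory. 'system' says where the record lives, so the report
# doubles as a deletion worklist.
INVENTORY_CSV = """recordId,recordClass,triggerDate,legalHold,system
R1,donor_financial,2015-01-31,False,CRM
R2,client_intake,2022-06-30,False,SharePoint
R3,client_intake,2024-01-15,False,SharePoint
R4,volunteer_application,2023-02-01,True,HR share
R5,,2019-05-05,False,Old laptop
"""


def check_retention(inventory_csv, schedule, today_iso):
    """Classify every inventory row against the schedule as of today_iso.

    Returns a dict with three lists:
      overdue      - (recordId, system, expiryDate) past retention, no hold
      on_hold      - recordIds past retention but under legal hold (keep, report)
      unclassified - recordIds whose class is missing or not in the schedule
    """
    today = date.fromisoformat(today_iso)
    report = {"overdue": [], "on_hold": [], "unclassified": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        record_class = row["recordClass"]
        if record_class not in schedule:
            # No class means no promise was made; it cannot be "kept as long as we said".
            report["unclassified"].append(row["recordId"])
            continue
        expiry = date.fromisoformat(row["triggerDate"]) + timedelta(days=schedule[record_class])
        if expiry >= today:
            continue  # still inside the promised retention period
        if row["legalHold"] == "True":
            report["on_hold"].append(row["recordId"])
        else:
            report["overdue"].append((row["recordId"], row["system"], expiry.isoformat()))
    return report


if __name__ == "__main__":
    result = check_retention(INVENTORY_CSV, SCHEDULE, date.today().isoformat())
    for bucket, items in result.items():
        print(f"{bucket}: {items}")
```

The `unclassified` bucket is the one to watch at the annual review: a record nobody classified (the 2019 file on an old laptop in the sample) is usually also a record nobody is backing up, encrypting or planning to delete, and it belongs in the data-collection inventory from section 2 before it belongs in the retention schedule.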

Common PIPEDA Failures We See in Toronto Nonprofits

After 17 years working with organizations across the GTA, the same problems keep coming up. Former volunteer accounts: a soup kitchen in Etobicoke had 34 active Microsoft 365 accounts for volunteers who hadn't worked there in over a year. Three were on personal devices that were no longer in anyone's control. The shared password problem: a social services agency in North York had one login for their donor database shared across a team of eight. Nobody knew who had used it, or when. Paper intake forms: a legal clinic in downtown Toronto was scanning intake forms and storing them in a shared Google Drive folder with no access controls. The scans included SINs and immigration documents. Email and attachments: client data emailed between staff — often to personal Gmail accounts — with no encryption, no retention policy, and no way to recall it. None of these organizations were careless. They were under-resourced and working fast. PIPEDA compliance for Toronto nonprofits is mostly an IT governance problem, not a legal problem. The controls exist. They just need to be turned on.

How Nonprofit IT Solutions Helps with PIPEDA Compliance

We offer a dedicated PIPEDA compliance service for Toronto and GTA charities that includes: privacy impact assessment of your current systems, Microsoft 365 security hardening and access audit, data processing agreements with your key vendors, breach response plan documentation, staff awareness training through SecureAware (secureaware.app), and quarterly compliance reviews. Up to 25% discount for registered Canadian charities with a valid CRA charitable registration number. Call us at (416) 623-9677 or request a free nonprofit IT assessment at nonprofititsolutions.com. This article is for informational purposes only and does not constitute legal advice. Consult a qualified privacy lawyer for advice specific to your organization.

Damir Grubisa is the Founder & CEO of Group 4 Networks and Nonprofit IT Solutions, providing managed IT services and cybersecurity to Canadian nonprofit organizations since 2008. With 15+ years protecting Canadian organizations from cyber threats, Damir specializes in PIPEDA compliance, donor data protection, and security awareness for the nonprofit sector.
