Purpose of the policy
The Douglas Foundation is firmly committed to safeguarding personal information and being transparent about the information we hold on all our donors and stakeholders. A better understanding of our donors allows us to provide them with the best possible experience as donors and users of Foundation platforms and services.
The purpose of this policy is to clearly explain how we collect and handle personal information, including information donors may provide when making a donation, requesting a tax receipt or subscribing to our newsletters. We use the information that we collect in accordance with the following two pieces of legislation:
- The federal Personal Information Protection and Electronic Documents Act (PIPEDA).
- Quebec’s Bill 64, enacted An Act to modernize legislative provisions as regards the protection of personal information, scheduled to come into force on September 22, 2023.
This policy explains the following:
1. The kind of personal information that we are permitted to collect
2. How personal information is collected
3. Lawfully permitted use of personal information
4. Limitation on disclosure of personal information to third parties
5. The security of personal information
6. Data retention
7. Donor rights
8. Notification of changes to our Donor Confidentiality Policy
9. Addresses and additional information
Please contact the Douglas Foundation’s data protection officer at the email below if you need additional information:
Director, Annual Giving
(514) 761-6131 ext. 2761
1. The Kind of Personal Information that we are Permitted to Collect
Personal information means information about an identifiable individual. It does not encompass anonymous data, which is data that does not contain any identifying information. We are permitted to collect, use, store and transfer various kinds of personal information, which we have categorized as follows:
- Identifying information: includes a donor’s first name, surname, title, user name or similar identifier, date of birth and gender;
- Contact information: includes a donor’s billing address (for tax receipts), email address and telephone numbers;
- Payment information: includes credit or debit card details;
- Donation details: includes past donations made by donors or on their behalf, along with other donation-related details and services received by individual donors;
- Technical data: includes the donor’s Internet Protocol (IP) address, login information, browser type and version, time-zone setting and location, browser plug-in type and version, operating system and platform, and other technologies on donor devices used to access our websites;
- Usage data: includes information on how donors use our websites and our services;
- Marketing and communications information: includes donor preferences regarding receiving marketing communications from the Foundation and from third parties, as well as donor communication preferences and the fact that we may take note of conversations we have had with donors in person and/or donor communications sent to the Foundation. This helps us to manage donor relations and ensure that they will receive only relevant communications in accordance with their stated preferences.
- Job applicant data: includes all data submitted by a job applicant in an application for employment with the Douglas Foundation.
Aggregate data derived from personal data
We also collect, use and share aggregate data, such as statistical or demographic data, for all purposes. Although aggregate data may be derived from personal information, it is not regarded in law as personal information as it is not, directly or indirectly, identifying. For example, donor usage data can be aggregated to calculate the percentage of users who access a specific functionality of our websites. However, should we combine or connect the aggregated data with a donor’s personal data in such a way that, directly or indirectly, it could identify the donor, we would treat the combined data as personal information to be used in accordance with this Donor Confidentiality Policy.
We do not collect any information regarding a donor’s race or ethnicity, religious or philosophical beliefs, sexual orientation, political opinions or physical health. Nor do we collect any genetic or biometric data.
2. How Personal Information is Collected
We collect different types of information in several ways.
Personal information provided by donors:
When someone makes a donation, subscribes to our newsletter, registers for an event or contacts our customer service, we store the personal information provided to us by that person such as first and last name, email address, mailing address, phone number and payment card details. We also keep track of all donations and, occasionally, a donor’s communications with us.
Personal information collected via technologies or automated interactions:
When donors interact with our website, we can automatically collect technical data regarding their computer equipment and their browsing activities and patterns. We collect such personal information using cookies and other similar technologies.
Occasionally we receive personal information from third parties as described below:
- analytics providers such as Google Analytics;
- advertising networks such as Facebook and Google Ads;
- search information providers such as Google;
- publicly available personal information.
3. Lawfully Permitted Use of Personal Information
We use personal information only to the extent permitted by law. We most commonly use personal information in the following circumstances:
- when it is required for the legitimate interests of the Foundation (or those of a third party) unless a donor’s interests and fundamental rights take precedence over such interests;
- when we are required to comply with a legal or regulatory obligation;
- when we have obtained a donor’s express consent to use his or her personal information in a specific situation. Generally, we do not rely on donor consent as the legal basis for handling personal information, and donors can withdraw their consent at any time by contacting us. The relevant contact information is provided at the end of this policy.
The purposes for which we use personal information:
Please contact us if you would like greater detail of the specific lawful purpose for which we process personal information where more than one purpose is identified in the table below.
Purpose / Activity
- To process donations and issue tax receipts
- To solicit donations
- To manage donor relations, including: (a) informing donors of changes to our Conditions of Use or our Donor Confidentiality Policy (b) seeking donor participation in surveys
- To manage and protect the Foundation and its websites (including troubleshooting, data analysis, tests, system maintenance, user assistance, data reporting and data hosting).
- To provide donors with relevant content and marketing through external websites, social platforms and our newsletters, and to assess or gain insight into the effectiveness of our marketing.
- To use data analysis to improve our websites, our services, our marketing and our communications, relations and interactions with donors.
- To make suggestions and recommendations regarding donations or services and events that may be of interest to donors.
- To receive and consider donor job applications.
4. Limitation on Disclosure of Personal Information to Third Parties
In some circumstances, we are legally entitled or legally obliged to disclose donors’ personal information to the following third parties:
Foundation service providers and fund-raising partners who process data for us at our direction
We require all third parties to respect the confidentiality of personal information and to process it as required by law. We do not permit third party service providers to use a donor’s personal information for their own purposes. They are authorized only to process that information for specific purposes and as per our instructions.
Government bodies and law enforcement agencies:
We may be under a legal obligation to disclose personal information to government authorities and law enforcement agencies further to legislation or a court order. We do not sell personal information to third parties for any purpose whatsoever.
5. Security of Personal Information
We have implemented appropriate safeguards (both in our information collection practices and in the technology we use) to ensure the security of all personal information. We require that the third parties to whom we subcontract the processing of donors’ personal information do the same and that they process personal information in accordance with our instructions. They are also subject to a strict confidentiality obligation.
Credit or debit card information:
When a donor uses a credit or debit card to make a donation to the Foundation, we ensure that the transaction is secure and in compliance with Payment Card Industry Data Security Standard (PCI-DSS). We never store credit or debit card numbers or three- or four-digit security codes in our systems.
6. Data Retention
We retain donors’ personal data only as long as necessary to fulfill the purposes for which it was collected, including compliance with legal, accounting or reporting requirements. In determining the appropriate retention period for personal data, we consider the amount, type and sensitive nature of the personal information, the risk of possible harm from unauthorized use or disclosure, the purposes for which it was collected and the possibility of achieving those purposes by other means, as well as all applicable legal requirements.
7. Donor Rights
In certain circumstances, donors have the following rights under data protection legislation regarding their personal information:
- a) The right to access personal information
Donors are entitled to request a copy of the personal information that the Foundation holds on them. Any donor wishing to exercise this or any of the following rights should contact the data protection officer whose contact information is indicated at the end of this policy.
(b) The right to correct personal information
Donors are entitled to ask us to correct the personal information we hold on them, but it should be noted that we may need to verify the accuracy of the new information donors may provide. Any donor wishing to exercise this right should contact the data protection officer whose contact information is indicated at the end of this policy.
(c) The right to removal of personal information (“the right to be forgotten”)
Donors are entitled to ask us to remove or delete personal information if we no longer have a valid reason for continuing to use it. However, we may not always be able to comply with a request for deletion if we have specific legal reasons for retaining the information, in which case we would provide those reasons on request.
(d) The right to object to the processing of personal information
Donors may object to the processing of personal information despite the legitimate interest of the Foundation or a third party in having that information if, because of their particular situation, they believe that their fundamental rights and freedoms are or will be adversely affected. Donors are also entitled to object where their personal information is used for direct marketing purposes. Note that in certain cases, we may be able to argue that our legitimate interests in processing personal information overrides personal rights and freedoms.
(e) The right to request a restriction on the processing of personal information
Donors are entitled to request that the processing of their personal information be suspended in the following situations: (a) where a donor wants us to establish the accuracy of that information; (b) where our use of the information may be unlawful, but a donor nevertheless does not want it deleted; (c) where a donor wants us to retain the information even though we no longer have any use for it because the donor wishes to establish, exercise or defend certain legal claims; or (d) where a donor objects to our use of the personal information but we want to verify if we have preponderant legitimate reasons for using it.
(f) The right to withdraw consent
Where we require donor consent to process personal data, donors are entitled to withdraw their consent at any time. However, note that information processed before consent is withdrawn is lawful. Note that where consent is withdrawn, we may be unable to provide the donor with certain products or services. If this is the case, we would advise the donor when consent is withdrawn.
As a general rule, we do not charge a fee for exercising any of the above rights.
Donors are entitled to access their personal information (or to exercise any of the other rights listed above) free of charge. An exception to that rule is if a request for access is clearly unfounded, repetitive or excessive, in which case we may charge a reasonable fee or refuse to comply with the request.
What we may need from a donor wishing to exercise any of the above rights:
We may request specific information to help us confirm the donor’s identity in order to ensure that the donor is entitled to access the personal information (or exercise any other right). This security measure ensures that personal information is not disclosed to someone not entitled to receive it. We may also contact donors and request additional information related to their requests to expedite our response.
Time limit for responding to requests or objections:
Our goal is to respond to all legitimate requests or objections within 30 days. Occasionally, it may take up to 60 days if a request or objection is particularly complex or if multiple requests or objections are involved, in which case, we will notify the donor and keep them informed of the progress of the request or objection.
8. Notification of changes to our Donor Confidentiality Policy
Please check this page of our website regularly for changes to our Donor Confidentiality Policy.
9. Contact Details and Additional Information
If you have any questions about any aspect of this Donor Confidentiality Policy, and in particular if you wish to object to any processing of personal information for our legitimate organizational interests, feel free to contact us.
Also, please contact us if you have any questions concerning the personal information we hold on you or to change your donor contact preferences.
Send us an email: [email protected]
Director, Annual Giving
6875 boul. Lasalle
Montreal, Quebec H4H 1R3 Canada
Use of session cookies and web beacons
In order to deliver an optimal site navigation experience, the Douglas Foundation uses session cookies. To learn more, consult our cookies policy section.
Protection of Information by the Douglas Foundation
The Douglas Foundation complies with PCI security standards for processing credit card donations to protect donors’ confidential data and prevent fraud.
If you wish to file a complaint against a Foundation employee or volunteer, or in response to a situation you feel is inappropriate, we urge you to familiarize yourself with the terms of our Complaints Policy.
Receipt of Complaints
A verbal complaint will be handled immediately by a member of our staff.
If a complaint requires a more in-depth assessment, a written request will be sent to the manager responsible for the activity or team concerned. This request will include the name, phone number, street address and email address of the person filing the complaint and a description of the circumstances, including the incidents and/or individuals involved.
The manager must acknowledge receipt of the complaint within two business days.
A complaint received in writing must contain the aforementioned information. It will be transferred to the manager responsible for the concerned activity or team.
Response and Resolution
Every effort will be made to address the complaint as quickly as possible, and all parties will be treated in a fair, impartial and respectful manner. The person responsible for the complaint must attempt to settle the matter within 10 business days. If it is still unresolved after this time, the file will be turned over to the appropriate director.
If the director is unsuccessful in bringing about a resolution, the complaint will be escalated to the Chief Executive Officer. If the Chief Executive Officer is a party to the complaint, the matter will be transferred to the Secretary and Chair of the Governance committee.
The complainant must be kept up to date of the status of their complaint and provided with a clear, detailed explanation of the final decision when it is issued.
Should a complainant be dissatisfied with the process or the outcome, they may request that the matter be escalated to a more senior staff member. This must occur within 10 business days, and the complaint must be resolved within one month of receipt.
The manager must keep a copy of all complaints that could not be resolved immediately (i.e., upon receipt).
The Douglas Foundation will keep a detailed log of incoming complaints, along with all relevant information on the subsequent response and resolution. A summary report will be presented to the Board of Directors on a yearly basis.