Privacy Policy
1. PURPOSE
The Alliance of Canadian Land Trusts (ACLT) is committed to safeguarding the privacy of personal information belonging to its employees, sub-contractors, volunteers, donors, members, customers, and other stakeholders. We adhere to the highest standards of transparency and accountability in the handling of the information shared with us.
ACLT ensures that all personal information is protected with the utmost care, and that any use of this information is done only with consent. Please note that our privacy policy does not apply to third-party websites accessible through our links. If a user accesses a third-party website from ACLT’s site, it is the user’s responsibility to review their privacy policy before providing any personal information. ACLT is not liable for any consequences that may arise from users sharing personal information with third parties.
As some third-party websites may be based outside of Canada, ACLT strongly recommends that users review the privacy policies and applicable laws of any third-party websites before sharing their personal information, as these websites may be subject to different legal jurisdictions.
Our privacy policy is designed to comply with the following legal frameworks:
• The Personal Information Protection and Electronic Documents Act (PIPEDA)
• Quebec Protection of Personal Information Act (Law 25)
2. SCOPE
2.1 This policy applies to employees, sub-contractors, volunteers, donors, members, customers, and other stakeholders.
2.2 This policy describes the organization’s objectives and policies regarding the protection of personal information to ensure transparency and accountability.
2.3 Major restrictions/conditions
• Information in the public domain is not subject to privacy legislation and as such is not included in this policy. See the DEFINITIONS section for more information.
• Home contact information that customers and clients use as business contact information will be considered business contact information, not personal information, and is therefore not subject to protection as personal information.
• All donor and volunteer information is considered personal information, and the ACLT does not disclose information about donors or volunteers without consent.
Subject: Privacy Approved by ACLT board on:
Applies to: Employees, sub-contractors, volunteers, donors, members, customers, and other stakeholders
2.4 Associated Privacy Procedures and Cookies Policy – in addition to this Privacy Policy and the Privacy Impact Assessment (PIA) process, ACLT maintains internal Privacy Procedures and a Cookies Policy to ensure the responsible handling of personal information across all platforms and activities. These supplementary documents detail ACLT’s operational privacy practices and outline how data is collected, stored, and used online. These policies are available upon request and support ACLT’s compliance with PIPEDA, Quebec’s Law 25, and other applicable regulations.
3. REFERENCES
• Privacy Commissioner of Canada website
• Personal Information Protection and Electronic Documents Act (PIPEDA)
• Quebec Protection of Personal Information Act (Law 25)
• Canada AdChoices Program
4. CONTACT INFORMATION
For any inquiries associated with this policy please contact ACLT’s Executive Director at info@acoc.ca.
5. DEFINITIONS
Personal Information
Personal information is any recorded information that can be used to distinguish, identify, or contact a specific individual. This information can include an individual’s opinions or beliefs, as well as facts about, or related to, the individual.
Public Domain Information
Business contact information, and certain publicly available information, such as names, addresses, and telephone numbers as published in telephone directories, are considered public information and therefore not subject to the same laws as personal information.
Personally Identifiable Information (PII)
Personally Identifiable Information is any data that could potentially identify a specific individual.
Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered PII.
6. RESPONSIBILITIES
The person responsible for data management and breaches is the Executive Director, Renata Woodward. In addition, the following roles and responsibilities apply:
The ED or other assigned employee, subcontractor, or volunteer is responsible for:
• Ensuring professional conduct regarding personal information.
• Keeping up to date on personal information policy or legislation updates and changes.
• Ensuring that private information is protected and remains confidential.
• Using private information only for the reason(s) it was collected.
• Following the federal and provincial acts and legislation requirements regarding personal information.
7. CONSENT
An individual’s consent is required regarding the collection and proposed use of personal information when information is collected. Consent can be either expressed or implied and can be provided directly by the individual or by an authorized representative. Expressed consent can be given orally, electronically, or in writing. Implied consent is consent that can reasonably be inferred from an individual’s action or inaction.
Individuals may contact ACLT to withdraw or change their consent at any time. ACLT will honor any request made to withdraw or change consent, or to access or review the personal information ACLT has obtained as referred to below.
NOTE: An individual’s consent must be given in writing or electronically before confidential information is released to outside parties.
In response to inquiring about our programs, registering for an event, participating in our surveys, visiting our website, engaging with us on social media, or contacting our office, ACLT may collect and retain the following personal information provided by individuals:
• Name
• Address
• Telephone number
• Email address
• Date of birth
• Emergency contact name, relationship, and phone number (in response to event sign-ups)
• How the individual heard about an event (in response to event sign-ups)
The following table outlines the types of information collected from various groups of people, the purpose for which it is collected, the retention period, and the relevant legislation and regulations. In all cases, this information is provided by the individual, either voluntarily or in response to a request from ACLT.
Category | Collected Information | Purpose | Retention period | Legislation/regulations |
---|---|---|---|---|
Employees | First and last names, phone numbers, personal email addresses, SIN, banking info, home addresses, birth dates | Employee identification, communication, payroll, tax reporting, benefits, mailing | Employment duration + 7 years, then securely destroyed or anonymized | PIPEDA, Employment Standards Act, Law 25 |
Sub-contractors | Full names, email addresses, phone numbers, birth dates, SIN, GST/HST/provincial sales tax numbers, company names, experience, banking info, tax status, insurance coverage, license numbers | Tax reporting, compliance, payment processing | 7 years after contract ends, then securely deleted or anonymized | CPPA, PIPEDA, Law 25 |
Volunteers – Board Members | First and last names, phone numbers, personal email addresses, banking info, birth dates, professional details | Identification, verification, communication, reimbursements, legal compliance | 7 years after term ends, then securely deleted | PIPEDA, Income Tax Act, Law 25 |
Donors | Full names, phone numbers, email addresses, mailing addresses, past donation history, credit card and/or banking information | Personalized communication, tax receipts, donation tracking, respecting communication preferences, payments | 7 years after last donation, then securely destroyed or anonymized | CPPA, PIPEDA, GDPR, Law 25 |
Volunteers | Full names, email addresses, phone numbers, emergency contacts, positions, hours, projects, start dates, training completed, consent | Manage roles, track contributions, ensure safety | Undefined, then archived or deleted | PIPEDA, Law 25 |
Members, Customers, and Other Stakeholders | Full names, email addresses, phone numbers, organizational details, opt-in/opt-out preferences, engagement history, consent, agreements | Communication, compliance with preferences, record maintenance | Undefined | PIPEDA, Law 25 |
8.1 Reason for collection
ACLT collects personal information to manage and maintain relationships with its supporters. This information is used to facilitate program participation, ensure safety at events, process donations, issue accurate tax receipts, and communicate relevant updates about ACLT’s work and fundraising activities. Credit card or banking information may also be collected for the purpose of processing recurring donations, where applicable.
In accordance with applicable privacy laws, ACLT obtains either express or implied consent depending on the context and sensitivity of the information collected. Internal uses—such as event coordination or donor acknowledgment—may rely on implied consent where the purpose is clearly understood. However, any external sharing of personal information (e.g., with third-party service providers or partners) is subject to explicit, informed consent or as otherwise permitted or required by law.
8.2 Limited Collection
The collection of personal information is limited to that which is relevant and necessary to ACLT’s programs and fundraising efforts. ACLT will not make unwarranted or intrusive inquiries into a donor or prospect’s gift history or personal life. ACLT attributes all data that it collects.
8.3 Limited Use, Disclosure, and Retention
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
Personal information shall be as complete, accurate, and up to date as possible. Donors are encouraged to review, correct, and update their personal information.
• Registering for ACLT events
• Through donations
• Possible interactions through e-mail, telephone, mail
• Through our newsletter
Upon request, individuals shall be given access to the information in their records.
Rights that individuals have regarding collection of personal information:
• Right to ask
• Right to ask about personal information
• Right to be informed
• Right to anonymize personal information
• Right to file a complaint if they feel there’s been a breach
• Right to ensure that information collected is not misinformation and is accurate
Personal information gathered by ACLT shall be kept in confidence. Appropriate physical and electronic measures shall be used to ensure personal information is secure. Access to donor and volunteer records shall be limited to those who require such information to fulfil their job responsibilities. ACLT takes the security of personal information seriously and employs measures to protect it from unauthorized access, use, or disclosure. Information is securely stored and only accessible to authorized personnel. After the retention period, personal information is securely destroyed or anonymized to protect privacy. Special protection shall be given to all records pertaining to anonymous donors. Donors who request that their name and/or the amount of the gift not be publicly released shall remain anonymous.
The confidentiality of donor and volunteer records shall continue after the relationship with the individual has ended. It is important to note that nothing through the internet is 100% safe. The ACLT will take all the precautions necessary and possible but cannot guarantee there will not be a data breach.
Cybersecurity is the process of protecting information by preventing, detecting, and responding to cyber breaches. A cyber breach is a loss of, unauthorized access to, or disclosure of personal information, through a cyber-attack or an operational failure. The ACLT takes steps to identify, assess, and mitigate risks associated with cybersecurity. ACLT has implemented measures designed to secure personal data from accidental loss and from unauthorized access, use, alteration, and disclosure (such as identity and access management, password rotation, access control monitoring, and leading firewall technologies). Personal data provided to ACLT in accordance with this policy will be encrypted in transit. If a cyber breach results in the release of Personally Identifiable Information, the ACLT will report to the Privacy Commissioner of Canada and notify the affected individuals. Refer to the section on Addressing a Data Breach below.
To address any forms of data breach, the ACLT has a privacy log incident form. The form addresses the following information/questions:
• Date and time of the incident: When did the incident occur?
• Description of the incident: What exactly happened? What personal information was compromised?
• Cause of the incident: What triggered the incident? For example, was it an external attack, internal error, technical issue, etc.?
• Actions taken in response to the incident: What was done to mitigate the effects of the incident? Was there notification to the affected individuals or the Privacy Commission?
• Effects of the incident: What were the effects on the individuals involved and the organization? Were there any legal, financial, or reputational consequences?
• Actions taken to prevent similar incidents in the future: What changes were made after the incident to prevent a similar event from happening again?
To ensure that personal information is collected, used, stored, and disclosed in a manner that complies with applicable privacy legislation, ACLT conducts a Privacy Impact Assessment (PIA) for any new or significantly modified initiatives, systems, or processes that involve personal information. The PIA helps identify potential privacy risks and implement safeguards to reduce or eliminate those risks. This proactive approach supports ACLT’s commitment to privacy, transparency, and accountability. A copy of the PIA template used by ACLT is included as Appendix A of the Privacy Procedures.