Introduction and Background

A records retention policy is a recognized and proven protocol within an organization for retaining information for operational use while ensuring adherence to the laws and regulations concerning them. The objectives of this records retention policy are to keep important information for future use or reference, to organize information so it can be searched and accessed at a later date and to dispose of information that is no longer required.

The records retention policy for Across Languages is a set of guidelines that describes which records will be archived, how long they will be kept and other factors concerning the retention of the records.

A part of any effective records retention policy is the permanent deletion of the retained records when appropriate and as deemed by law.

Please see the section at the end of this document for Legal Requirements and References

LEGISLATIVE CONTEXT OF ACROSS LANGUAGES:

Section 5. (1) of the Privacy Act Regulations states that: “A government institution shall, wherever possible, collect personal information that is intended to be used for an administrative purpose directly from the individual to whom it relates except where the individual authorizes otherwise or where personal information may be disclosed to the institution under subsection 8(2).”

Section 6. (1) of the Privacy Act Regulations states that: “Personal information that has been used by a government institution for an administrative purpose shall be retained by the institution for such period of time after it is so used as may be prescribed by regulation in order to ensure that the individual to whom it relates has a reasonable opportunity to obtain access to the information.”

Section 230 (1) of the Income Tax Act states that: “Every person carrying on business and every person who is required, by or pursuant to this Act, to pay or collect taxes or other amounts shall keep records and books of account (including an annual inventory kept in prescribed manner) at the person’s place of business or residence in Canada or at such other place as may be designated by the Minister, in such form and containing such information as will enable the taxes payable under this Act or the taxes or other amounts that should have been deducted, withheld or collected to be determined.”

Section 230 (2) of the Income Tax Act states that: Every qualified donee [a registered charity is a qualified donee as per the definition under subsection 149.1(1) of the Act] referred to in paragraphs (a) to (c) of the definition qualified donee in subsection 149.1(1) shall keep records and books of account — in the case of a qualified donee referred to in any of subparagraphs (a)(i) and (iii) and paragraphs (b) and (c) of that definition, at an address in Canada recorded with the Minister [of National Revenue] or designated by the Minister — containing:

  1. information in such form as will enable the Minister to determine whether there are any grounds for the revocation of its registration under this Act;
  2. a duplicate of each receipt containing prescribed information for a donation received by it; and
  3. other information in such form as will enable the Minister to verify the donations to it for which a deduction or tax credit is available under this Act.

Section 230 (4) of the Income Tax Act states that: “Every person required by this section to keep records and books of account shall retain (a) the records and books of account referred to in this section in respect of which a period is prescribed, together with every account and voucher necessary to verify the information contained therein, for such period as is prescribed; and (b) all other records and books of account referred to in this section, together with every account and voucher necessary to verify the information contained therein, until the expiration of six years from the end of the last taxation year to which the records and books of account relate.”

Subsection 230 (4.2) of the Income Tax Act states that: every person required by this section (s. 230) to keep records who does so electronically shall retain them in an electronically readable format for the retention period referred to in subsection 230(4), above.

Records Retention Guidelines for Common Administrative Records

For Across Languages, in the absence of specific retention guidance and unless specified otherwise, the 7-year retention period for policy and procedures and the 7-year period for routine records should be applied to similar records. Retention periods should always be interpreted and applied “after all administrative actions are completed,” i.e., 7 years after all administrative actions are completed.

A retention guidance for common administrative record are:

  • For GOVERNING DOCUMENTS: Articles of incorporation, Bylaws, Written agreements and contracts, Board and staff meeting minutes, Annual reports, Promotional materials, Fundraising materials: Must be held for as long as the charity is registered or incorporated and for two (2) years after the date the registration of the charity is revoked, the organization is dissolved, or the organization is amalgamated. (whichever is the latest).
  • For FINANCIAL RECORDS: Financial statements, Ledgers, Bank statements, Expense accounts, Inventories, Investment agreements, Accountant’s working papers, Payroll records, Annual CRA information returns: Must be kept for six (6) years from the end of the last tax year to which they relate, while the charity is Registered or incorporated, and for two (2) years after the date the registration of the charity is revoked. the organization is dissolved, or the organization is amalgamated. (whichever is the latest).
  • For OFFICIAL DONANTION RECORDS – 10 YEAR GIFTS: Must be kept for as long as the charity is registered or incorporated and for a minimum of two (2) years after the date the registration of the charity is revoked, or the organization is dissolved or amalgamated (whichever is the latest).
  • For OFFICIAL DONANTION RECEIPTS – OTHE THAN 10 YEAR GIFTS: Must be kept for a minimum of two (2) years from the end of the calendar year in which the donations were made. [Note: typically, the retention periods follow the fiscal period; for instance, if a receipt is issued February 28, 2019, the duplicates must be retained until December 31, 2021].
  • For Access to Information and Privacy: This activity generally includes the business processes and activities which produce records created by AL in relation to the administration of the Access to Information Act and Privacy Act. More specifically, it includes individual requests for access to records under the acts. Access to Information includes individual case files and reports. Protection of Privacy includes individual case files and reports. 
  • The guidelines below will usually apply but refer to the PIPEDA Act and/or the references at the end of this document for clarity It is important that the 7-year period will not apply to Personal Health Information if the client provides instruction that the organization may not collect, use or disclose their personal information.
  • For Personal Information, there is no defined retention period. Usually, the purpose for which it was collected is a clear indication of the retention period. If it is no longer required for the intended purpose, it should be disposed of 7-10 years following the date on which a request was responded to and a subsequent complaint, if any, was fully processed.
  • For Disposal of Records and Personal Information: Disposal of records does not mean throwing paper documents in the trash or deleting electronic records using a delete function. Secure methods of disposal must be used. These include shredding paper documents and using software that securely deletes electronic records.

Books and Records in the Electronic Format

Books and records can be kept in the electronic format. Electronic records are subject to the same rules and retention periods as described above. Books and records that are created and maintained in electronic format must be kept in an electronically readable format, even if the charity has paper printouts of the electronic records. An electronically readable format means information supported by a system capable of producing an accessible and useable copy that would allow auditors to process and analyze the electronic records on CRA equipment.

If any source documents are initially created, transmitted, or received electronically, they must be kept in an electronically readable format. Scanned images of paper documents, records, or books of account that are maintained in electronic format are acceptable if proper imaging practices are followed and documented.

Books and records maintained outside Canada but accessible electronically in Canada do not meet the requirement of being kept in Canada.

Further Obligations

A registered charity is responsible not only for keeping books and records, but for maintaining, retaining, and safeguarding these records as follows:

  • If the charity hires a third party to maintain its records, the charity is still responsible for meeting all requirements. Third parties include bookkeepers, accountants, Internet transaction managers, and application service providers.
  • The charity should keep all its books and records in one area for easy access. This will make it easier for the charity in the case of an audit or when there is a change to the governing board.
  • The charity should also keep copies of its books and records in a separate location (preferably off- site) for backup purposes.
  • The charity is responsible for making its books and records available to CRA officials. These officials are authorized to inspect, audit, or examine a charity’s records, as well as make or have made copies of any records, including electronic records.

Failure to keep adequate books and records may result in the suspension of a registered charity’s tax receipting privileges, or the loss of its registered status.

Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA applies to every organization in Canada that collects, uses and discloses personal information in the course of commercial activities. 

Personal information is defined by PIPEDA as: any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as: age, name, ID numbers, income, ethnic origin, or blood type; opinions, evaluations, comments, social status, or disciplinary actions; and employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).

Commercial activity is defined by PIPEDA as “any particular transaction, act or conduct of any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or fundraising lists.” While it is obvious that the legislators consider charitable and non-profit organizations capable of engaging in commercial activities, it is not obvious which activities charitable and non-profit organizations engage in will be considered commercial and which will not. Whether a charitable or non-profit organization will be subject to PIPEDA depends on whether the organization engages in the kind of commercial activities contemplated by the Act.

Although a charity may not be subject to PIPEDA, it is still important for the charity to adhere to the underlying privacy principles.

Organizations covered by PIPEDA (which may or may not include a registered charity) must obtain an individual’s consent when they collect, use or disclose that individual’s personal information. People have the right to access their personal information held by an organization. They also have the right to challenge its accuracy. Personal information can only be used for the purposes for which it was collected. If an organization is going to use it for another purpose, they must obtain consent again.

Individuals should also be assured that their information will be protected by appropriate safeguards.

Organizations must follow a code for the protection of personal information. This code is included in the Act as Schedule 1. The 10 fair information principles that organizations covered by PIPEDA must follow are

  1. Accountability
  2. Identifying Purposes
  3. Consent
  4. Limiting Collection
  5. Limiting Use, Disclosure, and Retention
  6. Accuracy
  7. Safeguards
  8. Openness
  9. Individual Access
  10. Challenging Compliance

Pursuant to Principle 5 of the Act, unless the individual consents otherwise or it is required by law, personal information can only be used or disclosed for the purposes for which it was collected. Personal information must only be kept as long as required to serve those purposes.

Under the same principle, organizations should develop guidelines and implement procedures with respect to the retention of personal information. These guidelines should include minimum and maximum retention periods. Personal information that has been used to make a decision about an individual shall be retained long enough to allow the individual access to the information after the decision has been made.

Personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous. Organizations shall develop guidelines and implement procedures to govern the destruction of personal information (Principle 5 – Clause 4.5.3).

REGARDING TO INFORMATION RECORDED BY THIRD PARTIES 

Across Languages for providing customer services uses different devices to carry out the final transaction; among the devices they use are STRIVE and BREVO.

STRIPE:

This is the device through which the end consumer makes the payment for the contracted service.

For a better understanding, we proceed to provide the following meaning:

Business User: Stripe provides services to entities (“Business Users”) who directly and indirectly provide us with “End Customer” Personal Data in connection with those Business Users’ own business and activities.

End Customer: When you do business with, or otherwise transact with, a Business User (typically a merchant using Stripe Checkout, e.g. when you buy a pair of shoes from a merchant that uses Stripe for payment processing) but are not directly doing business with Stripe, we refer to you as an “End Customer.”

End User: When you directly use an End User Service (such as when you sign up for Link, or make a payment to Stripe Climate in your personal capacity), for your personal use, we refer to you as an “End User.”

Regarding to End Consumer Stripe offers Business Services to our Business Users (e.g. payment processing through in-person or online checkout, or processing pay-outs for those Business Users). When we are acting as a Business User’s service provider (also known as a data processor), we will process Personal Data in accordance with the terms of our agreement with the Business User and the Business User’s lawful instructions (e.g. when we process a payment for a Business User because you bought a product from them) or they instruct us to send funds to you. 

Business Users are responsible for making sure that their End Customers’ privacy rights are respected, including ensuring appropriate disclosures about data collection and use that happens in connection with their products and services. If you are an End Customer, please refer to the privacy policy or notice of the Business User you choose to do business with for information regarding their privacy practices, choices and controls.  We provide more information about our collection, use and sharing of Personal Data in our Privacy Center, including the legal bases which we rely on for using (processing) your Personal Data.

Personal Data that we collect about End Customers

Transaction Data. If you are an End Customer, when you make payments to, get refunds from, begin a purchase, make a donation or otherwise transact with a Business User that uses us to provide payment processing Business Services, we will receive Transaction Data. We may also receive your transaction history with the Business User. Moreover, we may obtain information typed into a checkout form, even if you choose not to complete the form or purchase with the Business User.

Security and retention

STRIVE make reasonable efforts to provide a level of security appropriate to the risk associated with the processing of your Personal Data. We maintain organizational, technical, and administrative measures designed to protect Personal Data covered by this Policy against unauthorized access, destruction, loss, alteration or misuse. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure.

BREVO

Brevo is the device that Across Languages uses for emailing the end costumer about the purchase made.

The personal data collected by Brevo during the provision of the Services is necessary for the performance of the contracts concluded with the Users, or to allow Brevo to pursue its legitimate interests while respecting the rights of the Users.

Brevo Data security

Brevo implements reasonable and appropriate security procedures and practices to help protect your Personal Information from unauthorized or illegal access, destruction, use, modification, or disclosure. Brevo employ a series of security measures, including a multi-level firewall, encryption, and anti-virus and intrusion detection solutions. 

Please note, however, that no transmission of data over the internet is 100% secure. We cannot guarantee that unauthorized third parties will not defeat our security measures or use your Personal Information for improper purposes.

Canada’s two federal privacy laws—the Privacy Act, which applies to federal government institutions, and the 

PIPEDA, which applies to many private-sector organizations—give people a right to access the personal information

1 Canada’s two federal privacy laws—the Privacy Act, which applies to federal government institutions, and the
PIPEDA, which applies to many private-sector organizations—give people a right to access the personal information
organizations hold about them.

2 https://stripe.com/en-ca/privacy#4-your-rights-and-choices

3 Sometimes the damages you suffered result from more than one person’s fault. Responsibility will be divided among all the persons at fault. When the responsibility is share will decrease the amount of compensation you receive.