Privacy Policy

1. Who We Are and Scope

The Institute of Fiscal Studies and Democracy and IFSD Advisors Ltd. (together, “IFSD”, “we”, “us”, “our”) provide research, consulting, and analytical services to public, para-public, Indigenous, and private organizations across Canada and internationally.

This Privacy Policy explains how we collect, use, disclose, retain, and protect Personal Information in connection with our commercial activities, in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable guidance from the Office of the Privacy Commissioner of Canada (OPC).

Wherever possible, IFSD works with aggregate, de-identified or anonymized data. We only handle identifiable Personal Information where it is necessary, proportionate, and clearly supported by a lawful basis and documented commitments (for example, contracts or Information Sharing Agreements).

2. Key Definitions

Personal Information (PI): Information about an identifiable individual, as interpreted under the Personal Information Protection and Electronic Documents Act (PIPEDA).

Business Contact Information: An individual’s name, title, business address, business telephone, or business email, used solely for business communications.

Service Provider: A third party engaged by IFSD to process information on our behalf under written contract and subject to confidentiality and security obligations.

De-identified/Aggregate Data: Personal Information modified so individuals are not directly identified, but a risk of re-identification may remain.

Anonymized Data: Information that has been irreversibly modified, using appropriate technical and organizational measures, such that no individual can be identified directly or indirectly, and re-identification is not reasonably possible.

Information Sharing Agreement (ISA): A written agreement defining roles, purposes, safeguards, and retention rules when IFSD receives or accesses data from partners or clients.

Retained Consultant/Staff: Individuals engaged by IFSD (employees or contractors) who are bound by confidentiality and this Privacy Policy.

3. Accountability

IFSD is responsible for Personal Information in its custody or under its control, including when it is processed by service providers on our behalf.

Privacy Officer: Sahir Khan, Executive Vice-President
Email: sahir.khan@ifsd.ca
Phone: (613) 724-7503

We maintain a privacy management framework that includes policies, Information Sharing Agreements, contractual safeguards, training, and oversight of service providers. We remain accountable for Personal Information transferred to third parties for processing.

4. Identifying Purposes

We identify and document purposes at or before the collection or receipt of Personal Information. Typical purposes include:

• Conducting research, modeling, and analytics
• Delivering advisory and consulting services
• Managing relationships with clients, partners, and experts
• Ensuring security and integrity of our systems and datasets (for example, logging, fraud or abuse monitoring)
• Meeting legal, regulatory, contractual, and audit obligations, including under Information Sharing Agreements

5. Consent

Where IFSD collects Personal Information directly from individuals, we obtain meaningful consent (express or implied, as appropriate to the context, sensitivity, and expectations). Individuals are informed of what information we collect, for what purposes, with whom it may be shared, and any meaningful risks that are not obvious.

Individuals may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. We explain any implications of withdrawal, such as limits on our ability to provide certain services.

We comply with Canada’s Anti-Spam Legislation (CASL). We send commercial electronic messages only with consent, where implied consent applies, or where another CASL exception permits it. Each message identifies us and includes an easy, no-cost unsubscribe option.

6. Limiting Collection

IFSD limits the collection and use of identifiable Personal Information to what is necessary and proportionate for the identified purposes.

Our default approach is to request aggregate, de-identified or anonymized datasets, and to avoid sensitive identifiers unless clearly required and justified for the research or advisory mandate.

Where we receive data from organizations under an Information Sharing Agreement, those organizations are responsible for ensuring a lawful basis for disclosure (for example, redaction, applicable legislative authority, or consent). We rely on that authority and apply controls consistent with PIPEDA and the applicable agreement.

7. Limiting Use, Disclosure, and Retention

We use and disclose Personal Information only for the purposes identified at collection, as permitted or required by law, or as specified in applicable contracts or Information Sharing Agreements.

We align retention with the applicable Information Sharing Agreement or engagement terms and the purposes for which the data was provided. Where no specific term applies, we generally retain research data for up to five (5) years to support accountability, and quality assurance, unless a shorter period is appropriate. At the conclusion of the retention period, or upon termination of an agreement, Personal Information is securely destroyed, and we maintain records or certificates of destruction where appropriate.

We do not repurpose Personal Information for new, incompatible purposes without a lawful basis and, where required, updated consent or contractual terms.

8. Accuracy

We take reasonable steps to ensure that Personal Information is accurate, complete, and up to date where it is relied upon for our work or may impact individuals. For datasets provided by clients or partners, we typically rely on them as the system of record and will raise material inaccuracies with the data provider where necessary.

9. Safeguards

We protect Personal Information with administrative, technical, and physical safeguards appropriate to its sensitivity, volume, and context. These safeguards include:

Our administrative safeguards include confidentiality undertakings, clearly defined roles and responsibilities, privacy and security training, due diligence and contractual safeguards for service providers, and governance under Information Sharing Agreements.

Our technical safeguards include role-based access control and least privilege, strong authentication (multi-factor authentication), encryption in transit and at rest, secure configurations, logging and monitoring, vulnerability management, and data loss prevention where appropriate.

Our physical safeguards include controlled office access, secure storage, clean desk practices, and the secure disposal of media.

We maintain incident response procedures and, where required by PIPEDA, assess, record, report, and notify breaches of security safeguards that pose a real risk of significant harm.

10. Openness

We are committed to clear and accessible information about our privacy practices. This Privacy Policy is our primary notice. Additional, purpose-specific notices or Information Sharing Agreement terms may supplement it in particular projects. On request, we will provide more detail about our privacy management practices, subject to security and confidentiality constraints.

11. Access and Correction

Individuals have the right to request access to Personal Information about them held by IFSD and to request corrections where they believe the information is inaccurate or incomplete, subject to limited exceptions under PIPEDA. We may need to verify identity before responding and will respond within legally required timeframes, explaining any refusal and available escalation options.

12. Challenging Compliance

Questions, concerns, or complaints about this Privacy Policy or our practices may be directed to our Privacy Officer. We will acknowledge, investigate, and respond within a reasonable period and take corrective action where warranted. If you are not satisfied, you may contact the Office of the Privacy Commissioner of Canada.

13. International and Cross-Border Transfers

IFSD’s servers and backup servers are located in Canada. In the event IFSD utilizes service providers or cloud infrastructure located outside Canada, then the IFSD remains accountable for that information and uses contractual, technical, and organizational measures to protect it, consistent with PIPEDA’s accountability principle.

14. Cookies, Analytics, and Online Tracking

Our websites may use essential cookies required for security and site functionality and, with consent where required, analytics cookies or similar technologies to understand site usage and improve our services. Individuals can manage cookie settings through their browser and, where available, through our cookie preferences tools. We do not engage in invasive profiling or micro-targeted advertising inconsistent with PIPEDA.

15. Vulnerable Individuals and Indigenous Communities

Our services are directed to institutional and professional audiences. Where we work with datasets that include sensitive information about Indigenous Communities (First Nations, Inuit and Métis) we apply heightened safeguards (e.g. OCAP® Principles), follow requirements set out in applicable Information Sharing Agreements, as well as our standard operating procedures.

16. How to Contact Us

For questions, access requests, or complaints, please contact:

We will accommodate accessibility needs related to privacy inquiries or complaints upon request.

17. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. The Effective Date at the top indicates the most recent version. Where changes are material, we will provide more prominent notice and, where required, seek renewed consent.