Privacy Without Pain: A Primer for Nonprofits
Yesterday, David Schulz warned us about the need to protect the private information of our participants and supporters. Today David explains the 8 basic principals involved in protecting the information you store so you don’t become the kind of example he shared yesterday. ~Kivi
Guest Post by David Schulz
Privacy is a cherished right. But it’s among the most confusing and nuanced. How do nonprofit administrators and fundraisers incorporate privacy as a process, in working with clients and donors?
Start by clearing away the philosophic clutter. Simply look what is in our control: information and data about people. That’s where you’ll find the critical focus – the place where crises occur – or can be avoided. Fortunately, there are guidelines to collecting and handling information, known as the Fair Information Principles (FIPs). Understanding them is a great was to begin your own privacy audit.
FIPs were developed just as computers began storing previously unfathomed amounts of data in the 1970s. They underpin “privacy policies” throughout the world. Refined and expanded in various states and countries, there are eight basic principles in common: Collection Limitation, Quality, Purpose, Use, Security, Openness, Participation and Accountability.
Collection limitation requires that all information is obtained by lawful and fair means and with the knowledge or consent of the subject. Lawful and fair is easily obliged; most development offices are awash in legitimate data received through regulated systems. (This doesn’t include social media! … more on that later.) But do your donors or clients know how the extent and accuracy of your independent research? Have they ever explicitly granted permission to research and store sensitive information?
Quality concerns correctness: information should be accurate, complete and up-to-date. It’s a principle near the heart of every development shop – no one likes discovering they have bad prospect information. Making decisions based on incorrect information is not only bad management; it can subject the organization to lawsuits, particularly in personnel hiring. Avoid basing any decisions on social media information… you don’t know its accuracy or origin!
Purposes for which personal information are gathered should be specified when its collection; use is limited to the fulfillment of those purposes. Collecting bits and types of information indiscriminately can accidentally change the category of the information you’re holding from PII (personally identifiable information) to SPI (sensitive personal information) to PHI (personal health information), without even noticing it. Losing control of a donors’ giving history is embarrassing; losing control of their health data can result in legal action.
Use, after being gathered, should only be for the purposes specified in the gathering. Data collected in credit checks by the HR or financial aid offices can’t be used by the development office without that use being specified in its collection and agreed on by the subject.
Security is a prerequisite for privacy. It’s important to have clear lines of communication with the IT professionals that act as information security-gatekeepers. With more institutions using the “cloud” for record storage, it’s important to examine service level agreements with providers to ensure their security standards are up to your needs, and their liability limits. The average cost of a data breach is more than $2-million; when trusting the cloud with your crown jewels, make sure they’re up to the task.
Openness is a very simple quality: there should be no collection of information kept secretively. People have a right to know of data collected, and to review and correct it if needed, bringing us to…
Participation. Times change, people change, and their personal information should accurately reflect the facts. This is only possible with the willing participation of the data subject, and their involvement in reviewing and updating information.
Accountability: Risk is only properly managed when someone is assigned to it. Who is responsible to assure adherence to the FIPs? If no one is accountable, everyone is culpable.
These principles offer a framework through which to audit an organization’s risk of privacy breach. But we’re reductionists at heart: we’ll compress them into a simple triad, a holy trinity for privacy management: C-I-A (Confidentiality, Integrity, Availability).
Wishing you privacy without pain! If you have any incidents or questions regarding these issues, please share!
David Schulz, CIPP/US, is a privacy professional who has been a nonprofit manager and director for thirty years, initially in marketing and media relations, then fundraising and leadership. Currently serving as Commissioner on the Texas Commission of Holocaust and Genocide, Mr. Schulz has been a director on the Plano Symphony Orchestra Board and the UT-Dallas Arts and Humanities Advisory Council. He lives in San Antoniowith his wife Ann, a field leader in cyber security and a certified ethical hacker: their pillow talk, though dull, is encrypted and password protected.