
From the Vault – Privacy Protection: 4 easy steps

This blog was originally posted August 30, 2016.


Earlier this year, we shared three ways that being privacy conscious can improve your organization’s reputation. By being privacy conscious you can help strengthen your organization’s reputation, enhance the trust in your staff, and even increase the loyalty of donors, participants, and volunteers.

So what steps can your organization take to improve your privacy practices?

In Alberta, the Personal Information and Protection Act (PIPA) is part of our privacy legislation. PIPA is an outline of best practices for privacy protection, and all organizations can benefit by meeting these standards.

Did you know?

Most nonprofit organizations are only legally required to follow PIPA when collecting, using, or disclosing personal information as part of a commercial activity. For example, operating a day care, emailing your donor list, or selling products, training, or a membership.

Service Alberta has created a workbook specifically for nonprofit organizations to help evaluate and improve privacy protection practices. We have gone through the workbook and highlighted these four best practices for you.


4 Best Practices for Privacy Protection

1. Have a good reason for collecting the information you do.


What personal information does your organization collect for each program or service that it offers?

Collecting a client’s birthday might be appropriate if your program has a minimum or maximum age requirement, but it would be unnecessary if the client simply wanted to sign up for your newsletter.

Your organization can create a list of the information it collects, along with the purpose for collecting each piece. If you find that your organization is collecting more information than it needs, arrange to get rid of the extra information you already have, and stop collecting that information from new participants.

2. Designate a privacy contact person.

Choose one person to be a privacy contact person (staff member, volunteer, or board member) to answer questions or requests about the personal information your organization collects.

This person should be familiar with your organization’s privacy policies and procedures, and be readily available to answer any questions.

3. Get consent for collecting, using, and disclosing personal information.

There are two types of consent, implied consent and express consent:

Implied consent: Implied consent is acceptable in situations where it is really clear why you are collecting personal information and how you will use it. For example, taking a donor’s credit card information on the payment screen.

Express consent: Most of the time it is a good idea for your organization to provide added clarity for people and provide the opportunity for them to expressly consent to the collection, use, and disclosure of their personal information.

Two examples of express consent statements your organization might use:

1. Your organization is collecting income information for program participants to ensure they meet the low-income requirement:

The income information you have provided will be used to determine your eligibility for the program, and will only be shared within our agency.

□ I consent this information can be used within the organization to verify eligibility.

2. Your organization is collecting medical information for day camp attendees:

My child’s provided medical information will be shared with camp volunteers to assist them in recognizing a medical emergency. I consent to the collection of my child’s personal information for this purpose.

Signature:  ______________

4. Safeguard and protect the information you collect.


The personal information your organization keeps on your clients, donors, members, staff, and volunteers is sensitive. Take care of other people’s information as if it were your own:

  • Lock your filing cabinets and password protect all devices, including laptops, tablets, and flash drives.
  • Limit access to personal information to relevant staff or volunteers.
  • Don’t keep information you don’t need. For example, if you need to verify your volunteer has a driver’s license, make a note that it has been verified rather than keeping a copy of the driver’s license on file.

Remember: Social insurance numbers, credit card information, birthdates, names, and addresses can all be used in identity theft. Medical information, criminal record checks, and income information can also have serious impacts on personal relationships, careers, and housing.

While privacy protection may require you to create new policies, or change your procedures, in the end best practices help your organization to protect those people who are integral to the work you do. After all, nonprofit organizations exist for the people we serve – let’s all do the best job that we can!

Does your organization follow these best practices? Do you have room for improvement? Let us know in the comments!

Sam Kriviak
Volunteer Alberta


3 ways being privacy conscious can improve your organization’s reputation

In the twenty-first century, data and information are everywhere. Collecting information is truly foundational to everything we do in our daily work. Online activities that collect personal information, fundraising efforts, volunteer screening, and social media put a responsibility on nonprofits to consciously manage people’s privacy, information, and other data.

By being privacy conscious you can help strengthen your organization’s reputation, enhance the trust in your staff, and even increase the loyalty of donors, participants, and volunteers.

If you want to maintain a positive perception of your organization and the important work you do, a solid practice is to have processes in place for managing information and personal records.

Here are a few simple ideas and actions your organization can take to be more privacy conscious and protect the personal information and privacy of those people who interact with your nonprofit.

Enhance your organization’s reputation

Protecting privacy and personal information can improve your organization’s reputation.

In general, nonprofits that manage personal information in accordance with privacy legislation (like PIPA or FOIP) are seen as more accountable and trustworthy by clients, volunteers, donors, and potential partners.

An improved reputation may mean that other agencies will find opportunities to work together with your nonprofit more attractive, especially if operating joint programs or if a partnership requires information sharing.

By simply reviewing how your organization currently manages personal information, you can begin to establish more formalized processes.

A simple review of your current practices may provide other benefits. It can:

  • assist you in making better decisions about what information is reasonable to collect and only collecting what you need
  • guide you to use the information you collect more effectively and intentionally
  • improve how you protect the privacy of those people who are important to you

Trust in your staff

Not having good personal information protections in place could hurt how your staff are perceived and trusted by your donors, volunteers, and clients.

Simply because a few standardized processes are lacking in their work, your staff may not be perceived to have the same level of responsibility and accountability as people working in businesses.

While initially it may seem like added work, you can help improve the level of trust your donors, volunteers, and clients have in your staff by involving staff in the process of protecting personal information.

Simple ways your staff can be seen as part of protecting privacy while collecting information include:

  • staff being transparent about how a person’s personal information will be used, providing those people an opportunity to ask questions or make requests that help them feel their information is respected
  • staff explaining how information will be stored and/or destroyed, demonstrating a professional level of accountability in the staff person and helping to develop a relationship of trust between the individual and staff at your organization

Loyalty from your donors, participants, and volunteers

People are asked to share their personal information many times a day, from entering an email address, to sharing a postal code at a store check-out, to signing into social media websites. Personal information is increasingly valuable in today’s world.

People are concerned about what data is requested of them, how much of the requested information is required for the service they want to use, and how their data is eventually used. While they may have differing thoughts and feelings about their expected privacy when it comes to their own information, one thing often rings true: people generally place more trust and respect in those who work to protect their privacy.

The people your organization counts on to volunteer or donate are not only important to your work, but also champions who will share the experiences they have with your organization with others. It is a good idea to be transparent with those people about the steps you have in place to protect and respect their privacy.

Some simple solutions that you can incorporate:

  • a “privacy practices and policy” notice on all donation forms or receipts
  • be upfront about the personal information that is required for volunteer screening processes (ex. is a police information check required, references, or employment history?)
  • set clear expectations during volunteer interviews or orientation about how their personal information will be used, stored, and destroyed

If your organization is already taking some of these steps for privacy protection – great work! Please keep it up and share any tips you might have about your processes in the comments.

Guest Blog: Volunteers as Staff: Where Labels and Titles Collide

In 2010 alone, 47% of Canadians volunteered 2 billion hours, the equivalent of 1.1 million full-time work positions. Volunteers, who freely offer their services, have become an essential component of our communities and the modern workforce. In the nonprofit sector, we know all too well the benefit volunteers bring to our organizations. For many of us, they are indeed a necessity. But having volunteers work for our organizations can and does expose us to potential risks.

With the important part volunteers play, should we as agencies recruit, screen, and manage them, as we would staff? Or do they require something different?

This may sound like a daunting question. How would we even begin to tackle this? My initial strategy was to ask as many people as possible, so I asked volunteers, managers, and those in-between, this very question. I found there were just as many points of view as there were individuals who held them:

• Some agencies I spoke with (such as Distress Centre Calgary) identified having worked towards an integrated Human Resources model. Their rationale was that many volunteers provide a front line service and need similar training, time, support, and supervision as employees. “Volunteers do not get the financial benefits. However, the volunteer is here to do a job, shows up, and does it to the best of their ability. Volunteers represent the agency just as much as staff, and expectations around service seem the same for both volunteers and staff”.

• A few volunteers stated they enjoy being on an equal footing with staff. This made them feel respected and important; a peer in the organization. Others felt a sense of safety being separate from paid workers, feeling almost exempt from punishment over mistakes or errors in procedure. “I feel volunteers are lower in the hierarchy overall, and that there’s less responsibility on the volunteer when being directed in my role.”

• A surprising number of respondents worried about a volunteer/staff “synergy.” When asked to clarify, these individuals said the treatment of some nonprofit staff leaves something to be desired and worry about comparisons being made between the kinds of support given to volunteers and to staff. “Essentially, volunteers are held in a place of esteem while staff is often not. All too often staff does not get the same support to the same degree.”

• Others found an already organic union blurring of the lines between staff and volunteers. “I volunteered for a program essentially run by volunteers. With some volunteer roles, you are doing the same tasks as a staff anyways.”

With such a wide range of experiences and opinions, what’s a nonprofit to do? Do we work actively towards formalizing the volunteer position? Do we establish rigid screening and feedback processes? Or do we play it by ear depending on the volunteer role and/or specific individual? Much to my chagrin, it looks like there is no definitive answer.

However, there are a plethora of references and materials out there for agencies wanting to take a stab at formalizing the volunteer role. They make a strong case that it’s in our best interest, as nonprofit organizations, to put volunteers and staff on a similar plane. Authors such as Judith Wilson, Michelle Gislason, and Linda Graff highlight that as the risk for the agency or the volunteer increases, so does the need for formalized processes. Conveniently, you can find these and many other resources on the Volunteer Alberta Resource Centre, or why not ask other nonprofits (such as Distress Centre Calgary) what is working for them.

Chloé McBean, Contact Centre Volunteer Team Lead
Distress Centre Calgary

 

 

What you need to know about Canada’s new Anti-Spam Law

courtesy of harrisonpensa.com


On December 4, Federal Minister of Industry James Moore announced that Bill C-28, Canada’s Anti-Spam Legislation (CASL) will come into effect on July 1, 2014.  Although Canada’s new anti-spam law comes into effect six months from now, it will face a mandatory review in three years.

The legislation is intended to deter spam and electronic threats. Many everyday activities such as sending an email message to a member, operating an organization’s website, and making a mobile application available for download will soon be subject to new, detailed rules that will likely require you to make significant changes to your operational practices or face tough fines and penalties. Although there are exceptions for charities, many of the requirements are still mandatory.

Organizations will have to adjust to the new law, but most already maintain databases of opt-out consents and provide their members with information on how they can unsubscribe from further marketing materials. The new law establishes some additional form requirements and shifts toward opt-in consents, but the fundamental need to actively manage personal information remains unchanged.

The most significant, and potentially challenging, aspect of CASL is the consent requirement. In essence, all organizations will be required to obtain positive – opt-in – recipient consent to be able to send “commercial electronic messages” (CEMs) to their customers, donors, members and others, unless they have a relationship with the contact that is exempt from the law or can establish implied consent under one of CASL’s specifically defined categories. Due to the difficulties in managing email contact lists to fit within these exceptions, many nonprofits will likely choose to obtain express consent from their donors, past members and other contacts, to ensure compliance.

What the law means for charities and nonprofits:

The full implications are not yet fully known. However, an exemption for messages sent by registered charities that raise funds as their primary purpose was added, making the law less cumbersome. According to the government release, “Canadian charities, which operate based on the generosity of Canadians, will be able to continue fundraising as before.” Charities will still need to distinguish between commercial messages used to raise funds and those including the promotion of commercial activities that are not considered to be fundraising activities.

All commercial electronic messages sent by nonprofits that are not registered as charities (including those intended to raise funds) will still fall under CASL.

For messages not exempt from regulation, organizations are required to:

1. Obtain consent from recipients before sending commercial electronic messages.

   1.1. Consent will be “implied” in the case of “members, donors or volunteers that have been active in the two years immediately prior to the date the message is sent.”

   1.2. Consent is also implied if the recipient’s electronic address is conspicuously published or is disclosed to the sender and is not accompanied by a statement indicating they do not wish to receive commercial electronic messages. Additionally, the message must be relevant to the recipient’s business, role, functions or duties.

2. Include the sender’s identifying information “and provide information to enable recipient to contact the sender.”

3. Enable the recipient to withdraw consent (unsubscribe option).

Exempt Messages:

  • Those sent to individuals where there is an existing personal or family relationship.
  • Those sent between employees, representatives, and consultants of organizations that have a relationship and the message concerns the activities of the recipient organization.
  • Those sent in response to a request, inquiry or complaint or that are otherwise solicited by the person to whom the message is sent.
  • The first commercial electronic message sent to a recipient that has been referred to the sender by someone who has an existing business, non-business, family, or personal relationship, provided the name of the referring individual is included in the message.

A full listing can be found under “Excluded Commercial Electronic Messages” in the regulations document.

More information can be found at:

  • Imagine Canada’s Anti-spam exemption for charities press release
  • CCVO’s Anti-Spam Legislation Review
  • Government of Canada’s Anti-Spam Legislation Website
  • CRA’s Guidance on Fundraising by Registered Charities
  • ONN: Top Ten Things Nonprofits Need to Know about CASL
  • Bennett Jones Canadian Anti-Spam Information Site

 

Kassie Burkholder, Volunteer Alberta
