This blog was originally posted August 30, 2016.
Earlier this year, we shared three ways that being privacy conscious can improve your organization’s reputation. By being privacy conscious you can help strengthen your organization’s reputation, enhance the trust in your staff, and even increase the loyalty of donors, participants, and volunteers.
So what steps can your organization take to improve your privacy practices?
In Alberta, the Personal Information Protection Act (PIPA) is part of our privacy legislation. PIPA is an outline of best practices for privacy protection, and all organizations can benefit by meeting these standards.
Did you know?
Most nonprofit organizations are only legally required to follow PIPA when collecting, using, or disclosing personal information as part of a commercial activity, such as operating a day care, emailing your donor list, or selling products, training, or a membership.
Service Alberta has created a workbook specifically for nonprofit organizations to help evaluate and improve privacy protection practices. We have gone through the workbook and highlighted these four best practices for you.
4 Best Practices for Privacy Protection
1. Have a good reason for collecting the information you do.
What personal information does your organization collect for each program or service that it offers?
Collecting a client’s birthday might be appropriate if your program has a minimum or maximum age requirement, but it would be unnecessary if the client simply wanted to sign up for your newsletter.
Create a list of the information your organization collects, along with the purpose for collecting each piece. If you find that your organization is collecting more information than it needs, arrange to get rid of the extra information you already have, and stop collecting it from new participants.
2. Designate a privacy contact person.
Choose one person to be a privacy contact person (staff member, volunteer, or board member) to answer questions or requests about the personal information your organization collects.
This person should be familiar with your organization’s privacy policies and procedures, and be readily available to answer any questions.
3. Get consent for collecting, using, and disclosing personal information.
There are two types of consent, implied consent and express consent:
Implied consent: Implied consent is acceptable in situations where it is really clear why you are collecting personal information and how you will use it. For example, taking a donor’s credit card information on the payment screen.
Express consent: Most of the time it is a good idea for your organization to provide added clarity for people and provide the opportunity for them to expressly consent to the collection, use, and disclosure of their personal information.
Two examples of express consent statements your organization might use:
1. Your organization is collecting income information for program participants to ensure they meet the low-income requirement:
The income information you have provided will be used to determine your eligibility for the program, and will only be shared within our agency.
□ I consent to this information being used within the organization to verify eligibility.
2. Your organization is collecting medical information for day camp attendees:
My child’s provided medical information will be shared with camp volunteers to assist them in recognizing a medical emergency. I consent to the collection of my child’s personal information for this purpose.
4. Safeguard and protect the information you collect.
The personal information your organization keeps on your clients, donors, members, staff, and volunteers is sensitive. Take care of other people’s information as if it were your own:
- Lock your filing cabinets and password-protect all devices, including laptops, tablets, and flash drives.
- Limit access to personal information to relevant staff or volunteers.
- Don’t keep information you don’t need. For example, if you need to verify your volunteer has a driver’s license, make a note that it has been verified rather than keeping a copy of the driver’s license on file.
Remember: Social insurance numbers, credit card information, birthdates, names, and addresses can all be used in identity theft. Medical information, criminal record checks, and income information can also have serious impacts on personal relationships, careers, and housing.
While privacy protection may require you to create new policies, or change your procedures, in the end best practices help your organization to protect those people who are integral to the work you do. After all, nonprofit organizations exist for the people we serve – let’s all do the best job that we can!
Does your organization follow these best practices? Do you have room for improvement? Let us know in the comments!