Charity & Volunteer Organizations
Privacy Considerations
Introduction
• Charitable organizations typically collect, use and store personal
information about their members, donors, employees, business
associates, and the constituents they serve. This information supports
core organizational needs such as verifying eligibility for membership,
processing donations, registering attendees for events, distributing
information about programs and initiatives, providing proof of
participation in activities, etc.
• The volume, and in some cases the sensitivity, of the personal
information that charitable organizations process, combined with the
requirements imposed by privacy laws, creates privacy risk.
Organizations need to identify that risk and put controls in place to
mitigate the potential exposure.
Introduction, continued
• Although some privacy laws do not apply to (or include exceptions
for) non-profit organizations, organizations should still be concerned
about protecting their reputation and the personal information of their
members, supporters and constituents.
Privacy Accountability
• Do you have documented policies and procedures for handling
personal information?
• Factors to consider when developing policies and procedures
include:
− sensitivity of the information
− amount of information
− extent of distribution
− format of the information (electronic, paper, etc.), and
− type of storage.
Privacy Policy Core Components
• Notice – Describe the purpose and nature of processing activities
• Choice and Consent – Obtain permission before using an individual's
personal information for purposes other than those for which it was
originally collected
• Minimization – Limit the collection and use of personal information to
that which is relevant and necessary
• Data Accuracy – Endeavor to ensure that personal information is current
and establish procedures that permit individuals to correct their personal
information if it is inaccurate
Privacy Policy Core Components, continued
• Vendors or Service Providers - Ensure that vendors and service
providers are contractually bound to protect any personal information
they may process on behalf of your organization
• Retention – Do not retain personal information longer than necessary.
Define retention periods, and dispose of personal information in a
secure manner once they expire
• Security – Maintain appropriate administrative, physical, and technical
controls to protect personal information
Training
• Privacy and security training should be regular, repeatable and
timely. In addition to general privacy and security training,
employees and volunteers should be trained on the following issues.
• How do I respond to member, donor and other public inquiries
regarding our organization's privacy policies?
• Do you point them to your website, is the policy included on a
volunteer form they filled out, or is it a public document that can be
mailed or emailed to them?
• What is consent? When and how do we acquire it?
• Consent: Permission by the subject of the information to use it.
• How do we acquire permission for activities such as publication of
financial donors, pictures, volunteer lists, program participants,
etc.?
Training, Continued
• How do I recognize and handle requests for personal information?
• When someone asks for personal information about volunteers or
program participants, what are our protocols to confirm that the
person we are speaking with is who they say they are? In other
words, how do we authenticate the requester of the information?
• To whom should I refer complaints about protection of personal
information?
• Who is the primary contact for information handling practices
within the organization?
Credit Card Processing and PCI
• Does your organization accept donations via credit card?
– If so, you may be responsible for compliance with the Payment
Card Industry Data Security Standard (PCI DSS).
– PCI DSS (version 2.0 at the time of this presentation) is the
payment card industry's global data security standard. Any
organization of any size that accepts payment cards, or that
stores, processes or transmits cardholder data, is required by its
card brand and acquiring bank agreements to comply with it.
– Outsourcing card handling to a hosted payment processor
reduces, but does not eliminate, your obligations: the processor
secures the cardholder data, but you remain responsible for the
parts of the process you control, such as the donation page that
sends donors to the processor, and for confirming that your own
systems never receive or store card numbers.
Credit Card Processing and PCI,
Continued
• PCI Security Standards Council
– https://www.pcisecuritystandards.org/
• PayPal for Nonprofits
– https://merchant.paypal.com/cms_content/US/en_US/files/merchant/paypal_nonprofit_faqs.pdf
Access to Personal Information
• Does your organization restrict access to the personal information it
collects and uses?
– Restrict access to those who need the information to do their job,
and remove access promptly when an employee or volunteer
leaves or changes roles.
– Ensure that personal information stored in computer systems has
password-restricted access.
– Ensure that user IDs and passwords are unique for each user;
shared accounts make it impossible to tell who accessed what.
– Ensure that filing cabinets holding documents containing personal
information are locked when not in use.
Email Campaigns & CAN-SPAM
• Does your organization acquire mailing lists for fundraising
solicitations? If yes, from what sources? Are the lists rented or
exchanged, or both? Does the source of the list purge the people who
don't want their names released before giving you the list?
– The CAN-SPAM Act, a law that sets the rules for commercial
email, establishes requirements for commercial messages, gives
recipients the right to have you stop emailing them, and spells out
tough penalties for violations. CAN-SPAM applies to non-profit
organizations that send e-mails whose primary purposes are to
advertise or promote commercial products or services, even
where the non-profit organization's activities are not overtly
"commercial" in nature.
– http://www.business.ftc.gov/documents/bus61-can-spam-act-compliance-guide-business
Telephone and Text Campaigns
• Does your organization conduct telephone or text message
campaigns?
– Telemarketing is also regulated (in the United States, principally
by the Telephone Consumer Protection Act and the FTC's
Telemarketing Sales Rule), and these rules also cover some text
message activities. In many circumstances non-profits are exempt.
However, even if your organization is not subject to these rules,
they are best practices for telemarketing by any organization.
Social Media
• Does your organization use social media to communicate with
members, donors or volunteers?
• Do you mention individuals by name that helped with an event?
• Does permission to have photos taken at an event extend to social
media?
• Are there pictures of children that are taken at a family event?
Social Media, Continued
• Social media is an important way to keep members, donors, and
other stakeholders aware of the charity and current events. However,
it is important to maintain control of the organization’s social
reputation and the messaging.
• Before posting information about, or images of, people who interact
with your charity, get their permission first: post clear notice at the
event that photos will be taken and may be published, or ask
individuals to sign a release. For children, obtain the permission of a
parent or guardian.
• Keep informed about social media trends and make changes to your
organization’s social media strategy as necessary.
• Comply with terms and policies of the social media sites you use.
Children and Website Data Collection
• If you run a website designed for children, or have a website geared to
a general audience but collect information from someone you know is
under 13, you must comply with COPPA's requirements.
• The Children's Online Privacy Protection Act (COPPA) gives parents
control over what information websites can collect from their
children. COPPA puts in place protections and procedures that
operators covered by the rule must follow.
• COPPA's coverage follows the FTC Act's jurisdiction, so many
non-profits are not legally bound by it. The FTC nevertheless
encourages them to comply, and its requirements (parental notice
and verifiable consent, minimal collection, secure handling) are
sound practice for any site that collects information from children.
Resource List
• Direct Marketing Association
− http://thedma.org/
• Generally Accepted Privacy Principles (GAPP)
− http://www.aicpa.org/interestareas/informationtechnology/resources/privacy/generallyacceptedprivacyprinciples/pages/gapp_principlesandcriteria.aspx
• PCI Security Standards Council
− https://www.pcisecuritystandards.org/
• PayPal for Nonprofits
− https://merchant.paypal.com/cms_content/US/en_US/files/merchant/paypal_nonprofit_faqs.pdf
• SPAM Guidance
− http://www.business.ftc.gov/documents/bus61-can-spam-act-compliance-guide-business
Questions?