Charity & Volunteer Organizations Privacy Considerations

Introduction
• Charitable organizations typically collect, use and store personal information that relates to their members, donors, employees, business associates, and the constituents whom they serve. This information is used to meet core organizational needs such as verifying eligibility for membership, processing donations, conducting event registration, distributing information about programs and initiatives, providing proof of participation in activities, etc.
• The extensive, and in some cases sensitive, personal information processed by charitable organizations, set against the requirements imposed by privacy laws, can present privacy risk and requires organizations to develop controls to mitigate potential exposure.
• Although some privacy laws do not apply to (or include exceptions for) non-profit organizations, organizations should still be concerned with protecting their reputation and the personal information of their members, supporters and constituents.

Privacy Accountability
• Do you have documented policies and procedures for handling personal information?
• Factors to consider when developing policies and procedures include:
  − sensitivity of the information
  − amount of information
  − extent of distribution
  − format of the information (electronic, paper, etc.), and
  − type of storage.

Privacy Policy Core Components
• Notice – Describe the purpose and nature of processing activities.
• Choice and Consent – Acquire permission before using individuals' personal information for purposes other than those for which it was originally collected.
• Minimization – Limit the collection and use of personal information to what is relevant and necessary.
• Data Accuracy – Endeavor to ensure that personal information is current, and establish procedures that permit individuals to correct their personal information if it is inaccurate.
• Vendors or Service Providers – Ensure that vendors and service providers are contractually bound to protect any personal information they process on behalf of your organization.
• Retention – Do not retain information longer than necessary. Dispose of personal information in a secure manner.
• Security – Maintain appropriate administrative, physical, and technical controls to protect personal information.

Training
• Privacy and security training should be conducted regularly, in a repeatable and timely manner. In addition to general privacy and security training, employees should be trained on the following issues:
• How do I respond to member, donor and other public inquiries regarding our organization's privacy policies?
  − Do you point them to your website, is it included on a volunteer form they filled out, or is it a public document that can be mailed or emailed to them?
• What is consent? When and how do we acquire it?
  − Consent: permission by the subject of the information to use it.
  − How do we acquire permission for activities such as publication of financial donors, pictures, volunteer lists, program participants, etc.?
• How do I recognize and handle requests for personal information?
  − When someone asks for personal information about volunteers or program participants, what are our protocols to confirm that the person we are speaking with is who they say they are? In other words, how do we authenticate the requester of the information?
• To whom should I refer complaints about protection of personal information?
  − Who is the primary contact for information handling practices within the organization?

Credit Card Processing and PCI
• Does your organization accept donations via credit card?
  − If so, you may be responsible for compliance with the Payment Card Industry Data Security Standard (PCI DSS).
  − PCI DSS 2.0 is the payment card industry's global data security standard, which any business of any size must adhere to in order to accept payment cards and to store, process, and/or transmit cardholder data.
• PCI Security Standards Council – https://www.pcisecuritystandards.org/
• PayPal for Nonprofits – https://merchant.paypal.com/cms_content/US/en_US/files/merchant/paypal_nonprofit_faqs.pdf

Access to Personal Information
• Does your organization restrict access to the personal information it collects and uses?
  − Restrict access to those with a need to know the information for their job.
  − Ensure that personal information stored in computer systems has password-restricted access.
  − Ensure that user IDs and passwords are unique for each user.
  − Ensure filing cabinets with documents containing personal information are locked when not in use.

Email Campaigns & CAN-SPAM
• Does your organization acquire mailing lists for fundraising solicitations? If yes, from what sources? Are the lists rented or exchanged, or both? Does the source of the list purge the people who don't want their names released before giving you the list?
  − The CAN-SPAM Act, a law that sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have you stop emailing them, and spells out tough penalties for violations.
  − CAN-SPAM applies to non-profit organizations that send e-mails whose primary purpose is to advertise or promote commercial products or services, even where the non-profit organization's activities are not overtly "commercial" in nature.
  − http://www.business.ftc.gov/documents/bus61-can-spam-act-compliance-guide-business

Telephone and Text Campaigns
• Does your organization conduct telephone or text message campaigns?
  − There are laws that establish rules for telemarketing as well, and these laws also cover some text message activities. In many circumstances, nonprofits are exempt from these rules. However, even if your organization is not subject to them, they are best practices for telemarketing for any organization.

Social Media
• Does your organization use social media to communicate with members, donors or volunteers?
• Do you mention by name individuals who helped with an event?
• Does permission to have photos taken at an event extend to social media?
• Are there pictures of children taken at a family event?
• Social media is an important way to keep members, donors, and other stakeholders aware of the charity and current events. However, it is important to maintain control of the organization's social reputation and messaging.
• Before posting information about people who interact with your charity, get their permission first, either by posting a sign or by asking individuals to sign a waiver.
• Keep informed about social media trends and adjust your organization's social media strategy as necessary.
• Comply with the terms and policies of the social media sites you use.

Children and Website Data Collection
• If you run a website designed for children, or have a website geared to a general audience but collect information from someone you know is under 13, you must comply with COPPA's requirements.
• The Children's Online Privacy Protection Act (COPPA) gives parents control over what information websites can collect from their children. COPPA puts in place protections and procedures that companies covered by the rule need to follow.

Resource List
• Direct Marketing Association – http://thedma.org/
• Generally Accepted Privacy Principles (GAPP) – http://www.aicpa.org/interestareas/informationtechnology/resources/privacy/generallyacceptedprivacyprinciples/pages/gapp_principlesandcriteria.aspx
• PCI Security Standards Council – https://www.pcisecuritystandards.org/
• PayPal for Nonprofits – https://merchant.paypal.com/cms_content/US/en_US/files/merchant/paypal_nonprofit_faqs.pdf
• SPAM Guidance – http://www.business.ftc.gov/documents/bus61-can-spam-act-compliance-guide-business

Questions?