
Charity & Volunteer Organizations


Presentation Transcript


  1. Charity & Volunteer Organizations: Privacy Considerations

  2. Introduction
  • Charitable organizations typically collect, use and store personal information that relates to their members, donors, employees, business associates, and the constituents whom they serve. This information is used to support core organizational functions such as verifying eligibility for membership, processing donations, conducting event registration, distributing information about programs and initiatives, providing proof of participation in activities, etc.
  • The extensive, and in some cases sensitive, personal information processed by charitable organizations, combined with the requirements imposed by privacy laws, can present privacy risk and requires organizations to develop controls to mitigate potential exposure.

  3. Introduction, continued
  • Although some privacy laws do not apply to (or include exceptions for) non-profit organizations, organizations should still be concerned about protecting their reputation and the personal information of their members, supporters and constituents.

  4. Privacy Accountability
  • Do you have documented policies and procedures for handling personal information?
  • Factors to consider when developing policies and procedures include:
    • sensitivity of the information
    • amount of information
    • extent of distribution
    • format of the information (electronic, paper, etc.), and
    • type of storage.

  5. Privacy Policy Core Components
  • Notice - Describe the purpose and nature of processing activities
  • Choice and Consent - Acquire permission before using individuals' personal information for purposes other than those for which it was originally collected
  • Minimization - Limit the collection and use of personal information to that which is relevant and necessary
  • Data Accuracy - Endeavor to ensure that personal information is current, and establish procedures that permit individuals to correct their personal information if it is inaccurate

  6. Privacy Policy Core Components, continued
  • Vendors or Service Providers - Ensure that vendors and service providers are contractually bound to protect any personal information they may process on behalf of your organization
  • Retention - Do not retain information longer than necessary. Dispose of personal information in a secure manner
  • Security - Maintain appropriate administrative, physical, and technical controls to protect personal information

  7. Training
  • Privacy and security training should be regular, repeatable and timely. In addition to general privacy and security training, employees should be trained on the following issues.
  • How do I respond to member, donor and other public inquiries regarding our organization's privacy policies?
    • Do you point them to your website, is it included on a volunteer form they filled out, or is it a public document that can be mailed or emailed to them?
  • What is consent? When and how do we acquire it?
    • Consent: Permission by the subject of the information to use it.
    • How do we acquire permission for activities such as publication of financial donors, pictures, volunteer lists, program participants, etc.?

  8. Training, Continued
  • How do I recognize and handle requests for personal information?
    • When someone asks for personal information about volunteers or program participants, what are our protocols to confirm that the person we are speaking with is who they say they are? In other words, how do we authenticate the requester of the information?
  • To whom should I refer complaints about protection of personal information?
    • Who is the primary contact for information handling practices within the organization?

  9. Credit Card Processing and PCI
  • Does your organization accept donations via credit card?
  • If so, you may be responsible for compliance with the Payment Card Industry Data Security Standard.
  • PCI DSS 2.0 is the payment card industry global data security standard that any business of any size must adhere to in order to accept payment cards, and to store, process, and/or transmit cardholder data.

  10. Credit Card Processing and PCI, Continued
  • PCI Security Standards Council
    • https://www.pcisecuritystandards.org/
  • PayPal for Nonprofits
    • https://merchant.paypal.com/cms_content/US/en_US/files/merchant/paypal_nonprofit_faqs.pdf

  11. Access to Personal Information
  • Does your organization restrict access to the personal information it collects and uses?
  • Restrict access to only those who need to know the information for their job.
  • Ensure that personal information stored in computer systems has password-restricted access.
  • Ensure that user IDs and passwords are unique for each user.
  • Ensure that filing cabinets with documents containing personal information are locked when not in use.

  12. Email Campaigns & CAN-SPAM
  • Does your organization acquire mailing lists for fundraising solicitations? If yes, from what sources? Are the lists rented or exchanged, or both? Does the source of the list purge the people who don't want their names released before giving you the list?
  • The CAN-SPAM Act, a law that sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have you stop emailing them, and spells out tough penalties for violations. CAN-SPAM applies to non-profit organizations that send e-mails whose primary purposes are to advertise or promote commercial products or services, even where the non-profit organization's activities are not overtly "commercial" in nature.
  • http://www.business.ftc.gov/documents/bus61-can-spam-act-compliance-guide-business

  13. Telephone and Text Campaigns
  • Does your organization conduct telephone or text message campaigns?
  • There are laws that establish rules for telemarketing as well. These laws also cover some text-message activities. In many circumstances, non-profits are exempt from these rules. However, even if your organization is not subject to these rules, they are best practices for telemarketing for any organization.

  14. Social Media
  • Does your organization use social media to communicate with members, donors or volunteers?
  • Do you mention by name individuals who helped with an event?
  • Does permission to have photos taken at an event extend to social media?
  • Are there pictures of children taken at a family event?

  15. Social Media, Continued
  • Social media is an important way to keep members, donors, and other stakeholders aware of the charity and current events. However, it is important to maintain control of the organization's social reputation and the messaging.
  • Prior to posting information about people who interact with your charity, get permission from them first, either by posting a sign or by asking individuals to sign a waiver.
  • Keep informed about social media trends and make changes to your organization's social media strategy as necessary.
  • Comply with the terms and policies of the social media sites you use.

  16. Children and Website Data Collection
  • If you run a website designed for children, or have a website geared to a general audience but collect information from someone you know is under 13, you must comply with COPPA's requirements.
  • The Children's Online Privacy Protection Act (COPPA) gives parents control over what information websites can collect from their children. COPPA puts protections and procedures in place that companies covered by the rule need to follow.

  17. Resource List
  • Direct Marketing Association
    • http://thedma.org/
  • Generally Accepted Privacy Principles (GAPP)
    • http://www.aicpa.org/interestareas/informationtechnology/resources/privacy/generallyacceptedprivacyprinciples/pages/gapp_principlesandcriteria.aspx
  • PCI Security Standards Council
    • https://www.pcisecuritystandards.org/
  • PayPal for Nonprofits
    • https://merchant.paypal.com/cms_content/US/en_US/files/merchant/paypal_nonprofit_faqs.pdf
  • SPAM Guidance
    • http://www.business.ftc.gov/documents/bus61-can-spam-act-compliance-guide-business

  18. Questions?
