By the NRMC Team
The meaning of “personal privacy” has changed over time. Activities that would have been considered an invasion of privacy a decade ago have become routine and acceptable to many in 21st-century society. For instance, a social security number, which originally was to be used for one purpose, is now used as an identifying code on many driver’s licenses and other documents. Until very recently, keeping a customer’s credit card number on file, photographing a car as it proceeds through a tollbooth or intersection, or creating an electronic signature that can be copied and pasted into other documents would have been considered by many Americans to represent unnecessary and inappropriate invasions of personal privacy.
However, Americans are finding that if they want to conduct business, they must acquiesce more and more to never-before-imaginable invasions of personal privacy. But passivity isn’t the American way: there is growing concern among employees and consumers alike that our society has gone too far in permitting invasions of once-sacred privacy for commercial efficiency, marketing, reducing actions of scofflaws or other reasons.
And then we have the Internet, possibly the greatest single assault on private information. No longer does the expression “On the Internet, nobody knows you’re a dog” apply. The anonymity one once enjoyed when traveling the information superhighway was fleeting. Internet travelers are increasingly identifiable. With the growing use of forced logons that require providing personal information before you can enter a site; spyware that comes along for the ride, unbeknownst to you, when you download a desired software program and forevermore tracks your use of the Internet; and “cookies” that automatically identify you when you log on to a Web site, computer users are becoming increasingly accustomed to unprecedented intrusions into their personal lives.
Despite these concerns, there remains no comprehensive federal law addressing privacy. Isolated attempts at legislating the issue have resulted in protecting one segment of the population: The Children’s Online Privacy Protection Act, which requires parental consent before identifying information (i.e., full name, home address, e-mail address, and telephone number) can be obtained from children who are under 13 years of age. Across the country, some 465 privacy-related bills have been introduced in 46 state legislatures, but none have become law.
Balancing the needs and rights of your nonprofit against its employees and its clients can be tricky. Creating use policies, educating people on their existence and chastising those who break the policy go a long way towards providing necessary protection.
Have you completed a detailed privacy risk assessment as part of your nonprofit’s risk management strategy? Do you know what kinds of personal information your nonprofit collects, keeps and uses? Do you know how much of that material is gathered via the Internet or stored on computer? Do you know which of that personal information your nonprofit discloses intentionally or unintentionally? How secure is that information from external hacking, internal sabotage, and generally from those not in a need-to-know position within your nonprofit?
A privacy policy statement posted on your Web site can help solidify service-recipient relationships. If the user of your Web site knows that the organization’s policy is to safeguard personal information and let the site user determine what information to provide, what gets collected and how it is used, they will feel more confident in providing information about themselves to you. Of course, you have to honor your policy or trust will be broken. Thus, you need to put procedures in place that back up your Internet privacy policy.
An important component of a nonprofit’s policy governing the use of computer equipment is a provision that seeks to dispel any notion or expectation of privacy with respect to use of the nonprofit’s systems and equipment. According to a recent survey undertaken by the American Management Association, 78 percent of U.S. companies monitor employee phone calls, e-mails, Internet access, or computer files. Among 1,600 midsize to large companies responding to the survey, 63 percent reported monitoring Internet use, while 47 percent reported storing and reviewing e-mails. While nonprofits may be less likely to monitor equipment and system use by employees, the growing awareness about the risks associated with such use is likely to increase monitoring in the years ahead.
Protecting client privacy is an important consideration for every nonprofit. Whether the organization provides emergency shelter for victims of domestic abuse, matches mentees and mentors, or places children in adoptive or foster families, every nonprofit should take reasonable measures to safeguard personal information about clients.
The availability of computer systems has resulted in tremendous improvements in case management. Client information previously maintained in worn file folders can be tracked in a database and readily retrieved by those with a “need to know.” A push-pull relationship exists between the need to protect client privacy and the desire to use state-of-the-art technology to enhance efficiency and program management. We must accept that a slight loss of efficiency comes with the need to adequately protect client privacy. By the same token, no system can be completely secure from breaches of privacy and still be functional. Striking the appropriate balance for your organization requires a thorough review of your programmatic needs and technological capabilities.
This article was adapted from Full Speed Ahead: Managing Technology Risk in the Nonprofit World, published by the Nonprofit Risk Management Center. To speak with a staff member of the Center about any of the topics covered in this article, call (202) 785-3891.