A few years ago, I was responsible for publishing my church's membership directory. We realized at the time that the church did not have a written privacy policy with regard to safeguarding general contact information. Not surprisingly, we didn't have a written privacy policy regarding donor information either. Donor names, addresses, phone numbers, emails, annual giving history, etc. were considered "confidential" and certainly not shared casually with others. However, the written policy covering that information, which has become common practice in industry, was lacking in the church. That is too bad, and it can be embarrassing as well. Every now and then, we read about how customers' private information has been compromised by some reckless company. Typically the news reads something like this:
"Because of Xcompany's actions, hundreds of thousands or even millions of its customers have had their personal financial information compromised, have had their privacy rights violated, have been exposed to the risk of fraud and identity theft, and have otherwise suffered damages," according to sources (or "film at 11:00 PM").
Having a policy doesn't ensure that confidential information is safeguarded, but it's a start. People who have worked with me for a while know that I'm typically reminding my coworkers of the importance of the three "P's" in business: Policy, Procedure and Practice, which need to be aligned in order for an organization to be firing on all cylinders. This means we have to do what we say we are going to do, and we have to do it consistently.
I mention privacy policies because I often find they are one of those industry practices that haven't made it successfully into the church or charity.
Do donors, members and our general email contacts expect charities to protect their personal information? Ya think! Finding out that your church or charity was negligent with your data is like finding your son or daughter going through your purse or wallet. Disappointment quickly turns to frustration and a loss of confidence and support.
Having a written policy is only the first step. Organizations need to take steps to ensure that volunteers and employees are aware of the policy and that they are properly safeguarding the information they need to maintain. Also, organizations need to keep only the information that is absolutely necessary, and they need to limit casual access to the data by volunteers and employees.
One best practice, to respect the privacy of individual contacts and donors, is that contact information and donor names should never be sold or otherwise made available without the prior permission of the donors, except where disclosure is required by law (for example, IRS Form 990 disclosures).
Other best practices include ensuring that computer data is secure and password-protected. Data should be available only to qualified persons, and databases should not be copied to notebook computers, where the data is more likely to be compromised.
If your organization does not have the technical expertise to assess and determine privacy policy and data security, there are a number of independent consultants that have the appropriate expertise. If the task seems large and overwhelming, follow the typical advice given when someone wants to eat an elephant. “Take small bites.”