Donor and Client Information: What your nonprofit needs to know about data and privacy
2100 Building, Seattle, WA
March 30, 2017
Today’s Speakers
• Jeff Brennan, Jeffrey A. Brennan, PLLC
• Zainab Hussain, Foundry Law Group
Donor & Client Information – Agenda
This training will focus on privacy and privacy policy development, terms of service, and best practices for nonprofits. Think of this as covering both what you should be doing internally and what you present on your outward-facing front (your website).
• Section 1 – Privacy Overview
• Section 2 – Need for a privacy policy
• Section 3 – Drafting the privacy policy
• Section 4 – Terms of Service
• Section 5 – Best Practices
• Section 6 – Conclusion
• Resources
Section 1 – What is privacy?
What is privacy?
What does privacy mean? How do you define it? How broad should privacy be?
• In your home?
• When you are outside your home?
• How about when you engage with others?
Is it absolute?
FIPs to EU GDPR… and everything in between
A timeline of privacy frameworks and laws:
• FIPs (1973)
• US Privacy Act (1974)
• OECD Privacy Guidelines (1980)
• EU Data Protection Directive (1995)
• HIPAA (1996)
• COPPA (1998)
• HIPAA Privacy Rule (2003)
• FIPPS (2008)
• EU GDPR (2018)
Fair Information Practice Principles (FIPPs)
• Transparency
• Individual Participation
• Purpose Specification
• Data Minimization
• Use Limitation
• Data Quality and Integrity
• Security
• Accountability and Auditing
Transparency
• Be open about your privacy practices to both your customers and your employees
• Explain what you collect, why you collect it, and how you use it
• Make your policies clear and easy to understand
(Diagram: Transparency → Your Privacy Policy)
Individual Participation
• Ensure individuals have the ability to opt in / opt out
• Obtain consent where required and/or possible
• Provide the ability to access the personal information
• Allow individuals the ability to correct errors
(Diagram: Individual Participation → Consent)
Purpose Specification
• State the underlying authority/rationale for the collection of personal information
• Be clear:
  – why you’re collecting information
  – what you will do with it
(Diagram: Purpose Specification → Notice)
Data Minimization
• Don’t collect more personal information than you need
• Don’t keep it longer than necessary to meet your needs
• Be aware of conflicting legal and business retention periods
Use Limitation
• Limit the use of personal information to the purpose stated in the notice
• Respect the consent provided by individuals as to how their information is to be used
• Limit sharing to “compatible” purposes
• If your proposed use changes, you may need to provide new notice and/or obtain new consent
Data Quality and Integrity
• Ensure personal information is complete, accurate, and up to date to the extent necessary for your intended purposes
• Make sure it has not been altered or destroyed in an unauthorized manner
• Allow individuals the ability to correct errors
Security
• Ensure information is protected from loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure
• Protect against both external and internal risks
  – Cyber-attacks dominate the news, but most breaches stem from employee mishandling of personal information
Accountability and Auditing
• Provide training to employees and contractors
• Periodically audit the use of personal information against your stated policies
• Ensure someone is responsible for privacy in your organization
The personal information lifecycle
(Diagram: Collect → Use → Disclose → Retain → Dispose)
Section 2 – So, do you need (or want) a privacy policy?
Special Considerations for Nonprofits
• Do the same rules apply?
  – State and federal laws & regulations
  – Size and other practicalities
  – Customer expectations & trust
• Charity Navigator provides charity star ratings
  – Website privacy policy is part of the scoring methodology
    • Driven by “extreme concern” by donors for information to be kept confidential; e.g., not sold
    • Monitored since 2004 and part of scoring since September 2011
Federal Regulations – FTC Section 5
• Federal Trade Commission Act, Section 5
  – As close to national privacy legislation as we get
  – Prohibits entities from engaging in unfair or deceptive acts in interstate commerce
    • Materially misleading consumers by representation, act, or omission
  – Privacy policy concerns – deceptive trade practice
    • Failure to adhere to your own policy
  – Does not apply to nonprofits… but
Federal Regulations – COPPA
• Children’s Online Privacy Protection Act
  – Applies to entities who:
    • Run websites designed for children
    • Run general-audience websites but knowingly collect information from children under 13
  – Aim is to put parents in charge… covered entities MUST:
    • Post a privacy policy
    • Provide parents with direct notice of information policies
    • Receive verifiable parental consent
  – Enforced by the Federal Trade Commission
• Does it apply to nonprofits?
Federal Regulations – CAN-SPAM & TCPA
• Controlling the Assault of Non-Solicited Pornography And Marketing Act
  – FTC enforces CAN-SPAM
  – Covers “all” commercial electronic mail messages
    • No exemption for nonprofits
• Telephone Consumer Protection Act
  – FTC and FCC enforce TCPA
  – Covers telemarketing by phone, fax, and text messaging
  – Several impacts to nonprofits
Other Major Federal Regulations
• Health Insurance Portability and Accountability Act (HIPAA)
  – Covers health insurers and providers
• Gramm-Leach-Bliley Act
  – Enforced by FTC and a multitude of other federal agencies
  – Applies to financial institutions
• Fair Credit Reporting Act (FCRA)
  – Protects consumer information (fairness, accuracy, and privacy)
  – Applies to consumer reporting agencies
• Family Educational Rights and Privacy Act (FERPA)
  – Protects the privacy of student education records
  – Applies to schools that receive Department of Education funds
• Genetic Information Nondiscrimination Act (GINA)
  – Protects against discrimination in health insurance and employment
  – Applicable to health insurance companies and companies with >15 employees
• U.S.–EU Privacy Shield
  – Allows participating companies to transfer data across the Atlantic in compliance with U.S. and EU law
Other Laws and Regulations
• State
• Canada
• Europe
• Elsewhere
• Application
  – Where do you operate?
  – What’s your donor/client base?
Charity Navigator Privacy Policy Scoring
• Charity Navigator Accountability and Transparency scoring weighting for the donor privacy policy:
  1. Present and unambiguous regarding sharing and selling donor information – no deduction
  2. Present with opt-out provision – minus 3 points
  3. Either not present or ambiguous – minus 4 points
• Nonprofit privacy policy direction
  – National-in-scope nonprofits’ websites generally have privacy policy statements today
  – Personal observation: a privacy policy is not present in small to medium-size nonprofits today
  – Charity Navigator and donors will increasingly put pressure on nonprofits to understand how their data is being protected
  – Opportunity for privacy practitioners to help nonprofits develop and implement a total privacy policy program
Section 3 – Drafting the Privacy Policy… assuming an externally-focused website
What is a privacy policy?
• Privacy Policy definition
  – A privacy policy is your nonprofit’s promise to existing and potential donors and clients about how their personal information will be handled. A privacy policy can be anything from a simple few-line notice on a website to a multipage, highly “legalese” document.
  – A privacy policy should do two things very clearly: build trust and meet legal requirements.
Section 3 – Drafting the Privacy Policy… assuming an externally-focused website
Before you start to draft… (or why you shouldn’t just copy a privacy policy off of the Internet!)
Know what you have
• What types of data are you collecting?
• Where are you keeping the data?
• What are you doing with the data?
• What do you want to do with the data?
Privacy Policy Drafting Goals
• “Meaningful” transparency
• Understandability
  – Use plain language
  – Keep it visually simple
  – Consider use of FAQs if needed
• Make only promises to donors and clients that you can keep
• Goal is to instill trust in the user
Recommend
More recommend