By now, everyone is aware that healthcare organizations operate under HIPAA rules that govern the privacy of patients. Similar government regulations and rules are in effect for financial, human services, and educational institutions to guard the privacy of their clients, employees, and students.
Nonprofits also have an obligation to extend privacy to their members, donors, clients, and volunteers.
A privacy policy is essential to make sure that all staff members are on the same page. The privacy policy should be available to donors, members and clients, as well as staff. If your nonprofit collects information about children, has international members, asks health-related questions or asks for financial information, you may trigger federal or state laws that govern how or even whether the information can be asked, stored and used.
The first rule is to err on the side of preserving privacy. You should get permission from every individual whose name appears in your printed or online materials, including your newsletter, press releases or website. For example, a signed thank-you note from a beneficiary of the nonprofit is not permission to use the note online with the person’s full name and contact information. Participation by a volunteer in an event is not permission to include that volunteer’s name in a photo of the event. Finally, if someone contacts your organization for help through your website, that is not permission to use their name as an example of the type of help you provide. You must ask.
Anyone who connects with your nonprofit through your Facebook page should be aware that their information will be available for other people to see—that’s the nature of social media—but that doesn’t authorize you to use their name and information in other contexts.
You may be storing private information electronically, in paper files, or both. File cabinets should be secured. There should be limits on the individuals who can access personal information, such as donor contact information and the amount donated. When staff changeovers occur, passwords should also be changed.
If you lack a privacy policy or haven’t reviewed your policy recently, HR Compliance 101 can help you and recommend appropriate resources to ensure that your nonprofit meets its state, federal and moral obligations.