By now, everyone is aware that healthcare organizations operate under HIPAA rules that govern the privacy of patients. Similar government regulations and rules are in effect for financial, human services, and educational institutions to guard the privacy of their clients, employees, and students.
Nonprofits also have an obligation to extend privacy to their members, donors, clients, and volunteers.
The first rule is to err on the side of preserving privacy. You should get permission from every individual whose name appears in your printed or online materials, including your newsletter, press releases, or website. For example, a signed thank-you note from a beneficiary of the nonprofit is not permission to use the thank-you online with the person’s full name and contact information. Participation by a volunteer in an event is not permission to include that volunteer’s name in a photo of the event. Finally, if someone contacts your organization for help through your website, that is not permission to use their name as an example of the type of help you provide. You must ask.
Anyone who connects with your nonprofit through your Facebook page should be aware that their information will be available for other people to see—that’s the nature of social media—but that doesn’t authorize you to use their name and information in other contexts.
You may be storing private information electronically, in paper files, or both. File cabinets should be secured. There should be limits on which individuals can access personal information, such as donor contact information and the amount donated. When staff changeovers occur, passwords should also be changed.