Presentation is loading. Please wait.

Presentation is loading. Please wait.

Privacy Considerations Charity & Volunteer Organizations 1.

Published byAriel Anger Modified over 9 years ago

Similar presentations

Presentation on theme: "Privacy Considerations Charity & Volunteer Organizations 1."— Presentation transcript:

1 Privacy Considerations Charity & Volunteer Organizations 1

2 Charitable organizations typically collect, use and store personal information that relates to their members, donors, employees, business associates, and the constituents whom they serve. This information is used to conduct core organizational needs such as verifying eligibility for membership, processing donations, conducting event registration, distributing information about programs/initiatives, providing proof of participation in activities, etc. Extensive, and in some cases sensitive, personal information processed by charitable organizations against the backdrop of the requirements imposed by privacy laws can present privacy risk and require organizations to develop controls to mitigate potential exposure. Introduction

3 Although some privacy laws do not apply to (or include exceptions for) non-profit organizations, organizations should still be concerned about protecting their reputation and the personal information of their members, supporters and constituents. Introduction, continued

4 Do you have documented policies and procedures for handling personal information? Factors to consider when developing policies and procedures include: − sensitivity of the information − amount of information − extent of distribution − format of the information (electronic, paper, etc.), and − type of storage. Privacy Accountability

5 Notice - Describe the purpose and nature of processing activities Choice and Consent – Acquire permission to use personal information of individuals for purposes other than what it was originally collected Minimization- Limit the collection and use of personal information to that which is relevant and necessary Data Accuracy - Endeavor to ensure that personal information is current and establish procedures to permit individuals to correct their personal information if it is inaccurate Privacy Policy Core Components

6 Vendors or Service Providers - Ensure that vendors and service providers are contractually bound to protect any personal information they may process on behalf of your organization Retention - Do not retain information longer than necessary. Dispose of Personal Information in a secure manner Security – Maintain appropriate administrative, physical, and technical controls to protect personal information Privacy Policy Core Components, continued

7 Privacy and security training should be conducted regularly, repeatable and timely. In addition to general privacy and security training, employees should be trained regarding the following issues. How do I respond to member, donor and other public inquiries regarding our organization's privacy policies? Do you point them to your website, is it including on a volunteer form they filled out or is it a public document that can be mailed or emailed to them? What is consent? When and how do we acquire it? Consent: Permission by the subject of the information to use it. How do we acquire permission for activities such as publication of financial donors, pictures, volunteer lists, program participants, etc.? Training

8 How do I recognize and handle requests for personal information? When someone asks for personal information about volunteers or program participants, what are our protocols to confirm that the person we are speaking is who they say they are? In other words, how do we authenticate the requester of the information. To whom should I refer complaints about protection of personal information? Who is the primary contact for information handling practices within the organization? Training, Continued

9 Does your organization accept donations via credit card? -If so, you may be responsible for compliance with the Payment Card Industry Data Security Standard. -PCI DSS 2.0 is the payment card industry global data security standard that any business of any size must adhere to in order to accept payment cards, and to store, process, and/or transmit cardholder data. Credit Card Processing and PCI

10 PCI Security Standards Council -https://www.pcisecuritystandards.org/https://www.pcisecuritystandards.org/ PayPal for Nonprofits -https://merchant.paypal.com/cms_content/US/en_US/files/mercha nt/paypal_nonprofit_faqs.pdfhttps://merchant.paypal.com/cms_content/US/en_US/files/mercha nt/paypal_nonprofit_faqs.pdf Credit Card Processing and PCI, Continued

11 Does your organization restrict access to the personal information it collects and uses? –Restrict access only to those with a need to know the information for their job. –Ensure that personal information that is stored in computer systems have password restricted access. –Ensure that user IDs and passwords are unique for each user. –Ensure filing cabinets with documents containing personal information are locked when not in use. Access to Personal Information

12 Does your organization acquire mailing lists for fundraising solicitations? If yes, from what sources? Are the lists rented or exchanged, or both? Does the source of the list purge the people who don't want their names released before giving you the list? -The CAN-SPAM Act, a law that sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have you stop emailing them, and spells out tough penalties for violations. CAN-SPAM applies to non-profit organizations that send e-mails whose primary purposes are to advertise or promote commercial products or services, even where the non-profit organization's activities are not overtly "commercial" in nature. -http://www.business.ftc.gov/documents/bus61-can-spam-act- compliance-guide-businesshttp://www.business.ftc.gov/documents/bus61-can-spam-act- compliance-guide-business Email Campaigns & CAN-SPAM

13 Does your organization conduct telephone or text message campaigns? -There are laws that establish rules for telemarketing also. These laws also cover some text activities. In many circumstances, non- profits are exempt from these rules. However, even if your organization is not subject to these rules, they are best practices for telemarketing for any organization. Telephone and Text Campaigns

14 Does your organization use social media to communicate with members, donors or volunteers? Do you mention individuals by name that helped with an event? Does permission to have photos taken at an event extend to social media? Are there pictures of children that are taken at a family event? Social Media

15 Social media is an important way to keep members, donors, and other stakeholders aware of the charity and current events. However, it is important to maintain control of the organization’s social reputation and the messaging. Prior to posting information about people who interact with your charity get permission from them first by either posting a sign or asking individuals to sign a waiver. Keep informed about social media trends and make changes to your organization’s social media strategy as necessary. Comply with terms and policies of the social media sites you use. Social Media, Continued

16 If you run a website designed for children or have a website geared to a general audience but collect information from someone you know is under 13, you must comply with COPPA’s requirements. The Children’s Online Privacy Protection Act (COPPA) gives parents control over what information websites can collect from their children. The COPPA puts protections and procedures in place that companies covered by the rule need to follow. Children and Website Data Collection

17 Direct Marketing Association -http://thedma.org/http://thedma.org/ Generally Accepted Privacy Principles (GAPP) -http://www.aicpa.org/interestareas/informationtechnology/resources/priva cy/generallyacceptedprivacyprinciples/pages/gapp_principlesandcriteria.a spxhttp://www.aicpa.org/interestareas/informationtechnology/resources/priva cy/generallyacceptedprivacyprinciples/pages/gapp_principlesandcriteria.a spx PCI Security Standards Council -https://www.pcisecuritystandards.org/https://www.pcisecuritystandards.org/ PayPal for Nonprofits -https://merchant.paypal.com/cms_content/US/en_US/files/merchant/payp al_nonprofit_faqs.pdfhttps://merchant.paypal.com/cms_content/US/en_US/files/merchant/payp al_nonprofit_faqs.pdf SPAM Guidance − http://www.business.ftc.gov/documents/bus61-can-spam-act-compliance- guide-business http://www.business.ftc.gov/documents/bus61-can-spam-act-compliance- guide-business Resource List

18 Questions?

Download ppt "Privacy Considerations Charity & Volunteer Organizations 1."

Similar presentations

A Reliable and Secure Network TM105: ESTABLISHING SANE TECHNOLOGY POLICIES FOR YOUR PROGRAM.

A Reliable and Secure Network TM105: ESTABLISHING SANE TECHNOLOGY POLICIES FOR YOUR PROGRAM.
Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.
Red Flag Rules: What they are? & What you need to do

Red Flag Rules: What they are? & What you need to do
PRIVACY CONSIDERATIONS Privacy for Children Under 13 1 February 2013.

PRIVACY CONSIDERATIONS Privacy for Children Under 13 1 February 2013.
Complying With Payment Card Industry Data Security Standards (PCI DSS)

Complying With Payment Card Industry Data Security Standards (PCI DSS)
Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.

Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.
Copyright Eastern PA EMS Council February 2003 Health Information Portability and Accountability Act It’s the law.

Copyright Eastern PA EMS Council February 2003 Health Information Portability and Accountability Act It’s the law.
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.

The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.
What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,

What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,
PIPA PRESENTATION PERSONAL INFORMATION PROTECTION ACT.

PIPA PRESENTATION PERSONAL INFORMATION PROTECTION ACT.
4.01 Foundational knowledge of promotion

4.01 Foundational knowledge of promotion
Silicon Valley Apps for Kids Meetup Laura D. Berger October 22, 2012 The views expressed herein are those of the speaker, and do not represent the views.

Silicon Valley Apps for Kids Meetup Laura D. Berger October 22, 2012 The views expressed herein are those of the speaker, and do not represent the views.
Data Protection.

Data Protection.
C USTOMER CREDIT CARD AND DEBIT CARD SECURITY (PCI – DSS COMPLIANCE) What is PCI – DSS Compliance and Who needs to do this?

C USTOMER CREDIT CARD AND DEBIT CARD SECURITY (PCI – DSS COMPLIANCE) What is PCI – DSS Compliance and Who needs to do this?
The FTC Do Not Call Registry Training

The FTC Do Not Call Registry Training
1 Goal is protection of sensitive data New Rice policy calls for protection of sensitive personally identifying information Confidential information includes:

1 Goal is protection of sensitive data New Rice policy calls for protection of sensitive personally identifying information Confidential information includes:
Developing a Records & Information Retention & Disposition Program:

Developing a Records & Information Retention & Disposition Program:
DATA SECURITY Social Security Numbers, Credit Card Numbers, Bank Account Numbers, Personal Health Information, Student and/or Staff Personal Information,

DATA SECURITY Social Security Numbers, Credit Card Numbers, Bank Account Numbers, Personal Health Information, Student and/or Staff Personal Information,
CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.

CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.

Similar presentations

Ads by Google