Protecting Privacy – Meld best practices into your policy and procedures
An appreciation for protecting individuals’ privacy has picked up steam in recent years, fueled by public outrage over identity theft and other violations. The protection of an individual’s privacy strikes the core of nonprofits, which collect a significant amount of personal data on clients, donors and other constituents. Safeguarding their privacy starts with the development of a privacy policy and procedures to bring it home.
There’s plenty to keep in mind when developing — or updating — a privacy policy. In addition to mandates from federal agencies, individual states deliver their own rules and regulations. And professional societies and trade organizations provide standards in their respective niches, such as health care and education.
Privacy Bill of Rights calls up online transactions
One of the most recent national developments in privacy protection comes from the White House. The Obama administration drafted the Consumer Privacy Bill of Rights (CPBR) as a blueprint for protecting consumers online in the digital age.
Unveiled last February, the document applies to both nonprofits and for-profit businesses and is meant to improve consumers’ control over how their personal information is used on the Internet. Concurrently, it aims to help businesses maintain consumer trust and grow Internet commerce. It focuses on such “rights” as security, transparency, access and accuracy.
The White House has asked the U.S. Department of Commerce to begin convening companies, private advocates and other stakeholders to develop and implement enforceable privacy policies based on the document. In July, the topic of mobile applications and data processing was the first in a series of meetings, held by the National Telecommunications and Information Administration, designed to enforce the CPBR.
GAPP provides principles
Another authority for nonprofits that are creating — or reevaluating — their privacy policies and procedures is the American Institute of Certified Public Accountants’ Generally Accepted Privacy Principles (GAPP). Revised in 2010, the principles overlap with the CPBR and are organized into 10 areas:
1. Management. The organization defines, documents, communicates and assigns accountability for its privacy policies and procedures.
2. Notice. The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained and disclosed.
3. Choice and consent. The organization describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use and disclosure of personal information.
4. Collection. The entity collects personal information only for the purposes identified in the notice.
5. Use, retention and disposal. The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulation and thereafter appropriately disposes of such information.
6. Access. The organization provides individuals with access to their personal information for review and updating.
7. Disclosure to third parties. The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
8. Security. The organization protects personal information against unauthorized access.
9. Quality. The organization maintains accurate, complete and relevant personal information for the purposes identified in the notice.
10. Monitoring and enforcement. The entity monitors compliance with its privacy policies and procedures and puts in place procedures to address privacy-related complaints and disputes.
Follow-up is crucial
The most important requirements of a privacy policy for your constituents are that it remains current and is fully executed throughout your organization. Consider asking your CPA to review your privacy policy and its implementation procedures. CPAs also can provide guidance using the GAPP Privacy Risk Matrix to help assess privacy-related risks. Additionally, make sure that your board of directors reviews your nonprofit’s privacy policy annually.
Resources for creating a privacy policy
Is your nonprofit creating a privacy policy for the first time, or reviewing the one you already have? If so, you can find useful information on these websites:
WhiteHouse.gov
Information about the Consumer Privacy Bill of Rights can be found here, including a fact sheet. The site also hosts the detailed report, Consumer Data Privacy in a Networked World.
AICPA.org/privacy
The American Institute of Certified Public Accountants’ Privacy Maturity Model provides specifics about establishing and evaluating privacy policies and procedures under Generally Accepted Privacy Principles (GAPP), as well as related articles and a listing of other resources.
HHS.gov
At the U.S. Department of Health and Human Services website, you can find information on the Health Insurance Portability and Accountability Act (HIPAA) that addresses the security and privacy of health data in health care systems under its “administrative simplification” provisions.