What your nonprofit needs to know about data and privacy (PowerPoint presentation)

SLIDE 1

Donor and Client Information: What your nonprofit needs to know about data and privacy

2100 Building, Seattle, WA, March 30, 2017

SLIDE 2

Today’s Speakers

  • Jeff Brennan, Jeffrey A Brennan, PLLC
  • Zainab Hussain, Foundry Law Group

SLIDE 3

Donor & Client Information Agenda

This training will focus on privacy and privacy policy development, terms of service, and best practices for nonprofits. Think of this as covering both what you should be doing internally and what you present in your outward-facing front (your website).

  • Section 1 – Privacy Overview
  • Section 2 – Need for a privacy policy
  • Section 3 – Drafting the privacy policy
  • Section 4 – Terms of Service
  • Section 5 – Best Practices
  • Section 6 – Conclusion & Resources

SLIDE 4

Section 1

What is privacy?

SLIDE 5

What is privacy?

  • What does privacy mean?
  • How do you define it?
  • How broad should privacy be?
  • In your home?
  • When you are outside your home?
  • How about when you engage with others?
  • Is it absolute?
SLIDE 6

FIPs to EU GDPR… and everything in between

  • FIPs (1973)
  • US Privacy Act (1974)
  • OECD (1980)
  • EU Data Protection Directive (1995)
  • HIPAA (1996)
  • COPPA (1998)
  • HIPAA Privacy (2003)
  • FIPPs (2008)
  • EU GDPR (2018)

SLIDE 7

Fair Information Practice Principles (FIPPs)

  • Transparency
  • Individual Participation
  • Purpose Specification
  • Data Minimization
  • Use Limitation
  • Data Quality and Integrity
  • Security
  • Accountability and Auditing

SLIDE 8

Transparency

  • Be open about your privacy practices to both your customers and your employees
  • Explain what you collect, why you collect it, and how you use it
  • Make your policies clear and easy to understand

Transparency → Your Privacy Policy

SLIDE 9

Individual Participation

  • Ensure individuals have the ability to opt in / opt out
  • Obtain consent where required and/or possible
  • Provide the ability to access the personal information
  • Allow individuals the ability to correct errors

Individual Participation → Consent

SLIDE 10

Purpose Specification

  • State the underlying authority/rationale for the collection of personal information
  • Be clear
    – why you’re collecting information
    – what you will do with it

Purpose Specification → Notice

SLIDE 11

Data Minimization

  • Don’t collect more personal information than you need
  • Don’t keep it longer than necessary to meet your needs
  • Be aware of conflicting legal and business retention periods

SLIDE 12

Use Limitation

  • Limit the use of personal information to the purpose stated in the notice
  • Respect the consent provided by individuals as to how their information is to be used
  • Limit sharing to “compatible” purposes
  • If your proposed use changes, you may need to provide new notice and/or obtain new consent

SLIDE 13

Data Quality and Integrity

  • Ensure personal information is complete, accurate, and up to date to the extent necessary for your intended purposes
  • Make sure it has not been altered or destroyed in an unauthorized manner
  • Allow individuals the ability to correct errors

SLIDE 14

Security

  • Ensure information is protected from loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure
  • Protect against both external and internal risks
    – Cyber-attacks dominate the news, but most breaches stem from employee mishandling of personal information

SLIDE 15

Accountability and Auditing

  • Provide training to employees and contractors
  • Periodically audit the use of personal information against your stated policies
  • Ensure someone is responsible for privacy in your organization

SLIDE 16

The personal information lifecycle

[Lifecycle diagram; stages shown as a cycle: Collect, Use, Disclose, Retain, Dispose]

SLIDE 17

Section 2

So, do you need (or want) a privacy policy?

SLIDE 18

Special Considerations for Nonprofits

  • Do the same rules apply?
    – State and federal laws & regulations
    – Size and other practicalities
    – Customer expectations & trust
  • Charity Navigator → provides charity star ratings
    – Website privacy policy is part of the scoring methodology
      • Driven by “extreme concern” by donors for information to be kept confidential, e.g., not sold
      • Monitored since 2004 and part of scoring since September 2011

SLIDE 19

Federal Regulations – FTC Section 5

  • Federal Trade Commission Act, Section 5
    – As close to national privacy legislation as we get
    – Prohibits entities from engaging in unfair or deceptive acts in interstate commerce
      • Materially misleading consumers by representation, act or omission
    – Privacy policy concerns – deceptive trade practice
      • Failure to adhere to your own policy
    – Does not apply to nonprofits… but

SLIDE 20

Federal Regulations – COPPA

  • Children’s Online Privacy Protection Act
    – Applies to entities who:
      • Run websites designed for children
      • Run general audience websites but knowingly collect information from children under 13
    – Aim is to put parents in charge… MUST:
      • Post privacy policy
      • Provide parents with direct notice of information policies
      • Receive verifiable parental consent
    – Federal Trade Commission enforced
  • Does it apply to nonprofits?

SLIDE 21

Federal Regulations – CAN-SPAM & TCPA

  • Controlling the Assault of Non-Solicited Pornography And Marketing Act
    – FTC enforces CAN-SPAM
    – Covers “all” commercial electronic mail messages
      • No exemption for nonprofits
  • Telephone Consumer Protection Act
    – FTC and FCC enforce TCPA
    – Covers telemarketing by phone, fax and text messaging
    – Several impacts to nonprofits

SLIDE 22

Other Major Federal Regulations

  • Health Insurance Portability and Accountability Act
    – Covers health insurers and providers
  • Gramm-Leach-Bliley Act
    – Enforced by FTC and a multitude of other federal agencies
    – Applies to financial institutions
  • Fair Credit Reporting Act (FCRA)
    – Protects consumer information (fairness, accuracy and privacy)
    – Applies to consumer reporting agencies
  • Family Educational Rights and Privacy Act (FERPA)
    – Protects privacy of student education records
    – Applies to schools that receive Department of Education funds
  • Genetic Information Nondiscrimination Act (GINA)
    – Protects from discrimination in health insurance and employment
    – Applicable to health insurance companies and companies with more than 15 employees
  • U.S.–EU Privacy Shield
    – Allows participating companies to transfer data across the Atlantic in compliance with U.S. and EU law

SLIDE 23

Other Laws and Regulations

  • State
  • Canada
  • Europe
  • Elsewhere
  • Application
    – Where do you operate?
    – What’s your donor/client base?

SLIDE 24

Charity Navigator Privacy Policy Scoring

  • Charity Navigator Accountability and Transparency scoring weighting
    1. Present and unambiguous regarding sharing and selling donor information
    2. Present with opt-out provision → minus 3 points
    3. Either not present or ambiguous → minus 4 points
  • Nonprofit privacy policy direction
    – National-in-scope nonprofits’ websites generally have privacy policy statements today
    – Personal observation is that a privacy policy is not present in small to medium size nonprofits today
    – Charity Navigator and donors will increasingly put pressure on nonprofits to understand how their data is being protected
    – Opportunity for privacy practitioners to help nonprofits develop and implement a total privacy policy program

SLIDE 25

Section 3

Drafting the Privacy Policy… assuming an externally-focused website

SLIDE 26

What is a privacy policy?

Privacy Policy definition

  – A privacy policy is your nonprofit’s promise to existing and potential donors and clients on how their personal information will be handled. A privacy policy can range from a notice of a few lines on a website to a multipage, highly “legalese” document.
  – A privacy policy should do two things very clearly: build trust and meet legal requirements.

SLIDE 27

Section 3

Drafting the Privacy Policy… assuming an externally-focused website

Before you start to draft… <or why you shouldn’t just copy a privacy policy off of the Internet!>

SLIDE 28

Know what you have

  • What types of data are you collecting?
  • Where are you keeping the data?
  • What are you doing with the data?
  • What do you want to do with the data?
SLIDE 29

Privacy Policy Drafting Goals

  • “Meaningful” transparency
  • Understandability
    – Use plain language
    – Keep it visually simple
    – Consider use of FAQs if needed
  • Ensure you make promises to donors and clients you can keep
  • Goal is to instill trust in the user

SLIDE 30

Example Nonprofit Privacy Policy

  • Double click on the policy to the right
  • Highlight all verbiage
  • Use Ctrl + C or Copy
  • Open a blank Word template
  • Use Ctrl + V or Paste

Last Updated: <DATE>

Thank you for visiting <website url>, a website developed and maintained by <the Nonprofit Org (“NP”)> to support our mission to <insert mission here, which should tie to the stated mission on the website>. NP is committed to protecting the privacy of your personal information. [1] This privacy policy tells you how we use personal information collected at this site or that you provide directly to us through emails, mail, via phone or other means. Please read this privacy policy before using the site or submitting any personal information. By using the site, you are accepting the practices described in this privacy policy. To reflect the changing nature of our operations, this policy may be changed at any time. If we make any material changes, we will prominently post notification of the change to this policy on our website. The latest privacy policy will appear here.

What Information about Me Does NP Collect and Store?

NP adheres to the highest standards of ethical practices in all of our operations and is dedicated to protecting the privacy of all visitors to our website. One of the basic principles we follow is minimizing the amount of information we collect. We ask only for the information we need to provide the service you've requested. [2] As a result, what information we collect and store depends almost entirely on how you choose to make use of our website and our services. Read further to find out more…

Personal Information

We collect and store information that you enter into this website or provide to us via other means. For example, if you apply for membership, make a donation or send an email inquiry, we collect and store some or all of the following information that you provide, such as: name, address, phone number, email address, and the message contents of emails. NP offers you a wide variety of programs and opportunities for direct participation and for providing support (financial or otherwise). The personal information you provide is used by NP to process membership orders, to send donation requests and confirmations, to sign up individuals and groups for events and programs, to rent our facilities, and to provide customer service or respond to general inquiries. [3] We do not sell, rent or share your personal information with anyone without expressly providing notification to you at the time you provide the information. [4]

Notes:

[1] Prior to posting any privacy policy, it should be reviewed by your senior leaders, counsel, and with your Board of Directors (and noted in the minutes too). It’s very important to show a “trail” of the steps NP has taken.
[2] Audit all your forms and requests, get rid of the niceties, and stick to what you need to provide the service.
[3] It needs to be broad to really put everyone on notice of the types of uses of the personal information provided.
[4] Probably the most important statement in the policy, and one whose ongoing accuracy you need to ensure.
SLIDE 31

Introduction or overall purpose

  • Who are you?
  • Who does this policy apply to?
  • What information does it apply to?
  • Why are you collecting the information?
  • What are you going to do with the information?
  • Any other key marketing or legal information?

SLIDE 32

Consent – Quality of consent

  • Explicit
  • Stated (implicit)
  • Additional implicit

SLIDE 33

Cookies and tracking

  • Clearly explain your cookie practice(s)
  • Define tracking and types of tracking
    – Explain what you do and why
    – “Do Not Track” preference

SLIDE 34

Usage of data

  • If your use(s) are not adequately covered in the introduction
    – Explain other uses of data
    – Uses by other entities, subsidiaries and parties
  • Uses required by legal/regulatory schemes

SLIDE 35

User Choices

  • Choices and/or ability to view, change, and/or delete collected information
    – Include only if applicable
    – Detail exceptions
  • Opt-out choices (if applicable)
    – Email (to meet CAN-SPAM Act requirements)
  • Other choices if applicable

SLIDE 36

Limitation notice on hyperlinks and third party websites

  • Disclose
    – Privacy policy does not apply
    – Lack of control
    – Use of third parties to facilitate user interaction, billing for example
  • Note any privacy arrangements in place
  • Good practice: open links and hand-offs in a new tab

SLIDE 37

Security of information

  • Don’t commit more than you can deliver!
  • State the facts
    – Any use of relevant industry standards
    – Any use of third party security vendors
  • State the risks
  • Better to under-commit and over-deliver!

SLIDE 38

Contact information

  • Minimum recommended
    – Email address
    – Mailing address
    – Address title
  • Would not include phone number
  • Do respond to every inquiry
    – Test email address frequently

SLIDE 39

Policy Changes and Version

  • Reserve the right to change
  • Recommend use of a date at the beginning or end of the policy
  • Retain all versions, whether material or not

SLIDE 40

Section 4

Terms of Service – What is it, and do you need one?

SLIDE 41

What is it?

  • Terms of Service
  • Terms of Use
  • Terms & Conditions
  • Contract between your organization and the user of your website, app, or other platform
  • Rights, roles, responsibilities, contact information

SLIDE 42

Do You Need Terms? Yes!

  • Common practice
  • Build client and donor confidence by being open and honest about your data practices
  • Shield your organization from easily-avoided disputes – it’s a contract like any other

SLIDE 43

Interaction between the Terms and Privacy Policy

  • Terms
    – Umbrella document (broad)
  • Privacy Policy
    – Housed within Terms (narrow)
    – Example clause: “Your privacy is important to us. Please review our Privacy Policy for information about the data we may collect and use. Our Privacy Policy is incorporated in these Terms, and is available at www.organization.org/privacy.”
    – Hyperlinked, posted separately
  • Some issues
    – Copy-paste relevancy, accuracy

SLIDE 44

Interaction between the Terms and Privacy Policy

SLIDE 45

Main Elements: Who?

  • Who are the parties to these Terms?
    – Parents or legal guardians represent minors
    – Third party service providers (e.g. payment processors, business analytics)
  • Who is responsible for X, and who is responsible for Y?
    – User responsible for reading, acknowledging and accepting the terms. Continued use = acceptance
    – Does your organization inform users when the Terms are updated? How?

SLIDE 46

Main Elements: What?

  • The heart of the Terms
  • What are the terms, conditions, rights, duties, privileges, licenses, and permissions your organization wants to offer users?
    – “Subject to your compliance with these Terms, Organization grants you a limited, non-exclusive, non-transferable, non-sublicenseable license to access and view our content (“Organization Content”) solely in connection with your permitted use of the Services.”
    – “We encourage you to participate in our community (when available), but ask that you respect other Users just like yourself when posting Content to, and otherwise using, the Services. You agree NOT to:…”

SLIDE 47

Main Elements: Where?

  • Where can users reach your Terms?
    – Place the link conspicuously; usually on the bottom banner of a website
  • Where can users reach your organization?
    – Designated emails: support@organization.com; feedback@organization; legal@organization.com
    – Mailing address (to send notices, donations)
    – Physical address – depends on the organization (a museum is likely to want to give out its physical location; a small back office might not want to go public)
SLIDE 48

Main Elements: When?

  • When can users terminate their accounts?
  • By when can users expect support questions or phone calls to be responded to?
SLIDE 49

Main Elements: Why?

  • Similar to the privacy policy – tell users why you do things a certain way. Create user confidence!
  • Some common “purposes”:
    – “To improve our processes”
    – “To understand the reach of our supporters, and work towards extending that reach”
    – “In order to provide you with accurate accounting statements and receipts of your generous donations”
    – “In order to comply with a Court Order or ongoing law enforcement investigation”

SLIDE 50

Section 5

Best Practices to consider for a nonprofit

SLIDE 51

Physical Security

  • Avoid paper copies
  • Lock drawers, offices
  • Work location
SLIDE 52

Personnel Security

  • Limit access to those who need to know certain information
  • Training – education is ongoing
SLIDE 53

Technological Security, Pt. 1

  • Password Protection
    – Use unique and strong passwords
    – Try to use different passwords for different programs
    – Don’t be like HBGary!

SLIDE 54

Technological Security, Pt. 2

  • Data Anonymization/Encryption
    – Might be too costly to automate for some. Do the best you can
    – Remove as much identifying information as possible from the data you collect
  • Maintain consolidated databases
  • Data retention/destruction policies
    – How long are you going to retain the data for?
    – How will you destroy the data?
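The anonymization and retention advice on this slide, together with the Data Minimization principle on SLIDE 11, comes down to two mechanical steps: keep only the fields a stated purpose needs, and purge records once the retention period has run out. The Python script below is an added example written for this page; it is not code from the presentation or its speakers. The analytics field list, the seven-year retention period, the secret key and the donor records are all constructed assumptions, chosen to show how a small nonprofit could prepare a donor export without handing identifying data to analysts.

```python
"""Added example (not from the slides): minimize, pseudonymize and apply a
retention period to donor records before they leave the system of record."""
import hashlib
import hmac
from datetime import date, timedelta

# Only the fields the analytics purpose actually needs (data minimization and
# use limitation). Name, email, phone and street address are deliberately absent.
ANALYTICS_FIELDS = ("donation_amount", "donation_date", "campaign", "state")

# Assumed retention period; the real value comes from your policy and counsel.
RETENTION_DAYS = 7 * 365

# Assumed secret for the keyed hash. Keep it out of the export and away from the
# analysts; rotating it makes new pseudonyms unlinkable to old exports.
DEMO_SECRET = b"replace-with-a-random-secret-from-your-key-store"

# Constructed sample records; these are not real people.
DONORS = [
    {"name": "Ada Example", "email": "ada@example.org", "phone": "206-555-0100",
     "address": "1 Main St", "state": "WA", "donation_amount": 50,
     "donation_date": "2016-02-01", "campaign": "spring"},
    {"name": "Ada Example", "email": "Ada@Example.org ", "phone": "206-555-0100",
     "address": "1 Main St", "state": "WA", "donation_amount": 25,
     "donation_date": "2017-01-10", "campaign": "year-end"},
    {"name": "Old Record", "email": "old@example.org", "phone": "206-555-0199",
     "address": "9 Elm St", "state": "OR", "donation_amount": 100,
     "donation_date": "2009-01-15", "campaign": "capital"},
]


def pseudonymize(value: str, secret: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of a normalized identifier.

    The same email always maps to the same token, so analysts can still count
    repeat donors, but nobody can reverse the token without the secret. An
    unkeyed hash would not do: email addresses are guessable, so a plain hash
    could be recovered by hashing candidate addresses.
    """
    normalized = value.strip().lower()
    return hmac.new(secret, normalized.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def minimize(record: dict, secret: bytes) -> dict:
    """Whitelist the needed fields and replace the email with a pseudonym."""
    out = {field: record[field] for field in ANALYTICS_FIELDS}
    out["donor_id"] = pseudonymize(record["email"], secret)
    return out


def is_expired(record: dict, today: date, retention_days: int = RETENTION_DAYS) -> bool:
    """True when the record is older than the retention period and must be purged."""
    collected = date.fromisoformat(record["donation_date"])
    return collected + timedelta(days=retention_days) < today


def build_export(records: list, secret: bytes, today: date) -> tuple:
    """Split records into (minimized rows to export, identifiers of rows to purge).

    The purge list carries only the key needed to find and delete the source
    row; nothing that has expired is ever written to the export.
    """
    kept, purge = [], []
    for record in records:
        if is_expired(record, today):
            purge.append(record["email"].strip().lower())
        else:
            kept.append(minimize(record, secret))
    return kept, purge


def demo_export() -> tuple:
    """Run the export as of the training date on the constructed sample records."""
    return build_export(DONORS, DEMO_SECRET, date(2017, 3, 30))


if __name__ == "__main__":
    rows, to_purge = demo_export()
    for row in rows:
        print(row)
    print("purge from source system:", to_purge)
```

Two design points matter here. The field whitelist is positive (name what is allowed) rather than negative (strip known-bad fields), so a new column added to the donor database later does not leak into the export by default. And the purge list is the hook for the "how will you destroy the data?" question: the deletion itself must happen in the source system and any backups, not just in the export.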

SLIDE 55

Technological Security, Pt. 3

  • Devices
    – Laptops
    – Desktops
    – Smartphones
      • Tiny computer
      • Integration of apps
  • Move to the Cloud – you’re probably already in it
    – Spend less time on IT admin, reduce IT costs
    – More flexibility
    – Built-in security

SLIDE 56

  • Questions?
    – zainab@foundrylawgroup.com
    – jeff_brennan@sbcglobal.net
  • Additional resources
    – https://iapp.org/
    – https://www.charitynavigator.org/
    – https://www.charitynavigator.org/index.cfm?bay=content.view&cpid=1093
    – https://wiredimpact.com/blog/nonprofit-privacy-policy/

Thank you!

SLIDE 57

Thank you for your interest and support.

Jodi Nishioka, Executive Director, jodi@wayfindlegal.org