
Building trust through data privacy protection

Building trust is a critical component of nonprofit work. We build trust with our communities and stakeholders by delivering effective programs, producing data to demonstrate outcomes, and ensuring that our advocacy efforts follow the values articulated by our mission and vision statements. But what if I told you (Morpheus voice) that protecting people’s personal information is another way that you can build trust with your community, AND it doesn’t have to be a super technical process? Mind-blowing, right?

In this article, we’ll cover:

  • The types of data nonprofits must protect
  • Low and no-tech tips for protecting data privacy at your organization
  • The role of transparency in building trust through data protection

What data needs protecting?

When an individual decides to share their personal information with a nonprofit – whether through becoming a donor, filling out a feedback form, or signing up for an event – they are trusting that the organization is going to do as much as it can to protect their information from those with bad intentions. Therefore, nonprofits have a responsibility to secure what’s known as personally identifiable information (PII).

The Department of Labor defines PII as:

“Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means. Further, PII is defined as information:
  • that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email addresses.) or
  • by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification. (These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors).
Additionally, information permitting the physical or online contacting of a specific individual is the same as personally identifiable information. This information can be maintained in either paper, electronic or other media.”

What’s important to note about this definition is that PII is not just about names and phone numbers. Demographic information, like race, ethnicity, gender identity, and even data points like IP addresses all count as PII. So what can you do to start protecting all of this sensitive information?

Low and no-tech tips for protecting PII

Tip #1: Review your nonprofit’s data privacy policy

If your nonprofit has a website, you likely already have a data privacy policy. A data privacy policy lets people know what information your nonprofit collects on its website, how it uses the data, reasons for collecting data, and any policies regarding sharing information with third parties. Privacy policies can serve as excellent guides for planning program evaluations, assessments, and other data-driven projects. Review the privacy policy to ensure your practices align with your organization’s expectations as you develop your plans for collecting, storing, and analyzing data.

Tip #2: Limit who has access to your nonprofit’s data

For nonprofits big and small, it’s likely that most staff members only need access to some data to do their jobs. For instance, if your child literacy team is evaluating one of its programs, the finance department probably doesn’t need access to their confidential interview data. If you don't know who needs access to what, sit with your staff and talk about what data they need and don’t need to fulfill their job responsibilities. Once you have a clear understanding of what everyone needs, you can:

  • Create a data access manual that details the types of data each staff member needs to see to do their job properly
  • Manage who has access to what by setting database permissions appropriately.

If you’re unsure how to set permissions, contact your data software provider for guidance. YouTube is also a great resource for how-to problems like this.

PS: If you want to dazzle your friends and colleagues, you can tell them that this practice is based on the principle of least privilege, or POLP. POLP, a fun acronym to say, helps reduce the likelihood that malware will get access to the information it is trying to steal. If malware infects a staff member’s computer but that staffer only has limited database access, the malware can't access most of the data it is trying to steal. POLP also helps ensure that employees don’t accidentally make any significant changes to data systems that could be potentially damaging, like when you press the wrong button and your Excel spreadsheet loses its mind for some reason.

(*jazz hands, razzle-dazzles away*)

Tip #3: If you don’t need it, don’t collect it

Another way to protect PII is to avoid collecting it at all. It's one of many reasons why it is so vital to establish clear goals and objectives for any data-related project that you’re doing. For instance, if your organization sends out a survey to learn what participants thought about a new financial education program, is it really necessary to collect names? Can you answer your big questions without collecting phone numbers or dates of birth? In most cases, probably not.

This isn’t to say that you should never collect PII; there are many times when this information is critical to the learning and evaluation process. However, in the interest of protecting privacy, be intentional about what data you really need to achieve your project goals.

Tip #4: Be transparent about your practices

Clearly and repeatedly communicating your privacy practices will help you build trust with your stakeholders. Whenever you ask project participants to share information with you, inform them of the data you're collecting, how you’re using it, and the steps you are taking to protect it from prying eyes. You can share this information via:

  • Outreach communications, like emails, flyers, and social media posts
  • Consent forms (written or online)
  • Data collection tools (e.g., the introduction to an online survey)

Also, don’t forget to include a link to your nonprofit's privacy policy and a contact person who can answer any questions about data protections.

Interested in a quick data management check? Be sure to fill out the free Data Audit Checklist to get personalized recommendations for your nonprofit today!

This article is not legal advice. Please consult your general counsel for guidance regarding data privacy laws that apply to your organization.
