Law For Non-Profits is a simple and low-barrier digital platform offered by the Pacific Legal Education and Outreach Society. It’s designed to help non-profit leaders understand their legal obligations and compliance. This tool was created for non-profits working in BC, however, all other provinces in Canada will have similar laws with different names.
Utilizing a database for your audience can be a powerful tool for achieving your non-profit’s mission. Information on your most important patrons and donors is extremely valuable for marketing and fundraising efforts. It does, however, hold you legally responsible for protecting the data and a breach could have major consequences for your reputation.
Fear not, we’re here to help you get proactive on your potential privacy issues. We’ve created a list of the top tips to avoid privacy pitfalls.
Designate someone to be responsible for personal information held by the organization
A dedicated privacy officer on your team is the first point of contact for any issues that arise. This includes conducting privacy audits to make sure your policy is upheld, implementing training for your team, responding to requests for personal information held, and working with an Information and Privacy Commissioner in the event of an investigation.
Password protect digital data
If your organization stores data digitally, keep it password protected to ensure it isn’t misused beyond what is outlined in your policy. Monitor who has passwords, update passwords at regular intervals or when there is a change on your team, and create user-specific accounts.
Don’t collect personal info you don’t need
Don’t collect data that doesn’t help your organization serve its purpose e.g. birth date, SIN number etc.
Don’t keep what you don’t need
Avoid being responsible for certain data by deleting it after use such as credit card numbers. Will it really improve your efforts if a patron or donor doesn’t have to punch in their card number each time?
Keep documents with info secure
Store files in a secure location with limited access. The more sensitive the information, the more securely it should be stored.
Only share data with consent
You may legally be able to share a person’s data, but only if they have provided you with consent.
Review IT security regularly
Concerns with IT security should be taken seriously. Digital threats with hacking and ransomware do exist and you are still responsible for the data. Consult an IT security specialist if you’re unsure what best practices should be followed.
Have a ‘records retention’ policy
A retention policy sets the standard for the length of time your organization holds on to data. If old data is no longer needed, reduce your risk by getting rid of it.
Train staff regularly on privacy issues and processes