
This Fact Sheet provides details about the important factors for a non-profit to consider in drafting its privacy policy.
Privacy laws protect individuals’ personal information. To comply with privacy law, non-profits that collect personal information, such as names, addresses, and birth dates, must take steps to protect this information.
A best practice for legal compliance is for non-profits to have a privacy policy. A good privacy policy covers how a non-profit will collect, use, disclose, and retain (keep) personal information.
| Collect | Use | Disclose | Retain |
| --- | --- | --- | --- |
| Collect means to gather information. Personal details are gathered in a variety of ways: *Clearly identify possible methods of collection in a privacy policy. | Personal information may only be collected and used for the reason(s) it was collected. If collecting details for a membership contact list, do not use those details for marketing purposes. *Describe the purpose for collecting and using personal information in a privacy policy. | Disclose means to make personal details available to another person or organization. Non-profits must not disclose personal details, without consent, for purposes other than those for which they were collected. *List the circumstances where personal information may be disclosed in a privacy policy. | Retain means to keep/store. *Include rules in a privacy policy for how personal details are kept and for how long. |
A privacy policy should clearly state that it applies to all of the non-profit’s directors/board members, workers (employees and contractors), volunteers, and the people it serves.
Non-profits should provide training on their privacy policy to their staff, directors/board members, and other volunteers. Training means teaching people about the rules. From a privacy perspective, training means ensuring people are aware of and understand their obligations under the policy.