The sixth tenet of the Donor’s Bill of Rights:
“…to be assured that information
about their donation is handled with
respect and with confidentiality
to the extent provided by law.”
(other tenets here…)
Safeguarding a donor’s private information should be a no-brainer for nonprofits, and yet the news is brimming with stories of charities that have blown it big time. A case in point: a couple of years ago the Australian Red Cross suffered a data breach that left the records of 550,000 blood donors exposed to the public. More recently, Kars4Kids found that nearly 22,000 of its donor records were exposed, including email addresses, home addresses, phone numbers, and other private information. In the former case, a third-party contractor was given broader access to the donor database than the job required and unintentionally left a copy of the data where it could be reached from the public internet; in the latter case the database configuration itself was the culprit, leaving the records reachable from the internet.
Regardless of the cause, a failure to treat donors with respect and safeguard their information can be disastrous to the relationship. All philanthropy is based on trust, and once the trust is gone there is nothing left. Safeguarding donor information is not just the law; it is vital to the success of the organization. Here are four seemingly common-sense steps that all too many nonprofits fail to take.
Develop Specific Data Handling Policies
Never underestimate the power of a well-written data handling policy. The aim of such a policy should be clarity—clarity about how a donor’s information is used, stored, and shared, and how all of this gets communicated back to the donor. Under the sixth tenet of the Donor’s Bill of Rights, people have the right to know how their information will be used and stored, and they have the right to opt out of having their information shared with a third party except where required by law. A written policy forces an organization to think through these issues in advance, and it gives donors concrete assurance that the organization intends to safeguard their information.
Lock Down the Database
In the Kars4Kids case, the database was not configured properly, and that misconfiguration alone was enough to expose the records; no clever attack was needed. Work with the vendor of your database, or your internal technology personnel if you use a homegrown solution, to check the security of the system: at a minimum, confirm that the database is not reachable from the public internet, that every account must authenticate, and that connections to it are encrypted. If you are responsible for installing updates, be sure to do so right away when an update becomes available, as updates often close a security loophole. Additionally, it is not a bad idea to set up a regular security audit of the system in collaboration with your technical support professionals. An audit once a year is a wise minimum, but depending on your circumstances every six months or quarterly might be necessary. Whatever you do, the point is to be deliberate and intentional about maintaining the security of the system.
Beyond that, review the various roles of your team members, and determine who needs access to what. As a general rule, people should only have access to the features they need to do their jobs and nothing beyond that. It is not a matter of trust; rather, it is a matter of shrinking the footprint of access. If, say, twelve members of the team all have full administrative access, that is twelve opportunities for something to go horribly wrong, and twelve sets of credentials that a phishing email could turn into full control of the database. Restricting levels of access is a key step in safeguarding data.
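The two paragraphs above, the misconfiguration behind the Kars4Kids exposure and the review of who holds administrative access, both lend themselves to a concrete check. The script below is an added example, not code from the original post or from any organization mentioned in it. The post does not say which database product was involved, so the PostgreSQL configuration formats (postgresql.conf and pg_hba.conf) are an assumption, and the configuration fragments and role lists it audits are constructed for illustration. It shows the weak settings beside their corrected form: a server listening on every interface with TLS off and a "trust" rule open to the whole internet, versus one bound to an internal address, requiring scram-sha-256 over TLS from a known network, with two administrators instead of twelve.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample inputs (hypothetical, not real deployments).
WEAK_POSTGRESQL_CONF = """
listen_addresses = '*'      # every interface, including the public one
ssl = off
"""
WEAK_PG_HBA = """
# TYPE  DATABASE  USER  ADDRESS     METHOD
local   all       all               peer
host    all       all   0.0.0.0/0   trust
"""
HARDENED_POSTGRESQL_CONF = """
listen_addresses = '10.0.1.5'   # internal address only
ssl = on
"""
HARDENED_PG_HBA = """
local      all       all                 peer
hostssl    all       all   10.0.1.0/24   scram-sha-256
"""
# (role name, is_superuser): twelve full administrators versus two.
WEAK_ROLES = [(f"staff{i:02d}", True) for i in range(12)]
HARDENED_ROLES = [("dba", True), ("backup_admin", True)] + [
    (f"staff{i:02d}", False) for i in range(10)]

WORLD_OPEN_LISTEN = {"*", "0.0.0.0", "::"}
NO_OR_CLEARTEXT_AUTH = {"trust", "password"}   # no check at all / cleartext password


def parse_conf(text: str) -> Dict[str, str]:
    """Parse postgresql.conf-style `key = value` lines, dropping comments and quotes."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf[key] = value.strip("'\"")
    return conf


def parse_hba(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse pg_hba.conf rules; any options after the METHOD field are ignored."""
    rules: List[Dict[str, Optional[str]]] = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        conn_type, database, user = fields[0], fields[1], fields[2]
        if conn_type == "local":          # Unix-socket rule: no ADDRESS column
            rules.append({"type": conn_type, "database": database, "user": user,
                          "address": None, "method": fields[3]})
            continue
        address, rest = fields[3], fields[4:]
        if len(rest) >= 2 and rest[0][:1].isdigit():   # "ADDRESS NETMASK METHOD" form
            address, rest = f"{address}/{rest[0]}", rest[1:]
        rules.append({"type": conn_type, "database": database, "user": user,
                      "address": address, "method": rest[0]})
    return rules


def covers_everyone(address: Optional[str]) -> bool:
    """True if an ADDRESS field admits every client on the internet."""
    if address is None:
        return False
    if address == "all":
        return True
    try:
        return ipaddress.ip_network(address, strict=False).prefixlen == 0
    except ValueError:                    # hostname, samehost, samenet, ...
        return False


def audit_deployment(conf_text: str, hba_text: str,
                     roles: List[Tuple[str, bool]], max_admins: int = 2) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    conf = parse_conf(conf_text)
    if conf.get("listen_addresses", "localhost") in WORLD_OPEN_LISTEN:
        findings.append("listen_addresses accepts connections on every interface")
    if conf.get("ssl", "off").lower() != "on":
        findings.append("ssl is off: credentials and donor records cross the network in the clear")
    for rule in parse_hba(hba_text):
        where = " ".join(v for v in (rule["type"], rule["database"],
                                     rule["user"], rule["address"]) if v)
        if rule["method"] in NO_OR_CLEARTEXT_AUTH:
            findings.append(f"rule '{where}' uses method {rule['method']}; use scram-sha-256")
        if covers_everyone(rule["address"]):
            findings.append(f"rule '{where}' admits any source address; restrict it to known networks")
    admins = [name for name, is_super in roles if is_super]
    if len(admins) > max_admins:
        findings.append(f"{len(admins)} superuser roles (limit {max_admins}): "
                        "each one is a separate way for something to go wrong")
    return findings


if __name__ == "__main__":
    print("weak:", *audit_deployment(WEAK_POSTGRESQL_CONF, WEAK_PG_HBA, WEAK_ROLES), sep="\n  ")
    print("hardened:", *audit_deployment(HARDENED_POSTGRESQL_CONF, HARDENED_PG_HBA, HARDENED_ROLES), sep="\n  ")
```

Run as-is, the weak deployment produces five findings and the hardened one none. In a real audit the role list would come from the database rather than a literal, for example `SELECT rolname, rolsuper FROM pg_roles;` on PostgreSQL, and the two configuration files would be read from the server; the checks themselves stay the same, and the admin limit is a policy decision to agree on with your technical staff rather than a fixed number.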
Be Careful What Goes in Call Reports
In many jurisdictions donors have a legal right to view the personal information you hold about them in your system, and the extent of that right varies by law. They have the right to know what information is being kept and how it is being used. With that in mind, be very careful about what gets recorded in call reports. If you would not be comfortable having the donor read what you write, it probably should not be a part of the record.
Acknowledge the Spouse!
I admit to being burned by this one. While many couples keep separate bank accounts, decisions about where, when, and how much to give are more often than not made jointly, and the financial impact of the gift is felt by both. Unless there is a good reason not to include the spouse in a note of thanks, make sure they receive appropriate recognition.
A recent gaffe in this area occurred in the media when the Stephen and Tabitha King Foundation made a $1.25 million gift to a genealogical society. The initial press releases mentioned only Stephen King, omitting all mention of Tabitha. Then it got worse when news outlets started talking about “Stephen King and his wife” as though she didn’t have a name! After some internet uproar, and numerous corrections, Tabitha King was finally credited with making the gift together with her husband.
Now, your organization cannot control how the media covers a story like this, but more often than not, reporters will take their cue from whatever press release you put out. It is vital, therefore, that any communications with the press get the story right to begin with. That is, assuming the donor wants public recognition in the first place.
The key to all of this is remembering that you have a relationship with a real, live, flesh-and-blood person who deserves respect and security. While this might seem like common sense, the above examples show that, unfortunately, common sense is not as common as it used to be.
Question: What are the ways your organization uses to safeguard donor information? Leave a reply below.
*See more Donor Bill of Rights-related posts here...