Privacy Recommendations

These sample recommendations are designed to address practices relating to the collection, use and destruction of personal information and can help bring an advancement organization into greater compliance with generally accepted privacy principles and standards.

Personal information has been defined as information about an identifiable individual, but does not include the name, title, or business address or telephone number of an employee of an organization.

These recommendations should be reviewed by your legal counsel if you use them in your own organization.


Recommendation 1

Each office should clarify and document its purposes for collecting personal information.

These purposes should be written into a formal policy that directs staff and should state that personal information may only be collected for documented purposes.

Personal information, particularly sensitive personal information, should only be collected directly from the individual with explicit consent for its use in accordance with documented purposes.

Recommendation 2

Organizations must ensure that purposes are communicated and that consent is obtained at the time of collection.

Consent can be obtained in a variety of ways, depending on the sensitivity of the information. Where information is likely to be considered sensitive, express consent should be sought, while implied consent may be sufficient for less sensitive information.

Advancement policies should discourage the collection of personal information through informal means, such as rumour and word of mouth, unless the information can be confirmed with the individual and consent for its use obtained.

If the information is not sensitive, another approach is to confirm the information with another source where implied consent for its use has been given. For example, if an advancement staff member hears rumours of a career appointment of an alumnus and confirms the rumour with a public news source, then the alumnus has given implied consent. It is reasonable to expect that the alumnus would only provide the information to a public news source if they did not object to the information being distributed and used.

One method to obtain consent is to provide a check box on application or graduation forms, allowing advancement to use the information for alumni / student related activities, such as fundraising.

Advancement organizations should undertake an analysis of the sensitivity of the different types of personal information collected and then establish policies to ensure that appropriate consent for collection and use is obtained at the time of collection. The purposes for which this information is used should be formally identified and recorded.

Recommendation 3

Advancement organizations should compile a complete list of all systems containing personal information.

Where these systems are merely used to manipulate and then update the development system, the data should be destroyed once the update is complete. All areas that insist upon maintaining separate systems that contain personal information must assume responsibility for administering access requests to personal information in that system.

Similarly, hard copy personal information that is currently distributed should be amalgamated as much as possible.

Recommendation 4

Formal policies should be adopted that state how personal information may or may not be used by advancement staff.

Each advancement staff member should sign off on the policies.

A sign-off procedure similar to central systems access should be adopted for all new staff. It may also be prudent to have all staff sign off on such a statement on an annual basis, as a reminder.

Recommendation 5

All requests from third parties to access personal information should be routed to the appropriate manager.

When personal information is disclosed it should be documented in the donor record and, where consent is not implied or explicitly given, donor permission should be obtained in advance.

Recommendation 6

Advancement policies should confirm that contracts must be signed with any vendor where personal information is disclosed, and legal counsel should review all contracts.

Recommendation 7

Advancement organizations should develop a comprehensive written policy on the collection, use, and destruction of personal information.

Recommendation 8

Advancement organizations should simply devise guidelines and retention schedules for paper and electronic files that contain personal information. Every staff member that maintains any file with personal information should be made formally aware of these policies upon orientation.

Personal information that is no longer required to fulfil the identified purposes should be destroyed, erased or made anonymous.

It may be advisable for advancement to appoint a key person to manage the retention and destruction schedules of all advancement files.

Recommendation 9

Advancement organizations should develop stringent policies regarding verification of individual information before access is permitted.

Recommendation 10

When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, the advancement organization should amend the information as required.

Policies should be developed to monitor the verification process of individuals requesting to amend information and to outline the process of documentation in the individual’s record of when/why the information was amended.

Recommendation 11

Security safeguards should protect personal information against loss or theft, as well as unauthorised access, disclosure, copying, use, or modification.

Methods of protection should include physical measures, for example, locked cabinets and restricted access to offices; organizational methods, such as limiting access on a "need-to-know" basis; and technological measures, for example, the use of passwords and encryption.

Security profiles for the development system should be reviewed on a regular basis.

Recommendation 12

All new advancement staff should be presented with an orientation package that contains the organization's privacy policies.

Recommendation 13

Each department within advancement should have a person responsible for ensuring that the policies regarding personal information are being adhered to, and each accountable person should be made known to all staff.

Some additional resources on security and privacy:

Computer Security Institute
FIRST – Forum of Incident Response and Security Teams
Industry Canada – Online Security and Privacy Guide
Microsoft – Baseline Security Analysis Tool, newsletters and other tools. Free seminars.
National Cyber Security Partnership – Public private partnership to make cyberspace more secure.
PC Magazine Utilities – A number of free tools such as spyware detectors.
Software Engineering Institute – Papers
Threats and Countermeasures From Microsoft. A free 900+ page document on improving web security.

Sites with privacy legislation, policies and procedures:
AFP Toronto Chapter
AFP Canadian Public Policy on Privacy
Australian Government Privacy Office
CASE – Foundation Independence and Donor Privacy
Canadian Department of Justice Policy on Access to Information and Privacy
Direct Marketing Association. Privacy policy generator.
Information and Privacy Commissioner of Ontario (IPC) Web site
Ontario’s Consultation on Privacy Protection
Privacy Commissioner of British Columbia
Privacy Commissioner of Canada
Privacy is Your Business from CIO
Privacy Rights Clearinghouse

On this site:
Data Backup and Recovery Strategies
Democracy and Responsibility. Additional security considerations given break-ins and compromises of higher ed data.
Employment Pages. Confidentiality agreements.
Privacy Architecture
Privacy Audit Questionnaire
Privacy Policy Statement
Privacy Principles
Privacy Recommendations
Releasing Alumni Information
Security Survey
Shadow Databases

Contributed by …
Mary Ellen Caskenette, Manager, Document Systems, University of Toronto
Privacy Audit Questionnaire.
Privacy Recommendations.
Sample File Plan.
Sample File Retention and Disposition Schedule.

Survey – Contactable Rates, Survey Results
Survey on how your contactable rates for constituents compare with other organizations.
Ursula Shail, Manager of Document Systems, University of Toronto
Ursula is the Manager of Document Systems within the Alumni and Donor Records Department and is responsible for the Central Files and Document Imaging within the Division of University Advancement.

Electronic Imaging – The Series. Part 1, Part 2, Part 3, Part 4, Part 5.

Privacy Audit Questionnaire.
Privacy Recommendations.