These sample recommendations are designed to address
practices relating to the collection, use and
destruction of personal information and can help bring an
advancement organization into greater compliance with generally
accepted privacy principles and standards.
Personal information has been defined as information about an
identifiable individual, but does not include the name, title,
or business address or telephone number of an employee of an
organization.
These recommendations should be reviewed by your legal counsel
if you use them in your own organization.
Recommendations
Recommendation 1
Each office should clarify and document its purposes for
collecting personal information.
These purposes should be written into a formal policy that
directs staff and should state that personal information may
only be collected for documented purposes.
Personal information, particularly sensitive personal
information, should only be collected directly from the
individual with explicit consent for its use in accordance with
documented purposes.
Recommendation 2
Organizations must ensure that purposes are communicated and
that consent is obtained at the time of collection.
Consent can
be obtained in a variety of ways, depending on the sensitivity
of the information. Where information is likely to be considered
sensitive, express consent should be sought, while implied
consent may be sufficient for less sensitive information.
Advancement policies should discourage the
collection of personal information through informal means, such
as rumour and word of mouth unless the information can be
confirmed with the individual and consent for its use
obtained.
If the information is not sensitive, another approach
is to confirm the information with another source where implied
consent for its use had been given. For example, if an
advancement staff member hears rumours of a career appointment
of an alumnus and they confirm the rumour with a public news
source, then the alumnus has implied consent. It
is reasonable to expect that the alumnus would only provide the
information to a public news source if they did not object to the
information being distributed and used.
One method to obtain consent is to provide a check box on
application or graduation forms, allowing advancement to use the
information for alumni / student related activities, such as
fundraising.
Advancement organizations should undertake an analysis of the sensitivity
of the different types of personal information collected and
then establish policies to ensure that appropriate consent for
collection and use is obtained at the time of collection. The purposes for which this information is used should be
formally identified and recorded.
Recommendation 3
Advancement organizations should compile a complete list of all systems
containing personal information.
Where these systems are merely
used to manipulate and then update the development system, the data should be
destroyed once the update is complete. All areas that insist
upon maintaining separate systems that contain personal information
must assume responsibility for administering access requests to
personal information in that system.
Similarly, hard copy personal information that is currently
distributed should be amalgamated as much as possible.
Recommendation 4
Formal policies should be adopted that state how personal
information may or may not be used by advancement staff.
Each
advancement staff member should sign off on the policies.
A sign-off procedure similar to central systems access
should be adopted for all new staff. It may also be prudent to
have all staff sign off on such a statement on an annual basis,
as a reminder.
Recommendation 5
All requests from third parties to access
personal information should be routed to the appropriate manager.
When
personal information is disclosed it should be documented in the
donor record and, where consent is not implied or explicitly
given, donor permission should be obtained in advance.
Recommendation 6
Advancement policies should confirm that contracts must be
signed with any vendor where personal information is disclosed,
and legal counsel should review all contracts.
Recommendation 7
Advancement organizations should develop a comprehensive written policy on the
collection, use, and destruction of personal information.
Recommendation 8
Advancement organizations should simply devise
guidelines and retention schedules for paper and electronic
files that contain personal information. Every staff member
that maintains any file with personal information should be made
formally aware of these policies upon orientation.
Personal information that is no longer required to fulfil the
identified purposes should be destroyed, erased or made
anonymous.
It may be advisable for advancement to appoint a key person
to manage the retention and destruction schedules of all
advancement files.
Recommendation 9
Advancement organizations should develop stringent policies regarding
verification of individual information before access is permitted.
Recommendation 10
When an individual successfully
demonstrates the inaccuracy or incompleteness of personal
information, the advancement organization should amend the information as
required.
Policies should be developed to monitor the verification
process of individuals requesting to amend information and
to outline the process of documentation in
the individual’s record of when/why the information was
amended.
Recommendation 11
Security safeguards should protect
personal information against loss or theft, as well as
unauthorised access, disclosure, copying, use, or modification.
Methods of protection should include physical measures, for
example, locked cabinets and restricted access to offices;
organizational methods, such as limiting access on a
"need-to-know" basis; and technological measures, for example,
the use of passwords and encryption.
Security profiles for the development system should be reviewed
on a regular basis.
Recommendation 12
All new advancement staff should be
presented with an orientation package that contains the
organization's privacy policies.
Recommendation 13
Each department within advancement should have a person
responsible for ensuring that the policies regarding personal
information are being adhered to, and each accountable person
should be made known to all staff.