sample recommendations are designed to address
practices relating to the collection, use and
destruction of personal information and can help bring an
organization into greater compliance with generally accepted privacy principles and
Personal information has been defined as information about an identifiable individual, but does not include the name, title, or business address or telephone number of an employee of an organization.
These recommendations should be reviewed by your legal counsel if you use them in your own organization.
Each office should clarify and document its purposes for collecting personal information.
These purposes should be written into a formal policy that directs staff and should state that personal information may only be collected for documented purposes.
Personal information, particularly sensitive personal information, should only be collected directly from the individual with explicit consent for its use in accordance with documented purposes.
Organizations must ensure that purposes are communicated and that consent is obtained at the time of collection.
Consent can be obtained in a variety of ways, depending on the sensitivity of the information. Where information is likely to be considered sensitive, express consent should be sought, while implied consent may be sufficient for less sensitive information.
Advancement policies should discourage the collection of personal information through informal means, such as rumour and word of mouth unless the information can be confirmed with the individual and consent for its use obtained.
If the information is not sensitive, another approach is to confirm the information with another source where implied consent for its use had been given. For example, if an advancement staff member hears rumours of a career appointment of an alumnus and they confirm the rumour with a public news source, then the alumnus has implied consent. It is reasonable to expect that the alumnus would only provide the information to a public news source if they did not object to the information being distributed and used.
One method to obtain consent is to provide a check box on application or graduation forms, allowing advancement to use the information for alumni / student related activities, such as fundraising.
Advancement organizations should undertake an analysis of the sensitivity of the different types of personal information collected and then establish policies to ensure that appropriate consent for collection and use is obtained at the time of collection. The purposes for which this information is used should be formally identified and recorded.
Advancement organizations should compile a complete list of all systems containing personal information.
Where these systems are merely used to manipulate and then update the development system, the data should be destroyed once the update is complete. All areas that insist upon maintaining separate systems that contain personal information must assume responsibility for administering access requests to personal information in that system.
Similarly, hard copy personal information that is currently distributed should be amalgamated as much as possible.
Formal policies should be adopted that state how personal information may or may not be used by advancement staff.
Each advancement staff member should sign off on the policies.
A sign-off procedure similar to central systems access should be adopted for all new staff. It may also be prudent to have all staff sign off on such a statement on an annual basis, as a reminder.
All requests from third parties to access personal information should be routed to the appropriate manager.
When personal information is disclosed it should be documented in the donor record and, where consent is not implied or explicitly given, donor permission should be obtained in advance.
Advancement policies should confirm that contracts must be signed with any vendor where personal information is disclosed, and legal counsel should review all contracts.
Advancement organizations should develop a comprehensive written policy on the collection, use, and destruction of personal information.
Advancement organizations should simply devise guidelines and retention schedules for paper and electronic files that contain personal information. Every staff member that maintains any file with personal information should be made formally aware of these policies upon orientation.
Personal information that is no longer required to fulfil the identified purposes should be destroyed, erased or made anonymous.
It may be an advisable task for advancement to appoint a key person to manage the retention and destruction schedules of all advancement files.
Advancement organizations should develop stringent policies regarding verification of individual information before access is permitted.
When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, the advancement organization should amend the information as required.
Policies should be developed to monitor the verification process of individuals requesting to amend information and to outline the process of documentation in the individual's record of when/why the information was amended.
Security safeguards should protect personal information against loss or theft, as well as unauthorised access, disclosure, copying, use, or modification.
Methods of protection should include physical measures, for example, locked cabinets and restricted access to offices.
Methods of protection should also include organizational measures, such as limiting access on a "need-to-know" basis, and technological measures, for example, the use of passwords and encryption.
Security profiles for the development system should be reviewed on a regular basis.
All new advancement staff should be presented with an orientation package that contains the organization's privacy policies.
Each department within advancement should have a person responsible for ensuring that the policies regarding personal information are being adhered to, and each accountable person should be made known to all staff.
|Some additional resources on security and privacy:|
|Contributed by ...|
|Mary Ellen Caskenette, Manager, Document Systems, University of Toronto|
|Ursula Shail, Manager of Document Systems, University of Toronto|
Ursula is the Manager of Document Systems within the Alumni and
Donor Records Department and is responsible for the Central Files
and Document Imaging within the Division of University Advancement.