Whitepaper

Managing Client Privacy Risks

Protecting the privacy of client information is a critical duty of any organization that collects it. With countless data breaches in the news—damaging both the wellbeing of clients and the reputations of nonprofit organizations—nonprofit leaders must do more to manage client privacy risks proactively.

Exploring Privacy Pitfalls

Nonprofit leaders are not immune to making mistakes or falling into traps that threaten client privacy. Data security experts can point out plenty of problems with the information security practices employed at any organization. The sea of security snares is vast and deep, but begin by homing in on a few mistakes you can start correcting today:

  • Viewing client privacy as just an IT problem: All nonprofit personnel are responsible at some level for client privacy. If your team refuses responsibility or continues to place the burden of client privacy solely on tech/security staff, then try a new way of compelling your workers to care. Show them how savvy nonprofit leaders recognize data security as a business enabler, not a backburner item or budgetary burden. Keeping data security personnel from collaborating with other teams contributes to misalignment between data privacy efforts and departments’ business goals. That hurts the success of your mission, programs, and services, as well as your bottom line.
  • Dehumanizing data privacy: Employees might have heard of data privacy protocols, but do they truly understand the potential effects of data breaches on the clients they work and care for daily? Make privacy personal again by explaining the potentially distressing effects of client privacy breaches, including identity theft, fraudulent credit card activity, account cancellations, and stress. Ask your team members how they would feel while experiencing these challenges—all at the hands of a supposedly trustworthy community organization.
  • Granting staffers unwarranted access to information when not needed: Personnel manuals should include a policy strictly prohibiting employees from attempting to open or access any restricted files that contain clients’ sensitive data unless access to such information relates to an employee’s job duties. Make it clear that employees who violate this policy will be subject to discipline, up to and including termination.
  • Collecting data you do not need and can’t use: In the information age, data is currency. Organizations over-collect data by habit. Storing excess data adds to your privacy exposures, and this risk is not worth taking for data that is irrelevant to your fundraising or programmatic activities. Remember that data you do not have cannot be breached! Aim to balance the need to collect and maintain personal information with the need to protect client privacy.
  • Forgetting to safeguard physical and digital files: As many organizations continue transitioning from physical to electronic records, both storage styles pose unique risks to client privacy. Encourage employees to consider various file formats when enacting data privacy protocols. Focusing on digital data to the detriment of physical records could open your door to risks like the theft of paper records or the destruction of valuable physical records in a building fire or flood.
  • Failing to assess client privacy risks: To ensure that your nonprofit is taking reasonable steps to guard and protect clients’ personal information, conduct a privacy audit or risk assessment. According to the Nonprofit Risk Management Center, an initial privacy risk assessment can be as simple as asking and answering the questions below*:
    • Do you know what kinds of personal client information your nonprofit collects, keeps, and uses?
    • Have you identified all the activities through which you interact with, transfer, or store client data?
    • Do you know what kind of personal client information is received by your organization from outside sources, such as vendors or coalition partners, and the frequency of these deliveries?
    • Do you screen potential partners and vendors that share in your responsibility to safeguard client data? Are you confident that you understand any potential third-party data privacy exposures?
    • Do you know how much of the personal information collected by your organization is stored digitally versus physically?
    • Do you know what personal information your nonprofit discloses—intentionally and unintentionally?
    • Do you know what happens to information flowing between internal and external sources that contains personal data about clients?
    • Do you know how secure your clients’ data is from external hacking, internal sabotage, and generally from those who aren’t in a need-to-know position within your nonprofit?
    • Do you have a policy about the length of time you retain clients’ personal information and how you dispose of it? If so, is that policy consistently followed?

*Questions were adapted from Exposed: A Legal Field Guide for Nonprofit Executives. Several “no” answers might indicate that your nonprofit is unnecessarily exposed to risk by failing to protect client records and information.

Risk Management Strategies to Protect Client Privacy

Follow these best practices and tips to protect your clients’ privacy better while managing your nonprofit’s exposure to privacy liability.

  • Understand what constitutes PII (personally identifiable information) and what types of PII your organization is responsible for safeguarding.
  • Learn about federal and state data privacy laws as well as how they impact nonprofits. If your nonprofit deals with client health records in any way, you probably are required to comply with HIPAA. For a brief explanation of how HIPAA may apply to your nonprofit, see the MissionBox article “HIPAA for Nonprofit Organizations” listed under Related Resources. If your nonprofit does deal with client health information, you should have someone very familiar with HIPAA designated as your organization’s HIPAA compliance officer.
  • Consult with a cybersecurity expert to have your data security systems evaluated and, if found to be lacking, bring them up to standard.
  • Provide periodic updates to paid and volunteer staff to keep all personnel abreast of recordkeeping changes and document retention policies. Don’t forget to safeguard paper records and dispose of records properly (shred) to maintain client privacy.
  • Conduct vendor cyber risk assessments for any vendors with access to clients’ sensitive data.
  • If not available in-house, consult an outside vendor to prepare a data breach response plan.
  • Promptly investigate any allegations that client privacy has been compromised and document these investigations. Contact legal counsel if you believe privacy has been compromised and seek independent forensic data analysis experts to conduct research.
  • Discipline staff members who violate your nonprofit’s privacy policy. Scrutinize policy violations to better prevent future violations.
  • Always obtain permission before using photographs or other information about clients for public relations or marketing purposes. Obtain a signed photo release form before including your clients’ photos in an annual report or on your website. Exercise extreme caution when using photos of children for any purpose. For example, if a child’s image appears on your website, do not include any information to help identify the child. This information could potentially be used to track down and target the child for victimization, and your nonprofit could be liable for negligence.
  • If you collect personal client information through your website, you need to develop a statement that addresses how you protect the security and confidentiality of this client information.
  • Change system passwords regularly (at least every six months).
  • Make sure that sensitive files are password-protected, whether on networked computers, local servers, or in the cloud.
  • If possible, keep regular audit trails of information accessed on your systems or database.
  • Enact privacy protocols as needed to manage risks related to telecommuters and staff delivering services to clients off-site.
  • Remind employees that client data does not belong on personal devices. Similarly, unencrypted private or confidential information does not belong on transportable media like flash drives.
  • Restrict access to sensitive information by employees who are about to be terminated.

For more detailed information on data privacy and cyber risks your nonprofit may face, see Data Privacy and Cyber Liability: What You don’t Know Puts Your Mission at Risk by the Nonprofit Risk Management Center.

Related Resources

Nonprofit Risk Management Center, “Exposed: A Legal Field Guide for Nonprofit Executives,” https://nonprofitrisk.org/products/exposed-a-legal-field-guide-for-nonprofit-executives/

MissionBox, “HIPAA for Nonprofit Organizations,” https://www.missionbox.com/article/53/hipaa-for-nonprofit-organizations

Nonprofit Risk Management Center, “Data Privacy and Cyber Liability: What You Don’t Know Puts Your Mission at Risk,” https://nonprofitrisk.org/resources/articles/data-privacy-and-cyber-liability-what-you-dont-know-puts-your-mission-at-risk/
