Managing your Data: Data Policy 101

We all know that we are living in a more connected, more online, data-driven world. If you know more about your donor base you can communicate with them in ways that can build more genuine connections. However, storing and managing data about donors leaves you open to the risks of data breaches and data audits from government entities.

So how do we capture what we need in a responsible way?

Principles of Least

Before we dive into the different policy structures that can help you in managing data, we need to talk about a guiding light in the space. One of the most important words when it comes to Data Management is LEAST.

If data managers were compared to home improvement celebrities (I suppose I did just type that sentence), they would be compared to Marie Kondo in her minimalist period. If that candle doesn’t bring you happiness, get rid of it! If you haven’t used donor information about illnesses/interests/banking/etc., don’t keep it. While it might be “nice to have”, it clutters your database. Plus, if there is no benefit to having it, then there is only the risk of losing it.


The maxim is that you should only have data that you actively use. In addition, only those people who need access to that data should have access to it. These two ideas are described as:

  • The Principle of Least Data -> Keep only data that you use

  • The Principle of Least Privilege -> Only give data access to people who use it

Following these principles does not limit what you are able to do with your data. It removes excess noise from the system and ensures that your data security does not have to manage unneeded risks.

Data Policy 101

I know policy is a word that induces sleep in many of us, but it can be useful. The important thing is to not treat it like a checklist. Instead, I hope you find insights that can be beneficial to your organization in this article. Then the work of shifting them to fit into your culture starts. Sentinel Consulting is happy to provide hands-on help with this or inspiration!

Without further ado, let’s get started with…


Data Inventory

This is the top-down view of how your organization uses and stores data. It is the starting point of data policy because it gives you a shared vocabulary on what data is coming in, going out, and how you manage it while it is here.

It lists all of the different kinds of data you store (Client Data, Donor Data, Medical Records, Financial Records, etc.). Then it provides a clear set of rules on how each of these types of data should be treated. Generally, it will include 4 points on each data type:

  • A description of the data

  • Where the data can be stored

  • How the data can be securely shared

  • Who has access to this data

I often find it helpful to draw data maps in this policy: flow charts that show the different venues of storage and the inflows and outflows of data.

Data Privacy Policy

Next is your external facing policy. A Data Privacy Policy is where you explain what data you collect, how you’ll use it, and for how long you will keep it. While most websites come with an in-built privacy policy, you should consider creating one for all of your data-storing platforms. This gives your constituents the chance to see why they are providing certain information and read about how you are protecting it.


This policy should answer the following questions:

  • How to opt out of data collection (also the impacts of getting services while opted out)

  • How to exercise their “right to be forgotten”

  • How to request a copy of their data

  • When and how algorithms are used to make decisions about them

  • Who to contact if they are dissatisfied

While this can seem like a lot, there are many great resources that can help you create a Privacy Policy. For Canadians, there is Charity Central. For the stricter EU standards, there is GDPR.

Data Sharing Policy

In order to do our work effectively we often have to share information across the Not For Profit ecosystem. We are sharing details about our work with donors, working with partner organizations who need access to our data, and often have to report to government agencies.

But with all of these different data flows, have we written out what is appropriate to share and what isn’t? A Data Sharing Policy outlines your staff’s legal and ethical responsibilities when it comes to sharing data with others inside and outside of the organization.

This policy should include:

  • Who within your organization is allowed to access various kinds of sensitive data?

  • Standards for anonymizing data before it is shared widely

  • Any legal reporting or data-sharing obligations

  • Under what circumstances and to whom can your staff discuss details about a constituent

  • What data do you share with partner organizations, and how do you vet their use to ensure it’s ethical

Content and Media Policy

We all know that we need to create content that can engage and inspire our donors and community members. It is a powerful way of sharing our work. However, creating content without thought to the type of data we are sharing can pose risks to ourselves and our community.


This type of policy outlines the different mediums of communication we use and what is okay to share on those different mediums.

  • How you manage politicized content – what you’ll post and what you won’t

  • Use of constituent photos and stories

  • How to achieve diverse representation without tokenizing or misrepresenting your services

  • Security risks of posting locations, photos of people’s faces, and other sensitive content

  • Accessibility

Data Masking Policy

We’ve all typed in a password and seen those dots pop up in place of what we are typing. That is a form of data masking. The system stores the information that is required for day-to-day functionality, but it does not display the information to end users who do not need access to it, such as the person over your shoulder who wants to know what your password is.

This is required by law for specific types of data.

  • Protected Health Information -> Demographic information, Medical Histories, Test and Lab Results, Insurance Information, and other health data

  • Payment Information -> Credit Card Numbers and Banking Information

  • Personally Identifiable Information -> In Canada, this largely refers to SIN, Driver's License Numbers, and other forms of ID that could be used in Identity Theft.


Most databases will have built-in options that mask the most commonly collected sensitive information, credit card numbers. But if you are collecting the information above, it is important to ensure that it is masked so that you can limit the data risks to your constituents.
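One way to express masking in code, as an added example that is not from the original article: the stored record keeps the full value, and what a staff member sees depends on their role, which ties masking back to the Principle of Least Privilege. The field names, roles, access rules and sample record are all constructed assumptions.

```python
# Added example: display-time masking driven by role.
# Field names, roles and access rules below are assumptions for illustration.

# Roles allowed to see each sensitive field unmasked.
UNMASKED_ROLES = {
    "card_number": set(),            # nobody sees a full card number on screen
    "sin": {"finance"},              # only finance staff see the full SIN
    "health_notes": {"case_worker"},
}


def mask_tail(value: str, keep: int) -> str:
    """Star out every letter/digit except the last `keep`, keeping separators."""
    total = sum(ch.isalnum() for ch in value)
    seen = 0
    out = []
    for ch in value:
        if ch.isalnum():
            seen += 1
            out.append(ch if seen > total - keep else "*")
        else:
            out.append(ch)
    return "".join(out)


MASKERS = {
    "card_number": lambda v: mask_tail(v, 4),
    "sin": lambda v: mask_tail(v, 3),
    "health_notes": lambda v: "[hidden]",
}


def view_record(record: dict, role: str) -> dict:
    """Return a copy for display; the stored record is left unchanged."""
    shown = {}
    for field, value in record.items():
        if field in MASKERS and role not in UNMASKED_ROLES[field]:
            shown[field] = MASKERS[field](value)  # masked by default
        else:
            shown[field] = value
    return shown


DONOR = {  # constructed sample record
    "name": "A. Donor",
    "card_number": "4111 1111 1111 1111",
    "sin": "046-454-286",
    "health_notes": "constructed sample note",
}
```

A role that is not listed for a field gets the masked value, so a new or misspelled role fails closed rather than exposing data.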

Data Retention Policy

It’s best practice to not keep your data forever. Not only can it get expensive, but the more data you have, the more that can be leaked in the worst-case scenario. This returns to the Principle of Least Data. Are those inactive constituent records from 10 years ago actually still useful? Do they provide any meaningful information that you plan to track?

It is best to have a policy that decides:

  • How long you will keep different types of data

  • How it will be deleted

  • Who is responsible for managing this task

Conclusion

Thank you for coming on this Data Policy crash course. For some further resources, I would recommend looking through the Data Empowerment Report which outlines data use in the Not-For-Profit sector https://www.nten.org/posts/publication/2022-data-empowerment-report.

For any of you interested in having a conversation about data management, please reach out to us; we would love to connect.

If you would like us to tackle a topic or problem of interest to you, please let us know here.

Please note these are general policy recommendations, not tailored data/legal advice. It is important to review your specific data environment and find the policy that meets your organization’s specific needs.