Originally appeared on Texas Nonprofits at http://www.txnp.org/Article/?ArticleID=18750
So I’m pulling together a few points from my podcast and framing them as guided questions. I frame them as questions to get you thinking about what your model policy looks like, rather than what a model policy might be. Because policies are nothing more than a memorialization of what you need to do day to day. And by asking yourself these questions, you create the curiosity and inquisitiveness needed to draft a solid policy.
Naturally, my depth is limited with a few pages. But an exhaustive discussion would leave you bored and (justifiably) angry. So this discussion is just long enough to get your wheels turning.
But before we get there, let’s agree to a few preliminary assumptions. So we’re all on the same page:
- Using an unaltered template won’t cover all your exposures, no matter how magical it purports to be.
- Speaking of helpful, “book-shelf” policies are not our friends. These are the policies you draft and finalize but end up shelved under promotional stress balls. Develop your policy with implementation already in mind. Have a roll-out plan ready to go for the website, internal staff and the Board.
Now, for those questions:
- What promises can we comfortably make? Many templates include language like, “we never disclose information to third parties.” Don’t get me wrong, this sounds nice. But is it true? What about website developers working on a contact database? Is this true if local authorities reach out about a transaction? And does Google Analytics count as a disclosure? I say all this to say: use hard-line language carefully. Think through your process and don’t be afraid to make qualifiers. People just want honesty.
- What laws apply to the information we collect? By way of example, COPPA (Children’s Online Privacy Protection Act) applies to websites that collect, or might collect, information from children 13 or younger. It mandates certain requirements like parental contact, opt-outs, etc. If this law applies to you, you’ll want to cover these logistics (changing parental contact information, sending opt-out notices) in the policy. The same is true if you collect health or financial information, both of which have specific requirements under Federal and/or State law.
- Should the policy have an international flavor? If the organization has an international presence, or audience, you might touch on key concepts around privacy in other applicable countries. One example is the collection and use of information under European law. Requirements can and will work differently than those in the U.S. In fact, they might be the exact opposite (i.e. Canada requires “opt-ins” whereas the U.S. requires “opt-outs” in some instances). The FTC (Federal Trade Commission) has really good resources on this.
- How will we update the terms? Things change and, in the case of the cyber world, they change rapidly. Is it clear terms aren’t static? If not, make sure it is and outline how you plan to make changes. How will people know when a change has been made? Internally, how will you keep track of versions? As a heads-up, tread lightly with the “You should probably check the site sometimes” language. Consider emailing changes where they’re major, or possibly requiring users to agree to the changes the next time they log on to your site.
- Can people find the policy? Last but not least, is the link leading to the policy strategically placed? It shouldn’t hide in a corner. Make sure people can see it, that it is prominent and that their attention is brought to it as soon as they enter your site.
As I mentioned, the list of potential questions to ask could go on. The point isn’t to be perfect, but to be thorough and thoughtful. Have the Board and the staff take a few minutes to think up more questions by asking themselves, “What would I want to know about how my information is treated?”
If you do decide to use a template, do yourself a favor. Break the template down into a secondary outline and draft something from scratch, pulling from that outline when you need to. That way, inaccuracies don’t slip in and you’ve created another avenue of being thoughtful.