Ensuring Ethical Practices: Nonprofits Collecting Personal Information of Children

All opinions expressed here are my own. While I've made every effort to ensure that the information is accurate, I welcome any comments, suggestions, or corrections of errors. This article is based on my experience of over thirty years in the nonprofit organization sector, including the establishment, governance, operations, management, and administration of 501(c)3, 501(c)4, and 501(c)6 organizations.

Over the last six months, I've helped a local chapter of an international nonprofit modernize the application process for its annual school supplies and holiday toy distribution.

Providing access to an online application and replacing hard copy applications saves a considerable amount of time for processing and consolidating the information contained in hundreds of applications. On a related note, we received over 350 applications for 900+ children in the first 24 hours of our application being live.

We've also been able to utilize the data to measure and track the impact of our programs, as well as focus our efforts on key areas of our community.

A recent discussion with the primary program organizer revealed that personal information is required to be shared with a partner agency for our annual Holiday Toy drive - specifically, the parent's name and email address as well as the name, age, gender, and date of birth for each child.

Despite applying least privilege to access to and storage of the collected data, I quickly recognized a risk - neither the historical form nor the online form addresses informed consent! The ensuing dialogue with the program organizer about the right to control one's personal data (including their children's), consumer protection, and ethical responsibilities, including transparency, inspired me to write this article.

Background

I've frequently observed in my decades of experience that many staff and volunteers involved in the management and administration of nonprofit and grassroots organization initiatives are unaware of related privacy regulations. Worse yet, they do not recognize the impact of not following best practices for data privacy. Although nonprofit entities generally are not subject to the Children’s Online Privacy Protection Rule (COPPA), the Federal Trade Commission encourages such entities to post privacy policies online and to provide COPPA’s protections to their child visitors.

Nonprofit organizations play a crucial role in bettering communities and championing various causes. As they continue to evolve and adapt to the digital age, many nonprofits collect personal information, including names, genders, and dates of birth electronically. Safeguarding this sensitive data is of utmost importance to ensure ethical practices, compliance with regulations, and the trust of the communities they serve.

I've outlined a few guidelines for nonprofits to responsibly collect, use, and share personal information of children:

Prioritize Informed Consent

Before collecting any personal information, nonprofits should obtain informed consent from the parents or legal guardians of the children involved. Communicate the purpose of collecting the information, how it will be used, and whether it will be shared with third parties. Make sure the consent form is easy to understand and readily accessible.

Implement Strict Security Measures

Nonprofits must prioritize the security of the personal information they collect. This includes employing robust encryption methods, regularly updating security protocols, and restricting access to the data to only those who need it. Regular audits and assessments of security measures should be conducted to identify and address potential vulnerabilities.

Limit Data Collection to Necessities

Collect only the information that is necessary for the nonprofit's purposes. Avoid unnecessary data points that could increase the risk of misuse or compromise the privacy of the children involved. Additionally, regularly review the data collected and purge any information that is no longer needed.

Educate Staff and Volunteers

Ensure that all staff and volunteers are educated on the importance of privacy and confidentiality. Provide training on data protection laws, the organization's policies, and the ethical responsibilities associated with handling personal information. Regularly remind personnel of the critical nature of safeguarding children's data.

Establish Data Retention Policies

Develop and adhere to clear data retention policies. Determine how long the organization will retain the collected information and under what circumstances it will be deleted. Regularly review and update these policies in accordance with evolving legal requirements and best practices.

Transparency in Data Usage

Maintain transparency in how the collected data will be used. Communicate to parents or legal guardians how their child's information will be utilized, whether it will be shared with third parties, and if so, under what circumstances. Establish open lines of communication to address any concerns or questions.

Compliance with Regulations

Stay informed and ensure compliance with relevant data protection regulations, such as COPPA. Nonprofits should be aware of the specific requirements and obligations imposed by these regulations to avoid legal repercussions and protect the rights of children.

Conclusion

How are we resolving the issue that prompted this article?

  1. We've created a consent form that will be sent to every parent who completed an online application.
  2. All existing programs will be reviewed and their complete liabilities will be documented and addressed to minimize resource mismanagement.
  3. I've also reviewed the parent organization's Youth Protection Policies & Procedures, and located the following policy:

All documents bearing personal information of any youth attending an ... event, including registration forms, medical information forms, permission to treat forms, etc., should be treated as confidential. Processes that protect this information must be created, including minimizing the number of people who have access to any such documents. The documents shall be maintained a minimum of three years or longer, as may be required by applicable state/provincial laws and regulations. After the maintenance period has expired, the documents shall be destroyed in a way that maintains confidentiality, such as shredding. The disposal and destruction of all confidential information shall conform to applicable state/provincial laws and regulations.

The irony is that we completed the parent organization's annual Youth Protection training last month, but data privacy was not addressed in the training materials. The primary focus is on direct engagement with youth.

In conclusion, collecting the personal information of children under the age of 13 is a responsibility that nonprofits must handle with the utmost care and ethical consideration. By prioritizing informed consent, implementing stringent security measures, and maintaining transparency, nonprofits can build and maintain the trust of the communities we serve while adhering to legal and ethical standards. It is through these conscientious practices that nonprofits can continue making a positive impact on the lives of children and their families.


Parastoo Emami

Parenting Coach for Highly Sensitive Children | Empowering Families to Celebrate Sensitivity as a Strength | Expert in Somatic Techniques to Regulate the Nervous System | Advocate for Highly Sensitive People

6 months ago

Debra, appreciate you for sharing this!
