Data Protection in Animal Welfare

By Gilberto Gandra, Board Member

Whether it is a DSH with infrequent BM, or a LOS report biased by a few DOAs, acronyms have ingrained themselves in animal welfare speak. As someone who has only served on the fringes of this field, I quickly had to learn to differentiate the meanings. This led me to wonder how aware animal-focused non-profits are of the acronyms which have made up a large portion of my last year in the corporate sector: PIPEDA (Personal Information Protection and Electronic Documents Act), GDPR (General Data Protection Regulation), OPPA (Online Privacy Protection Act).

Raise your device proudly if you have completely read the Privacy Policy on any of the last ten apps you have downloaded! If you did not, you are amongst the 91% of Americans that DO NOT read Terms of Use for contests, social networks, products and services, according to a study conducted by Deloitte last year. This seems to me like a staggeringly small audience of readers, considering how much money and effort is poured into drafting privacy policy statements and terms of use in the corporate world. Forbes Magazine estimates companies spent $9Bn on getting ready for the latest privacy craze, GDPR, the EU’s privacy governing practices which came into effect last month.

Animal welfare agencies collect varying levels of personal information which are subject to privacy protection, from social security numbers of employees, to credit card information of an adopter, to the IP address of a site visitor browsing available animals. Don’t forget the personal information of volunteers and of individuals at partner agencies who interact with your organization. No matter the size of your organization, a well-written privacy policy is an important first step. As tempting as copy and paste may be, this is not a recommended practice. Transparency about how data is collected, stored, shared and used is unique to every organization.

The next step should be dedicating resources to implementation of the privacy policy. This may or may not require IT and legal resources, but at the very least it needs to be part of the ongoing training and practices of the organization. Also, any third-party users of the information collected by your agency need to be aligned with your privacy statement. This can include foundations, corporate partners, collaborating agencies or business contractors. Remember, the fact that an affiliate breached your policy does not automatically make your agency immune to State & Federal regulators if you handed over the information to that partner.

Finally, continual review and staff training are the only way to make sure your organization is practicing what you preach to the public.  There are various resources online to guide an organization through the setup of proper data protection practices:

Although it traditionally does not oversee non-profits, the FTC (Federal Trade Commission) oversees the commercial activities of non-profits, which could include adoption, pet supplies & other purchases. This link provides a start to finish

If a breach does occur and PII (Personally Identifiable Information) is leaked, every State has legislation directing the notification of individuals who have been affected. This site has the links to each of those state instructions; check the one that applies to you.

Although specific to GDPR and broader than US privacy practices, this link walks you through a comprehensive assessment of the current state of your data protection:

It may not be the most exciting adoption case study or framework for a new foster program, but data protection is serious business. I believe every animal welfare organization can benefit from understanding these rules and implementing or reviewing their very own privacy statements/practices. Consumers are increasingly aware of their rights, and it is important to have these rules in place to protect your non-profit and ensure its continuing operation towards achieving your mission.
