As the world around us transitions from winter to spring, so does Capitol Hill’s landscape. Issues that once seemed dormant are now stirring with life. Among them, data privacy and artificial intelligence regulation stand out. This topic, of particular interest to nonprofits and individuals concerned with data privacy, is gaining traction in Congress. Even Ryan Gosling was featured in a skit about AI and data privacy on SNL recently.
The chair of the House Energy and Commerce Committee, Rep. Cathy McMorris Rodgers (R-Wash.), and the chair of the Senate Commerce Committee, Sen. Maria Cantwell (D-Wash.), are leading a possible bipartisan and bicameral agreement called the American Privacy Rights Act (APRA).
The same House committee recently hosted a hearing to discuss “Legislative Solutions to Protect Kids Online and Ensure Americans’ Data Privacy Rights.” There was broad consensus for Congress to pass federal regulation that reduces the uncertainty due to various state laws, instead creating a regulatory framework that protects children’s right to privacy throughout the country.
At Independent Sector, we have closely monitored the evolution of this conversation and its possible impact on nonprofit organizations for the last two years. This year is no exception; we have prepared a detailed summary of the discussion draft, its essential rules, and its potential impact on the sector.
However, it is necessary to look beyond the requirements of a particular legislative effort. It is well known that nonprofits are the most trusted institutions in America. To protect that trust, nonprofit organizations must include data privacy governance strategies in their operations.
According to Atlan, a data science firm, “Data governance promotes transparency in how data is collected, processed, and used. Through clear data policies and consent management practices, individuals are better informed about how their data is utilized, giving them more control over their privacy.” The bill sheds some light on elements such as individual control over data, covered data, de-identification, affirmative consent, data minimization, and sensitive covered data, which organizations must pay attention to in order to maintain their constituents’ trust, with or without a data privacy law.
Individual Control over Data. This is the main aspect of data privacy. The common goal of data privacy regulations, APRA, or data privacy governance protocols is to provide data owners with the necessary tools to control what happens to their information. In other words, they can request modifications, updates, deletion, or restrict the use or transfer of their personal information. Sounds reasonable, doesn’t it?
Covered Data. The bill includes a definition of the data covered, meaning that not all the data your organization has is data to which the privacy regulations apply. In general, special protection protocols must be applied to identifiable data, that is, data that can be linked to one or more people or a device and/or can be used to identify an individual, individuals, or entities directly.
De-Identification. In contrast, data that cannot be assigned to an identifiable person or device is not subject to data privacy. Survey outcomes, statistical data, and research results with anonymous data are not subject to special protections because no name is associated with the data.
With or without a law, establishing a data inventory that classifies covered data and de-identifies data is a fundamental step in creating good data privacy governance in organizations.
Affirmative Consent. If, at this point, you are wondering what to do with the identifiable data of your volunteers, your board members, or the members of your organization, the magic word is consent. According to the International Association of Privacy Professionals (IAPP), “If an individual has choice about the use or disclosure of his or her information, consent is the individual’s way of giving permission for the use or disclosure.”
Identifiable data is the property of the owner of that information. If your organization has identifiable information, it makes sense that the owners of that information give authorization to use it. The data covered by APRA must be treated with a special protocol in which the data owner is clear about who has their information, what they are using it for, and how to modify, update, or delete it.
A key step in establishing data privacy governance protocols is creating or updating consent for the use of private data. Once you inventory your data, the owners of identifiable data should authorize you to host and use their information.
Data Minimization. Do you really need all that information? Are you really using all the personal data you collect? Data minimization is a principle that is included in APRA and consists of establishing protocols that lead organizations to retain only the data necessary for their operation. According to the IAPP, “The idea that one should only collect and retain that personal data which is necessary.” Establishing a data inventory that identifies the relevant information will not only put you on the right path, but also save you time and valuable resources.
Sensitive Covered Data. Certain data require special protection. APRA, for example, indicates that “personal identifiers; personal financial data; personal health data; precise geolocation data; biometric identifiers; and human genomic data” are sensitive covered data, in which case the consent needs to be more detailed, with rigorous explanations about how that information will be used. If your organization hosts sensitive data such as social security numbers, bank accounts, health information, or others, it is recommended to contact an expert who can help you develop appropriate consent for this, as well as protocols that allow you to be extra careful in managing this information.
As you can see, there is a lot our organizations can do to avoid reputational damage or, even worse, exposure to legal risks. Data privacy is an essential element in the operation of any organization, and we do not need to wait for APRA approval to advance the governance of the personal data that our constituents have entrusted to us.
Bonus: If you are looking for more information on how to establish a protocol for data privacy governance in your organization, here is NetHope’s guide to implementing data governance in nonprofits. The DaSy Center has this Data Governance Toolkit, and PwC published this Personal Data Privacy Toolkit for NGOs.
Manuel Gomez is Manager, Public Policy at Independent Sector.