This chapter will help you to examine if you use the data adequately and will provide practical guidelines how to improve digital safety of your YO. We will start with the analysis of the typical data processing practices of YOs. Then we should continue by presenting the type of data YOs usually collect.
1. General data and core operations
General data are the data you collect so that your organization could essentially operate. E.g. data on your employees, members of the assembly or other internal bodies. Also, here we will refer to some steps you need to undertake regardless of specific projects you implement.
1.1 Develop an Internal rulebook on data processing and data protection
This document is your Privacy ID. It identifies your data processing practices in the eyes of the public. It is also an important document for your staff members. It sets the rules that every staff member should apply.
For example, you may use the following language, butmake sure it fits practices of YOUR organization:
The YO’s internal Rulebook on Personal Data Protection The purpose of this Rulebook is to provide legal security and transparency in terms of processing of personal data of employees, beneficiaries and other persons whose data we process. The Rulebook presents the legal basis, purpose of processing, types of data being processed, rights of data subjects with regards to personal data processing, data protection measures, etc. The Rulebook also establishes the obligations of employees in terms of personal data protection. It applies to associates, consultants and other persons contracted by our organization. Employees are obliged to respect and protect personal data that they process in the work occurring in the office or elsewhere. Employees can process only the data to which they are allowed access, in accordance with tasks they perform.
Our organization may process the following personal data on its employees*:
*IMPORTANT: make sure you design this paragraph by reflecting your national labor and data protection laws and regulations. This is just an illustration how it should look.
- General data: Name and surname, address, date and place of birth, sex, ID number, citizenship, health insurance identifiers,
- Academic and professional qualifications: level of education, foreign language skills, employment history, data enlisted in submitted CV within the recruitment process,
- Financial data: bank account number, income data,
- Information on work performance: job title, supervisor assessment, business email address;
- Communication data: e-mail address, phone number, contact in case of an emergency.
Our organization may process the following personal data on its beneficiaries*:
*IMPORTANT: make sure you design this paragraph by reflecting your actual practices. This is just an illustration how it should look.
Name and surname, name of employer or the institution that the person represents, information on academic and professional qualifications, contact e-mail address, phone number.
If you provide legal aid to sensitive categories of clients, you should design this paragraph accordingly (for example: we collect information on the history of abuse and discrimination, information on sexual orientation, medical information.)
You could elaborate your practices on staff recruitment in similar fashion. Then you should provide concise information on:
For what purposes you process personal data.
- You collect information on your staff member to engage in labor relation, so usually the purpose is to meet mutual obligation arising from it.
- Usually you need data on your beneficiaries to conduct trainings, provide legal aid, etc.
The legal ground for processing personal data.
- Generally speaking, legal ground for contracting staff members is in national labor legislation.
- Usually the legal ground for collection of data on beneficiaries is established through their consent.
How personal data are being collected.
- Here you should elaborate if you collect the data directly from data subjects, or through former employees, the agency you maybe contract to perform HR tasks for you, though organizations that delegate participants at your training, etc.
For how long will personal data be used.
- With regards to data collected on your employees, consult your national labor legislation. It probably establishes such deadlines. You should adhere to these rules and have them in your rulebook.
- Data on your beneficiaries should generally be stored until the purpose of its collection has been met. It does not necessarily end the moment you finish your training or provide legal aid. It is legitimate to store that data for some period of time, if you need to report them to your donors, or keep participants informed about your events in the future. But bear in mind that all of that should be timely communicated with beneficiaries and you need their consent for such practices.
The rights of data subject on the use of their data.
Here you need to enlist all the rights arising from your national data protection legislation and GDPR (if applicable). Typically, the rights of data subjects are:
- The right to be informed about data processing practices,
- The right of access to his/her personal data (usually, through a copy),
- The right to update inaccurate or incomplete information,
- The right to erasure data that are no longer needed or unlawfully processed,
- The right to withdraw consent,
- The right to restrict processing,
- The right to data portability.
Finally, the rulebook should contain information about the point of contact for any inquiries about personal data processing practices.
1.2 Introduce contract clauses with staff members (confidentiality and privacy clauses)
Your staff members should be timely informed about the rules of data processing in the office. You may want to consider amending contracts with your staff members by adding confidentiality and privacy clauses. Such clauses are usually explicit about responsibility of a staff member to use information and data in lawful and professional manner, in accordance with internal rules of the organizations that are usually elaborated in an internal rulebook.
“You are required to apply data processing rules and guidelines defined in the internal rulebook of the organization. You are required to apply an appropriate standard of confidentiality of information and use personal data in lawful manner. Any disclosure of confidential information belonging to the organization, or disclosure of personal data collected on behalf of the organization, kept on computer or other media, made unlawfully outside the proper course of duty will be treated as a disciplinary offence. Any disclosure of personal data or confidential information to any unauthorized natural or legal person will lead to disciplinary action.”
You may want to introduce such clauses in contracts with your permanent staff members, part time contracted associates, external consultants, volunteers, interns, and basically, any person you cooperate with that may have access to personal data your organization is responsible to process in lawful manner.
Ok, we know that not many people read privacy policies. It is understandable. We visit so many different websites. Privacy policies are usually long (therefore – time consuming) and boring (therefore – not worth of reading). We don’t have enough time to read and understand them all.
But keep in mind that they exist for a reason. They provide information about data processing practices that may occur while visitors use a web site.
Try using any other visuals that would clearly demonstrate your practices.
1.4 Apply data protection rules when recruiting new staff members
Yes, you are hiring! It’s a good news as it usually means your organization is growing. However, recruitment process requires that you use all those applications wisely.
- Include a reference on your rulebook in the job vacancy and invite candidates to read the document.
- Consider using a standardized CV template that could be downloaded, so that you eventually obtain the same categories of information.
- If you don’t use standardized version of CV, instruct job candidates not to provide data that are not pertinent for the job vacancy. Which they sometimes do. You may want to include the following note:
Our organization does not use standardize template of CV. When submitting your CV, make sure to present information that are relevant for the job vacancy only.
- Establish internal rules on how long you plan to keep unsuccessful applications. You could delete them immediately after you make a decision to hire someone else. But you may have a legitimate need to keep the application for a while if your organization keeps on growing and opens up new vacancies soon. So, determine the time limit for keeping job applications (e.g. 2 years), inform job candidates about that rule by acknowledging it in the job vacancy, make sure you are really able to delete applications after the envisaged period of time wherever they may be at that time.
Before you start collecting job applications, make sure to:
- Designate only one e-mail for candidates to submit applications,
- Define who should have access to job applications (e.g. office manager, program officer, director, selection committee, or similar.)
- Restrict access to that e-mail for persons responsible for the process,
- If you print applications, keep them in the same folder and make them available only to designated staff members.
1.5 Define users’ roles in your organization
Youth organizations usually do not have a lot of staff members. But certainly there is some type of division of labour and responsibilities. So, not all your staff members should have access to all categories of personal data the organization possess.
- Program staff probably does not need to have access to staff members’ bank account numbers. Access to bank numbers should be restricted to financial manager, whoever is in charge of signing payment documents, accountant, etc.
- Project assistant working on one project may not need to have access to all personal data of consultants contracted through another project.
- Volunteers probably should not have access to confidential information about persons to whom you provide sensitive legal advice. We know that you need to make sure the organization runs smoothly. But still you should determine which team member typically needs access to which categories of data.
- Design such rules internally, taking care of both legitimate needs – that the working process should not be hindered due to unreasonable restrictions, and the need to apply data protection standards.
- Communicate the rules with all staff members.
- Evaluate the rules from time to time. They should not be set in stone, especially if you see they could be improved.
2. Project data and program operations
2.1 How should a YO use personal data when drafting project proposals?
In the fundraising activities you collect, you may sometimes need to provide the names of experts and other individuals you tend to hire through the project. Make sure to obtain their consent for that. This is not just a matter of fair business practices, it is a personal data issue as well.
- Provide full information to them about how their names (and other data) will be used in the project application.
- Avoid informing them through phone call; make sure you have their consent in your emails.
2.2 Obtain consent for data processing from your beneficiaries
Whenever you want to collect data from an individual, always:
- Provide all relevant information about data processing practices,
- Provide information prior to data collection,
- Obtain consent for such data processing practices.
We will further explore a few typical activities you implement, and leave you to apply same principles in other similar occasions.
A. Consent from applicants for trainings you organize
If you are organizing a training for which participants should fill in and submit application sheet, you should provide information about your practices in the application sheet.
You could use the following language in the notice, but make sure it reflects actual practice:
Information about our data processing practices:
Through this application we collect the following personal data: name, surname, the organization you represent, e-mail, phone number.*
*enlist all categories of data you collect
We collect data for the following purposes:
– To timely inform participants about the event,
– To issue certificate of attendance,
– Promote future events to participants.*
*enlist all purposes you find legitimate. Remember, you are not allowed to change the purpose once you obtain consent, without new consent.
Make sure to collect personal data that are necessary for the purposes you want to achieve. For example:
- If you want to issue a certificate, you probably don’t need participants’ home addresses.
- If you want to promote future events, you probably don’t need date of birth.
This approach is called data minimization. Don’t collect the data you don’t need.
You could also provide the following information:
We will not use your data for any other purposes.
We will use your data in lawful and confidential manner. Access to your data is limited our team members who need the data to perform their tasks to meet the purposes of data processing.
The legal ground for processing your data is your consent. By submitting the application form to us, you consent to the conditions of data processing elaborated here.
The consent you provide is freely given.
You have the right to withdraw your consent. You have the right to request additional information on how we use your data, which you can do by contacting as at:* [provide contact e-mail].
We advise you to see the Rulebook on Personal Data Protection at: [provide link to the document]
B. Consent from participants at events you organize
When you need participants lists to be filled in at your events, provide concise information about your data processing practices. You could use the following statement at the bottom of each side of the participants’ list.
Our organization [name of the organization] collect your data to keep you informed on upcoming events within the project and to report to the donor [name of the donor] on implementation of the project*. We will use your data in lawful and confidential manner. For more information contact us at: [contact e-mail].
* make sure to include all purposes for data processing, because you are not allowed to change it without prior consent.
2.3 How to promote YOs’ work at social networks?
YOs should promote their work. However, let’s focus on some inadequate practices of promotion and see how you could avoid them.
Some participants may be put at risk if you promote the event
- Be extra careful if you organize event for members of social groups that are particularly exposed to discrimination, violence, or any violation of their civil or minority rights.
- Avoid posting visitors’ photos at public events on sensitive issues (e.g. LBGT rights). Use panelists’ photos instead.
- If you still need to publish photos from such events, try not to make visitors identifiable. Take the photo of a crowded room from the gallery, standing behind the visitors so that their faces remain hidden.
- If you are organizing international event on human rights issues, do not expose participants from nondemocratic countries. Do not publish a photo of a member of LGBT community coming from a country in which same sex relation is punishable under the law. Remember, they need to go back home and someone may cause them harm.
Do not assume participants at your events would love you to publish photos! If the event is closed to the public, there are no media, etc, you should:
- Before the event starts, inform participants that you want to make photos,
- Inform them about the purpose of it (e.g. reporting to the donor, promotion of the event),
- Ask participants if they are ok with: Making photos and Publishing photos.
- Obtain consent before you make photos and before you post them online.
- Don’t exclude participants that don’t want to be photographed. Respect their privacy-related decision.
- Publicize photos of persons that explicitly consented to that only.
Publishing case studies and personal testimonies may sometimes harm your beneficiaries
Some organizations publish case studies based on psychological support or legal aid they provide to their clients. Storytelling has become very popular way of promoting the work of YOs and has proven to be an effective way to get readers’ attention, alarm media, and influence decisions makers. This is ok, as long as you apply data protection rules when you report on experiences of others.
Make sure that you always obtain that person’s consent before publishing it.
- Provide full information to that person about your intentions to go public with the story.
- Inform that person on the amount of information you want to publicize.
- Make sure that person consents with the use of his/her real name.
- Be extra careful with publishing sensitive data (e.g. on victims of domestic violence, discrimination based on sexual orientation, etc) and obtain explicit consent for publishing such information from that person.
- If the person wants to go public, be sure that the person understands what is his/her role in the campaign.
- If he/she opposes to the disclosure of personal data, respect that decision.
- In such case consider using pseudonym.
- In such case make sure that you do not publicize any information that may ultimately identify that person. E.g. avoid mentioning the village of residence, where he/she works, etc.
- In such case if you think a video testimony would make a difference, blur the face and distort the sound.
- Limit access to raw materials, keep it confidential and inform team members on disciplinary consequences in cases of misuse of the materials.
2.4 How should a YO use its beneficiaries’ data when reporting to its donors?
Ok, your project has been successfully implemented. Now it’s time to draft and submit report to your donor.
Donors are sometimes quite demanding, but their interests are legitimate. They need proof that activities that they support have been implemented. Other than narrative reports, they may request documents developed within specific activities, e.g. intake forms when you provide legal aid to your clients, photos taken at closed meetings, participants’ lists, etc.
Make sure to clarify reporting rules with the donor when you start implementing the project if you recognize possible privacy-related concerns. That may occur in particular if you anticipate you will collect sensitive personal data on:
- racial or ethnic origin,
- political opinions,
- religious or philosophical beliefs,
- trade union membership,
- genetic data,
- biometric data,
- medical data
- individual’s sex life or sexual orientation.
Here are some steps you could take to be on the safe ground:
- Inform the donor on sensitive issues within the reporting process.
- Clarify with the donor if all documents containing personal data should be fully reported.
- If they need to be reported, apply anonymisation when reporting on sensitive issues (e.g. intake forms you develop while providing legal aid to victims of discrimination). Make sure not to provide information that may lead to identification of that person.
- Whatever the rules of the donor are put in place, inform data subject about your relation with the donor and how the data would be processed.
- Obtain consent from data subject for reporting to the donor.
- Apply data minimization principle as much as possible, through limited collection of data from the client.
Also, some donors request you to provide payment lists, to demonstrate that you have used the money properly. Bank statements usually consist of several payments. When submitting bank statements to donors, make sure to use black marker to hide payments that are not supported by the donor you report to.