Not to Be Indelicate, but …

More than 50 million consumers have had their personal data compromised this year, a statistic grim enough to elicit spasms of paranoia in donors’ hearts about identity theft, data security and privacy. But, in reality, there have been few cases of privacy infringement reported in the nonprofit world — not enough to spawn a skittish donor pool.

It does, however, raise two important questions for nonprofit fundraisers. First, with the explosive growth in data collection and compilation, to what extent is it moral, ethical or legal to mine data on potential donors? And secondly, what proactive measures can be taken to safeguard donor privacy?

Jim Harper, director of information-policy studies at the CATO Institute, says most privacy advocates are incensed by “private, for-profit use of data” and fall mute on what charitable groups do with all the personal information they collect on donors and prospects.

“Nonprofits want to appear on the good side of the privacy issue, but like any other organizational user of data, like the big financial institutions, they need a lot of data and need to do a lot of things with that data,” says Harper, who also serves as editor of Privacilla.org, a Web-based think tank devoted exclusively to privacy issues. “Limiting the use of personal information is probably not beneficial.”

Harper cautions organizations about making explicit vows to donors without first considering the consequences.

“If you promise donors not to rent a mailing list, that’s giving away revenue,” he says.

Harper, an active member of the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee, stresses tact and trust when talking privacy with donors.

“One of the ways to stay ahead of the curve is to take a lesson from the recent security breaches and know who has access to donor data within [your organization],” Harper advises. “Every nonprofit that has personal information [on donors], including credit card information, can safeguard [data] by encrypting it and protecting it from insider access. Everyone thinks it’s about computers, but it’s not. Very often it’s about people inside an organization.”