Answers to two questions with long answers that arose during the Security Webinar Series Session 3
The following questions were asked during the webinar, and I deferred them because I knew they would take too long to meaningfully answer within the time constraints presented by a one-hour webinar already chock full of material. Even the answers below are not entirely all-encompassing for a thorough response, but hopefully they will help get you moving in the right direction.
Question: Should we delete constituent records for those who contact us asking to be removed from the database? (Likely triggered by my discussion that only the DBM should be able to delete constituent records in almost all cases.)
Bill’s Answer: First and most importantly: I am not a lawyer and certainly do not know the laws, rules, and regulations of every region in the world. Be sure to check with your legal counsel and ensure your approach follows required legal obligations for your location regardless of my answer.
That said, to my knowledge, we have no legal obligation as nonprofit and educational institutions to delete constituent records from our database because constituents “tell” or ask us to. We don’t work for them, and they don’t own our data legally and ethically collected. We do have, however, an ethical obligation as fundraising and data professionals to do our best to honor constituent wishes.
I think there are two reasons today why constituents will ask us to “delete/take me out of your database.” The first is those who no longer want to have contact with us, such as those moving out of the area or unhappy with the organization. The irony here is that if we do as they ask – delete their records from the database – we are actually making it harder to honor their real wish, which is not to hear from us. With their name and address removed, we have no place to associate this desire with their information to keep them from hearing from us when we purchase or trade acquisition lists, someone re-finds them in another list, file, or report somewhere, etc. We can actually best honor their wish by keeping them in the database, correctly coding their records, and then ensuring only those who know how to pull data correctly do so and those codes are honored (how to set up these codes and honor them is beyond the scope of this answer right now; if you need help with this, consider chapter 4 of Bill’s book on Raiser’s Edge). Constituents unfamiliar with our work or databases are not likely to understand the details and nuances, but I would try to explain to a constituent the situation, recommend the coding approach for the reasons noted, and if they insist, defer to an institutional policy signed off by senior management and legal counsel comparable to the topic addressed in the next paragraph (which if you don’t have, you should get created).
The second reason someone might make this request is that they want to ensure their data is not in our possession for it to get stolen in a data breach, theft of a laptop or other equipment, etc. This is a trickier situation because we want to honor their request, but the same challenges as presented in the previous paragraph will still exist plus we have institutional needs to consider. For example, if we delete a constituent, we delete their gifts, memberships, event attendance history, volunteer history, actions, etc. We need that information for our work and our records as well. What are the consequences of anonymizing the record to do as the constituent requests and still be able to do our work? To my knowledge, no clear direction or industry-wide “best practices” have appeared. Can we wipe out some of the data we don’t need, say phone numbers, but keep the key data we need to uniquely identify the record and the person so we can make a note and code the record so we can honor and continue to honor their wishes? Can we transfer the identifying data to another location outside RE and have a cross-referencing system, or does that really not help – we’ve just transferred the sensitive data from RE to another place and the same risk applies to the other place? What if it’s an alum of your school – we have a need and right to have a history of our former students, and name information is just not sufficient, as we data professionals know. We need contact information to uniquely identify a person. The challenge is that we want to honor the constituent’s intent even if we’re not legally obligated to, but in our line of work people frequently re-appear in other ways. The irony is we need to keep their name and unique contact information to honor their request or it’s very possible they will re-appear, new communication will start, and they will think we didn’t listen to them. There is no easy answer here, so if you are concerned about this I would discuss it with fundraising management, IT, and legal counsel, but the RE DBM must be involved in the conversations because there is more at play here than these other colleagues are going to understand since RE and its role is not their area of expertise.
Question: During the webinar you talked about not giving all gift editing rights to the gift processor because it’s better financial controls to have a division of duties and to have a different person do the gift entry than makes changes to gifts. You mentioned having the gift processor do the gift entry and the DBM make needed changes to gift. But what about a small organization where we don’t have that many people? What should we do?
Bill’s Answer: Raiser’s Edge is used by organizations with only 1 or 2 people in the entire fundraising department to organizations with hundreds of users. I apologize the time allotted for the webinar did not allow me to be more nuanced in my recommendations. This is a good and reasonable question.
The principle is that the more people involved in a process, the less opportunity there is for fraud because each person holds the other people accountable. This is why auditors don’t like gift processors to open the mail, for example. At a very high-level summary, it’s best if you have different people for each of these stages:
- One person who opens the mail and logs checks
- A different person who does the original gift entry; it’s okay if they do the acknowledgements as well
- Yet another person who makes changes to gifts, like Edits, Adjustments, and Pledge Write-offs
- And yet one more person (or more) who does the finance/accounting work in the financial system
But small organizations don’t have this many people. So, two words of advice:
- Just do the best you can with the people you have access to
- Get signoff from your auditor on your procedures as they relate to financial controls (don’t let auditors or finance folks control the basic processes of RE gift entry, however)
For example, is there someone else – a receptionist, a program manager – who can open the mail? (Finance should not open the mail and then process things on their side first! Someone other than the gift processor should open the mail and log the checks, but that’s it. The RE gift processor takes over from there and after the RE steps are done, only then does Finance get the checks and posting paperwork.)
Same concept with changes: Is there someone else who can make the changes, such as a capable fundraiser? If not, then changes should be clearly documented in writing and signed off by someone else (they should be anyway, actually – there should be paper trails for gifts that are adjusted and pledges that are written off). Monthly reconciliations will help create financial control confidence as well.
You just have to do the best you can if you don’t have a staff large enough for separation of duties. But if you do have the staff, you should practice separation of duties and set up security properly to ensure it.