In this Ask the Ethicist column, we at the Apra Ethics & Compliance Committee are flipping the script to present to you the most frequently asked questions (FAQs) from an unprecedented year.

Q: Can we do XYZ with data from the Federal Election Commission database of political contributions?

A: No, and here is why: Under the U.S. Election Campaign Act, information about individual contributors taken from FEC reports cannot be sold or used for soliciting contributions, including charitable contributions. The Act prohibits the use of any information about those donors, including their names and addresses, for the purpose of soliciting contributions. Even if an organization is not harvesting names of prospective contributors, it is not permissible to look up or use any political contribution data for charitable solicitation purposes, which includes prospect development.

See for more details.

Q: Can we store health-related information, especially regarding COVID-19 vaccination status, for our constituents?

A: We are all excited to emerge from the COVID-19 quarantine world, and many donors or prospects may freely mention that they are vaccinated. However, this is still personal health information, and should not be put in your database. Feel free to use more general language, such as, “Donor can now meet in person for coffee” or something along those lines, which does not include health information.

The New York Times’ own Ethicist recently published a column about inquiring about others’ vaccination status. We agree that it is important to know the information, and will definitely be spending the next months thinking about vaccine etiquette. HIPAA does not play any role in dictating whether an individual shares (or does not disclose) their own medical information, including vaccination status. However, discussing the information and putting in your database are two distinct actions, with the database covered under HIPAA.

See the Apra Ethics and Compliance Toolkit’s HIPAA section for more details.

Q: Can we glean ethnicity, race and gender information from looking at our constituents’ pictures in old school yearbooks or from social media, such as LinkedIn, Facebook or Twitter?

A: No and here is why: Race and ethnicity data must be self-identified or self-disclosed. Through self-identification methods, our organizations can ensure we are honoring how each individual sees themselves. It also allows each person to opt-in or opt-out of the data collection and usage, so no one is forced to disclose information they do not wish to share. To put it simply, we can’t put someone in a box in which they have not agreed to be placed.

See the new Apra DEI Data Guide for more details.

Yours in Ethics and Compliance,
The Ethicist