By the Apra Ethics & Compliance Committee
My organization is partnering with another organization on an upcoming art exhibition. We are having a VIP reception and dinner in conjunction with the exhibition, and donors who give to both of our organizations will be invited. As a first step of the project, we need to identify said donors. We were asked by leadership to provide our list to a third party. They will evaluate both organizations’ lists to identify these donors and share any overlap to both of our organizations. I’m a little concerned as this doesn’t feel right to me. I feel like there are stewardship or confidentiality issues, but I can’t put my finger on a specific policy or standard this violates. Please help.
Joint Project Jitters
Thank you for channeling your inner ethicist and asking this important question. It is something that many organizations may deal with at one point or another. Sharing data with third parties may seem ethically counterintuitive; however, you also have a need to achieve your organization’s mission. Fear not, there is an ethical route for data sharing!
In your case, it sounds like a legitimate business purpose ― a joint cultivation and stewardship venture. If the joint venture has been vetted and signed off on by your leadership, then let’s agree the project has been well thought out and is legitimate. But, make sure the business purpose is clear and defined to all parties involved.
Now, about data sharing. Let’s take a step back. You are probably already sharing data with third parties on a regular basis ― mail houses, wealth screening vendors, groups administering surveys, etc. This situation is no different. Whatever process and standards your organization has established for approving sharing data with these third parties can be applied to this scenario. Specifically, consider these questions:
- What does your data-sharing policy and process state about the types of personal data shared? Are there any restrictions on the type or category of data that can be shared with a third party?
- Does your data-sharing policy and process require confidentiality agreements?
- Does your organization’s data sharing policy and process require that the third party delete your organization’s data upon termination/completion of the work?
- Does your organization’s data-sharing policy and process require certain security measures and incident/breach notification processes on the part of your organization’s third-party vendors?*
There should be a similar agreement in place with the other fundraising organization and with the third party identifying the overlapping donors. Your agreement can delineate your expectations ― how they will treat and handle your organization’s data, what they will do with it at the end of the joint fundraising venture, what security and privacy measures will be used, who is going to see the data and so forth. Get your legal counsel involved if you aren’t sure how to proceed.
As always, only send the data points that are needed and no more. This will help minimize risk for your organization and donors. You can even try sharing the donors’ names since many organizations make it public in honor rolls.
In essence, get them to sign, minimize what’s shared and agree to what happens at the end.
Good luck on the joint venture!