PRIVACY AND DATA SECURITY RISK MANAGEMENT POLICY
Privacy and Data Security
Mid-Plains United Way (MPUW) needs to gather and use information about individuals, including donors, business contacts, employees, and other people whom the organization may need to contact. This policy ensures that MPUW protects the rights and privacy of staff, donors, board members, agencies and other organizations doing business with us, and complies with both U.S. federal and state laws pertaining to non-profit organizations. This policy applies to all MPUW office staff, volunteers, and any other people working on behalf of MPUW. Everyone working or volunteering for MPUW must review and sign a Code of Ethics/Conflict of Interest form on an annual basis, holding each individual accountable to the policy detailed below.
Responsibilities: All Mid-Plains United Way staff and volunteers hold responsibilities to ensure that all data is collected, stored, and handled properly. All data shall be kept confidential by our organization’s staff and volunteers except where it directly relates to duties as a volunteer or employee.
Personal data should not be disclosed to unauthorized people, either externally or within the organization.
Data should be regularly reviewed and updated.
If any staff member or volunteer is unsure about any aspect of data protections or disclosures, they should always request help prior to relevant decision-making.
Data Collection: These policies apply to all data that MPUW holds relating to identifiable individuals, including:
Names of individuals
Addresses of individuals
Email addresses of individuals
Telephone numbers of individuals
History of giving/amounts of gifts
Any other personal information relating to individuals
Data Storage: All data stored on paper should be kept in a secure place that only authorized individuals can access when necessary. Data printouts should be shredded and securely disposed of when no longer required for authorized use. All electronically stored data will also be protected from unauthorized access and misuse:
Data should be protected by strong passwords which are only known by authorized staff.
Data should only be stored on designated drives and servers and never on personal computers.
All servers and computers containing data should be protected by approved security software.
All computers containing data should be locked if unattended.
Personal data should never be shared informally.
To ensure the security of data, the Mid-Plains United Way staff will complete a backup of both computers at the end of every week. Additionally, QuickBooks will be backed up separately after financial inputs, which take place bi-weekly. If financial inputs are done sooner, the backup will be completed immediately after. Donation Tracker will also have a separate backup, to be completed at the end of every week. If no data is entered in a given week, the backup will take place in the following week in which data is recorded.
Computer and Internet Use
Mid-Plains United Way has a computer or computers that are connected to the internet. Such computers are the property of the Mid-Plains United Way and are for the exclusive use of the organization and its employees. The use of such computers and internet access shall be limited to official use in conformity with the needs of staff in order to perform their duties and responsibilities as employees of the Mid-Plains United Way.
The personal use of the computers and internet services by staff is limited to reasonable usage and shall not be for personal business ventures, viewing pornographic material, or conducting illegal activities.
The documents, reports and records of Mid-Plains United Way will be maintained, either as hard copies or as electronic files, for the following time periods, after which they may be discarded.
Document or Record                                Retention Period
a. Articles of Incorporation and By-Laws          Permanent
b. Corporate Minutes                              Permanent
c. Corporate Records                              Permanent
d. Accounting Records                             7 Years
e. Bank Statements                                7 Years
f. Capital and Fixed Assets Records               Life of Asset + 7 yrs
g. Personnel Records                              Termination + 7 yrs
h. Salary Records                                 6 Years
i. Executed Professional Service Agreements       Permanent
j. Correspondence                                 Completion of Assignment + 10 yrs
k. Computer Software                              Permanent
l. Tax Returns (State, Federal, Payroll, Other)   Permanent
m. Insurance Policies                             Permanent
n. Audit Reports                                  Permanent
o. Financial Statements                           Permanent
p. IRS Approval Letter                            Permanent
Destroying Documents: All confidential documents shall be shredded.
Formal Problem Resolution Procedure
Mid-Plains United Way maintains an open-door policy regarding employee concerns. Most complaints and concerns can be resolved when they are brought to the attention of the staff member’s immediate supervisor through informal, supervisory conferences and communications. When an employee and his/her immediate supervisor are unable to resolve a concern through informal efforts, the formal problem resolution procedure may be initiated by the employee without fear of jeopardizing his or her employment status. Once initiated, the procedure may be terminated at any time by the employee.
All employees will have access to the formal problem resolution procedure. The number of steps in the procedure available to an employee depends upon his/her position within the organization. Staff members reporting directly to the Executive Director will have a one-step process. Since the Executive Director serves at the pleasure of the Board of Trustees, this procedure is inapplicable to such position.
Step 1. The employee sends a written statement to his/her supervisor immediately after the occurrence of the event giving rise to the complaint. Within five working days, the supervisor will meet with the employee to discuss the employee’s concerns. The supervisor will send a written response to the employee within five working days of the meeting with an explanation of the decision.
If the employee does not receive a response or if the employee is not satisfied, the employee may proceed to Step 2.
Step 2. Within five working days of receiving the response to Step 1 or failing to receive a response in a timely manner, the employee will send a written notice to the Policy and Administration Committee. The notice will indicate the desire to continue the formal problem resolution procedure and will include all documentation from Step 1.
Within five working days of receipt, the Policy and Administration Committee or a designee will meet with the employee and the immediate supervisor. Further review of the facts may be undertaken to resolve the complaint or concern. A written decision will be provided to the employee within ten working days of the meeting.
If the employee does not receive a response or is not satisfied with the resolution, the employee may proceed to Step 3.
Step 3. Within five working days of receiving the response to Step 2 or failing to receive a response in a timely manner, the employee will send a written notice to the Executive Committee. The notice will indicate the employee’s desire to continue the problem resolution procedure and must include documentation from prior applicable steps. Within five working days of receipt of the notice, the Executive Committee or a designee will meet with the employee and immediate supervisor. Further review of the facts may be undertaken to resolve the complaint or concern. A written decision will be provided to the employee within ten working days of the meeting.
No further appeal will be available. Time limitations may be adjusted upon consent of all parties involved.
Reliance upon the formal problem resolution procedure does not prevent an employee from seeking to resolve the problem by more informal means, such as counseling, at any time during the formal procedure.
Policy first approved on November 16, 2006
Policy revised on January 23, 2012
Policy revised on May 28, 2019
Policy revised June, 2022