Aimee, I think what is needed (if it doesn't exist) is a formal College "Data Acquisition and Use Policy." Every employee and volunteer (including Board members) should annually acknowledge this policy to receive access to any CRM-stored data.
When I draft these for clients, I always include the following at the beginning of the policy:
- Data collected and maintained by XYZ employees, volunteers, or consultants is considered institutional data. XYZ retains ownership of all institutional data, and each authorized user of XYZ data is responsible and accountable for its proper and authorized use.
· Using donor data for purposes other than Advancement and internal fundraising activities, especially for commercial or political reasons, is strictly forbidden.
· Information maintained as part of an official XYZ record should be viewed only by authorized XYZ employees and representatives (including select volunteers) who need it to perform legitimate XYZ business.
· XYZ employees and volunteers who access or use donor data should remember that the full range of information collected on any living or deceased individual may be subpoenaed, subject to a court order or warrant, or entered into a court record. Therefore, caution must be exercised when drafting any document, such as a contact report, that will be stored electronically or on paper and could be disclosed if legally required.
I also include this section regarding volunteer access:
1. Data Access & Use by Volunteers
· Volunteers may receive hard copies of information from files, including edited research reports, only when released through authorized Advancement staff. Materials shared with and used by volunteers supporting Advancement must be collected by XYZ personnel and destroyed. Under no circumstances should non-employees (i.e., volunteers) keep possession of confidential work products, pass the material to other employees or volunteers, or copy it in any format.
· Volunteers may be granted read-only access to the Advancement/Donor database once they agree to follow these donor privacy guidelines and complete the required training.
The policy goes on to discuss the differences between public, private, and confidential information; donor rights to opt out; data transfer and storage; anonymity, etc.
Then, on the signature page of the policy, there's this statement:
By signing this document, I acknowledge that I have read and understood this statement – XYZ: Data Acquisition and Use Policy – and that I agree to follow the principles it promotes. I also understand that failing to comply with these directives could lead to immediate removal from my duties and could expose me to personal legal liability.
I hope this is useful.