Just Enough Information Management – for Nonprofits

Information management is an important risk and opportunity for nonprofits. While most nonprofits have minimal information requirements, they still must manage personal information responsibly. An information framework can help organizations tailor policies and procedures as well as make better technology acquisitions.

A just enough Information Management Framework for Nonprofits.

Congratulations, your nonprofit organization has decided to take information management seriously. A quick trip to your preferred internet search engine returns millions of hits. Ignoring the ads, you are quickly lost in a myriad of theories and models. US and Canadian legal requirements blur. After an hour or so you conclude, ‘we are probably good’, and you close your computer.

  1. Starting with the Usual Caveats
  2. The Good News – You Are Probably Good
  3. The Bad News – You Are Probably NOT Good
  4. The Great News – You can be Good and Great!
  5. Just Enough Information Management Framework
  6. Don’t Forget to Delete… Properly
  7. Governance is the Hard Part
  8. Starting and Ending with Governance
  9. Just Enough on the Just Enough Framework
  10. References and Further Reading

Starting with the Usual Caveats

For the purposes of this article, I am going to use Alberta for reference. Alberta is close enough to most other provinces and US states in its legal and social references.

References to statutes are for illustrative purposes and not legal advice. Always consult a lawyer as the following is for information purposes only.

The Good News – You Are Probably Good

First the good news, you are ‘probably’ good. Most nonprofits have simple information requirements. The information you hold is ‘probably’ of low value to bad guys and you are ‘probably not’ required to comply with the Personal Information Protection Act (PIPA) [1].

The Bad News – You Are Probably NOT Good

Whether your organization falls under PIPA or not, it still has an obligation to protect personal information. What exactly is personal information? The act is a bit vague: “1(k) “personal information” means information about an identifiable individual” [2].

Treat personal information like Limburger cheese. Delicious if used correctly and a risky thing to have lying around the house. As for retaining credit card information or photocopies of cheques – treat that as highly radioactive Limburger cheese; AVOID at all costs!

The Great News – You can be Good and Great!

So now that I have frightened you against collecting information (or made you hungry for Dutch cheese), things are not so bad and in fact you can turn your information collection into an asset for your organization. All you need is a framework to think about information management, systems, and a commitment to doing the right thing. Spoiler alert – the last thing is the hardest of the three.

Just Enough Information Management Framework

If you are a data architect, my apologies for oversimplifying your technical calling. Otherwise, the following framework is Just Enough for a typical nonprofit.

The framework has an upper and lower part. The Upper part is the information life cycle. Data is created, stored, used, and then deleted. A nonprofit board should be concerned with each step. Deletion is the forgotten orphan of the bunch.

Don’t Forget to Delete… Properly

Data deletion is missed because a nonprofit is off to the next event, volunteers leave, and because it is REALLY BORING. A treasure trove can be left behind for scammers and bad guys. Less dramatic, the information is inadvertently exposed and is embarrassing for the organization. Annoying is the loss of the nonprofit’s records because of a crashed hard drive. Not the type of deletion you want!

Governance is the Hard Part

The Lower part is the foundation for the framework, and cuts across the life cycle. The first is security and ensuring the organization is compliant with PIPA or good practices. Below that is the board’s accountability for the policies, procedures, and technology to make everything else work.

Governance is the hardest part. It is tempting to find policies on the internet and search and replace the organization’s name. However, if there is a data breach, this policy may come back to haunt the board. It might describe activities way beyond the organization’s capacity. Acknowledging your organization’s information requirements are unique but fit within this framework is the first step to good governance.

Starting and Ending with Governance

The governance block also contains the seemingly simple question of…

What is the business problem the nonprofit is trying to solve and how can better information help with the solution?

It is tempting to jump to a solution before really answering this question. It is just as tempting to stay on the question and never move forward. In the post A Tale of Two Business Problems, we meet two organizations who (do not) share similar business requirements.

Just Enough on the Just Enough Framework

This is where this blog stops. It is hopefully simple enough that most people will ‘get it’. Future blogs will drill down on different elements but always with the ‘Just Enough’ lens.

What are your thoughts? Are you a data/information expert, did I leave out a critical bit and if so, what is it? Are you a struggling volunteer board member, does the framework help or is it just more noise to wade through? Leave a comment and let me know.

References and Further Reading

  1. Alberta has a great worksheet to determine if nonprofits need to comply with PIPA. Even if you are not required to comply, consider adopting PIPA as a best practice: https://www.alberta.ca/personal-information-for-non-profits-and-other-organizations.
  2. This includes Name, Address, and Email. Treat Birth Date, Home Address, and Financial Information as Limburger cheese – keep, use, and dispose of as fast as possible. Treat collecting information on Children, Credit Card Numbers, vacation dates, etc. as Radioactive Limburger. https://kings-printer.alberta.ca/570.cfm?frm_isbn=9780779843312&search_by=link.
