Our treasurer has directed us to include client names, contact information, and reason for intervention on our weekly activity reports. These reports go to the finance department and are seen by the bookkeeper, accountant, and finance committee. She said the information is necessary to back-up our outcomes reports. Our clients see us on very sensitive issues, and the client files have always been treated as confidential.

First, no board member at any organization can order staff to do anything on their own. It is usually politic to comply with board member requests, but only the full board can make decisions for the organization. Those decisions sometimes involve delegating limited authority to certain directors, such as the treasurer, but that delegated authority should not include making policy.

You should ask if the board passed a motion about the new policy. It might have passed a general motion about future reporting requirements without getting into detail. Was the board told that the changes would violate the organization’s privacy policy and perhaps privacy law? Was it told that clients might stop coming if they knew their information was going to be seen by people not involved in providing service to them? Is the decision being misinterpreted? The executive director should be able to explain what happened, and go back to the board if its decision is causing unexpected problems. In the interim, implementing the policy should be delayed. The issues are too serious.

Client files cannot be 100% confidential. Someone may need to cover if the social worker who usually handles the file is away. A peer review system may be in place for quality control or performance review purposes. These uses are part of providing service to the client. Some health-related government programs require demographic information as part of a funding arrangement, and must ensure that privacy requirements are met in that transfer of information.

None of this justifies giving personal data to the bookkeeper. If there is a need to track the number of unique clients served and types of services, the records could use client numbers and service codes. The organization can put a system in place to control access to identifying data.

By the way, even though board members should sign confidentiality agreements, most organizations avoid including client names in any communications with the board. They should not need that information to make strategic decisions, and it is just too easy to let a name slip out inadvertently in a public setting. Government departments avoid giving names to Cabinet ministers for the same reason.

An ethical nonprofit, particularly one dealing with sensitive personal information, should do a comprehensive privacy assessment. See if you can get your organization to defer the treasurer’s request until there is a proper review of privacy policy, issues, and processes. Privacy laws vary by jurisdiction so ensure that the organization is using the right one for minimum legal compliance decisions. It may be appropriate to exceed minimum requirements to meet the expectations of your clients and other stakeholders. You cannot achieve your mission if your organization is not trusted.

Since 1992, Jane Garthson has dedicated her consulting and training business to creating better futures for our communities and organizations through values-based leadership. She is a respected international voice on governance, strategic thinking and ethics. Jane can be reached at jane@garthsonleadership.ca.

To submit a dilemma for a future column, or to comment on a previous one, please contact editor@charityvillage.com. For paid professional advice about an urgent or complex situation, contact Jane directly.

Disclaimer: Advice and recommendations are based on limited information provided and should be used as a guideline only. Neither the author nor CharityVillage.com make any warranty, express or implied, or assume any legal liability for accuracy, completeness, or usefulness of any information provided in whole or in part within this article.