That is a question to ask an online privacy attorney in your jurisdiction. Nothing in this blog post is legal advice. This is a general answer intended to help you begin answering this important question about online membership directories, in accordance with our terms of service and disclaimer.
Want the short answer? Yes, you can have a legal online membership directory for your church, club, professional organization, alumni association or other entity. You need to properly handle consent, access and security. If your members are wanting to connect with one another, offer them a secure platform through which they can individually choose to share their own information, or not, as they wish.
Want the magic wand so you don’t have to worry about not getting fined or sued or violating the rights of people who trusted you? While there is no magic wand, I can tell you that to do this right, you should start by focusing on three things.
In this blog, I’ll run through the basics, including a thought experiment to get you thinking about this for yourself, and a client testimonial that will give you pause, in order to help you decide your organization’s practices. Okay? Let’s do this.
Table of contents
What is personally identifiable information (PII)?
Membership directories contain what is known as personally-identifiable information (PII). PII comprise data which are, to varying degrees, able to identify an individual person. (Yeah, this is an uninteresting and obvious legal term.) The formal definition may also vary by jurisdiction.
Some examples of PII include name, date of birth, and address. Contact information such as email address and phone number are also to be treated as PII.
Some PII need other PII to function as PII, but taken together hold increased value as PII and require further safeguarding. For example, suppose you live at 123 Main Street. Somebody who knows that you live on Main Street will find the “123” data more valuable. Somebody who does not know which municipality we’re in will not find 123 Main Street as valuable as someone who does.
It’s all PII, and a membership directory that also includes your full name, along with other information such as name of partner, date of birth, phone number, and email, and squishes it all together then creates a collection of information that your organization definitely needs to protect.
When handling the PII of your members, you need to consider at least three things: consent, data protection and data privacy.
What is consent?
Consent says that individuals have rights to privacy over their PII and who has access to it. Among other rights, they must give your organization permission to store their PII to begin with, and to know how you will use their PII, who will have access to it at any point in time, and how they can revoke their consent and even remove their PII from your database.
If we built your website and your site has membership features, this will be addressed by opt-in consent at the time that individual users register on your website, by members having access to edit, update, and/or to remove their PII at any time, and by having a complete set of auto-updating legal documents provided by Termageddon, policies which advise your members about how you will store, share, and protect their data.
What is data protection?
Data protection is like the bouncers outside the club keeping away the bad guys, prohibiting unapproved access. Data protection usually involves things like having secure databases in which information is stored, and a website that is protected, with multiple levels of tools and policies, from bad actors gaining access to the backend.
What is data privacy?
Data privacy is like the bouncers outside the club deciding who gets to enter, because this is about approved admittance, something generally known as authorized access to personally identifiable information.
In the case of an online membership directory, who gets to access this information within your organization? Let’s think about this in terms of you as a community member somewhere, rather than you as a business owner or leader in a nonprofit organization. This is a thought exercise, designed to help you understand data privacy for your organization. Ready?
Suppose you join a gym, and they have an online membership portal, which you complete when you join. You enter you name, address, email, phone number, and maybe some of your fitness goals. And you consent to them storing this information, because you want them to know this about you so that they can do what they do.
Okay. Well, who in the gym should get that information? The owners will have it, as will their IT staff who maintain the database. Should all the trainers get access or just the trainers you work with? What about other staff?
The front desk needs some information for security reasons. The marketing team wants to send you mailings. The billing department needs to send you invoices and receipts. What about the staff who do building maintenance, should they have access to your home address and phone number?
If we did not build your site and you are interested in discussing your options for a more compliant online presence, contact us to schedule a conversation.
You may also be interested in reading our About Legal Policies write-up for more information about the legal policies needed on websites.
What about sharing our directory?
As you can see especially from the data privacy discussion above, it’s debatable whether all staff should have access to the PII in the membership directory, but certainly many staff do need access to perform the functions of the organization. But we are not done considering data privacy, right? What about sharing among members?
Should other members have access to this directory information? Let’s continue the thought experiment we began with the data privacy discussion, about you having joined a gym. What if you want to make friends at this gym? What if you start a walking group and need to coordinate the schedule and formalize it as a part of the gym’s activities?
As a member, you might feel that you need access to other member’s PII in order to build community. But does that mean the gym should let you have access to their entire membership directory? Can you think of reasons why this is problematic?
Why might some members not want all other members to have complete access to their home address, email, phone number, and whatever else is contained in a directory, even though they did consent to it being stored by the organization? Is every single person in that gym a safe person to every other person, to the extent that everyone can know where everyone else lives?
That level of access to other people’s personal information should feel wrong to you, because it would be wrong.
Who’s allowed access to your membership directory is a very important question, with legal ramifications in terms of privacy laws, as well as justice implications in terms of doing the right thing by not betraying your members by revealing their personally-identifiable information to every other contact in your database.
We recently had a conversation with a client about an experience they had with an online membership directory for alumni, and we are sharing their anonymized experience here with their permission, because it illustrates how good intentions on the part of an institution can go very wrong when it comes to membership directories and sharing PII.
Our client received an email one day from the alumni association of where she went to school, which is a large university. The email had a party-like tone to its marketing, celebrating the launch of their alumni directory, and inviting our client to log in and check it out. What she discovered upon logging in was that her alma mater had not only betrayed her trust but put her life at risk.
You see, our client had ended an abusive marriage. She met her ex-partner in school. They are both alumni, and so they both received this same happy email celebrating the launch of this new “alumni networking” site. And our client logged in only to be met with her current home address, email, and phone number displayed in that membership directory.
She immediately contacted the university’s alumni association. How did they respond? They happily told her, “Oh, don’t worry. Only other alumni can access it!”
It took her weeks but finally she got them to remove her contact information from their directory, but the damage was done as soon as they released her personally-identifiable information to their entire membership without her consent.
It’s wrong. And organizations that do this sort of thing probably do not intend harm, but they may be putting lives at risk. And that is why, in the United States, people have legal rights to the privacy of their PII, and to consent about when it is shared, and this is why you, as an organization, have a duty to safeguard the PII of your members through proper data privacy and data protection practices.
“What should we do?”
We advise you to get these questions answered by an online privacy attorney in your jurisdiction. In the meantime, our best advice, based on our experience as data privacy experts who are non-attorneys is to restrict access to your membership directory to the staff and other elected and appointed leadership within your organization who need to access this PII in order to carry out the functions of your organization – i.e. the person who sends out mailings will need to access the names and mailing addresses to do so.
We urge you to not betray the trust of your membership by giving away their data, even if you think that “just giving it to other members” is somehow okay, even if you know of other organizations who have violated their members’ rights to this extent, and even if you don’t care about the legal risks that disseminating your member’s PII would entail.
And have a system in place that prioritizes consent, data protection, and data privacy, so that when a member who means well wants to contact another member, you can facilitate that community-building without breaking the law or violating people’s trust and privacy rights.
Nothing stops members from giving their contact information to one another as they wish. This is all about the information that you hold as an organization, that members have trusted you to safeguard, and that comes with a lot of responsibility. And unless they are completely irrational, your members will appreciate the care and concern you put into protecting their rights and their privacy.
Where we stand
It’s your job to help your membership understand what you are doing when you restrict access to your online directory to those in leadership roles who need to access it.
It can help to remind them that while welcoming people into your community is great, giving the complete contact information of every single person in your directory to every single other person who comes in your doors puts people at risk, does harm, and opens your organization up to a lot of liability. It is because you care about the safety of your members, in addition to their rights, that there is not such open access to your membership directory.
If we manage your website, we cannot allow such a data breach and violation of member privacy to occur, as we are unwilling to be a part of the potential liability that would ensue.
If your site is on one of our management plans and you decide to share your membership directory to this extent, that would constitute an intentional data privacy breach of the PII of your membership, which would exceed the scope of what we can manage, and would create liability we are unwilling to share with you. In short, you would need to find another provider to manage your site.
You wouldn’t be our client if we didn’t think you cared about your own. Hopefully this detailed write-up has been useful in helping you understand that protecting the PII of your membership is caring for them. Help them to build community and to share their contact information amongst themselves between individuals in a way that builds community, is legal, and respects everyone’s rights.