As the only Service Tracking Platform to join the National Student Data Privacy Consortium, MobileServe takes student data privacy obligations seriously. Properly accounting for specific compliance requirements (COPPA, FERPA, PCI and Data Privacy Agreements) should be a top priority for all EdTech vendors. Let's explore the data obligations you and your software provider may have.
Volunteer service data can take many forms. For academic programs, volunteer service data may include student emails, phone numbers and IDs. For others, volunteer service data may include consent documentation or background checks. Still others may maintain credit card data on gifts made by volunteers. Your unique setup may mean unique obligations.
Maintaining Youth Volunteer Data
If you are reading this, your program likely tracks volunteer service data or uses a third party to track volunteer service data. When tracking and housing youth data digitally, the Federal Trade Commission provides specific guidance for users under the age of 13 via the Children's Online Privacy Protection Act of 1998, commonly referred to as COPPA. As explained in the COPPA compliance survey, if data as basic as the child's name or email is being stored for children 12 or under, a site must:
- "obtain verifiable parental consent before collecting, using or disclosing personal information about a child or before allowing children to open an email account"
- "Establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of children’s personal information."
What to Ask: "Is your service software fully COPPA compliant to handle youth data?"
Who to Ask: Any software vendor storing data on youth volunteers.
If you are curious about COPPA compliance, we would be happy to share the compliance measures built into the MobileServe platform.
Data Privacy Agreements
How often are you emailing volunteer service data? UC Irvine provides guidelines that specifically advise against emailing data because it carries more risks than most people realize:
- Sending data through email is not secure.
- You are now storing sensitive data on your device and possibly in your sent email folder.
- You no longer have control over your sensitive data.
- Your sensitive data may be forwarded on to non-secure platforms.
It is unrealistic to think volunteer service data will never be transferred via email. For repetitive data transfers (e.g., creating new volunteer accounts or removing volunteer accounts), direct integrations offer a more secure and more convenient way to transfer data. Direct integrations reduce risk by providing secure data links and save time by happening automatically, something we can all use more of! But, in general, asking your software vendor if they will sign a data privacy agreement is a minimum request.
What to Ask: "Have you signed a data privacy document?"
Who to Ask: Any software vendor receiving or sending your volunteer data.
If you are curious, we are happy to talk about the National Data Privacy Agreement MobileServe has signed to be accepted into the Student Data Privacy Consortium - one of the largest student data consortiums in the world.
Keeping volunteer service data FERPA compliant often takes a multi-front approach. If you are a school welcoming parent volunteers, consider which student data volunteers may access while helping on campus. If volunteers may come across personally identifiable information (PII), the U.S. Department of Education provides a 3-minute video to understand how volunteers should handle PII in the course of their volunteer service.
When it comes to disclosing student volunteer data to nonprofits or software providers, the U.S. Department of Education provides the 15-page Family Educational Rights and Privacy Act Guidance on Sharing Information with Community-Organizations. Although a little less user-friendly than a 3-minute video, the document covers a multitude of commonly asked questions.
What to Ask: "Are you aware of your FERPA obligations?"
Who to Ask: Volunteers coming to campus and software vendors receiving or sending your volunteer data.
Payment Card Industry (PCI) Compliance
This one is especially for programs maintaining credit card information. This most often happens when a volunteer makes a donation, but it may also be parents paying a fine for missed family service hours. We all know at least one person who has opened a file cabinet and found credit card numbers on a sticky note in a volunteer file!
As described by PCIComplianceGuide.org, "The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment." Because most credit card gifts now happen directly via the website, credit card data is most commonly stored by payment processors. For that reason, PCI conversations in volunteering nowadays most often center around removing noncompliant sticky notes from archived volunteer files!
Protecting volunteer service data is a responsibility we all share. Please contact our team if we can be a resource in improving your data integrity.
*Please note: MobileServe does not offer legal advice. Please consult your legal advisor for any specific compliance questions.*