Privacy Best Practices
We encourage you to think about privacy best practices at every step of implementing your program. You will inevitably be providing cash to vulnerable individuals who need you to be a vigilant steward of their personal information.
Whenever you collect personal information, you become responsible for protecting it. This means safeguarding the information and communicating transparently about how it will be used and managed. There are a number of privacy best practices that you should use to protect the personal information that you’ll collect and manage as part of your program. We consulted with privacy experts to gather best practices for this document, which we’ve included as Q&A below.
Q: How do I protect personal information? Is there a checklist of what to collect and what not to collect that I can follow?
A: The best way to protect personal information is to not collect it in the first place; you should only collect information that you need to process the cash transfer. The types of information that you need will be unique to the eligibility and reporting requirements of your program—there is no one-size-fits-all checklist. But when setting up your application, ask whether the information you're requesting is necessary to process the payment. If not, then the best privacy practice would be to leave it out.
Another privacy best practice is to get rid of data as soon as you no longer need it. Learn more about how your state performs auditing to understand what information you might want to hold on to for tax reporting reasons (to show that you distributed the funds as you said that you would). If you are distributing one-time payment cards, could the card ID number be enough of a record once the money has been allocated? Do you need to retain personally identifiable information about the recipients?
Q: Should I trust software applications by large tech companies with our sensitive data?
A: Well-resourced companies like Google, Stripe, PayPal, Salesforce, etc. incorporate cybersecurity practices into their software and services. They also have to comply with a variety of federal privacy and security regulations. Depending on your goals, you may not have many options. If you do use their products, reduce the number of people who have access to personal information. Ask yourself: do all of your team members need access to records? Probably not. If you are partnering with other organizations, do they need access to personal information? If you are using GSuite, check your default access settings and make sure that you’re only granting access to those who need it.
If you want to know more about data sharing policies by major tech companies whose products you may use, you can read more at Google’s Transparency Report page, which includes transparency reports for many of the products that you might use.
Q: Are there other privacy concerns for cash assistance programs to think about?
A: Outside of protecting digital data, it’s also important to keep fund distribution discreet. You don’t want to create new risks for anyone. Think about how you maintain privacy when interacting with applicants and cash recipients. Those who participate in your program will likely have preferences around how they receive their funds—listen to them and shape your outreach and distribution strategies accordingly.