Apps. There’s a ton of them. Need to track your most recent run? There’s an app for that. Want to keep track of your expenses? There’s an app for that. Need to go to the bathroom in the middle of a movie and don’t want to miss out on any of the action? There’s an app for that.
We all know there are plenty of smart phone apps out there, but do we really understand what they do once they are downloaded onto your phone?
This past week, Facebook, Apple, Twitter, Yelp and fourteen other social media sites were listed in a lawsuit for distributing “privacy-invading” applications. According to a PC World article, these applications are accused of collecting user address book data and storing it on their servers without the user knowing.
This issue is at the top of many minds in the technology field as just last month, the popular social network Path issued a public apology after it was discovered the company used address book data to notify users when their friends had joined the network.
So what does this mean for your non-profit agency? Well, not much if your agency doesn’t allow staff members to use data-based applications on their phones. I am guessing, though, that nowadays that is a rarity.
When I read stories like this, I often think of non-profit organizations that deal with HIPAA on a daily basis. Many of the employees may have access to company smart phones that allow employees to check in on email while away from the office. Or what if the agency doesn’t supply cell phones and staff members use their personal cell phones to update the organization’s Facebook page?
Phones are so smart these days that . . .
- information from the email the staff person replied to,
- the new Facebook friend that was just confirmed, and
- the phone call that was just made
might be added to the phone’s address book and sent to third-party servers without the user even being aware.
In the case of the HIPAA-abiding non-profit (and even those who wish to protect board member and donor information), there could be a violation without anyone’s knowledge.
Even if your agency doesn’t need to protect the identity of their clients, do you really want address book information being shared without your knowledge? These days, with security breaches more rampant, you can’t take privacy seriously enough.
So what can we do?
Decide if your organization really needs to use cell phones. Yes, it is nice for staff members, but is it necessary? Can you get by without them? A radical idea, but it just might be the right one.
If you decide that cell phones are needed, consider providing them only for “necessary staff” instead of allowing staff to use their personal phones. I know this costs money; however, it ensures more control over the use of the phone on behalf of the agency.
Also, consider what type of phone is needed. Does the user really need all of the bells and whistles of an iPhone or can she be as productive with an older generation Android device?
In addition, regardless of whether phones are being provided by the agency or not, a clear and strict technology policy must be in place and understood by all employees.
If staff members are provided smart phones, what applications can they use? If it is decided that apps can be downloaded to agency phones, then make sure the person overseeing the policy reads up on the privacy policies of the allowed apps. Most of them can be found online in either the iTunes App Store or Google Play Store. Keep in mind that these policies can change.
Audit your agency’s technology. If your organization currently allows staff members to use their personal phones, there is not much you can do other than make them aware of the issue of apps and how they can compromise your clients’ privacy. However, on phones provided by your agency, see if any of these applications are already downloaded and check out their settings to see if any sharing options can be turned off. When in doubt, hard reset the phone and start all over.
I will be the first to admit that managing the technology of business is not easy. And these privacy concerns do not make it any easier. However, until applications stop sharing information, taking the time to address these issues now could mean avoiding a sticky legal situation later.