Ethics and Compliance Toolkit

This toolkit serves as a reference for all Apra members and others, including but not limited to researchers, data analysts, and development officers. Click each of the links below for more information.

Please view the 2020 Ethics and Compliance Committee roster and contact information online here.

Prospect Development

Prospect development is the collection and analysis of information used to identify and enhance partnerships, connections and interests between institutions and others with the goal of advancing an organization's mission and fundraising efforts. Prospect development activities include research, data science, and relationship management.

Prospect development helps organizations determine the following:

  • Who and when to ask and/or engage?
  • For what project or initiative?
  • For what size and type of gift?

Prospect development helps further the relationship between development officers as agents of an organization's mission and prospective donors for long-term effects.

Ethics in Prospect Development


All fundraising professionals should support and further an individual's fundamental right to privacy and protect the confidential information of their institutions. Fundraising professionals should be committed to the ethical collection and use of information and follow all applicable global, national, state, and local laws, as well as institutional policies governing the collection, use, maintenance, and dissemination of information in the pursuit of the missions of their institutions. See Ethics Principles of Ethics and Compliance. Four fundamental principles provide the foundation for the ethical conduct of prospect development: integrity, accountability, practice, and conflict of interest.

  • Integrity – Be truthful and transparent with respect to your personal identity and purpose and the identity of your institution during the course of your work. Continually strive to increase the recognition and respect of the fundraising, advancement, and development professions.
  • Accountability – Respect the privacy of donors and prospects and conduct your work with the highest level of discretion. Adhere to all applicable laws and all policies of your organization. Conduct yourself in the utmost professional manner in accordance with the standards of your organization.
  • Practice – Ensure your work is as accurate as possible. Only record data appropriate to the fundraising process and protect the confidentiality of all personal information at all times.
  • Conflicts of Interest – Avoid competing professional or personal interests. A conflict of interest can create an appearance of impropriety that can undermine confidence in an individual, their organization, and the profession.

Ethics in Social Media


In the conduct of their work, prospect researchers and fundraising professionals must balance an individual’s right to privacy with the business needs of the institution to collect, analyze, record, maintain, use, and disseminate information. Social media outlets create extraordinary opportunities for the practice of prospect research. However, because users are not passive participants in social media, but engage with and participate in it both personally and professionally, the use of social media presents unique challenges in the ethical conduct of research. These guidelines have been created to assist professionals in making ethical choices about the use of social media in their fundraising research activities. See Social Media Guidelines.

  • Integrity – Exercise transparency with respect to your identities, the identity of your institution, your relationship with it, and to the purpose of your online presence and communication. Institutional guidelines regarding social media use should be adhered to. All communication should be truthful, and respect other third-party rights in online space. Be mindful, professional, and respectful regarding all content shared. Remember that social media content is public and permanent.
  • Accountability – Respect the privacy of individuals and conduct your work with the highest level of professionalism and discretion. Maintain appropriate boundaries when gathering and sharing information. All information gathered from social media sites should be considered confidential and be shared only with authorized staff as part of standard business operations. No private or confidential institutional or individual information should be posted, shared, or disclosed to the public without specific authorization.
  • Practice – When gathering, communicating, storing, and protecting information, take all necessary precautions, and comply with federal, state, and institutional regulations. Only record and disclose information that is appropriate to fundraising activities and can be used for fundraising purposes and stored legally in your organization’s database. Information gathered via social media should be verified by other sources to ensure it is as accurate as possible.
  • Conduct – As social media is highly relational and publicly-available, the use of this social media should adhere to the highest standards of professional communication and fundraising. Development professionals shall conduct themselves in a manner that encourages positive relationships with the institution they represent and assists in achieving its goals. Be mindful that information posted in one context may be publicized in another. Members should always be aware that they are accountable for all online behavior, and adhere to all standards of professional conduct and business practices.
  • Do not create fake profiles on social media platforms. The practice is deceptive and therefore unacceptable. See Apra’s Social Media Guidelines for additional information regarding ethics and social media research practices.

LinkedIn Guidelines

Sharing Prospect Development Information and Data


Prospect development reports should be used as internal documents only and are not intended for public distribution or for publication. Prospect development, including research, relationship management, and analytics, is intended to inform and assist fundraising activities. Such information is for internal use only and should always be considered confidential. When shared internally, one should utilize secure methods for distribution and disposal and only share information in accordance with organizational policies and procedures.

Best Practice:

  • Set internal guidelines regarding methods of sharing confidential data internally, such as using a secure file sharing server or password protecting files when sending via email. If your organization has already established guidelines for sharing data internally, comply with such guidelines and include such policies and procedures within your own department’s processes.

Due to its highly confidential nature, any biographical information gathered through prospect development should not be used as an introduction for donors or prospective donors at a public function or published without the donors’/prospective donors’ explicit consent.

Best Practice:

  • Call a prospect for his/her official picture and bio. This gives development officers an opportunity to further connect with the prospect and gives that prospect a way to share his/her accomplishments.

List Collection


Use care when collecting, researching, and distributing list information as you would with any other prospect development document, data, or information.

  • In higher education, gathering lists from Financial Aid in accordance with university procedures is acceptable.
  • Gathering lists from your organization (including but not limited to, supporters/members, performance attendees, event attendees, etc.) is an acceptable practice.
  • Gathering lists from outside organizations (for proactive prospecting) is an acceptable practice, but one must comply with country, state, and local laws regarding data harvesting and/or scraping. Some websites and services have permissible use policies which should also be evaluated. However, the law will always take precedence over such terms of use.

List Collection – using FEC Data


  • Under the United States’ Federal Election Campaign Act (the Act), information about individual contributors taken from Federal Election Commission (FEC or Commission) reports cannot be sold or used for soliciting contributions (including any political or charitable contribution) or for any commercial purpose. To protect the privacy of individual contributors, the Act prohibits the sale or use of any information about those donors, including their names and addresses, for the purpose of soliciting contributions or for commercial purposes. Commission regulations also prohibit the use of this information to solicit donations, including charitable donations.
  • This restriction applies only to the use of individual contributor information. Any person may compile and sell the names of political committees. Additionally, Commission regulations provide that the restriction does not apply to the use of individual contributor information in newspapers, magazines, books or similar communications, as long as the principal purpose of the communication is not to solicit contributions or conduct commercial activity.
  • While prior advice from Apra’s Ethics & Compliance Committee suggested looking up political contribution data for an organization’s donors/prospective donors was not in violation of the Act, the strict interpretation of the above language directs otherwise. Additionally, FEC Record, Outreach, November 2, 2018, further confirmed the use of any information obtained from FEC reports about individual contributors for the purpose of soliciting contributions is in violation of the Act. The November 2, 2018, publication can be viewed here. The specific section of the CFR pertaining to the sale or use restriction can be viewed here. Federal Election Campaign Act (FECA) amendments and legislative recommendations to Congress can be viewed here. Advisory opinions from the FEC can be searched here.

Contact Information Sharing


  • Contact information should be used for specific internal purposes only.
  • Never share constituents’ personal information with anyone outside of your department, unless you have specific organizational policies and processes in place to do so and then share only for specific and time-limited uses (e.g., event list, prospecting, etc.). Such internal policies should include identification of noncompliance and remediation steps.
  • A confidentiality statement/disclaimer should be appended to the shared information to make sure recipients adhere to privacy and security standards (e.g., “By possessing this document, I acknowledge my responsibility for maintaining the confidentiality, integrity, and application of this data; I agree to store, transmit, and dispose of this document securely; and I agree to share only with authorized users in a secure manner.”)

Controlled Access to Information


In the conduct of work, fundraising professionals must consider who has access to personally identifiable information (PII) and financial data that is collected during the process of research within the organization.

  • Does the organization have a policy regarding what security measures are in place to protect stored information?
  • Does the organization have guidelines and safeguards in place to control access to such information?
  • Are there safeguards in place to end access to information when a professional leaves the organization?

Best Practice:

  • Work with your organization’s privacy and security specialists to determine the best method of sharing prospect development information within your organization and for help developing a data classification matrix.
  • See Apra’s Ethics Guidelines for considerations for writing your own confidentiality statement.

Social Security Numbers


United States’ Social Security Numbers are considered personally identifiable information (PII). As such, one must adhere to all regulations governing the use of Social Security Numbers, whether set at the organization level or by the laws of the donors’/prospective donors’ country and/or state of residence.

Net Worth


"Net worth implies knowing about someone’s liabilities in addition to their assets. As prospect researchers, we only have information available to us, which is in the public domain. For example, we never access credit reports, meaning we don’t have access to the debt that is carried by an individual. Therefore, a true picture of net worth is not really possible." From The NonProfit Times, "NPT Blog: Prospect Research: It's More Than Net Worth," Maria Semple, 11/8/2013.

If the phrase “net worth” is used, it should be SOURCED (for example, Larkspur Data reports an estimated net worth of $10M - $19.9M, 2/18/2018).

Obtaining and Using Emails from Outside your Organization


Best Practices include:

  • See ePhilanthropy email ethics policy as well as related documents including but not limited to, CASE, AFP, and AASP.
  • The ePhilanthropy Foundation, which was acquired by Network for Good in 2008, provided for a code of ethics which included processes for an always online world. This code remains relevant and, in part, stated as a best practice: “Provide either an ‘opt in’ or ‘opt out’ mechanism to prevent unsolicited communications or solicitations by organizations that obtain email addresses directly from the donor. Should lists be rented or exchanged, only those verified as having been obtained through donors or prospects ‘opting in’ will be used by a charity.” See also Network for Good, ePhilanthropy Code of Ethics.
  • Additional organizations, such as Council for the Advancement and Support of Education (CASE), Association of Fundraising Professionals (AFP), and Association of Advancement Services Professionals (AASP) provide guidance regarding the ethical use of email addresses.
  • Unless your organization already has a relationship with the individual, do not email them other than with an introductory note offering them an opt-out.
  • In higher education, membership programs, schools, and colleges may collect emails and, if their use of such emails is clearly stated to be in compliance with FERPA, then, in theory there is no ethical issue. An opt-out should be included in all email correspondence.
  • Healthcare institutions may collect email addresses from patients, and, if the institution’s use of such email addresses is clearly stated to be in compliance with HIPAA, CDN, etc., then in theory there are no ethical issues. Patients, or their guarantors, are required to be given the opportunity to opt-out of any email communications from the healthcare institution, for fundraising purposes, and that opportunity must be “clear and conspicuous” on any form reviewed/signed by the patient/guarantor.
  • Save the opt-in from the prospect and include the date, so you can reference the communication if needed.
  • On a practical note:
    • Consider how the email address was located. If the prospect did not provide the email address which was obtained by your organization under different circumstances, will reaching out to the prospect through that email address jeopardize any future or current relationship with the prospect? Best practices suggest using communication avenues which already exist for your organization to reach said prospect.
    • If you do contact a prospect using a “found/harvested” email, anticipate the prospect asking, "How did you get my email address?" If you can't answer that in a reassuring way, it is advised to not use that email.
    • Consider not using emails such as Gmail, AOL, Yahoo!, etc., which are more likely to be personal accounts.
    • You can use information from a vendor to confirm emails from public sites.
    • If you can’t find an email address, find other means of communication (e.g., phone, LinkedIn InMail, snail mail letter).

Working with Vendors


When evaluating prospect development tools offered by vendors, conduct due diligence regarding the company as well.

  • Gather information regarding the vendor’s history of success within our sector as well as the vendor’s reputation as a good data steward.
  • Pay close attention to the terms and conditions of your vendor’s agreement, specifically with regard to how they will handle your organization’s data, as well as liability for using specific data and/or for breaches. Inquire regarding the vendor’s data retention and disposal policy.
  • The Apra Ethics and Compliance Committee does not endorse products. Instead, it is recommended you evaluate the possible ethical issues of a vendor/product in the context of your own organization and personal ethical values, including any legal considerations. Conferring with your organization’s internal legal counsel for advice/opinion on products/vendors and terms of service is also advised.

Working with Development Officers


Make sure your development officers understand the confidential nature of all prospect development documents and the best practices for their use.

Best Practice:

Set up guidelines/templates for development officers so they know what you need from them to conduct a smart search. For example:

  • Prospect Research Request Template:
    • Name
    • Home Address, City, State
    • Employer/Title
    • Please include any other information you may know about the prospect/donor (e.g., family relations, hobbies/interests, professional and/or community affiliations, etc.)
    • Is there certain information that you are specifically interested in?

Customization for your Organization


Create a statement of ethics and confidentiality for your organization or for your department. A sample code of ethics, as well as a template, may be found here.

  • Create a profile header/footer that indicates its confidentiality and intentions for use.
    • Examples of headers/footers:
      • By possessing this document, I acknowledge my responsibility for maintaining the confidentiality, integrity, and application of this data; I agree to store, transmit, and dispose of this document securely; and I agree only to share with authorized users in a secure manner.
      • This document contains confidential information and was prepared only for use by YOUR ORGANIZATION NAME staff and volunteers. The information was obtained from public sources, interviews, and/or internal records. Information contained in this document was confirmed via publicly-available resources; however, some of the sources may contain errors and omissions. Corrections and additions should be sent to YOUR NAME/EMAIL OR YOUR SUPERVISOR’S NAME/EMAIL.

Prospect Research Links of Interest

Apra Partners in Fundraising


Apra is the premier international organization serving professionals in Prospect Development, the strategic arm of an organization’s fundraising operation. Apra provides leading-edge educational and networking opportunities, establishes and promotes high professional standards and ethical guidelines, and serves as a representative voice for the profession.

Apra Ethics and Professional Standards


Established in 2014, this guide is designed to help each organization develop a tailored system that will ensure the confidentiality and security of information and materials involved in the work of prospect development professionals and the organizations for which we work.

Apra Social Media Ethics Statement


Approved in 2013, the Social Media Ethics Statement was created to assist Apra members in making ethical choices about the use of data gathered from social media in their fundraising research activities. The Apra Social Media Ethics Statement follows immediately after the Apra Code of Ethics on this webpage.

AFP Code of Ethical Standards


Adopted in 1964 and amended in 2014, the Association of Fundraising Professionals (AFP) Code of Ethical Standards is designed to help development officers adhere to the highest standards of ethical behavior in their fundraising work. These standards include treatment of confidential and proprietary information.

ANA (Association of National Advertisers)


Ethics & Compliance Resources

  • The Direct Marketing Association (DMA) and the Association of National Advertisers (ANA) merged to form one association (ANA). The association provides resources regarding email marketing regulations:
    • Marketing permissions guidance, including usage of email addresses, can be explored here.
    • Additionally, the ANA Nonprofit Federation website provides Ethics & Policy Resources for Nonprofits, including an update on privacy and data usage legislation, such as GDPR and the CCPA.

CAN-SPAM Rule, Federal Trade Commission


The CAN-SPAM Act requires the Commission to issue regulations “defining the relevant criteria to facilitate the determination of the primary purpose of an electronic mail message.” The CAN-SPAM Act applies almost exclusively to “commercial electronic mail messages.”



The United States’ Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted primarily to modernize the flow of healthcare information, stipulate how Personally Identifiable Information (PII) maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and address limitations on healthcare insurance coverage. Title II of HIPAA establishes policies and procedures for maintaining the privacy and the security of individually identifiable health information, outlines numerous offenses relating to health care, and establishes civil and criminal penalties for violations.



The Family Educational Rights and Privacy Act (FERPA) is a United States Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. Under FERPA individuals can request that their directory information not be released to third parties. Universities are allowed to define “directory information,” so check your university’s policies to find out which data elements are covered at your organization. Individuals who have blocked their directory information from release should be clearly flagged in databases and users should be educated in the protection of this information.

Digital Impact


Managing and governing digital data in ways that advance your mission and respect the rights of the people you serve is a core capacity of foundations and nonprofits. While digital data hold tremendous promise for how we do our work in the social sector, they also raise new challenges. Digital data should be viewed as both an asset and a liability. This site, produced by the Stanford Center on Philanthropy and Civil Society, allows an organization to explore its necessity for various data policies. 

The Privacy Act of 1974


The Privacy Act of 1974 establishes a code of fair information practices that governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by federal agencies. A system of records is a group of records under the control of an agency from which information is retrieved by the name of the individual or by some identifier assigned to the individual.



Personally identifiable Information (PII) is defined as "information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc."

Donor Bill of Rights


The Donor Bill of Rights was created by the Association of Fundraising Professionals (AFP), the Association for Healthcare Philanthropy (AHP), the Council for Advancement and Support of Education (CASE), and the Giving Institute: Leading Consultants to Non-Profits. It has been endorsed by numerous organizations.

Additionally, AFP established the eDonor Bill of Rights to address concerns and challenges arising from Internet charitable giving.

United Nations Conference on Trade and Development, Data Protection and Privacy Legislation Worldwide


The United Nations Conference on Trade and Development has assembled a website which keeps track of all data protection and privacy legislation around the world. One can download links to all of the legislation from each country. The site also provides an interactive world map.

California Consumer Privacy Act


The California Consumer Privacy Act of 2018 (CCPA) grants California residents rights with respect to the collection of their personal data. While nonprofit organizations are currently excluded entities, the CCPA does impact third-party data vendors. The CCPA applies to businesses whether or not the business is physically located in California.

EU and Canadian Links


Apra Canada


Apra Canada has prepared links to a number of privacy guidelines used throughout Canada and its charitable organizations. The guidelines were compiled by a privacy working group from Apra, AHP (Association for Healthcare Philanthropy), AFP (Association of Fundraising Professionals), and the CCP (Canadian Centre for Philanthropy, Imagine Canada). To access these Canadian privacy documents, please go to the Apra Canada Privacy Tool Kit. You do not need to be a member of Apra Canada to access this kit.

CASL Canada’s Anti-Spam Law




Personal Information Protection and Electronic Documents Act, PIPEDA is a Canadian law relating to data privacy. It governs how private sector organizations collect, use and disclose personal information in the course of commercial business. In addition, the Act contains various provisions to facilitate the use of electronic documents.

Advancement Services in the European Market




How to keep track of what’s new with GDPR

Additional Resources:

The ICO recommends conducting a Data Protection Impact Assessment (DPIA) to better understand how your organization uses and processes personal data and to identify any weaknesses in GDPR compliance and practices that need to be addressed. The ICO has produced some guidance on conducting DPIAs below:

ICO (UK) Information Commissioner’s Office


The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

The Institute of Fundraising (IOF); The Code of Fundraising Practice


The Code of Fundraising Practice represents the standards expected of all Institute of Fundraising members, set by the fundraising community through the work of the Institute of Fundraising’s Standards Committee.

Researchers in Fundraising (RiF)


Researchers in Fundraising (RiF) is a Special Interest Group of the Institute of Fundraising and is the leading representative body for prospect researchers in the UK.

EU & the Privacy Shield


The US Federal Trade Commission, which regulates the Privacy Shield, does not have jurisdiction over most nonprofits.

The Freedom of Information Act


The Freedom of Information Act provides public access to information held by public authorities. Public authorities are obliged to publish certain information about their activities; and members of the public are entitled to request information from public authorities.

The Guide to Data Protection


Here is a guide for those who have day-to-day responsibility for data protection.