Managing Technology Use Risks

Every nonprofit should adopt a policy covering both the privacy aspects of technology use by employee and appropriate use issues. The potential harm to a nonprofit stemming from employee misuse of technology is staggering. The results range from civil and criminal penalties for software piracy to third-party liability for client-privacy violations and irreparable damage to the nonprofit's reputation.

Policy goals

Critical goals of a your policy should include:

• dispelling employee expectations of privacy with respect to their use of equipment and systems owned by the nonprofit, as well as privacy with respect to employee-owned equipment that is brought to the office for business use; and
• establishing clear guidelines about what constitutes acceptable use of your equipment and systems, what constitutes prohibited activities, and what the consequences will be for violating the nonprofit's policies.

Technology Policy Elements

If you haven't already integrated rules concerning the use of equipment and technology into your Employee Handbook or developed a separate Office Technology Policy, tackle this important task as soon as possible. If you already have a policy in place, consider evaluating your current policy against the following list, to determine if your policy should be updated to include additional instructions or prohibitions:

• Notify employees up front that their e-mail may be monitored. The purpose of this notification is to invalidate an employee's expectation of privacy in e-mail, voice mail, and any other form of electronic communication. According to the American Management Association, 40 percent of major U.S. companies monitor employee e-mail. This figure is up from 15 percent who did so in 1997.
• Tell employees what is and what isn't appropriate use of e-mail at your nonprofit. To draw attention to issues related to use, many technology policies are called "Acceptable Use Policies" or AUPs. Your list of inappropriate or prohibited e-mail might include messages that are inflammatory, defamatory, impolite, discriminatory, pornographic, or contain profanity or other offensive language or that constitute solicitations. Consider dispensing guidance in plain language, such as telling employees to only send e-mails that they wouldn't mind having read in a room full of people they know.

• Explain your nonprofit's policy concerning use of the organization's equipment for personal purposes. Many nonprofits limit personal use of e-mail and the Internet to break times. Others prohibit personal use altogether. The latter policy may be impractical. If you allow employees to make and accept personal phone calls, you should consider whether it's appropriate to also allow staff to send and receive personal e-mails and use your Internet access for occasional personal reasons.

  Some organizations are using or adapting more flexible language, such as "[Nonprofit?s] e-mail and telephone systems are primarily for business use, but limited and reasonable personal use is permitted." Using language such as this works best when it appears in tandem with details on specifically prohibited activities or uses. You don't want to wind up in a debate with an employee about what is "reasonable."

  You might also want to consider how you want to address employees accessing personal e-mail accounts using your equipment and Internet access. Is it OK at lunch? Would it be virus protected? Could it slow down the speed of your Internet access for the network?

• Specifically prohibit activities that should never constitute permissible use of your equipment. These activities might include:

  • using the nonprofit's systems to look for another job,
  • knowingly opening a virus;
  • sending or forwarding chain letters;
  • representing personal views as the nonprofit's (such as Letters to the Editor), or disseminating harassing or offensive materials;
  • knowingly accessing pornographic or other blatantly offensive content;
  • expressing political views; or
  • soliciting or advertising matters unrelated to the business of the nonprofit.
• Explain that use of your equipment and systems is a privilege, not a right, and that privileges may be suspended at management's discretion for any employee who violates the nonprofit's policies or demonstrates poor judgment in the use of equipment or systems.
• Suggest a strategy for reporting inadvertent policy violations to management. For example, you might encourage employees to notify the MIS Director or Executive Director immediately if they believe they may have sent, forwarded, or received an inappropriate message, or viewed an inappropriate Web site.
• Caution employees about your strict prohibitions on copying licensed software owned by the nonprofit or others and the illegality of such actions.
• Indicate whether employees are permitted to install software, programs or files they have purchased or downloaded or whether they must first obtain permission from the person responsible for technology and software in your nonprofit.

These are a few things you can do to keep your nonprofit out of harm's way.