Boys & Girls Club of Newburgh & Poughkeepsie
Policy on Data Security and Privacy
Purpose:
The Boys & Girls Club of Newburgh & Poughkeepsie is committed to maintaining the privacy and security of all personally identifiable information (PII) related to our program participants, staff, and stakeholders. This policy outlines the measures taken to ensure compliance with all applicable laws and regulations concerning data security, privacy, and protection.
Program Participant and Parent Rights Under State and Federal Law
This policy includes all protections granted to program participants and their families under applicable state and federal laws, including but not limited to the Family Educational Rights and Privacy Act (FERPA) and the Children’s Online Privacy Protection Act (COPPA).
Parents’ Bill of Rights for Data Privacy and Security
The Boys & Girls Club of Newburgh & Poughkeepsie shall publish a Parents’ Bill of Rights on its website to inform parents and guardians that:
1. A child’s personally identifiable information (PII) will never be sold or used for commercial purposes.
2. Parents have the right to review their child’s personal data maintained by the Club and may request changes or deletions if necessary.
3. The Club follows strict security standards, including encryption, firewalls, and password protection, to safeguard PII.
4. A list of all data elements collected by the Club is available for review upon request.
5. Parents have the right to file complaints regarding potential data breaches or misuse of their child’s information. Complaints should be directed to the designated Data Protection Officer listed on the Club’s website.
Use and Disclosure of Personally Identifiable Information
• The Boys & Girls Club will limit the collection, processing, and storage of personally identifiable information to only what is necessary to fulfill its mission.
• All use and disclosure of personally identifiable information must benefit the Club’s program participants and operations, such as improving program services, tracking progress, and ensuring participant safety.
• Personally identifiable information will never be included in public reports or promotional materials unless authorized by law and with proper consent.
Data Protection Officer
The Data Protection Officer will be responsible for ensuring the implementation and oversight of this policy. This individual will also serve as the point of contact for any data privacy or security concerns.
The Boys & Girls Club will ensure that the Data Protection Officer has the appropriate training and expertise to administer data privacy and security functions.
Club Data Privacy and Security Standards
The Boys & Girls Club will follow the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity as the foundation of its data privacy and security program.
Third-Party Contractors
• Any contract between the Boys & Girls Club and third-party contractors that involves access to program participant or staff data must include provisions ensuring confidentiality and compliance with all applicable data protection laws.
• The Club will require signed Data Privacy Agreements with all vendors handling personal data.
• A Parents’ Bill of Rights Supplement will be made available online for any contractor receiving personally identifiable information from the Club.
Reporting a Breach or Unauthorized Release
Any suspected or confirmed data breach must be reported immediately to the Data Protection Officer, who will investigate and take necessary actions. The Club will notify affected parties promptly and will report serious breaches to relevant authorities within ten calendar days of discovery.
Annual Data Privacy and Security Training
• All Club staff and officers with access to personally identifiable information will receive annual data privacy and security training.
• Training will include best practices for handling data securely and compliance with privacy laws.
Notification and Compliance
This policy will be published on the Boys & Girls Club of Newburgh & Poughkeepsie’s website and will be provided to all staff and parents upon request. Updates to this policy will be communicated as necessary to ensure continued compliance with evolving data privacy laws and best practices.
By implementing this policy, the Boys & Girls Club of Newburgh & Poughkeepsie reaffirms its dedication to protecting the privacy and security of all data related to its program participants, staff, and community.
Revised 3/2025