In 2019, federal grant applications began including confidentiality policy requirements on reporting disclosures of personally identifying information (PII) of survivors receiving federally funded services. Grant recipients are required to report actual or imminent breaches of confidentiality. This is important not only to comply with grant requirements, but to protect the privacy and confidentiality of survivors accessing services.
In order for your confidentiality policy to be compliant, it must include procedures to:
- Report an actual or imminent data breach to the Office of Crime Victims Advocacy (OCVA) grant manager within 24 hours;
- Notify survivor(s) and persons whose data was breached;
- Address the cause of the breach.
Please see this sample policy shared with us by our colleagues at the Washington Coalition of Sexual Assault Programs for sample verbiage to include in your confidentiality policies.
This requirement provides an opportunity not only to update data breach procedures, but to revisit practices, policies, and procedures related to confidentiality in our work. We know that electronic records are increasingly common, mobile advocacy is critical, and survivors’ information is being exchanged in new and different ways.
Additional Resource
The National Network to End Domestic Violence has developed a resource specific to this requirement that may be helpful. You can find that here: Data Breaches & Victim Service Providers: Considerations for Developing Effective Policies.