Data Breaches and Confidentiality

WSCADV is learning about the new federal confidentiality policy requirements on reporting disclosures of the personally identifying information (PII) of survivors who receive services funded by federal dollars. Grant recipients are now required to report actual or imminent breaches of confidentiality. This is important not only to comply with grant requirements, but also to protect the privacy and confidentiality of survivors accessing services.

Here are a couple of tips we have put together on best practices for confidentiality:

  1. In order for your confidentiality policy to be compliant, it must include procedures to:
    • Report an actual or imminent data breach to the Office of Crime Victims Advocacy (OCVA) grant manager within 24 hours;
    • Notify survivor(s) and persons whose data was breached;
    • Address the cause of the breach.
  2. If you’re looking for some sample verbiage to include in your breach of confidentiality policies, please see this sample policy shared with us by our colleagues at the Washington Coalition of Sexual Assault Programs.

This new requirement provides an opportunity not only to update data breach procedures, but also to revisit practices, policies and procedures related to confidentiality in our work. We know that electronic records are increasingly common, mobile advocacy is critical and survivors’ information is being exchanged in new and different ways than when we began this work. WSCADV will be offering some additional resources on confidentiality in the coming year so that we can be in dialogue about best practices, troubleshoot issues and support one another as we continue to offer confidential services to our communities.

Additional Resource 

The National Network to End Domestic Violence has developed a resource specific to this requirement that may be helpful. You can find that here: Data Breaches & Victim Service Providers: Considerations for Developing Effective Policies.