In 2019, federal grant applications began including confidentiality policy requirements for reporting disclosures of the personally identifying information (PII) of survivors receiving federally funded services. Grant recipients are required to report actual or imminent breaches of confidentiality. This is important not only to comply with grant requirements, but also to protect the privacy and confidentiality of survivors accessing services.
In order for your confidentiality policy to be compliant, it must include procedures to:
- Report an actual or imminent data breach to the Office of Crime Victims Advocacy (OCVA) grant manager within 24 hours;
- Notify survivor(s) and persons whose data was breached;
- Address the cause of the breach.
This requirement provides an opportunity not only to update data breach procedures, but to revisit practices, policies, and procedures related to confidentiality in our work. We know that electronic records are increasingly common, mobile advocacy is critical, and survivors’ information is being exchanged in new and different ways.
The National Network to End Domestic Violence has developed a resource specific to this requirement that may be helpful. You can find that here: Data Breaches & Victim Service Providers: Considerations for Developing Effective Policies.