Your nonprofit's reputation increasingly lives online. A board member's divisive social media post, an employee sharing confidential information, a staff member representing the organization unprofessionally — these affect your organization's credibility and mission.

A digital conduct policy sets expectations for how staff and board members represent the organization online, what they can share, and how they communicate digitally.

Key Areas to Address

1. Social Media Use

Define: What social platforms does your organization use? (Facebook, Instagram, TikTok, LinkedIn, Twitter/X?) Who has access to official accounts? What are the rules for posting?

Rules might include:

  • Official accounts must be approved by [person/committee] before posting
  • Posts should reflect organizational values and mission
  • No sharing of confidential information or unpublished plans
  • All opinions shared in a professional context (as staff/board) should be fact-based and respectful
  • Engage in comments professionally. Don't engage in personal arguments or flame wars

Personal accounts: Should staff and board post personally about the organization? Most policies allow it, with conditions: be truthful, don't share confidential information, be respectful. Staff posting personal opinions about work should make clear these are personal opinions, not organizational positions.

2. Online Representation of the Organization

Define: When someone is clearly acting as a representative of the organization (using organization email, speaking at an organizational event, running an organizational page), how should they conduct themselves?

Rules might include:

  • Represent the organization honestly and accurately
  • Be professional and respectful, even in disagreement
  • Don't make commitments the organization can't keep
  • Don't make public statements about organizational conflicts without approval from leadership
  • Don't badmouth partners, funders, or other organizations publicly

3. Confidentiality and Information Sharing

Define: What information is confidential? (Financial data, personnel issues, strategic plans, donor information, participant information.) What's the penalty for sharing it?

Confidential usually includes:

  • Personal information about members, participants, or beneficiaries
  • Financial information (budget, revenue sources, donor names)
  • Personnel matters (salaries, performance issues, hiring decisions)
  • Strategic plans before they're public
  • Board discussions marked as confidential
  • Legal proceedings or disputes

Exceptions: Define when sharing is required or allowed. (Whistleblowing for illegal activity? Consulting with a personal attorney? Public records requests?)

4. Communication Norms

Define: How should staff and board communicate with each other digitally?

Norms might include:

  • Email is for formal communication. Use it when you need a record
  • Respond to work email within 24 hours during business days
  • Don't send work emails on nights/weekends unless urgent. Respect people's off-hours
  • Use appropriate platforms: confidential info via email, not Slack. Major decisions documented in writing, not just chat
  • Avoid "reply all" unless necessary
  • Be respectful in all digital communication, especially when disagreeing

5. Device Security and Data Protection

Define: What devices can staff use for work? How should they be secured?

Rules might include:

  • Use organizational devices when available for organizational work
  • If using personal devices, install [required security software]
  • Lock your computer/phone when leaving it unattended
  • Use strong passwords and change them quarterly
  • Don't connect to public WiFi when accessing organizational data
  • Report lost/stolen devices immediately

6. Remote Work Communication

Define: If staff work remotely, what are expectations for video calls, response times, and availability?

Rules might include:

  • Use organizational platforms (Zoom, Google Meet) for work meetings, not personal accounts
  • Be visible in video calls (unless you have accessibility needs)
  • Communicate your working hours and availability
  • Use background blur or organizational background in video meetings
  • Don't discuss confidential organizational matters in places where household members might overhear

Enforcement Approach

A digital conduct policy is only as good as its enforcement. Consistency matters.

Minor violations (slow email response, slightly unprofessional tone): Gentle reminder, conversation.

Moderate violations (sharing minor confidential information accidentally): Written warning, training on the policy, agreement to change behavior.

Serious violations (sharing sensitive donor info or participant data online, making public statements that damage the organization): Escalation to supervisor/board, potential termination.

The key: consistency. If you enforce standards for some staff but not others, you lose credibility.

Policy Template Outline

Purpose: "This policy guides staff and board member digital conduct to protect our organization's reputation and values, and to protect confidential information."

Scope: "This applies to all staff, board members, and contractors when they're representing the organization or discussing organizational matters."

Social Media: [Your rules around personal vs. organizational accounts]

Confidentiality: [What's confidential, what's not, penalties for breaches]

Professional Communication: [Email norms, response times, respectfulness]

Online Representation: [How to represent the organization, what statements require approval]

Device Security: [Device use, passwords, data protection]

Consequences: [Minor to serious violations and corresponding actions]

Common Mistakes

1. Too restrictive. Banning all personal social media use or personal opinions isn't realistic. Give people space for personal expression while protecting organizational interests.

2. Only about technology. The policy should be about conduct, not just technology. It's less about HOW you communicate and more about WHAT you communicate.

3. Not updated for new platforms. When TikTok or whatever new platform emerges, your policy might not address it. Review annually and update for new tools.

4. Enforcement gaps. Many organizations have great policies but don't enforce them consistently. Either enforce consistently or don't bother having the policy.

Building Your Policy

Draft a policy addressing the 5-6 areas above. Get feedback from staff (they'll tell you what's realistic). Get board approval. Roll out with training. Enforce consistently.

Review annually. Is it working? Do staff understand it? Are we enforcing it fairly?

For related guidance on codes of conduct and community standards, see Lecture 1.5.1, Lecture 1.5.2, and Lecture 1.5.3. To continue learning beyond Level 1, see our Level 2 curriculum on community building.

Frequently Asked Questions

Can we monitor staff's social media or email?

You can monitor organizational email and devices. Many organizations monitor social media where staff are using organizational accounts. You can't monitor personal social media without consent and a legitimate reason (such as a security investigation). Always inform staff of monitoring and have a clear policy.

What if a staff member posts something politically controversial on their personal account?

If it's on their personal account and they're not identifying as representing the organization, it's generally their protected speech. You can only take action if it violates organizational values AND they're clearly identified as organizational staff. Most policies avoid policing personal views.

Should we require staff to disclose their social media accounts?

You can ask for accounts used professionally. But requiring disclosure of all personal accounts is invasive and rarely enforceable. Most policies ask for disclosure only of professional accounts.

What if a staff member accidentally shares confidential information online?

Treat it seriously but proportionally. First, have them take down the post and report what happened. Then have a conversation about the mistake and provide training. Punishment depends on: Was it clearly labeled confidential? Did they know? How much damage resulted? Usually this is a learning moment, not a firing offense.