That is an interesting and potentially good idea you have for improving the business practice of the non-profit. Your idea is not a practice that is required by law, but there is nothing to stop you from making the suggestion or request that the non-profit do it your way.
However, the present practice of the n-p is not an unlawful invasion of privacy -- not even close.
My responses to questions on Avvo are never intended as legal advice and must not be relied upon as legal advice. I give legal advice only in the course of an attorney-client relationship. Exchange of information through Avvo's Questions forum does not establish an attorney-client relationship with me. That relationship is established only by individual consultation and execution of a written agreement for legal services.
It sounds like an easy enough technical and procedural change for them to make. As my colleague recommends, make the suggestion. As it stands, certainly a security risk, as well as providing public access to private information. Write them a letter.
We do not have a client/attorney relationship until you make an appointment, we discuss your case face to face, I accept a retainer, and we explicitly agree to enter into representation.