Canadian Baptist of Western Canada

Privacy’s Everyday Impact

bigstock-Symbol-for-e-mail-privacy--a--18505880Whether or not privacy legislation applies, it is a Best Practice for churches to develop and implement privacy policies and procedures.

General

Churches can develop privacy policies and procedures that comply with legislation in force in their jurisdiction.

Information should be held securely and distributed only as appropriate on a need to know basis to maintain confidentiality.

Churches must appoint a Privacy Officer in BC and should appoint one in other provinces or territories.

Churches have a fiduciary duty to consider donor lists and contact information as charitable property and are restricted from sharing those lists.

Commercial Activities

Sharing, selling or bartering member lists is a commercial activity. This can be done only with prior permission from anyone and everyone on the list. Remember, all organizations that engage in commercial activities must comply with privacy legislation.

Running a daycare, school or business is considered a commercial activity and is subject to privacy laws.

Fundraising is not considered a commercial activity, whether this is for huge capital projects or a church bake sale for the youth ministry.

Sending out newsletters is not considered a commercial activity.

Information Collection

Churches are likely safer to obtain information from members on an ‘opt-in’ basis where individuals intentionally give consent to have their information collected, used and distributed. Usually, it is good for congregants to ‘opt in’ annually.

Keep information collection purposes general so they apply broadly and require information to be
collected only once, such as for:

  • Personal support
  • Spiritual and social opportunities
  • To verify identity
  • For distribution of tax or expense receipts
  • For inclusion in directories
  • Enrolment in programs
  • Inclusion in online databases

Directories

  • Creating a directory is not considered commercial activity.
  • Churches may have member directories that include personal contact information and photos.
  • Directories should specify in writing that they are for private, internal use only and that they are
  • not to be sold, lent or bartered, or to be used by congregants to pursue commercial activities.
  • It is inadvisable to include minor children’s names in directories.
  • Directories should be considered as internal documents provided to members only rather than leaving them to be picked up in places accessible to non-members, such as the church foyer or website.
  • It is safer to have congregants ‘opt in’ to being listed in a directory rather than having them ‘opt out’ of being included automatically. By opting in, congregants have more choice and control over their own information.
  • Everyone listed in a directory should be asked to review their information annually for accuracy and completeness.

Websites

Churches may store personal information and databases on websites, computers, staff notebooks,
sticky notes paper documents, whiteboards, blackboards, etc. provided the information is held with consent, is secure and accessible only for the intended uses and viewers, and is accessible to the individual it belongs to.

Churches may store information and databases on servers in other countries like the United States.

Websites should include a copy of the church’s privacy policy.

Other

During an emergency situation, such as a fire, accident or child abduction, personal information (such as name, age, height, gender, health issues, address) may be given to the appropriate first responders without the consent of the individual.

Common sense, courtesy and pastoral responsibilities for confidentiality should cover most privacy issues related to pastoral care and normal church activities such as personal counselling, sharing prayer concerns, signing up for events.

Use common sense in faxing or emailing financial or sensitive information and do so only when
necessary. A good rule of thumb is to email only information that you would feel comfortable sharing by phone.

Churches must treat the information of both staff and volunteers the same.

Churches may not collect information not reasonable for its purposes, such as medical or financial information. If this information is necessary for the work of the church in relation to the individual it may be collected.

Board meetings are not considered private (unless in-camera) and may be made public, although not if they include personal information. Publication of board minutes on websites isn’t advisable.

Photos of church members that identify the person can only be published with written, verbal or tacit consent.

Prayer concerns should be shared only with those from whom an individual has requested prayer,
such as a pastor, prayer circle or the deacons. Concerns, health information, employment status or personal issues should never be shared publicly without the consent of the individual.

Churches may keep archives or historical records that include personal information as long as the information is not considered too sensitive for disclosure, the person has been dead 20 years or the information has been in a record for more than 100 years.

It is helpful for churches to establish information access protocols defining who should have access to what type of personal information. For example, a treasurer may need to know about an individual’s donations to provide a tax receipt but has no need to know about a person’s prayer concerns.