1. Policy Objectives:
In the course of its operations and administration, Epsom Baptist Church (EBC) must collect, hold, distribute, and archive information. As a legitimate “Data Agency”, EBC is required by the New Zealand Privacy Act 2020 to take diligent measures to protect the interests of the related information owners, members, vendors, direct and indirect third parties, and the church itself. When a breach arises, immediate assessment and remedies must be undertaken to minimize consequential liabilities and risks. This document provides a clear and practical reference to guide organizational compliance and variance handling.
2. Policy Scope:
Privacy protection is a collaborative effort within the church. This policy is set out to guide and educate authorized delegates and general members of EBC in the genuine practice of good information protection. It covers the framework of:
a. Committed leadership support
b. Principles of information privacy practice
c. Education and communication
d. Breach and risk management
e. Annual Privacy Impact Assessment (APIA)
EBC must assign dedicated resources to ensure that the whole privacy protection framework is designed, organized, launched, and continuously reviewed so that it meets current legal requirements and members’ expectations.
This policy applies to church leaders, information owners, information users, church members in general, and third parties whose concerns about their information protection are explicitly made known to EBC.
3. Privacy Protection Principles and Framework:
3.1 Committed leadership support
EBC must implement an internal governance structure that fosters a privacy-respectful culture, one which nurtures leaders and members to act responsibly and in compliance with external legal and internal organizational ordinances.
Church leaders, through deacons’ meetings, must appoint a Church Privacy Officer; endorse programme controls relating to privacy protection; allocate adequate resources (including finance and human resources); and actively participate in the assessment and review of programmes in response to changing operational environments.
The appointment of a Church Privacy Officer is required by the New Zealand Privacy Act 2020. The officer, who should hold a term of 2 years, must be endorsed at the Annual General Meeting. The officer is responsible for, at least, the following roles:
• ensure compliance with the information privacy principles stipulated below in section 3.2,
• deal with requests for, and issues around, personal and private information,
• work with other church leaders, or if needed the Privacy Commissioner, when investigating complaints of interference with privacy,
• nurture a responsible organizational culture within which every leader and member respects the protection of information privacy.
3.2 Principles of information privacy practices
i. EBC should only collect information if it is for a lawful purpose, and the information is necessary for that purpose; information collected should be necessary but not excessive,
ii. EBC should generally collect personal information directly from the person it is about, unless the person concerned gives his/her permission to seek it from another source,
iii. EBC should take reasonable steps to ensure that the person from whom information is collected knows: a) why it is being collected; b) who will receive it; c) whether giving it is compulsory or voluntary; and d) what will happen if they do not give the information,
iv. EBC should only collect information in ways that are lawful, fair and not unreasonably intrusive, and take particular care when collecting personal information from children and young people so as to comply with the Oranga Tamariki Act 1989,
v. EBC must make sure that there are reasonable security safeguards in place to prevent loss, misuse, unauthorized access, and disclosure of collected information,
vi. EBC must make information owners aware of their right to access their information for the purposes of correction, updating and deletion,
vii. EBC must not keep the information for longer than is necessary,
viii. EBC must only use the information for the purpose for which it was originally collected,
ix. EBC can only disclose the information under the original purpose of collection; or upon being authorized by the owner; or if used in an anonymous way.
3.3 Education and communication
The church privacy officer is responsible for educating the church members as to the importance of information privacy protection. The communication channels include:
i. Sharing and explaining this policy at members’ meetings or to the congregations (English and Chinese) when needed,
ii. Posting a physical copy of this policy and procedures in a prominent place within the church where members have easy access; concurrently this policy should be posted on the church webpage (www.epsombaptistchurch.org.nz) for reference when needed,
iii. Informing the church members to approach either the church privacy officer or the church pastors with concerns relating to information privacy,
iv. Advising the church members to approach the church privacy officer to make information update/correction/deletion requests,
vi. Subject to a majority consensus of church leaders, breach cases are to be concluded and communicated on a “need-to-know basis” to church members who might otherwise retain misunderstandings and suspicion.
3.4 Breach escalation and handling
There should be an established channel and process for members and information stakeholders to report a suspected breach. The church privacy officer, in conjunction with the church pastors, should deal with the case in a timely manner so that the consequential risks and liabilities to all parties involved can be contained. Deacons should be involved in the investigation of cases that the pastors and the privacy officer consider serious.
3.5 Annual Privacy Impact Assessment (APIA)
An APIA should be conducted by the privacy officer once a year for the purposes of:
a. identifying potential risks of information breach when there are changes in key personnel capacities, policies and procedures, or external regulations,
b. reviewing principles and practices to ensure they are correctly observed, understood, and implemented, and identifying areas that need to be removed or streamlined, or where further briefings are needed,
c. presenting the assessment result to church leaders and members at the AGM, including levels of compliance as well as potential risk areas that need to be addressed by the church collectively.
The assessment should address the following topics:
a. data protection principle – purpose and manner of information collection,
b. accuracy and duration of information retention,
c. use of information,
d. security of information,
e. openness of information,
f. access to and correction of information,
g. variance handling,
h. communication and training.
4. Procedures and Process Flows:
4.1 Procedure for accessing church information
b. the completed form should be returned to the church privacy officer either in person or by email,
c. the form will be reviewed and signed by BOTH the church privacy officer and the church senior pastor,
d. the result of the request (accepted or rejected) will be communicated to the applicant by the church privacy officer either in person or by email,
e. the church privacy officer will share the reason(s) if the request is rejected,
f. when the request is accepted, the church privacy officer will notify the applicant of the approved channel through which to access the related information.
4.2 Procedure for breaching escalation and handling
b. upon receipt of the completed form, the church privacy officer and the pastors will approach the reporting person(s) to gather and clarify essential information relating to the breach,
c. alternatively, the reporting person(s) can ask the church privacy officer and/or pastors for a direct dialogue, either by phone or by meeting in person, where the church privacy officer can complete the form on their behalf if needed,
d. the church privacy officer, in collaboration with the church pastors as a special team, will investigate the case; once the case is substantiated, the team will decide (engaging deacons in serious circumstances if needed) to:
i. notify the information owner of the potential impacts to them,
ii. implement measures to immediately contain the damage of the breach,
iii. notify regulatory bodies / law enforcement agencies if needed,
iv. conduct a post-incident review and identify areas to prevent recurrence,
v. communicate and explain to the church members if needed.
4.3 Process for information management
a. church information management covers the following areas:
i. any party who intends to collect private or personal information from church members,
ii. the assignment or change of information storage locations,
iii. a recommendation by the church privacy officer, pastors, leaders, or deacons to purge information regarded as outdated, obsolete, or redundant.
b. the procedure:
ii. the completed form should be returned to the church privacy officer either in person or by email,
iii. the form will be reviewed and signed by BOTH the church privacy officer and the church senior pastor,
iv. the result of the request (accepted or rejected) will be communicated to the requestor by the church privacy officer either in person or by email,
v. the church privacy officer will share the reason(s) if the request is rejected,
vi. when the request is approved, the related information management action will be carried out by the church privacy officer or an appropriately designated party.
With the abundant blessings from our heavenly God, EBC is growing in membership, ministry complexity, and diversity of activities. This is resulting in ever-growing interactions, both internally and externally, with a diverse group of communities, and hence a proliferation of collected information. Against such promising circumstances, which will further flourish down the road, EBC must endeavour to establish and maintain good privacy protection with the committed support of its church leaders and members, so that potential liabilities can be contained while the interests of information stakeholders are protected.
*** End ***
Attachment A – Access Information Request Form
Attachment B – Breach Escalation Form
Attachment C – Information Management Form