Privacy is a subject of much interest and discussion. Concern about how federal privacy legislation – the Canada Personal Information Protection and Electronic Documents Act (PIPEDA) – may or may not apply to our work is widespread. The FAQs that follow will help you determine what steps to take and what issues to consider.

Remember that PIPEDA applies on an activity basis, regardless of the nature of the organization. If you’re engaging in commercial activity that involves the collection, use or disclosure of personal information, PIPEDA does apply.

Privacy standards

The Diocesan Centre has a Privacy Standards Policy, approved by Diocesan Council in 2002.

You can also consult guidelines for parishes about parish directories and how to respond to requests for access to parish records. See the Parish Leaders’ Manual for more information on protecting personal information.

FAQ about Privacy

What is personal information?
Personal information includes any factual or subjective information, recorded or not, about an identifiable individual. Personal information includes information in any form, such as: home address, home phone number and personal email address, age, marital status, family members’ names, employee files, identification numbers, ethnic origin, evaluations, disciplinary actions, the existence of a dispute, opinions, comments, social status, income, credit records, donation information, loan records or medical records.

Personal information does not include the name, title, business address or business telephone number of an employee of an organization.

If an individual calls the Diocesan Centre and requests a home telephone number for a parish priest, what happens?

The Diocese does not provide clergy home information. Depending upon the nature of the inquiry, staff might provide the office number of the parish. In the case of an emergency or pastoral concern, diocesan staff will call the clergy and advise them that their home number has been requested. We ask for permission to give it out; or we provide the priest with the name and phone number of the inquirer.

If we are unsuccessful in reaching the priest on the phone, we will leave a message for the priest and, in addition, we may suggest the caller try Canada 411.

How are email addresses handled?
The Diocesan Centre does not give out personal email addresses. The diocesan website has email addresses for those wishing them to be public.

Email addresses are handled in the same way that regular addresses are handled.

A church email address may be made public, as that is considered to be business information, and its publication is needed to perform the work of the Diocese.

If the email address is personal, it will not be disclosed or made public unless the individual’s consent has been obtained. It is always a good idea to ask people their preferred method of contact.

Can we put people’s names on prayer lists?
Yes. It has always been appropriate to ask a person’s permission to put their name on a prayer list if there is an opportunity to do so. You might ask whether first and last name should be used. If the person’s name will appear on a list or bulletin, you would want to let them know.

There is an expectation that parish staff and volunteers will not disclose information about people’s health that they may become aware of in the course of their work. This includes information about a hospital stay. No information should be shared regarding a person’s health without their specific consent.

Does the Diocese provide templates for privacy policies?
It is best if the members of a vestry develop their own privacy policies and practices on the use of personal information. It may be helpful to check the Diocesan Centre Privacy Standards Policy, especially as it pertains to employee information. In addition, many organizations and other dioceses and some parishes have privacy policies on their websites, which could be reviewed.

The policies and practices that may suit a vestry in a small community in a rural area may be quite different from a large community in an urban centre. But remember, if you engage in commercial activity, the federal legislation will apply.

It is a good idea if all members of a vestry, and especially new members, understand how their personal information may be used in the life of the parish community so that there is no anxiety or unpleasant surprises!  The expectations and practices should be clearly outlined at the time the personal information is collected.

Who may have access to the parish list?
To answer this question, first think about how you, as a parishioner, expect your information to be used. You might ask yourself, “What would I or another reasonable person consider appropriate under the circumstances?”

Parish staff and volunteers will normally have access to the parish list in the course of carrying out their duties and organizing activities in the parish. It would be unreasonable for them not to have this information, but its use must be for church-related activities only. It is important that those in such positions be familiar with privacy and confidentiality issues. Parish statements regarding privacy of information should be readily available and publicized.

Finally, each year the Churchwardens are required to post the names of the members of the vestry prior to the annual vestry meeting. This is a canonical requirement as outlined in the Canon (Canon 14, sec. 4), and part of the preparation for the meeting.

Who may have access to donor information in a parish?
The envelope secretary must not allow others to see the envelope records during the normal course of the year. There are two exceptions to this. The first exception is the annual audit of the parish records, wherein the auditor has the right to review all the records, including those of the envelope secretary.

The other exception is that the Churchwardens always have unfettered access to all the books and records of the parish corporation, including envelope records. The reason for this is twofold: first, the Churchwardens are ultimately responsible for the completeness and accuracy of these records; second, it would be quite unsatisfactory from an internal control perspective if the Churchwardens were not able to have access to the envelope records, or any other financial records of the corporation. Indeed, should the Churchwardens not be able to have access to and view the envelope records at any time, this would represent an unacceptable breakdown of internal controls and would require immediate action to remedy the situation.

The key to this is balancing the need for confidentiality with the need for good internal controls. The Churchwardens can review the envelope and other donor records to ensure that there is proper record keeping. (Indeed, they must verify these things personally and not take it on faith.) They can review these same records to develop a more precise understanding of the financial affairs of the parish. However, this must be done with complete respect for the confidential nature of these records.

In some parishes there is a third exception, and that is the incumbent. There is nothing that happens in the parish that should not be seen or known by the incumbent. However, some priests choose not to look at donor information. Therefore, there is no requirement that they do so; nor is there an expectation that this is automatically something they will do.

How should a parish begin to implement a privacy policy?
Begin by holding discussions as to what Privacy means in the parish. Keep the discussions focused on what members think is best for the type of community you want to create. Appoint one individual to be the Privacy Officer. Develop a Privacy statement that can be widely publicized and easily understood. Try to not overload yourselves with detailed rules and burdensome restrictions.

You may want to refer to the ten fair information principles for handling personal information, set out in Schedule 1 to the Personal Information Protection and Electronics Document Act of Canada.

These principles should guide your privacy policy. Remember, if you engage in a commercial activity that involves the collection, use or disclosure of personal information, you must abide by these 10 principles when carrying out that activity.

Above all, remember that the intent of the exercise is to agree on, and write down, how fellow parishioners will use their personal information as they carry out activities in their church community. Then this can be shared with new members, and referred to from time to time only, so that everyone can feel comfortable that their information will be used in appropriate and respectful ways.

Privacy resources

For more information, contact Claire Wilton, Privacy Officer, at 416-363-6021, ext. 219 (1-800-668-8932).