Privacy is a subject of much interest and discussion. Concern about how federal privacy legislation – the Canada Personal Information Protection and Electronic Documents Act (PIPEDA) – may or may not apply to our work is widespread. The FAQs that follow will help you determine what steps to take and what issues to consider.
Remember that PIPEDA applies on an activity basis, regardless of the nature of the organization. If you’re engaging in commercial activity that involves the collection, use or disclosure of personal information, PIPEDA does apply.
The Diocesan Centre has a Privacy Standards Policy, approved by Diocesan Council in 2002.
You can also consult guidelines for parishes about parish directories and how to respond to requests for access to parish records. See the Parish Leaders’ Manual for more information on protecting personal information.
What is personal information?
Personal information includes any factual or subjective information, recorded or not, about an identifiable individual. It includes information in any form, such as: home address, home phone number, personal email address, age, marital status, family members’ names, employee files, identification numbers, ethnic origin, evaluations, disciplinary actions, the existence of a dispute, opinions, comments, social status, income, credit records, donation information, loan records or medical records.
Personal information does not include the name, title, business address or business phone number of an employee of an organization.
If someone calls the Diocesan Centre and requests a cleric’s home phone number, what happens?
The Diocese doesn’t provide clergy’s home information. Depending upon the nature of the inquiry, staff might provide the parish’s office number. In the case of an emergency or pastoral concern, staff will call the clergy and let them know that their home number has been requested. We ask for permission to give it out, or we give the priest the name and phone number of the inquirer.
If we’re unsuccessful in reaching the priest on the phone, we’ll leave a message. We may also suggest the caller try Canada 411.
How are email addresses handled?
Email addresses are handled in the same way as regular addresses. The Diocesan Centre doesn’t give out personal email addresses. The diocesan website has email addresses listed for those who want them to be public.
A church email address may be made public because it’s considered to be business information, and its publication is needed to perform the work of the Diocese.
If the email address is personal, it won’t be disclosed or made public unless the individual’s consent has been obtained. It’s always a good idea to ask people their preferred method of contact.
Can we put people’s names on prayer lists?
Yes. It has always been appropriate to ask a person’s permission to put their name on a prayer list if you can. You might ask whether both the first and last names should be used. If the person’s name will appear on a list or bulletin, you should let them know.
There’s an expectation that parish staff and volunteers won’t disclose information about people’s health they may learn in the course of their work. This includes information about a hospital stay. No information about a person’s health should be shared without their specific consent.
Does the Diocese provide templates for privacy policies?
It’s best for the members of a vestry to develop their own privacy policies and practices on the use of personal information. You can check the Diocesan Centre Privacy Standards Policy, especially as it pertains to employee information. Many organizations, other dioceses and some parishes also have privacy policies on their websites.
Policies and practices that suit a vestry in a small community in a rural area may be quite different from those that suit a vestry in a large community in an urban centre. But remember, if you engage in commercial activity, the federal legislation will apply.
It’s a good idea for all members of a vestry, especially new members, to understand how their personal information may be used in the life of the parish community so there’s no anxiety or unpleasant surprises. The expectations and practices should be clearly outlined when the personal information is collected.
Who can have access to the parish list?
First think about how you, as a parishioner, expect your information to be used. You might ask yourself, “What would I or another reasonable person consider appropriate under the circumstances?”
Parish staff and volunteers will normally have access to the parish list in the course of carrying out their duties and organizing parish activities. It would be unreasonable for them not to have this information, but they can use it only for church-related activities. Those in such positions need to be familiar with privacy and confidentiality issues. Parish statements about privacy of information should be readily available and publicized.
Each year the churchwardens are required to post the names of the members of the vestry before the annual vestry meeting. This is a canonical requirement (outlined in Canon 14, sec. 4) and part of the preparation for the meeting.
Who can have access to donor information in a parish?
The envelope secretary must not allow others to see the envelope records during the normal course of the year. There are two exceptions. The first is the annual audit of the parish records; the auditor has the right to review all the records, including those of the envelope secretary.
The other exception is the churchwardens, who always have unfettered access to all the books and records of the parish corporation, including envelope records. The reason is twofold: first, the churchwardens are ultimately responsible for the completeness and accuracy of these records; second, it would be unacceptable from an internal control perspective if the churchwardens weren’t able to access the envelope records or any other financial records of the corporation. This would represent an unacceptable breakdown of internal controls and would require immediate action to fix the situation.
The key is balancing the need for confidentiality with the need for good internal controls. The churchwardens can review the envelope and other donor records to make sure there’s proper record keeping. (Indeed, they must verify these things personally and not take it on faith.) They can also review these records to develop a more precise understanding of the parish’s financial affairs. This must be done with complete respect for the confidential nature of the records.
In some parishes there is a third exception: the incumbent. There’s nothing that happens in the parish that shouldn’t be seen or known by the incumbent, but some priests choose not to look at donor information. There’s no requirement that they do so, and no expectation that this is automatically something they’ll do.
Start by holding discussions about what privacy means in the parish. Keep the conversations focused on what members think is best for the type of community you want to create. Appoint one individual to be the Privacy Officer. Develop a privacy statement that can be widely publicized and easily understood. Try not to overload yourselves with detailed rules and burdensome restrictions.
You may want to refer to the 10 fair information principles for handling personal information set out in Schedule 1 to the Personal Information Protection and Electronic Documents Act of Canada.
Above all, remember that the intent of the exercise is to agree on, and write down, how fellow parishioners will use their personal information as they carry out activities in their church community. This can be shared with new members and referred to from time to time so everyone can feel comfortable that their information will be used in appropriate and respectful ways.