Policy To Protect Personal Information
At Our Savior Lutheran Church In Edmonton, Alberta, Canada
- Accountability
1.1 The personal information compliance officer is appointed by church council for a one year term, with no limit on the number of terms. The compliance officer must be a member in good standing of Our Savior Lutheran Church. Currently, Laura Haugen serves as the personal information compliance officer (the "officer") of Our Savior Lutheran Church, Edmonton (OSLC).
1.2 All persons, whether employees, volunteers or board or committee members who collect, process or use personal information shall be accountable for such information to the officer.
1.3 This policy shall be made available upon request.
1.4 Any personal information transferred to a third party for processing is subject to this policy. The officer shall use contractual or other appropriate means to protect personal information at a level comparable to this policy while a third party is processing this information.
1.5 Personal information to be collected, retained or used by OSLC shall be done so only after the officer gives written approval. This information shall be secured according the officer's instructions.
1.6 Any person who believes OSLC uses personal information collected, retained or used for purposes other than those the person explicitly approved may contact the officer to register a complaint or make a related inquiry.
1.7 Upon receiving a complaint from any person regarding the collection, retention or use of personal information, the officer shall promptly investigate the complaint and notify the person who complained about his/her findings and corrective action take, if any.
1.8 Upon receiving the response from the officer, the person who filed the complaint may appeal to the Executive Officers of OSLC to review and determine the disposition of the complaint at issue.
1.9 The determination of the Executive Officers shall be final and the officer shall abide by and implement any of their recommendations.
1.10 The officer shall communicate and explain this policy and give training regarding it to all employees and volunteers who might be in a position to collect, retain or use personal information.
1.11 The officer shall prepare and disseminate information to the constituency which explains OSLC's protection of personal information policies and procedures.
- Identifying Purposes
2.1 The officer shall document the purpose for which personal information is collected to comply with the openness and individual access principles outlined below.
2.2 The officer shall determine the information that will be needed to fulfill the purposes for which the information is to be collected in order to comply with the limited collection principle.
2.3 The officer shall ensure that the purpose is specified at or before the time of collecting the personal information from an individual.
2.4 The officer shall ensure that the information collected will not be used for any other purpose before obtaining the individual's approval, unless the new purpose is required by law.
2.5 The officer shall ensure that a person collecting personal information will be able to explain to the individual why the information is being collected, how it will be retained and if and when it will be disclosed.
2.6 The officer shall ensure that limited collection, limited use, disclosure and retention principles are respected in identifying why personal information is to be collected.
- Consent
3.1 The officer shall ensure that the individual from whom personal information is collected consents to the collection and to the manner in which it will be used and disclosed.
3.2 The officer shall ensure that the individual can reasonably understand why and how the information will be used when consent is given.
3.3 The officer shall ensure that express consent is obtained wherever possible and appropriate. In some circumstances, implied consent may be acceptable if the information's sensitivity and the policy's purpose and intent is respected. (For example, implied consent might exist if it is generally understood that information obtained when a new member joins OSLC will be used for all church-related purposes.) Implied consent may not be assumed if OSLC passes on personal information to a para-church organization.
3.4 In obtaining consent, the officer shall ensure that the individual's reasonable expectations are respected. For example, a person giving his/her name to OSLC to receive the OSLC Weekly Newsletter, reasonably expects that the church will use that personal information to send other information about itself. The individual would not likely expect that the information would be used for fundraising.
3.5 The officer shall ensure that the express consent obtained from an individual is clear and in an appropriately verifiable form. For example, an application form may be used and kept on file where the individual consents to the collection and specific use; a check box may be used to permit information already on file to be used for a new purpose; consent may be given orally which would require the receiver of the consent to create appropriate documentary evidence; or consent might be given by email, requiring an electronic record to be maintained.
3.6 The officer shall ensure that the individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. The individual shall promptly be informed of the implications of the withdrawal.
- Limiting Collection
4.1 The officer shall ensure that personal information will not be collected indiscriminately. Both the amount and type of information collected shall be limited to that which is necessary to fulfill the purposes identified.
4.2 The officer shall ensure that information is collected only by fair and lawful means without misleading or deceiving individuals as to the reason.
4.3 The officer shall ensure that the identifying purposes and consent principles are followed in identifying why personal information is to be collected.
- Limiting Use, Disclosure And Retention
5.1 The officer shall ensure that personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law, and any use of personal information shall be properly documented.
5.2 The officer shall ensure that all personal information is destroyed, erased or made anonymous as soon as the purpose for which it was collected is no longer relevant.
5.3 The officer shall ensure that all use, disclosure and retention decisions are made in the light of the consent principle, the identifying purposes principle and the individual access principle.
- Accuracy
6.1 The officer shall reasonably ensure that the personal information is accurate, complete and up to date, taking into account the individual's interests. The officer shall ensure that the information is sufficiently accurate, complete and up to date to minimize the possibility that inappropriate information might be used to make a decision about an individual.
6.2 The officer shall ensure that OSLC does not routinely update personal information unless it is necessary to fulfill the purposes for which it was collected.
6.3 The officer shall ensure that personal information used on an ongoing basis should be generally accurate and up to date, unless limits to the requirement for accuracy are clearly outlined.
- Safeguards
7.1 The officer shall ensure that OSLC has security safeguards to protect personal information against loss or theft and unauthorized access, disclosure, copying, use or modification. This shall be done regardless of the format in which OSLC holds the information.
7.2 Depending on the information's sensitivity, the officer may permit reasonable discretion regarding the information that has been collected: the amount, distribution, format and method of storage. A higher level of protection shall safeguard more sensitive information according to the consent principle's considerations.
7.3 The officer shall ensure that the protection methods include:
- Physical measures (locked filing cabinets, restricted access to offices);
- Organizational measures (security clearance, limiting access on a 'need to know' basis); and
- Technological measures (passwords and encryption)
7.4 The officer shall ensure that all employees and volunteers know the importance of keeping personal information confidential.
7.5 The officer shall ensure that care is taken when personal information is disposed of or destroyed to prevent unauthorized parties from gaining access to it.
- Openness
8.1 The officer shall ensure that OSLC is open about its policies and practices regarding the management of personal information. The policies and information about the related practices shall be available without unreasonable effort in a generally understandable format.
8.2 The officer shall ensure that information about OSLC's policies and practices shall include:
- The name or title and address of the officer who is accountable for OSLC's polices and practices and to whom complaints or inquiries may be forwarded;
- The means of gaining access to personal information held by OSLC;
- A description of the type of personal information held by the OSLC, including a general account of its use;
- A copy of any information that explains the OSLC's policies, standards or codes; and
- What, if any, personal information is made available to related organizations.
8.3 The officer shall ensure the information that must be provided according to 8.2 is available on OSLC website or in print as requested.
- Individual Access
9.1 The officer shall ensure that upon request, an individual shall be informed whether OSLC holds personal information about him/her. If possible, the information's source shall also be given. OSLC shall allow the individual access to this information. It shall also account for the use that has been made or is being made of this information and give an account as to any third parties to whom it has been disclosed.
9.2 If OSLC has supplied personal information about an individual to third parties, the officer shall ensure that an attempt is made to be as specific as possible with a list of the organizations to which it has actually disclosed the information. If an actual list is impossible to provide, a list of organizations to which it might have disclosed information about the individual is to be provided.
9.3 The officer shall ensure that OSLC responds to an individual's request within a reasonable time and at minimal or no cost to the individual. The requested information shall be made available in a generally understandable form with abbreviations or codes explained.
9.4 The officer shall ensure that when an individual successfully demonstrates the inaccuracy or incompleteness of personal information, OSLC shall amend the information as required. When appropriate, the amended information shall be transmitted to third parties having access to the information.
- Challenging Compliance
10.1 The officer is authorized to address a challenge concerning compliance with the above principles.
10.2 The officer shall develop procedures to receive and respond to complaints or inquiries about the policies and practices regarding the handling of personal information. The compliance procedures shall be easily accessible and simple to use.
10.3 The officer shall inform individuals inquiring about lodging complaints that relevant complaint procedures exist.
10.4 The officer shall investigate all complaints. If a complaint is found to be justified, the officer shall take appropriate measures, including, if necessary, amending the policies and practices.
