III. Collection of Personal Information
IV. Use and Disclosure of Personal Information
V. Accuracy, Protection, and Retention of Personal Information
VI. Access to Personal Information
VII. Challenging Compliance
The following definitions of terms used in this policy may be helpful for clarity:
Disclosure – refers to showing, sending, or giving personal information to an outside organization or individual.
Employee Personal Information – personal information collected, used, or disclosed solely for the purposes reasonably required to establish, manage, or terminate an employment relationship. This generally includes records involved in human resources management activities related to the duties and responsibilities of employees and volunteers such as personnel records, letters of application, interview results, personal references, evaluations, and letters of resignation or termination of employment. It does not include personal information that is not about the individual’s employment, thus employee personal information is personal information specifically about employment or volunteer work.
Necessary – in regards to collection, use, or disclosure of personal information, “necessary” is more than convenient and is integral to fulfilling the purpose. Personal Information – information that can identify an individual (including name, home address, phone number, or clergy number). It also means information about an identifiable individual (including a physical description or educational qualifications).
Personal information includes “employee personal information” but does not include business contact information or work product information.
You may contact the Privacy Officer at the following address: Privacy Officer Crossroads Community Church PO Box 2196 5511 Shorncliffe Ave Sechelt, BC V0N 3A0 604-741-7568 [email protected]
The Church is responsible for personal information that is collected, used, or distributed on its behalf, and any such personal information that is in its custody or under its control. In order to fulfill all responsibilities in compliance with current legislation:
1.2 The Church shall make known the name of the Privacy Officer and their contact information upon request.
1.6 If the Church makes personal information available to a contracted third party (ex. auditors, insurers, law firms, IT providers), it will hold that party responsible to maintain comparable levels of protection of privacy while the information is in their control.
2.1. The Church will obtain reasonably informed consent of individuals to collect, use, or disclose personal information except where authorized to do so without consent. This commitment to obtain consent will be articulated in the name of form or key document(s) where consent is obtained.
2.2. Consent may be provided orally, in writing, electronically, or through an authorized representative. The Church will take reasonable steps to ensure that consent given is clearly understood.
2.3. Consent may be implied where the purpose for collecting, using, or disclosing the personal information would be considered obvious and any affected individual voluntarily provides personal information for that purpose.
2.4. In general, consent to collect, use, and disclose personal information for identified purposes is implied when an individual accepts employment or benefits from the Church.
2.5. Employee personal information may be collected, used, or disclosed without consent where allowed by law. Consent is also not required for collection, use, or disclosure where the employee personal information is related to managing or terminating an employment relationship, but the employee will be notified by the Church when this occurs.
2.6. Subject to certain legal exceptions, individuals may withhold or withdraw their consent for the Church to use their personal information.
2.7. Individuals may not be able to withhold consent when withdrawal of consent would frustrate the compliance to a legal obligation.
2.8. The Church will not require consent to the collection and use of information in order to access goods or services unless that information is necessary to fulfill the purpose identified. In a situation where an individual’s decision to withhold or withdraw their consent to certain uses of personal information may restrict the ability to provide a particular service or product, the consequences of withdrawing consent will be explained to assist the individual in making a decision.
2.9. The following are examples of when the Church may collect, use, or disclose the personal information of an individual without their consent: • When collection is clearly in the individual’s best interests and the Church is unable to obtain their consent in a timely way. • When it is reasonable to expect that obtaining consent would compromise the availability or accuracy of personal information required for a reasonable investigation or proceeding . • When the personal information is collected by observation at a service, performance, or similar event open to the public and at which the individual voluntarily attends. • When authorized or permitted by law. • For the purposes of collecting a debt. • When the personal information is available to the public, from a source prescribed in the regulations . • When it is necessary to determine suitability to receive an honour, award, or similar benefit or selected for an artistic purpose. • When the information is collected by the Church on behalf of another organization in order to carry out work for the organization. The individual must have already consented to the other organization, and the personal information may only be collected, use, or disclosed by the Church for the purpose it was originally collected.
2.10 The following is an example of when the Church may collect the personal information of an individual without their consent: • When it is necessary for the medical treatment of the individual and they are unable to give consent.
2.11 The following are examples of when the Church may use the personal information of an individual without their consent: • When it is necessary for the medical treatment of the individual and they do not have legal capacity to give consent . • When the use is necessary to respond to an emergency that threatens life, health, or security of an individual.
2.12 The following are examples of when the Church may disclose the personal information of an individual without their consent: • When it is necessary for the medical treatment of the individual and they do not have legal capacity to give consent5. • When the disclosure is required to comply with a subpoena, warrant, or court order. • When the disclosure is to a public body (such as Worksafe BC) or law enforcement agency to assist an investigation of a contravention of law. • When disclosed to respond to an emergency that affects the health or safety of an individual and notice of the disclosure is mailed to the last known address of the individual. • When the disclosure is needed to contact next of kin or a friend of an injured, ill, or deceased individual. • When the disclosure is to a lawyer representing the Church. I
3.1. The Church is committed to ensuring that the purposes for which personal information is used are identified.
3.2. The Church will only collect personal information from individuals as is necessary to fulfill the following purposes: • Employees – human resource management and remuneration • Licensed Workers – human resource management (ex. placement, disciplinary proceedings) • Registrants – event registration, medical emergencies • Investors & Donors – loan and banking information, donations, and tax receipts • Churches – information for management of churches and their employees, volunteers, and members
3.3. The types of personal information that may be collected include names, addresses, phone numbers, email addresses, birthdates, and education.
3.4. The Church will directly make these purposes known to individuals orally, electronically, or in writing at the time that personal information is collected.
3.5. Unless otherwise allowed by law, the Church will directly notify and obtain the consent of an individual before using previously collected information for a new purpose.
3.7. The Church will not collect personal information indiscriminately.
3.8. The purposes for collecting personal information shall be reasonable and clear at the time of collection and we will not deceive or mislead individuals as to why information is being collected.
4.1. The Church will only use and disclose personal information where necessary to fulfill the purposes identified at the time of collection, or for a purpose reasonably related to those purposes, except where authorized to do so (see section II – Consent).
4.2. The Church will not use or disclose personal information for any additional purposes unless, directly or indirectly, consent is obtained to do so.
4.3. The Church will not sell individuals’ names, lists, or personal information to other parties.
5.1. The Church is committed to ensuring the accuracy of its information and will take reasonable efforts to ensure that personal information is accurate and complete.
5.2. The Church will update information when necessary or when notified of changes. Individuals may request corrections to their personal information in order to ensure its accuracy and completeness. A request to correct personal information may be made via letter, email, or telephone.
5.3. If the Church determines that a correction to personal information should be made, the corrections will be implemented and other organizations (i.e. other churches, the Canadian Pacific District Office, the National Ministry Centre) that may have shared the information in the previous year will also be notified of the correction.
5.4. The Church is concerned about the safety of personal information. In order to address security concerns, the following safeguards are in place: • Physical security measures including locked cabinets, restricted access areas where sensitive personal information is kept, security alarm systems, and other similar measures instituted from time to time. Restricted access areas will be kept locked overnight, on weekends, and while the office closed for holidays or other extended periods of time. • Security measures including the Employee Confidentiality Agreement, sensitive information restricted to those involved, mass emails sent out blind-copied, and other similar measures instituted from time to time • Technological security measures including use of passwords, firewalls, and security encryptions
5.5 The Church shall protect personal information disclosed to third parties by contractual agreement that stipulates that confidentiality and safeguard requirements that are comparable to its own. The Church will use security measures when destroying personal information including: • Shredding any documents containing personal information • Deleting electronic records containing personal information which are no longer needed.
5.6 The Church will review and update its security measures annually.
5.7 The Church will stress to all employees the importance of safeguarding the confidential nature of personal information, and will require all employees to sign the Employee Confidentiality Agreement.
5.8 The Church will only retain personal information as long as it is needed to achieve its purposes. Certain information required by law to be retained at least six years will be evaluated after that period as to the need for retention. Other information, such as may be needed for future reference, legal purposes, or benefits will be retained permanently.
5.9 If the Church uses personal information to make a decision that directly affects an individual, it will retain that personal information for at least one year to give that individual a reasonable opportunity to request access to it.
6.1. Individuals have a right to access their own personal information, subject to limited exceptions including, but not limited to: • Situations of solicitor-client privilege • Where the information was collected for an investigation or proceeding that is not yet concluded • Where the information was collected or created by a mediator or arbitrator appointed by law or a court • Situations where disclosure may reveal the personal information of another person • Situations where the health or safety of a person may be jeopardized
6.2. The Church may charge a minimal cost for individuals to access their information. Should a minimal cost be charged, the Church will provide a written estimate to the individual.
6.3. A request to access personal information must be made in writing to the attention of the Privacy Officer and provide sufficient detail to identify the personal information being sought. The requested information will be made available within 30 business days, or written notice of an extension where additional time is required to fulfill the request will be provided.
6.4. The Church will endeavour to make all information provided easy to understand and explain any acronyms or abbreviations used.
6.5. The Church reserves the right to confirm the identity of the individual seeking access to their personal information before complying with any requests. In this event, information related to the individual’s identity would be used exclusively for the purposes of allowing access.
6.6. When responding to a request for personal information, the Church will inform the individual of the following: • whether the Church has a document that contains the individual’s personal information • whether the Church will give access to all or part of the personal information • if access will be given to personal information, and when, where, and how it will be given In certain situations, it may not be possible to provide access to all the personal information held by the Church and a request may be refused in part or in whole for reasons such as those stated in 6.1.
6.7. If an individual’s request for personal information is granted, the Church will provide their personal information, information about the ways their personal information has been used by the Church, and information about any other organizations that the personal information has been disclosed to.
6.8. If a request is refused in full or in part, or if the information requested is not available, the Church will notify the individual in writing and provide the following: • the reasons for refusing access and the sections of PIPA that allow or require refusal of access • the name of the person in the Church who can answer questions about the refusal • that the applicant may ask the Information and Privacy Commissioner of British Columbia to review the Church’s decision to refuse access The notification to the individual will be kept on file.
6.9. The Church must refuse a request where the disclosure could reasonably jeopardize the health and safety of another individual or cause immediate, grave harm to the health and safety of the individual who made the request.
6.10. If a disclosure would reveal personal information about another individual or reveal the identity of the person who provided the Church with the personal information, and that person has not consented to the disclosure of their identity, the Church must refuse the disclosure.
6.11. If personal information provided is shown to be incomplete or inaccurate, it will be amended appropriately. When necessary, the Church will transmit this correction to third parties with access to the information. When a challenge is not resolved to the individual’s satisfaction, either the personal information in issue will be corrected or all personal information under Church care and control will be destroyed, at the option of the Church.
7.3 If the Privacy Officer is the subject of the complaint, then the Board of Elders Chair will address any complaints or concerns. If the Privacy Officer (or, in the case of a complaint against the Privacy Officer, the Board Chair) is unable to resolve the concern, the affected individual may also write to the Information and Privacy Commissioner of British Columbia.
7.4 The Church’s procedure for dealing with complaints involving personal information is as follows: • Record the date and nature of a complaint when it is received • Acknowledge receipt of the complaint promptly • Review the matter fairly and impartially, providing access to all relevant records to the individual where possible • Notify the individual of the outcome of the investigation promptly and clearly • Correct any inaccurate or incomplete information when possible