
PRIVACY POLICY

Our Saviour Lutheran Church - ("the Congregation")

BACKGROUND

In order to comply with the Canadian Federal Government's Personal Information Protection and Electronic Documents Act ("PIPEDA") that regulates the collection, use and disclosure of personal information in commercial activities, our Congregation has developed this Privacy Policy. Our Congregation has adopted as the foundation of our Privacy Policy, the 10 Governing Principles that are set out in the National Standard of Canada entitled "Model Code for the Protection of Personal Information" and that form part of PIPEDA. Our objective is to promote responsible and transparent personal information management practices.

The following governing principles guide our Congregation in the collection, use, disclosure and retention of personal information. Since our Congregation regularly reviews all of our policies and procedures, and since privacy law can be expected to evolve in Canada as the Office of the Privacy Commissioner and the courts provide guidance as to the application of PIPEDA to specific fact situations, as PIPEDA may itself be amended and as provincial privacy laws are enacted, our Congregation may revise this Privacy Policy at any time or from time to time.

A copy of the Privacy Policy is posted prominently in the church. For a copy of the current version of the Privacy Policy please contact the Privacy Officer.

SCOPE AND APPLICATION

The scope and application of our Privacy Policy is as follows:

1. The 10 Governing Principles that form the basis of the Privacy Policy are interrelated, and our Congregation will adhere to them as a whole.

2. The Privacy Policy applies to personal information about the members, volunteers, donors, and other constituents or stakeholders of our Congregation (collectively, our "Stakeholders") that we collect, use or disclose in the course of commercial activities.

3. The Privacy Policy applies to the management of personal information in any form, whether written, oral or electronic.

4. The Privacy Policy does not impose any limits on our collection, use or disclosure of any of the following information:

(a) an individual's name, address and telephone number that appears in a telephone directory that is available to the public, where the individual can refuse to have their personal information appear in such a directory;

(b) an employee's name, title, business address or telephone number; or

(c) other information about an individual that is publicly available or that is specified by regulation pursuant to PIPEDA.

5. The application of the Privacy Policy is subject to the requirements and provisions of PIPEDA, the regulations enacted thereunder and any other applicable legislation, regulation, court order or other lawful authority.

GOVERNING PRINCIPLES

Principle 1 – Accountability

Our Congregation is responsible for personal information in our possession or under our control.

Responsibility for compliance with the provisions of the Privacy Policy rests with the Privacy Officer, who can be reached by using the contact information provided on the last page of this Privacy Policy. Each Council and Committee member, employee and volunteer is responsible for maintaining and protecting the personal information under their control and is accountable, for such information, to the Privacy Officer.

Principle 2 - Identifying Purposes for Collection of Personal Information

Our Congregation will identify the purposes for which personal information is collected at or before the time the information is collected.

Our Congregation collects and uses personal information about individuals solely for the following purposes:

a) To identify and enable communication with our Stakeholders;

b) To provide income tax receipts;

c) To meet statutory and regulatory requirements;

d) To manage and develop our business and operations;

e) To carry out our organizational activities, all with a view to advancing the goals of our Mission Statement; and,

f) To record the history of our Congregation, which may be shared with Lutheran Church-Canada as well as with any District of Lutheran Church-Canada and their respective agencies and affiliates, and which may be made available to the public through the Lutheran Historical Institute.

The only circumstance under which personal information may be disclosed to third parties is for the fulfillment of any purposes identified above, or as required by law. Where personal information is disclosed to a third party for the fulfillment of any purposes identified above, our Congregation will make known that the information is confidential and may not be released to any other third party, known or unknown, without our Congregation’s expressed consent.

Principle 3 - Obtaining Consent for Collection, Use or Disclosure of Personal Information

The knowledge and consent of an individual are required for the collection, use or disclosure of personal information, except where inappropriate.

Unless the Stakeholder advises the Privacy Officer in writing to the contrary, provision of personal information on official congregational forms constitutes consent for our Congregation to collect, use and disclose personal information for the purposes stated in this Privacy Policy.

A Stakeholder may refuse or withdraw consent at any time, subject to legal and contractual restrictions and reasonable notice. The choice to provide our Congregation with personal information is always the Stakeholder’s. A decision to withhold particular information may limit our Congregation’s ability to meet specific requirements for the provision of certain services.

A Stakeholder may refuse or withdraw consent by contacting the Privacy Officer. The Privacy Officer will explain the options and any consequences of refusing or withdrawing consent, and will record the Stakeholder’s choice.

Principle 4 - Limiting Collection of Personal Information

Our Congregation will limit the collection of personal information to that which is necessary for the purposes that our Congregation has identified. Our Congregation will collect personal information by fair and lawful means.

The personal information typically collected and maintained by us includes an individual's:

a) name,

b) mailing address,

c) e-mail address,

d) telephone number,

e) date of birth,

f) place of employment,

g) baptismal records,

h) confirmation records,

i) marriage records,

j) burial records,

k) participation or membership in committees, financial contributions and pledges, and

l) attendance and communion records.

The information so collected depends upon the project, committee or purpose disclosed at the time of collection.

Principle 5 - Limiting Use, Disclosure, and Retention of Personal Information

Our Congregation will not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Our Congregation will retain personal information only as long as necessary for the fulfillment of the purposes for which it was collected.

Principle 6 - Accuracy of Personal Information

Personal information will be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

Our Congregation will make all reasonable efforts to ensure that personal information is as accurate, complete, and current as required for the purposes for which it was collected. If a Stakeholder finds any inaccuracies in the information, they should inform our Congregation and corrections will be made. Our Congregation relies on the Stakeholder to ensure that information is current, complete and accurate.

Principle 7 - Security Safeguards

Our Congregation will protect personal information through the use of security safeguards appropriate to the sensitivity of the information.

Our Congregation uses appropriate security safeguards to protect personal information from risks such as loss, misuse, unauthorized access, disclosure, or alteration. Safeguards include physical, administrative, and electronic security measures.

All employees and volunteers are required to abide by this Privacy Policy. They are also required to work within the principles of ethical behaviour as cited in Scripture, and must follow applicable laws and regulations. In the course of daily operations, access to personal information is restricted to those employees and volunteers whose job responsibilities require them to access it.

Appendix A, attached to and forming part of this Privacy Policy, sets out specific Congregational responsibilities and procedures to safeguard confidentiality of information.

Principle 8 - Openness Concerning Policies and Procedures

Our Congregation will make readily available to our Stakeholders specific information about our policies and procedures relating to our management of personal information.

This information can be accessed by contacting the Privacy Officer.

Principle 9 - Access to Personal Information

Our Congregation will inform an individual of the existence, use and disclosure of his or her personal information upon request, and will give the individual access to that information. An individual will be able to challenge the accuracy and completeness of the information and request to have it amended as appropriate.

Upon request in writing to the Privacy Officer, the individual will be informed of the existence, use, and disclosure of their personal information and will be given access to the information.

In certain exceptional situations, our Congregation may not be able to provide access to certain personal information that it holds about an individual. For example, our Congregation may not provide access to personal information if doing so would reveal personal information about a third party. If access cannot be provided, the Stakeholder will be notified in writing of the reason(s) for refusal.

Principle 10 – Process for Enquiries and Complaints

An individual may address concerns regarding compliance with the above principles to our Privacy Officer by:

1. Telephone: 416-741-2110

2. Mail: Our Saviour Lutheran Church

2705 Islington Avenue

Etobicoke, Ontario

M9V 2X7

Attn: Privacy Officer

3. E-mail: privacyofficer@oslc.on.ca

For a copy of PIPEDA or to contact the Privacy Commissioner of Canada, please visit the Office of the Privacy Commissioner of Canada’s web site at: www.privcom.gc.ca


APPENDIX A – forming part of the Privacy Policy

Specific Responsibilities and Procedures on Maintaining Confidentiality

 

Where Confidential Information is Located

Information of our Stakeholders resides primarily in the church computer(s) and in the OSLC Membership Directory (the "Directory").

Responsibilities

Be it recognized that Pastor and the Elders are stewards for Christ and the well-being of our Congregation. As stewards, Scripture mandates that they have undertaken a vow of confidentiality and discretion. Consequently they are also charged with the confidentiality and privacy of information that may be contained in the Directory and on the church computer, in paper and electronic format.

Further, under the principles contained within this Privacy Policy, each Council and Committee member, employee and volunteer is responsible for maintaining and protecting the personal information of Stakeholders under their control. This means that all personal information will be limited to as few individuals as possible and on a need-to-know basis only.

It is the responsibility of the Privacy Officer to ensure, from time to time and at a minimum annually when a new Council has been elected, that all who are serving our Congregation and have access to personal information as part of their duties read and become familiar with, and act in accordance with, the provisions contained within the Privacy Policy.

Procedures and Controls over Electronic Media

1. Access to computers is limited to only the individual(s) responsible for maintaining and updating Stakeholders’ information. Note that the information contained within the Directory is a subset of Stakeholders’ information.

2. All computers containing Stakeholders’ information shall be located in a locked office(s), and access to them shall be restricted by password sign-on.

3. Where possible, any specific database or files within a computer (or saved to an externally stored file or backup facility) containing Stakeholder information must be protected by password access.

4. Where a Stakeholder has refused or withdrawn consent in writing through the Privacy Officer, the Privacy Officer shall keep a copy of the request on file and shall order all of the Stakeholder’s information, except name, be stricken from our Congregation’s computer records/database.

Procedures and Controls over the Directory

1. Our Congregation will publish/print the Directory from time to time. The source of this data is the computer record.

2. Each page of the Directory will be printed with an italicized footer with the following disclaimer: “Proprietary Notice – The information contained herein is private and confidential. It is the property of and for the use of OSLC members only. Use by third parties is prohibited.”

3. At the time Council agrees to publication of a new Directory, this must be announced to the Congregation a minimum of 3 times. One of these times would constitute announcement in a Sunday Bulletin. The Privacy Officer must keep a copy of this Bulletin as a permanent record, along with a copy of the new Directory.

4. Only the person(s) charged with the maintenance of the electronic Stakeholders’ record is authorized to print the Directory. The same individual charged with printing it will control storage of any undistributed copies, and storage shall be under lock and key.

5. Any spoiled pages resulting from printing of the Directory will be destroyed immediately by shredding.

6. When a Directory is printed for distribution to OSLC members, it shall be distributed by those authorized to maintain the Stakeholders’ electronic records/database. Distribution shall be made directly to members of OSLC only, either personally by hand or by mail. At no time shall a Directory, or a stack of Directories, be left for distribution or review in any area or table of the church.

7. Where a Stakeholder has refused or withdrawn consent in writing through the Privacy Officer, only the Stakeholder’s name may be published in the Directory.