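Mooroolbark Baptist Church has made a commitment to adhere to the Privacy Act (2000) and to the National Privacy Principles (NPPs) that are contained in the Act. The ten NPPs contained in the Act cover the areas of:
Collection
Use and Disclosure
Data Quality
Data Security
Openness
Access and Correction
Identifiers
Anonymity
Transborder Data Flows
Sensitive Information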
The range of activities in which our Church is involved means that there are a large number of uses that we have for personal information within the church.
Information that is collected includes names, addresses, email addresses, telephone and facsimile numbers, medical details, family information (including spouses, children, guardians and parents’ details), membership details of groups within the church, credit card numbers and account numbers and any notes that may be taken for counselling purposes.
Our Church only collects personal information that is necessary for our activities and in particular only collects sensitive information where it is consented to by the individual or their parent or guardian. Sensitive information is only shared where the church has a belief that its use or disclosure is necessary to prevent threats to the health, life or safety of any individual.
Personal information is not shared without the consent of the individual and it is not distributed to any organisation that is not associated with the Church.
At the Church office, all personal information is stored in secure cabinets, and where possible in secured offices and premises. Any personal information that is in an electronic form is stored in secured facilities.
All papers containing personal data are disposed of either by secure paper destruction, shredding or incineration. Disks and other electronic storage devices containing personal data are destroyed when no longer in use.
Individuals may access data that is held by Mooroolbark Baptist Church on themselves, by notifying the church in writing of their request. The request will be acknowledged by the church within 14 days and a time will be arranged for the viewing of the data. Information that is out of date or is inaccurate will be updated on written request, or the applicant will be notified of the reason the information will not be updated.
Mooroolbark Baptist Church may send out information such as newsletters, including information from organisations associated with The Baptist Union of Victoria. If an individual in receipt of this information no longer wishes to receive it, they should notify the church in writing of their wish not to receive any further information. Any correspondence of this nature should be addressed to the Church Office Secretary.
A full copy of Mooroolbark Baptist Church’s Privacy Policy is available on request from the Church Office.
Practical applications of the National Privacy Principles
National Privacy Principle 1: Collection
Overview
Collection of personal information must be fair, lawful and not intrusive. A person must be told the church’s name, the purpose of collection, how to get access to their personal information, and what happens if the person chooses not to give the information.
What information can we collect?
Information includes data collected on forms and informal notes taken by a Minister or church member.
It also includes information that has been obtained by accident or has not been sought directly.
You should only collect information that is relevant to the purpose for which it is being collected, e.g. church camp, craft group, community centre, and baptism.
When information is obtained from a third party you must seek permission from the person concerned before using it.
Individuals must be given the option of choosing not to have their personal information used by the church.
Collecting information on paper
Written consent is the best consent
When information is collected, the following information should be included on the form:
The identity of the Church and how it can be contacted
That the person can access their information
Why the information is being collected
To whom the information will be disclosed and any law that requires the information to be collected
The consequences (if any) for the individual if the information isn’t provided.
Collecting information verbally
In many cases a church will legitimately collect information about a person or persons other than through the use of a printed form.
Wherever possible you should still seek consent to collect and retain the information.
Church Offices
It is important that paid and volunteer office staff are familiar with the principles of the Privacy Act.
General guidelines for the church office are:
Phone Messages — the person taking the message should only record essential information.
Phone Pads — message pads should not be left in a public place where others can view personal or sensitive information.
Standard message sheet — it could be helpful to have a standard sheet for collecting information to encourage a standard process. This sheet should include the statement “Do you consent to this personal information being recorded and given to other appropriate persons in the church?”
Collecting information via a website
If information is collected on-line, the website must have a clearly identified privacy statement. It should be prominent; users should not have to move through several pages to get to it.
Age of Consent
The Privacy Act does not specify an age after which people can make their own privacy decisions.
The standard practice used by the Church of requesting parents or guardians to give consent for their child’s participation in an activity still applies.
Contractors
When a church enters into an agreement with a contractor, and that contractor will have access to personal information, the contract should include a clause stating that the contractor will adhere to the requirements of the Privacy Act.
National Privacy Principle 2: Use and Disclosure
Overview
The church should only use or disclose information for the purpose it was collected (primary purpose) unless the person has consented, or the secondary purpose is related to the primary purpose and a person would reasonably expect such use or disclosure.
The most obvious example of this is the Church Directory. In most churches the contact details of members are contained in a church directory. So that the church is free to use this data for broader purposes, it is recommended that, at the time the information is collected, consent be obtained to use the information for other church related activities.
The consent form should include an ‘opt out’ clause so that the person can have their information in the church directory (primary purpose) but can determine that they do not want their details used for any secondary purposes.
The ‘opt out’ clause should read:
please tick this box if you wish your details to ONLY be used in our directory and not be available for other church related activity.
There are a number of situations where it is appropriate to disclose information:
Where it is required by law or a law enforcement agency
To lessen serious threat to a person’s health or safety
When it is in the same context as the indicated purpose (related use)
When consent has been obtained.
Sensitive Information
Sensitive information, such as medical information, should not be used for any other purpose than that stated at the time of collection, unless consent has been obtained. (Refer also to NPP 10, Sensitive Information.)
Serious threats to life, health or safety
Personal information can be given out where it is believed there is a serious and imminent threat to the life or health of the person concerned or to a third party.
Where personal information is disclosed in these circumstances it is important that a record of the disclosure is kept.
Direct Mailing
There may be occasions where the church will use personal information for direct mailing and emailing purposes.
Only non-sensitive information can be kept for direct marketing.
Recipients should be given an opportunity to ‘opt out’.
Information collected by the Church CANNOT be passed on to any other organisation so that the latter can use the information for direct marketing unless consent has been given.
Unlawful Activity
The Church can use or disclose personal information when it has reason to suspect that an unlawful activity has occurred.
Where possible, the Baptist Union of Victoria Director of Admin Services should be contacted prior to making contact with a recognized law enforcement agency.
Required or Authorised by Law
The Church will use or disclose personal information where this is required by Commonwealth, State or Territory legislation or by the common law. This is a legal obligation. When the use or disclosure of personal information is authorised by law, the Church can decide for itself whether to disclose the information or not. If a situation arises and the Church Leadership is uncertain of what can be required or authorized by law, contact should be made with the BUV’s Director of Admin Services.
National Privacy Principle 3: Data Quality
Overview
The church will take reasonable steps to ensure the personal information it collects is accurate and up-to-date.
The Church must take reasonable steps to correct information about an individual where that information is not accurate, up-to-date and complete.
If an individual and the Church are unable to agree about whether personal information is accurate, up-to-date and complete, the Church must, at the request of the individual, take reasonable steps to note on the person’s record their claim that the information held on them is not accurate, complete and up-to-date.
As an example, the church produces an annual church directory. It would be reasonable to anticipate that all members in that directory would have the opportunity to update their details or opt out of inclusion in the directory at the time of its reprinting.
If the church was informed partway through the year that someone no longer wished to be included in the directory it would not be necessary to re-call all the directories. However, any directories that were held in reserve should be updated.
National Privacy Principle 4: Data Security
Overview
The church will take reasonable steps to protect the personal information it holds against misuse, loss and unauthorised access, modification or disclosure.
Storage and backup
All paper records should be kept in lockable storage in a central location, e.g. a filing cabinet.
All computers should be password protected with the passwords updated on a regular basis. When multiple users access computers it is advisable to limit access to only the files they need to use.
When sending emails to multiple users, addresses should be placed in the BCC (blind carbon copy) field.
Backup files should also be held in a secure location.
Destroying records
Information no longer needed should be destroyed.
Personal information should only be destroyed by secure means; i.e. shredding.
Garbage disposal or recycling of documents should only be used for documents that do not contain personal information.
Sharing Information
If personal information is shared by phone, facsimile or email, the church should take steps to ensure the information is sent to the intended recipient. Such steps will include double-checking facsimile numbers and email addresses before sending personal information, confirming receipt, and checking a person’s identity before giving out personal information over the telephone.
National Privacy Principle 5: Openness
Overview
The church will have a document outlining its information handling practices and make this available to anyone who asks for it.
In creating our own document, which is recommended, to cover activities and events run by the church we will need to include the following information:
The church’s contact details:
The name
Street and postal addresses
Main telephone and facsimile numbers
Appropriate email addresses
The kinds of personal information the church holds
The main purposes for which the church holds the information
How the information is collected
To whom the information will be disclosed
How to contact the Privacy Contact Person
How the church handles requests for access to personal information.
National Privacy Principle 6: Access and Correction
Overview
An individual has the right to access the personal information that the church holds about them (although there are some exceptions).
Prior to granting a person access to the information the Church holds about them, as a minimum, the following basic checklist should be followed:
Ask for the request in writing
Record the request in our Privacy Register
Determine if an exception is applicable (exceptions are):
It is unlawful to provide the information
It poses a serious and imminent threat to the life or health of any individual
It has an unreasonable impact upon the privacy of other individuals
The request is frivolous or vexatious.
If an exception is used, the Church is required to give the reasons for denying access or refusing to correct personal information; however, this is not required where such a disclosure would prejudice an investigation against fraud or other unlawful activity.
Acknowledge the request and arrange a time to view the information
A request to access personal information does not need to be acted upon immediately
A written request for access should be acknowledged within 14 days
If granting access is straightforward, the church should do so within 14 days or, if giving access is more complex, then within 30 days.
Authenticate the identity of the person seeking access to the personal information
If the information needs to be corrected this should be done as soon as possible
National Privacy Principle 7: Identifiers
Overview
The church must not adopt, use or disclose an identifier that has been assigned by a Commonwealth government agency (i.e. Tax File number, Medicare number).
The Church may allocate its own identification numbers or codes to identify members of the church if it so wishes.
The Church cannot adopt a Tax File or Medicare number as that identification number.
National Privacy Principle 8: Anonymity
Overview
Organisations must give people the option to interact anonymously whenever it is practical and lawful to do so.
Unless the church has a good practical reason which we have described at the time of the collection of the information (e.g. ‘we want to send you information about our church’) or legal reasons to require identification, people must be given the opportunity to remain anonymous.
National Privacy Principle 9: Transborder Data Flows
Overview
The church can only transfer personal information to a recipient in a foreign country in circumstances where the information can have the appropriate protection.
Before the Church sends information internationally it must obtain the individual’s consent in writing and the individual’s directions for secure transfer of the information.
National Privacy Principle 10: Sensitive Information
Overview
An organisation must not collect sensitive information unless the individual has consented, it is required to do so by law or the collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual.
Sensitive information is information about an individual’s racial or ethnic origin, political opinions, memberships or affiliations, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices, criminal record or health information.
The Church will only collect and use sensitive information where the individual has consented.
Further consent will be obtained if sensitive information is to be used for a use other than the purpose stated at the time of collection.
If the individual cannot give consent due to some incapacity, consent can be obtained from the individual’s guardian.
If the individual does not give consent, the individual must be made aware of the consequences (if any).
Sensitive information should not be collected on the ‘off chance’ that it would be helpful to have it some time in the future.
Sensitive information should be destroyed when it is no longer required.
An individual’s consent MUST be obtained before any medical condition or operation is mentioned either in a prayer chain or in a worship service. If consent is given, it must also indicate what level of information the individual wishes the faith community to know.
If information regarding a medical condition is obtained in a counselling session, it is NOT APPROPRIATE for that information to be passed to a third party even if that was simply to invite the individual to a healing service.
Appendix A
Disclosure and collection statements
Wording for Church Directories:
“In accordance with the Privacy Policy of Mooroolbark Baptist Church any information contained in this directory will be used only for the ministry of this church and activities related to this church. The information will not be released to any organisation outside of this church”.
Wording for Care or Prayer Cards:
“In accordance with the Privacy Policy of Mooroolbark Baptist Church, any information collected on this card will be used only for the ministry of this church and activities related to this church. You are free not to complete any part of this card but this may limit our ability to respond to your request. It is also a requirement of our Privacy Policy that any information given on behalf of another person is done so with their consent. If you are seeking prayer on behalf of a third person please use only first names.”
Appendix B
Checklist for Collection of Information
In the future when our church collects information it should adhere to the Privacy Act.
It is best to request all information in writing. If information is collected verbally then it should be checked for correctness.
Here are 11 simple steps to follow:
Clearly state who is collecting the information, e.g., Mooroolbark Baptist Church on behalf of Tuesday Craft Group.
Be clear about what information is being collected, e.g., name, address & phone number.
State clearly the purpose you will use the information for, e.g., the church directory.
Explain to whom the information will be disclosed, e.g., the directory will only be distributed to attendees of the church.
Explain how the information will be stored, e.g., we will store the information on our church computer database that is stored in a secure location.
Explain who is responsible for updating the information, e.g. the office secretary updates the database annually.
Explain that you will destroy the information when it is no longer required.
Include an “opt out” clause, e.g., you do not have to complete this form. If you choose not to, you may limit the church’s ability to care for you pastorally.
If your form includes a print out of current data you need to state where you got the information from, e.g., below is a copy of the details printed in last year’s church directory. Please notify us of any changes or incorrect information.
Explain how people can access the information that has been collected about them, e.g., if you wish to view the information we hold about you, please contact our Office Secretary.
If requesting sensitive information, you should state in what circumstances you will disclose it, e.g., if you have a form collecting medical information in case of an emergency, the form should make it clear that the information will only be disclosed in the event of a medical emergency.
Appendix C
Keeping a Privacy Register
The Church’s Privacy Contact Person (usually the Secretary, Administrator or Pastor) should keep a Privacy Register.
A register is a record of all the matters relating to compliance with the Privacy Act in your church. It should include:
A record of how the Privacy Act has been implemented in your church
Audit information for each activity
A record of any enquiries or complaints made in relation to personal information
A record of any disclosure of any personal information other than what consent has been gained for
A record of all requests to ‘opt out’.
All records should be kept for a minimum of seven years unless otherwise directed by law or the Privacy Commissioner.
Other important information about church records
Some church records contain information that is required to be kept permanently and never destroyed such as Baptisms, Weddings, Funerals and Membership.
The register of Marriages should also be permanently kept. All of these records should be kept in a locked filing cabinet or cupboard.
Historic church records that are no longer used, such as full membership rolls and records of funerals and baptisms, should be forwarded to the Baptist Union of Victoria Archives where they will be catalogued and stored.
Appendix D
Audit Information Sheet
NOTE: There are no “right” answers. This form is designed to help you think through the issues and required actions.
Name of activity: _________________________________________________________________________
| Questions & example | Answer | Further action required |
| --- | --- | --- |
| What type of information is collected? (eg. contact details, family information, date of birth, medical details) | | |
| Does this information include “sensitive information”? (eg. medical records, counselling notes) | | |
| Has consent been given to hold the information stated in the above answers? | | |
| Purpose of collection? (eg. to ensure safety, pastoral care) | | |
| Is it relevant? Do we need to collect it? (eg. Yes) | | Note: If you answered “No” you must delete this information. |
| Is the information we have correct? (eg. don’t know) | | Note: If you answered “No” you must destroy or update your information. |
| How often is the information updated? (eg. annually) | | |
| Who is it collected from? (eg. the individual or a third party) | | |
| How is it collected? (eg. verbally or by form) | | |
| Is the person who collects the information aware of the Privacy Act and its implications? (eg. Yes) | | Note: If you answered “No” – do you need to offer training? |
| Is the information being used for the purpose it was originally collected for? (eg. No. Alpha letter is sent to people who registered for our craft group.) | | |
| Where is the information stored? Is it secure? (eg. church office, foyer, individual’s home) | | Note: If it is not secure you will need to make it so. |
| Is access to the information limited to only those people who need it? (eg. No. Anyone with a key can access it.) | | Note: You may need to limit access. |
| Is the distribution method of collected information appropriate? (eg. pigeon holes and foyer table are open to anyone to access) | | Note: You may need to rethink your distribution method. |
| What needs to be done next time we update this information? (eg. add appropriate wording to registration form) | | |
All sections of this form have been completed and steps are in place to undertake any actions required.
_____________________________________
Privacy Contact Person’s signature
_______________________________________
Activity Coordinator’s signature
_______________________________________
Date
©2026 Mooroolbark Baptist Church