Usually, when technology people talk about data compliance, they are referring to policies related to HIPAA, Sarbanes-Oxley, PCI DSS, and other legal, regulatory, and industry requirements. These frameworks set out specific requirements for organizations to protect data through encryption, backup procedures, business continuity plans, and data retention plans.
One may think that because a church is not a healthcare provider or a publicly held company, these requirements don’t apply. In a strict legal sense, that understanding may be correct. But from the perspective of having an ethical responsibility to steward the data in your care, churches should implement similar policies and practices. Additionally, some churches have ministries that offer medical or mental healthcare, and those activities may be covered under the law.
Churches maintain data that needs to be kept confidential. Donor records, pastoral counseling notes, financial information, and benevolence requests are private, and emails containing details about all of these subjects are common. It’s vital that churches have policies to ensure that such data is stored only on secure servers and that, when it is stored on personal devices such as laptops, tablets, and smartphones, the device’s storage is encrypted and protected by a strong passcode and automatic screen lock. If a device is lost or stolen, a thief should not be able to gain access to the data, and the church should be able to remotely wipe the device.
Bad things happen, even in a church. Sometimes it is necessary for a church to produce documentation in a lawsuit. Churches must define a policy for what data will be retained, for how long, and who should have access to it. Some thought should also be given to how data handled by volunteers, officers, and other non-staff participants is retained. For instance, if a church elder assists a member with marital counseling in his capacity as an elder, the church should have a policy regarding how that data would be retained and made available if that member later filed a lawsuit related to the elder’s conduct.
Certain data and systems are required to continue the operations of the church. In the event of a natural disaster, hardware failure, or other catastrophe, it is essential that email, accounting, and member management functions carry on. Having a policy and process to resume operations in any of these cases, including backups that are stored off-site and periodically tested by actually restoring from them, is essential to serving your members and community well.
Have you considered these aspects of compliance? We recommend setting aside some time with your legal counsel and your IT staff to develop appropriate policies and make a plan to address them.