Because technology and the IT department are so intimately integrated into so many areas of a church’s operations, there is often a question of where the responsibility for particular policies or recommendations falls. Some believe that IT should drive specific policies because those policies are so closely intertwined with, and enabled by, technology solutions. Others feel that the legal department or those in charge of compliance and strategy should direct policy. In this second view, the IT department is responsible only for implementing the technical processes required to support the policy.
Who is in Charge of Policy?
One example of this confusion of responsibility that we often run into with churches (but this applies to any organization) is the issue of proper data retention policies. At Enable, churches often ask us questions like, “What is the standard or appropriate amount of time or the best practice for how long old accounts should remain active and accessible?” and “How long should we retain old employee data files and information?”
Your IT department or team is probably not the best party to answer the question, but the short answer is, “It depends.”
We know, we know – this frustrating answer feels like no answer at all! But the truth is that these types of questions are not technology questions at their core and are not best answered by technology partners and advisors. These questions touch on critical legal and business considerations and are best answered by team members and advisors in those areas. The specific answers to these types of questions vary widely based upon the individual characteristics of the church or organization asking the question, their specific business or industry sector, any applicable regulations governing their operations, their unique procedures and history, and other possible legal risks or concerns.
Technology Issues vs. Legal Issues
To adequately protect the churches they serve, church leaders need wise legal counsel to address data retention issues and other similar matters. The need for appropriate legal counsel is especially critical in the current legal environment. Privacy, data integrity, security, abuse allegations, and pastoral negligence are growing concerns for leadership in churches and other organizations.
The need for wise and well-constructed policies is present in other areas besides data retention, such as:
- PCI and payment information
- Member data
- Acceptable use policies
A thought commonly expressed by churches and other organizations is, “PCI (or data retention or member data or acceptable use, etc.) is a technology problem, and IT is responsible for technology, so IT should take responsibility for PCI compliance.” Thus, responsibility for implementing policy often lands on IT’s plate because IT is the team that will be assigned to implement the technical controls to protect this type of data.
But PCI is primarily about regulatory compliance, i.e., what should be done, in what way, in what circumstances, by whom, for how long, and so on. So, personnel responsible for legal compliance and risk management are the most appropriate team members to take the lead in resolving these types of issues.
At Enable, we always strive to be as helpful as possible to our clients. Advising them on all aspects of technology is simply part of the job description for a good, comprehensive technology partner. Therefore, we always advise our clients to receive individualized legal counsel first regarding the issues we have described, e.g., data retention for former staff accounts, email, and documents. Your legal counsel is best positioned to understand and evaluate the nuances of your organization, circumstances, legal requirements, history, challenges, specific vulnerabilities, etc.
While a competent IT company certainly will understand broad industry practice and even the specifics of certain regulations and laws, it is not in a position to advise its clients on the finer points of individualized policy-related compliance and the attendant legal subtleties. At Enable, we commonly speak into these areas and advise our clients on the technical aspects of enabling compliance; however, it is in our clients’ best interest to retain the responsibility for developing and owning the policies that serve them best. Once the church establishes its individualized policies and guidelines, Enable’s role is to implement the technical framework and solutions to enable the church to follow and comply with the stated policy requirements.
Our Advice? Get Advised.
The key takeaway: In a well-designed team effort, church leaders and their legal counsel develop and define appropriate compliance policies; the IT team enables and supports the execution of those policies.