- Accountability
1.1 Greg Andrist, member of the Board of Directors,
serves as the personal information compliance officer (the "officer")
of Metochos Ministries.
1.2 All persons, whether employees, volunteers or
board or committee members who collect, process or use personal
information shall be accountable for such information to the officer.
1.3 This policy shall be made available upon request.
1.4 Any personal information transferred to a third
party for processing is subject to this policy. The officer shall
use contractual or other appropriate means to protect personal information
at a level comparable to this policy while a third party is processing
this information.
1.5 Personal information shall be collected, retained
or used by Metochos Ministries only after the officer
gives written approval. This information shall be secured according
to the officer's instructions.
1.6 Any person who believes Metochos Ministries uses
personal information collected, retained or used for purposes other
than those the person explicitly approved may contact the officer
to register a complaint or make a related inquiry.
1.7 Upon receiving a complaint from any person regarding
the collection, retention or use of personal information, the officer
shall promptly investigate the complaint and notify the person who
complained about his/her findings and corrective action taken, if
any.
1.8 Upon receiving the response from the officer,
the person who filed the complaint may appeal to the Executive Officers
of Metochos Ministries to review and determine the disposition of
the complaint at issue.
1.9 The determination of the Executive Officers shall
be final and the officer shall abide by and implement any of their
recommendations.
1.10 The officer shall communicate and explain this
policy and give training regarding it to all employees and volunteers
who might be in a position to collect, retain or use personal information.
1.11 The officer shall prepare and disseminate information
to the constituency which explains Metochos Ministries's protection
of personal information policies and procedures.
- Identifying Purposes
2.1 The officer shall document the purpose for which
personal information is collected to comply with the openness and
individual access principles outlined below.
2.2 The officer shall determine the information that
will be needed to fulfill the purposes for which the information
is to be collected in order to comply with the limited collection
principle.
2.3 The officer shall ensure that the purpose is specified
at or before the time of collecting the personal information from
an individual.
2.4 The officer shall ensure that the information
collected will not be used for any other purpose before obtaining
the individual's approval, unless the new purpose is required by
law.
2.5 The officer shall ensure that a person collecting
personal information will be able to explain to the individual why
the information is being collected, how it will be retained and
if and when it will be disclosed.
2.6 The officer shall ensure that limited collection,
limited use, disclosure and retention principles are respected in
identifying why personal information is to be collected.
- Consent
3.1 The officer shall ensure that the individual from
whom personal information is collected consents to the collection
and to the manner in which it will be used and disclosed.
3.2 The officer shall ensure that the individual can
reasonably understand why and how the information will be used when
consent is given.
3.3 The officer shall ensure that express consent
is obtained wherever possible and appropriate. In some circumstances,
implied consent may be acceptable if the information's sensitivity
and the policy's purpose and intent are respected. (For example,
implied consent might exist if it is generally understood that information
obtained when a camper attends Metochos Ministries will be used
for all camp-related purposes.) Implied consent may not be assumed
if Metochos Ministries passes on personal information to another
organization.
3.4 In obtaining consent, the officer shall ensure
that the individual's reasonable expectations are respected. For
example, a person giving his/her name to Metochos Ministries to
receive the Camp Newsletter reasonably expects that the camp will
use that personal information to send other information about itself.
The individual would not likely expect that the information would
be used for fundraising.
3.5 The officer shall ensure that the express consent
obtained from an individual is clear and in an appropriately verifiable
form. For example, an application form may be used and kept on file
where the individual consents to the collection and specific use;
a check box may be used to permit information already on file to
be used for a new purpose; consent may be given orally which would
require the receiver of the consent to create appropriate documentary
evidence; or consent might be given by email, requiring an electronic
record to be maintained.
3.6 The officer shall ensure that the individual may
withdraw consent at any time, subject to legal or contractual restrictions
and reasonable notice. The individual shall promptly be informed
of the implications of the withdrawal.
- Limiting Collection
4.1 The officer shall ensure that personal information
will not be collected indiscriminately. Both the amount and type
of information collected shall be limited to that which is necessary
to fulfill the purposes identified.
4.2 The officer shall ensure that information is collected
only by fair and lawful means without misleading or deceiving individuals
as to the reason.
4.3 The officer shall ensure that the identifying
purposes and consent principles are followed in identifying why
personal information is to be collected.
- Limiting Use, Disclosure and Retention
5.1 The officer shall ensure that personal information
shall not be used or disclosed for purposes other than those for
which it was collected, except with the consent of the individual
or as required by law, and any use of personal information shall
be properly documented.
5.2 The officer shall ensure that all personal information
is destroyed, erased or made anonymous as soon as the purpose for
which it was collected is no longer relevant.
5.3 The officer shall ensure that all use, disclosure
and retention decisions are made in the light of the consent principle,
the identifying purposes principle and the individual access principle.
- Accuracy
6.1 The officer shall reasonably ensure that the personal
information is accurate, complete and up to date, taking into account
the individual's interests. The officer shall ensure that the information
is sufficiently accurate, complete and up to date to minimize the
possibility that inappropriate information might be used to make
a decision about an individual.
6.2 The officer shall ensure that Metochos Ministries
does not routinely update personal information unless it is necessary
to fulfill the purposes for which it was collected.
6.3 The officer shall ensure that personal information
used on an ongoing basis should be generally accurate and up to
date, unless limits to the requirement for accuracy are clearly
outlined.
- Safeguards
7.1 The officer shall ensure that Metochos Ministries
has security safeguards to protect personal information against
loss or theft and unauthorized access, disclosure, copying, use
or modification. This shall be done regardless of the format in
which Metochos Ministries holds the information.
7.2 Depending on the information's sensitivity, the
officer may permit reasonable discretion regarding the information
that has been collected: the amount, distribution, format and method
of storage. A higher level of protection shall safeguard more sensitive
information according to the consent principle's considerations.
7.3 The officer shall ensure that the protection methods
include:
- Physical measures (locked filing cabinets, restricted
access to offices);
- Organizational measures (security clearance, limiting
access on a 'need to know' basis); and
- Technological measures (passwords and encryption)
7.4 The officer shall ensure that all employees and
volunteers know the importance of keeping personal information confidential.
7.5 The officer shall ensure that care is taken when
personal information is disposed of or destroyed to prevent unauthorized
parties from gaining access to it.
- Openness
8.1 The officer shall ensure that Metochos Ministries
is open about its policies and practices regarding the management
of personal information. The policies and information about the
related practices shall be available without unreasonable effort
in a generally understandable format.
8.2 The officer shall ensure that information about
Metochos Ministries's policies and practices shall include:
- The name or title and address of the officer who
is accountable for Metochos Ministries's policies and practices
and to whom complaints or inquiries may be forwarded;
- The means of gaining access to personal information
held by Metochos Ministries;
- A description of the type of personal information
held by Metochos Ministries, including a general account of its
use;
- A copy of any information that explains Metochos
Ministries's policies, standards or codes; and
- What, if any, personal information is made available
to related organizations.
8.3 The officer shall ensure the information that
must be provided according to 8.2 is available on Metochos Ministries'
website or in print as requested.
- Individual Access
9.1 The officer shall ensure that upon request, an
individual shall be informed whether Metochos Ministries holds personal
information about him/her. If possible, the information's source
shall also be given. Metochos Ministries shall allow the individual
access to this information. It shall also account for the use that
has been made or is being made of this information and give an account
as to any third parties to whom it has been disclosed.
9.2 If Metochos Ministries has supplied personal information
about an individual to third parties, the officer shall ensure that
an attempt is made to be as specific as possible with a list of
the organizations to which it has actually disclosed the information.
If an actual list is impossible to provide, a list of organizations
to which it might have disclosed information about the individual
is to be provided.
9.3 The officer shall ensure that Metochos Ministries
responds to an individual's request within a reasonable time and
at minimal or no cost to the individual. The requested information
shall be made available in a generally understandable form with
abbreviations or codes explained.
9.4 The officer shall ensure that when an individual
successfully demonstrates the inaccuracy or incompleteness of personal
information, Metochos Ministries shall amend the information as
required. When appropriate, the amended information shall be transmitted
to third parties having access to the information.
- Challenging Compliance
10.1 The officer is authorized to address a challenge
concerning compliance with the above principles.
10.2 The officer shall develop procedures to receive
and respond to complaints or inquiries about the policies and practices
regarding the handling of personal information. The compliance procedures
shall be easily accessible and simple to use.
10.3 The officer shall inform individuals inquiring
about lodging complaints that relevant complaint procedures exist.
10.4 The officer shall investigate all complaints.
If a complaint is found to be justified, the officer shall take
appropriate measures, including, if necessary, amending the policies
and practices.