// Disciple A City Privacy Policy
1. Accountability
1.1. The Director of Disciple a City is the Personal Information Compliance Officer (the “Officer”) for Disciple a City (“DAC”).
1.2. All persons, whether employees, volunteers, or board or committee members who collect, process, or use personal information shall be accountable for such information to the Officer.
1.3. DAC’s Policy to Protect Personal Information (the “Policy”) shall be made available via DAC’s website (discipleacity.ca), or a paper copy provided upon written request.
1.4. Any personal information transferred to a third party for processing is subject to this Policy. The Officer shall use contractual or other appropriate means to protect personal information at a level comparable to this Policy while a third party is processing this information.
1.5. Personal information to be collected, retained, or used by DAC shall be done so only after the Officer gives written approval. This information shall be secured according to the Officer’s instructions.
1.6. Any person who believes DAC uses personal information collected, retained, or used for purposes other than those that person explicitly approved may contact the Officer to register a complaint or to make any related inquiry.
1.7. Upon receiving a complaint from any person regarding the collection, retention, or use of personal information, the Officer shall promptly investigate the complaint and notify the person who complained about his/her findings and corrective action taken, if any.
1.8. Upon receiving the response from the Officer, the person who filed the complaint may, if he/she is not satisfied, appeal to DAC’s Board of Directors to review and determine the disposition of the complaint at issue.
1.9. The determination of the Board of Directors shall be final and the Officer shall abide by and implement any of its recommendations.
1.10. The Officer shall communicate and explain this Policy and give training regarding it to all employees and volunteers who might be in a position to collect, retain, or use personal information.
1.11. The Officer shall prepare and disseminate information to the public which explains DAC’s protection of personal information policies and procedures.
1.12. DAC collects some information of people who are in partnership with its mission and mandate to equip the Church of Canada. The information collected is only collected with the consent of those who give it and used only for the furthering of DAC ministry.
1.13. Access to all private information kept with DAC is protected with a minimum of 2 passwords. Example: the emails, names and donation amounts of DAC’s financial partners are accessed from both password protected computers and through a password protected cloud platform.
| Type of Information Collected: | Why that Information is Collected: |
| E-mail addresses | For Donation receipting, annual report sending, ministry updates, ministry event travel planning, event information reporting and registration. |
| First Names and Last Names | Event registration, donation receipting |
| Birthdates | Donation prayer thanking |
| Payment Information | DAC does not collect payment information. Our donation payment processor is a third party processor who operates under its own trusted privacy policy. DAC is able to see what people give but does not ever possess payment information (such as credit card numbers or bank account numbers). |
| Passport Numbers | Only at special occasions on international mission trips does DAC collect the passport numbers of mission trip attendees. This information is only collected for plane ticket booking and is immediately deleted or destroyed. |
| Mailing Address | For Donation receipting. |
| Media |
Disciple A City captures photos and videos at our ministry events to further our reach and share the impact of our minsity.
You as a individual, upon participating at or in any of our events (or the events/ministries we partner with), aknowledge and consent to the capturing, storing and use of any photos or videos taken of you. The use of these photos and videos will be used at DAC’s discretion. |
2. Identifying Purposes
2.1. The Officer shall document the purpose for which personal information is collected to comply with the openness and individual access principles outlined below.
2.2. The Officer shall determine the information that will be needed to fulfill the purposes for which the information is to be collected, to comply with the limited collection principle below.
2.3. The Officer shall ensure that the purpose is specified at or before the time of collecting the personal information from an individual.
2.4. The Officer shall ensure that the information collected will not be used for any other purpose before obtaining the individual’s approval, unless the new purpose is required by law.
2.5. The Officer shall ensure that a person collecting personal information will be able to explain to the individual why this is being done.
2.6. The Officer shall ensure that limited collection, limited use, disclosure, and retention principles are respected in identifying why personal information is to be collected
3. Consent
3.1. The Officer shall ensure that the individual from whom personal information is collected consents to this and to it being used and disclosed.
3.2. The Officer shall ensure that the individual can reasonably understand why and how the information will be used when consent is given.
3.3. The Officer shall ensure that no condition is given to supply any benefits (because of DAC’s activities), requiring the individual to give consent for the collection, use, or disclosure of information beyond that required to fulfill the explicitly specified and legitimate purposes.
3.4. The Officer shall ensure that express consent is obtained wherever possible and appropriate. In rare circumstances where, in the Officer’s opinion (having regard to the information’s sensitivity and the Policy’s purpose and intent), implied consent might be acceptable.
3.5. In obtaining consent, the Officer shall ensure that the individual’s reasonable expectations are respected.
3.6 The officer shall ensure that the express consent obtained from an individual is clear and in an appropriately verifiable form. (For example, an application form may be used and kept on file whereon the individual consents to the collection and specific use; a checkoff box may be used to permit information already on file to be used for a new purpose; consent may be given orally which would require the receiver of the consent to create appropriate documentary evidence; or consent might be given by email which would require an electronic record to be maintained.)
3.7. The Officer shall ensure that the individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. The individual shall promptly be informed of the withdrawal’s implications.
4. Limiting Collection
4.1. The Officer shall ensure that personal information will not be collected indiscriminately. Both the amount and type of information collected shall be limited to that which is necessary to fulfil the purposes identified. The Officer shall specify the type of information to be collected, according to the openness principle.
4.2. The Officer shall ensure that information is collected only by fair and lawful means without misleading or deceiving individuals as to the reason.
4.3. The Officer shall ensure that the identifying purposes and consent principles are followed in identifying why personal information is to be collected.
5. Limiting Use, Disclosure, and Retention
5.1. The Officer shall ensure that personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law, and any use of personal information shall be properly documented.
5.2. The Officer shall ensure that all personal information is destroyed, or made anonymous as soon as the purpose for which it was collected is no longer relevant, or as permitted by law. Except as required to be retained by law, all personal information shall be erased or made anonymous of inactive contacts with a minimum retention period of 10 years. After the retention period, we will follow the destroying records policy.
5.3. The Officer shall ensure that all use, disclosure, and retention decisions are made in light of the consent principle, the identifying purposes principle and the individual access principle.
6. Accuracy
6.1. DAC collects personal information from individuals and therefore the accuracy of that information is limited to what the individual has provided. Therefore, DAC is not responsible to verify the accuracy of the information provided.
7. Safeguards
7.1. The Officer shall ensure that DAC has security safeguards to protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. He/she shall do this regardless of the format in which DAC holds the information.
7.2. Depending on the information’s sensitivity, the Officer may permit reasonable discretion regarding the information that has been collected: the amount, distribution, format, and the method of storage. A higher level of protection shall safeguard more sensitive information according to the consent principle’s considerations.
7.2.1. The Officer shall ensure that the protection methods include,
7.2.2. physical measures, for example, locked filing cabinets and restricted access to offices;
7.2.3. organizational measures, for example, security clearance and limiting access on a “need-to- know” basis; and
7.2.4. technological measures, for example, the use of passwords and encryption.
7.3. The Officer shall ensure that all employees and volunteers know the importance of keeping personal information confidential.
7.4. The Officer shall ensure that care is taken when personal information is disposed of or destroyed to prevent unauthorized parties from gaining access to it.
8. Openness
8.1. The Officer shall ensure that DAC is open about its policies and practices regarding the management of personal information. The policies and information about the related practices shall be available without unreasonable effort in a format generally understandable.
8.2. The Officer shall ensure that the information available shall include:
(a) the name or title and address of the Officer who is accountable for DAC’s policies and practices and to whom complaints or inquiries can be forwarded;
(b) the means of gaining access to personal information held by DAC;
(c) a description of the type of personal information held by DAC, including a general description of its use;
(d) a copy of any brochures or other information that explain DAC’s policies, standards, or codes; and
(e) what personal information is made available to related organizations (e.g., organizations that are affiliated).
8.3. The Officer shall ensure the information that must be provided according to 8.2 is available at the locations DAC operates, online, or through the mail.
9. Individual Access
9.1. A person requesting his/her personal information may be required by the Officer to give sufficient information to permit DAC to provide an account of the existence, use, and disclosure of personal information. Information shall be used only for the purpose for which it
was obtained.
9.2. If DAC has supplied personal information about an individual to third parties, the Officer shall ensure that an attempt is made to be as specific as possible. When it is impossible to give a list of organizations to which DAC has actually disclosed information about an individual, DAC shall provide a list of organizations to which it might have disclosed information about the individual.
9.3. The Officer shall ensure that DAC responds to an individual’s request within 10 business days and at minimal or no cost to the individual. The requested information shall be made available in a generally understandable form. For example, DAC shall explain abbreviations or codes it uses to record information.
9.4. The Officer shall ensure that when an individual successfully demonstrates the inaccuracy or incompleteness of personal information, DAC shall amend the information as required. Depending on the information challenged, amendment involves the correction, deletion, or addition of information. When appropriate, the amended information shall be transmitted to third parties having access to the information in question.
9.5. The Officer shall ensure that when a challenge is not resolved to the individual’s satisfaction, DAC shall record the unresolved challenge’s substance. When appropriate, the unresolved challenge’s existence shall be transmitted to third parties having access to the information in question.
10. Challenging Compliance
10.1. The Officer is authorized to address a challenge concerning compliance with the above principles
10.2. The Officer shall develop procedures to receive and respond to complaints or inquiries about the policies and practices regarding the handling of personal information. The compliance procedures shall be easily accessible and simple to use.
10.3. The Officer shall inform individuals inquiring about lodging complaints that relevant complaint procedures exist.
10.4. The Officer shall investigate all complaints. If a complaint is found to be justified, the Officer shall take appropriate measures, including, if necessary, amending this Policy and general policies and practices pertaining to personal information entrusted to DAC
Protecting your information
DAC has put procedural, physical, and electronic means in place to safeguard the consented information our partners give us in regard to their personal information.
The private information DAC collects is used for year-end tax receipting, mission updates (including mailouts), annual reporting, donor thanking and event/trip planning. The information we collect includes emails, addresses, group pictures (from events) and only necessary travel information should someone travel on a DAC missions trip.
DAC has also verified the security and privacy provisions of other organizations (for example, our third-party payment processor iATS) that collect information about donations. These include our bank and iATS (our donation processor).
DAC does not rent, exchange or sell mailing lists or private information of our supporters to other organizations.
Supporters’ information is kept in an electronic form. DAC has documented procedures to safeguard this information. Safeguards include storing information in password-protected cloud-based systems.
To protect a partner’s credit card or banking information via the Internet,
DAC uses iATS payment systems to ensure a secure place to transfer your confidential data from your browser to our financial institution.
Email DAC about any part of this policy at information@discipleacity.ca