DATA PROTECTION POLICY

January 2022

INTRODUCTION

Westville Riverside Church is committed to protecting personal data and respecting the rights of our data subjects (people whose personal data we collect and use). Westville Riverside Church values the personal information entrusted to us and we respect that trust by complying with all relevant laws*, and adopting good practice. (*Protection of Personal Information Act, hereinafter “POPIA”)

We process personal data to help us:

  • Maintain a database of our church members
  • Provide pastoral support for members and others connected with our church
  • Provide services to the community
  • Safeguard children, young people, and adults at risk
  • Recruit, support and manage staff and volunteers
  • Maintain our church accounts and records
  • Promote our services
  • Maintain the security of property and premises
  • Respond effectively to enquirers and handle any complaints
  • For any fundraising events that might require this information

This policy has been approved by the Westville Riverside Church Leadership Team who are responsible for ensuring that we comply with all our legal obligations. It sets out the legal rules that apply whenever we gather, process, store or use personal data.

WHY THIS POLICY IS IMPORTANT

A. We are committed to protecting personal data from being misused, getting into the wrong hands because of poor security or being shared carelessly, or being inaccurate.

B. This policy sets out the measures we are committed to taking as a church and what each of us will do to ensure we comply with the relevant legislation.

C. For instance, we will make sure that all personal data is:

  • Processed lawfully, fairly and transparently
  • Processed for specific and legitimate purposes and not in a manner that is incompatible with those purposes
  • Adequate, relevant, and limited to what is necessary for the purposes for which it is being processed
  • Accurate, complete, and up to date
  • Not kept longer than necessary for the purposes for which it is being processed
  • Processed in a secure manner, by using appropriate technical and organizational means
  • Processed in keeping with the rights of data subjects regarding personal data

HOW THIS POLICY APPLIES TO YOU AND WHAT YOU NEED TO KNOW

A. As an employee or volunteer, processing personal information on behalf of the church, you are required to comply with this policy. If you think that you have accidentally breached the policy, it is important that you contact our Information Office immediately so that we can take action to try and limit the impact of the breach. Anyone who breaches the Data Protection Policy may be subject to disciplinary action, and where that individual has breached the policy intentionally, recklessly or for personal benefit they may also be liable for prosecution or to regulatory action.

B. As a leader and/or manager you are required to make sure that any procedures that involve personal data, which you are responsible for in your area, follow the rules set out in this Data Protection Policy.

C. As a data subject of Westville Riverside Church, you can be assured that we will handle your personal information in line with this policy.

D. As an appointed data processor/contractor, you are required to comply with this policy under the contract with us. Any breach of this policy will be taken seriously and could lead to us taking contract enforcement action against the company or terminating the contract.

E. Our Information Officer is responsible for advising Westville Riverside Church and its staff and members about their legal obligations under data protection law, monitoring compliance with data protection law, dealing with data security breaches and with the development of this policy. Any questions about this policy or any concerns that the policy has not been followed should be referred to them at: info@Riversidechurch.org.za

Before you collect or handle any personal data as part of your work (paid or otherwise) for Westville Riverside Church, it is important that you take the time to read this policy carefully and understand exactly what is required of you, as well as the organisation’s responsibilities when we process data.

HR & INTERNAL DATA COLLECTED, STORED AND PROCESSED

A. Employees and staff are periodically trained on what is lawful processing of personal information, and the risks associated with day-to-day handling and processing of personal information should be addressed and limited through education.

B. A clause has to be added to each employment contract to confirm the company’s undertaking to ensure that the employee’s personal data will be securely held and lawfully processed in terms of POPI (data protection clause).

WEBSITE, COOKIES AND MARKETING

A. We believe that transparency is important when dealing with data subjects and their personal information, therefore our website collects no personal information but is still compliant with POPI.

B. The ‘Westville Riverside Church POPI Act: Procedures and Policies’ document is available on the website for data subjects to peruse should they need to know how their data is processed within each department and by each service provider of the church.

We sent out a consent form to all existing members to reaffirm the church’s undertaking to continue to process any personal information in its possession lawfully and securely in terms of POPI.

CYBERSECURITY & DATA BREACH PROTECTION

A. All personal data is collected, stored and processed by Westville Riverside Church within a POPI compliant framework – accompanied by the necessary consent from all members, visitors or staff (to have their data processed).

B. Please note that Westville Riverside Church deals with a lot of personal information including medical conditions and certain preferences or conditions. We ensure that our internal practices are backed up by written policy or secure procedure which promotes secure and lawful processing of personal information at all times.

POLICY AND PROCEDURES

Finance

1. Vendor/Supplier Invoices
1.1 Staff member receives invoice from supplier.
1.2 Staff member pays the invoice after it has been checked.
1.3 All paid invoices with paperwork are then filed in a locked office with camera monitoring.

2. All HR/employee contracts etc.
2.1 These are stored in a lockable office with camera monitoring when the employee is out of the office.
2.2 Staff reimbursement forms/staff fuel claims.
2.2.1 Staff member hands in payment reimbursement/claim (original).
2.2.2 All paid paperwork is then filed in lockable filing cupboard.
2.2.3 Office is lockable and camera monitored, when employee is out of office.

3. Financial documents/records from previous years (up to 5 years)
3.1 These are stored in a lockable room.

Next Steps

1. A disclaimer is present on all Next Steps cards.

2. Growth Track
2.1 Guests put names on a list and this is placed in a locked church office.
2.2 These names are recorded on the Growth Track Database and then the lists are destroyed.

3. Visitors and Salvations
3.1 People fill in a visitor’s card from the auditorium and these cards are placed in a lockable perspex box at the Information Desk. They are collected after the service and placed in a lockable office.
3.2 After an SMS/letter/WhatsApp is sent to the person and details put on to the visitors/salvation database, the cards are destroyed.

4. Baptism
4.1 People sign up by filling out the form.
4.2 The process for Growth Track above is followed.
4.3 Once the person gets baptized and recorded on a database the form is destroyed.

5. Dream Team sign ups
5.1 Each person fills in an application form to be on the Dream Team.
5.2 Each person’s details on the dream team are then added to the database.
5.3 The application form is then destroyed.

Financial Documents

1. Giving envelopes are placed at the back of the seats for congregation and have no personal details thereon.

2. When the offering is taken up the people put their envelopes in the offering bag which is locked in the safe by two people.

3. As people exit the service they are also able to put their giving envelopes into a locked container. The monies in the container are collected by two volunteers and added to the offering bags.

4. The offering bags are then locked in a safe in a locked office.

5. After the services, monies contained in the envelopes are counted by a vetted team (the room in which counting takes place has a camera and a locked door). Once counting is complete the envelopes are ripped up and destroyed.

6. Covid screening forms
6.1 Covid screening lists are placed at the entrance to the building.
6.2 People willingly put on all their personal information on these lists.
6.3 These lists then get put into a locked office.
6.4 After two weeks the lists are shredded.

7. Info Desk sales
7.1 Sales are recorded by a volunteer and money placed into a money box.
7.2 The volunteer gives the money box and record sheet to be locked in the office safe.
7.3 The volunteers reconcile the lists and money and the lists are shredded thereafter.

Life Groups

1.1 Life Group members are recorded on a database locked by passwords.
1.2 Requests to join a Life Group are made on the Visitor Cards, which, once dealt with, are destroyed.

2. People joining Life Groups:
2.1 These people are, with their permission, placed on a WhatsApp Group for communication purposes, once they join.

Pastoral

1. Prayer Cards are available for prayer requests. These are given to the Pastor and he deals with the contacts. When these cards have been processed by the Pastor and put onto a database, the card is destroyed.

Courses

1. Registration for courses is by registration at the Information Desk.
2. These lists are locked in an office and the details are put on a database, after which they are destroyed.

Worship

1. Details of the people in the worship team are collected and placed on a database.
2. The database is password and permissions protected.
3. No written details are taken.

Young Adults

1. Same as Life Group procedure

Reception

1. If someone calls asking for a staff member’s personal information, the Receptionist will not give it out and will rather take down the caller’s number and convey a message to the relevant staff members.

2. The receptionist will then let the person (staff member) or volunteer know to phone that person back.

Youth

1.1 People register on lists as they arrive.
1.2 Information provided on registration is then used to add registrants onto a WhatsApp group for communication, with their permission.
1.3 The Registration forms are stored in a lockable cupboard.
1.4 Details are loaded onto a database.
1.5 After use, these forms are destroyed.

Marriage Registers

1. A request comes in from the couple, normally telephonically.
2. Once the marriage has taken place, the details of the couple are stored on a database. All written communication is destroyed.

Kids Vibe

1. All our children are in a secure locked hall for the duration of Kids Vibe.
2. The children are registered when they arrive and these lists are placed in a locked office after Kids Vibe. These lists are destroyed once loaded on to a database.

Financial Service Providers/Bankers

Standard Bank of SA, Ltd

WESTVILLE RIVERSIDE CHURCH LEADERSHIP

This policy has been approved by the Westville Riverside Church Leadership Team who are responsible for ensuring that we comply with all our legal obligations.

WESTVILLE RIVERSIDE CHURCH COMPLIANCE

APPOINTMENT LETTER FOR INFORMATION OFFICER ROLE: WESTVILLE RIVERSIDE CHURCH

The Information Officer role is by default that of the Designated Head of a Private Body in terms of the provisions of both the Promotion of Access to Information Act 2 of 2000 (PAIA) and the Protection of Personal Information Act 4 of 2013 (POPI).

The responsibilities defined for these roles in Westville Riverside Church, a private body in terms of the aforementioned Acts, are:

1) POPI Act Section 55(1): An Information Officer’s responsibilities include:

a) the encouragement of compliance, by the body, with the conditions for the lawful processing of personal information;
b) dealing with requests made to the body pursuant to this Act;
c) working with the Regulator in relation to investigations conducted pursuant to Chapter 6 (prior authorization) in relation to the body;
d) otherwise ensuring compliance by the body with the provisions of this Act;
e) as may be prescribed.

POPI Regulations 2018: Responsibilities of Information Officers

2) Regulation 4:
a) An Information Officer must, in addition to the responsibilities referred to in s55(1) of the POPI Act, ensure that:
i) A compliance framework is developed, implemented, monitored and maintained;
ii) A personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information;
iii) A manual is developed, monitored, maintained and made available as prescribed in s14 and s51 of the PAIA Act;
iv) Internal measures are developed together with adequate systems to process requests for information or access thereto; and
v) Internal awareness sessions are conducted regarding the provisions of the Act, regulations made in terms of the Act, codes of conduct, or information obtained from the Regulator.

b) The Information Officer shall upon request by any person, provide copies of the manual to that person upon the payment of a fee to be determined by the Regulator from time to time.

Westville Riverside Church Information Officer role appointment acceptance:

Signature

Full Name

Date of Appointment Acceptance:

POPI Act: Section 56: Designation and delegation of Deputy Information Officer(s)

3) Each public and private body must make provision, in the manner prescribed in Section 17 of the Promotion of Access to Information Act, with the necessary changes, for the designation of –

a) Such a number of persons, if any, as deputy information officers as is necessary to perform the duties and responsibilities as set out in section 55(1) of this Act; and

b) Any power or duty conferred or imposed on an information officer by this Act to a deputy information officer of that public or private body.

Westville Riverside Church Information Deputy Officer role appointment acceptance:

Signature

Full Name

Date of Appointment Acceptance: