Privacy, Churches, & Religious Organizations

This blog post will look at some privacy-related concerns and risks in the operation of churches and other religious organisations. It is intended to help religious organisations understand the multiple aspects of protecting the personal information they use and find guidance following the coming into effect of the Personal Information Protection Act 2016 (PIPA) on 1 January 2025.



Bermuda has more churches per square mile than any other country in the world. Faith is an important part of Bermuda’s history and present-day culture. A common sight on a Sunday morning is groups of people, both Bermudians and non-Bermudian residents, congregating for Sunday services in front of the more than 100 places of worship on the island. This unique cultural fabric has very distinct implications for people’s privacy.


Churches use a variety of personal information, both physically and electronically, including sensitive personal information and financial information. This makes privacy – i.e., the protection of individuals’ personal information – a crucial aspect of how religious organisations in Bermuda operate. Importantly, PIPA does not apply to personal or domestic use of personal information. The law applies where personal information is used either by automated means or as part of a structured filing system. For example, the contents of a conversation may not be covered by PIPA, unless the conversation is sharing personal information from a structured filing system.


The Office of the Privacy Commissioner (PrivCom) is charged with helping the public to understand PIPA. PrivCom has previously published a detailed Guide to PIPA for organisations, as well as an Individuals’ Guide to PIPA to help people understand their rights.

Small churches and religious organisations may also find the resources in the Advice to Small Business useful. If they are unsure how to get started, PrivCom recommends they use the Road to PIPA as an instruction manual.


Here are key privacy-related areas to consider that are specific to religious organisations.


1. Protection of personal information


Churches and other religious organisations collect, use, and store personal information, such as individuals’ full names, addresses, phone numbers, emails, and financial information for tithes and donations. Some churches use CCTV for security reasons, which has a series of implications for people’s privacy (see our guidance note on risks and best practices).


Like all organisations, churches should identify the minimum amount of personal information they need in order to fulfil their purpose. They should hold only that amount of information, not more. This is sometimes referred to as “data minimisation”. Churches need to be able to demonstrate that they have appropriate processes in place, ensuring that their use of personal information is proportionate (that is, they only collect and hold the personal information they need), fair and lawful.


Churches and religious organisations must notify individuals of the above uses of their personal information through a clear, easy-to-understand privacy notice. The privacy notice must include all uses of personal information, including which other organisations or third parties it is shared with. Churches should determine who should be the privacy officer (PO). The PO’s role is to help with the privacy programme and also to perform other tasks, such as training other staff on privacy. The PO also helps identify members of an internal Privacy Committee: in the case of churches and religious organisations, this could be officials, members, and volunteers who have responsibility for or some connection to handling personal information. Through the implementation of policies and procedures, which have to be updated throughout the life cycle of personal information, the PO and members of the Privacy Committee document activities, duties, responsibilities, and expectations with respect to how the organisation and the various roles within it use personal information. The PO’s contact details must be included in the privacy notice so that individuals can contact the organisation about their privacy rights, concerns, or complaints, or to ask questions about the organisation’s information handling policies and practices.


2. Sensitive personal information and information about children


PIPA considers some personal information to be “sensitive” because it could be used for discriminatory reasons. ‘Religious beliefs’ is one element of sensitive personal information. Where individuals can be identified from the personal information that churches keep, an association may be made between the individual and their respective religion.

Some churches operate Sunday schools, youth programmes or clubs, as well as summer camps. They should consider the unique risks and harms relating to children’s personal information.

Churches may also collect health-related information on individuals’ medical conditions and special needs. By its very nature, this sensitive information requires organisations to implement enhanced protections. Churches should ensure they only use the information in appropriate ways and in accordance with the purposes outlined in their privacy notice. Importantly, no organisation, including churches and religious organisations, may use sensitive personal information to discriminate against any person contrary to any provision of Part II of the Human Rights Act 1981.


3. Financial information


Churches collect tithes and donations physically and online. They also process payments. Such information may be vulnerable to physical misappropriation, identity theft, and/or cyberattacks. Under PIPA, organisations must protect information according to the risk.


4. Consent


Churches should make sure they identify one or more conditions for using personal information that are required under PIPA section 6. Individuals’ consent, which can be withdrawn, is one condition that would allow organisations to use personal information – but it is not the only one. Other conditions for using personal information include, for example, fulfilling a legal obligation, contractual necessity, or in relation to employment.

Where churches record sermons or livestream religious services or special occasions such as weddings and funerals on social media platforms, they must seek individuals’ consent prior to or at the time of doing so. As a good practice, churches may provide a seating option for people who do not wish to be recorded on video.


5. Confidentiality


Individuals may seek spiritual guidance and pastoral care from pastors and other authorised members of the clergy. There is a long tradition that such information is strictly confidential. Unauthorised disclosure of or access to the information might result in ethical issues (like a breach of trust) or legal challenges (like breaches of confidentiality agreements and/or codes of conduct). If a record is kept, such as in a filing system, then such information may also be considered personal information under PIPA.


6. Information security


Churches and other religious organisations should know what types of personal information they store, where they store it, for how long they keep it, who has access to it, and who they share it with. They should implement appropriate security protocols to protect all types of personal information, especially specific elements of personal information that are sensitive by their very nature. Security can be as simple as using a lock-and-key on a cabinet or a password on a computer – however, security should be appropriate to the context.


7. Breaches of security


If the security measures used by churches and religious organisations are inadequate or weak, this may lead to unauthorised access to information. In PIPA, this is called a breach of security. Such incidents may expose individuals’ personal information, including sensitive personal information or financial information. Breaches of security could result in the loss, misuse, or unauthorised disclosure of or access to that information, and the affected individuals may become the victims of financial fraud or identity theft, or suffer other types of harm and hardship. When an organisation suffers a breach of security that is likely to adversely affect an individual, it must notify PrivCom and the affected individuals.

Importantly, even organisations with the strongest possible safeguards may be hacked. In light of this possibility, it is recommended that organisations plan ahead and put in place a robust incident response plan (IRP). They can start by considering a series of incident response-related questions.


8. PIPA Rights Requests



Under PIPA, individuals have the right to ask organisations questions, such as what information the organisations hold about them or how they use it. If the organisation no longer needs the information for a specific purpose, the individual may ask the church or religious organisation to delete it. These rights have exceptions where the organisation has a lawful reason to keep the personal information. Churches should make sure that their privacy officer is ready to answer these requests, because there is a 45-day time limit to respond. More details can be found in the Road to PIPA, the Guide to PIPA and the Individuals’ Guide to PIPA.
