POPI and the Church

POPI: Safeguarding members and visitors personal details in the church

In South Africa, the Protection of Personal Information (POPI or PPI) bill has become an Act of law in 2013 (Protection of Personal Information Act 4 of 2013). With the coming of POPI comes the responsibility of the church to adhere to the provision of the Act.

[UPDATE] The Office of the Information Regulator has been established. Compliance to POPI would soon be mandatory. Are you prepared.

In South Africa, the Protection of Personal Information (POPI or PPI) bill will become law any moment from now after having being passed by the National Assembly on 11 September 2012. It is believed POPI will become an Act of law most likely before or during third quarter of 2013 (after passing the National Council of Provinces). With the coming of POPI comes the responsibility of the church to adhere to the provision of the Act.

The advent of POPI places requirement on the church to put controls in place to safeguard personal details of members and visitors alike.
Having become law, private and public entities will have 1 year to comply with the requirements therein thereafter (or at a date set by by regulator). For organisations that have not yet begun their compliance journey, immediate mobilisation should be a priority since compliance might require significant changes to an organisations’ processing and operational landscape.

  1. Acts 2:47
    Praising God, and having favour with all the people. And the Lord added to the church daily such as should be saved. – KJV
  2. Acts 9:31
    The church then had peace throughout Judea, Galilee, and Samaria, and it became stronger as the believers lived in the fear of the Lord. And with the encouragement of the Holy Spirit, it also grew in numbers. – NLT
  3. Acts 16:5
    So the churches were strengthened in their faith and grew larger every day. – NLT

It is imperative for a church (house of faith establishment) to grow spiritually and numerically. In The Redeemed Christian Church of God (RCCG), one of its mission is for the church to remain abiding till the coming of Christ and to have a parish within five minutes walk in Nigeria and five minutes drive every other place.

Thus, membership is a crucial element. In practically all churches (especially parishes of the RCCG), first timers (first time guest, people coming to the service for the first time, people worshiping in the church for the first time on a Sunday Morning (or Friday in Middle East)) are acknowledge and welcome.

Part of the welcoming of visitors (apart from warm handshake and/or embrace by Greeters) includes a short reception whereby they are shown hospitality. More so, a welcome pack is given to first timer. One critical component of the welcome pack is a “welcome card“. First timers are required to fill the form in the welcome card and to write their prayer request.

It is noted some first timers might just be passing through (on visit because of a celebrant in church, just in town for a visit or just scanning around). Others are looking for a place of worship to identify with and grow in.

The church must develop policies, procedures and or guidelines, map processes for handling and protecting personal information. Existing processes must be review and gaps addressed.

POPI in a nutshell is geared towards;

  • – to promote the protection of personal information processed by public and private bodies;
  • – to introduce information protection principles so as to establish minimum requirements for the processing of personal information; and
  • – to provide for the rights of persons regarding unsolicited
  • electronic communications and automated decision making;

POPI thus enshrine section 14 of the Constitution of the Republic of South Africa, 1996, that provides everyone has the right to privacy which includes a right to protection against the unlawful collection, retention, dissemination and use of personal information.

Processing of special personal information

1. (POPI section 25) – There is prohibition on processing of special personal information including data subject’s religious or philosophical beliefs, race or ethnic origin, trade union membership, political opinions, health, sexual life or criminal behaviour.

2. (POPI section 26) – The church is however exempted and therefore has the right to process information concerning their members or employees or other persons belonging to the institution (data subject’s) religious or philosophical beliefs

3. (POPI section 28) – Whilst spiritual or religious organisations might be exempted from processing their members (data subject’s) religious or philosophical beliefs, they still have obligation to protect other ‘personal information’ of the member. How will spiritual or religious organisations safeguard members and visitors personal information. What does personal information entails.

Information Protection Principles
Principle 1: Accountability
Principle 2: Processing limitation
Principle 3: Purpose specification
Principle 4: Further processing limitation
Principle 5: Information quality
Principle 6: Openness
Principle 7: Security Safeguards
Principle 8: Data subject participation

Principle 1: Accountability
1. (POPI section 7) The church must designate a Responsible Person to give effect to the eight POPI principles and ensure that the principles set out and all the measures that give effect to the principles are complied with.
POPI accountability ultimately lies with the resident pastor or senior pastor or general overseer. This role is delegated to the designated Responsible Person(s).

Principle 2: Processing limitation
1. (POPI section 8) – Personal Information must be processed (a) lawfully; and (b) in a reasonable manner that does not infringe the privacy of the data subject.
Hence, due care must be taken over the First Timer Welcome Card, altar call decision card, prayer point card (if including name), Tithe card (if including name) …
The filled cards must be kept appropriately, viewable only by those required/designated, filed away securely and discarded with care (shredding, burn …)
2. (POPI section 9) – Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.
A prayer card is not the source for getting members name for inviting for programs et al, likewise tithe card or decision. Such can be done from membership card or first timer welcome card
3. (POPI section 10) – Personal information may only be processed if the data subject consents to the processing, it is necessary to carry out ministerial (such as follow-up, invitation, reporting), processing complies with an obligation imposed by law on the responsible party and processing protects a legitimate interest of the data subject;
It is to be noted that the data subject may object, at any time, on reasonable grounds relating to his, her or its particular situation, in the prescribed manner, to the processing of personal information such as when a member chooses to or stop being a member.
Where or when the data subject has objected to the processing of personal information in terms of section 10, subsection (2), the church should no longer process the personal information.
4. (POPI section 11) – Personal information must be collected directly from the data subject when they come to church or outreached programs. It is fine if the information is contained in a public record or has deliberately been made public by the data subject.
In churches with many parishes and hierarchical structure such as RCCG, it is imperative that the data subject be made aware and consented to the parish of collection of the information.

Principle 3: Purpose specification
1. (POPI section 12) – Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the church. More so, the member (data subject) must be aware of (specific) purpose of collection of information in accordance with section 17(2).
A down the funnel approach would not be appropriate. This includes using decision card for purpose of membership record or similar.
2. (POPI section 14) – It is imperative that records of personal information must not be
retained any longer than is necessary for achieving the purpose for which the
information was collected or subsequently processed.
Hence, for membership card record, the data subject should consent to the retention of the record. The church must established appropriate safeguards against the records being used for any other purposes.
(3) Where retention may be required or prescribed by law or a code of conduct such as when a church store banking details especially credit card record, then the church must also established appropriate safeguards yet affording the member (data subject) to request access to the record.

Principle 4: Further processing limitation
1. POPI section 15) – Further processing of personal information (where such data has been save in a database or spreadsheet) must be compatible with the purpose for which it was collected in terms of principle 3.
2. The church Responsible Person must take account of consent to process, member has not requested deletion, compatible with the purpose of collection, available in a public record.

Principle 5: Information quality
1. (POPI section 16) – The church Responsible Person must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary for the purpose it is intended.

Principle 6: Openness
1. (POPI section 17) – Personal information collected as part of membership or transaction should include name and address (or contact detail such as email) of the member (data subject) collected in a fair and transparent manner.
It is founded on the notion that in order for processing to be fair, individuals must be aware of their specific personal information that is being held by particular organisations.
2. (POPI section 50) – Section 17 as read with section 50 mandate the church to ‘register’ by submitting a notification to the Regulator before commencing the processing of personal information. Details of the notification content are stipulated in section 51.

Principle 7: Security Safeguards
1. (POPI section 18) – The church through the Responsible Person must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures.
2. Appropriate internal control measure must be in place and regularly verify giving due regard to generally accepted information security practices and procedures.
3. (POPI section 19) – All workers (Ushers, administrator, Ministers, technical team) processing personal information on behalf of the church must —
(a) process such information only with the knowledge or authorisation of the
responsible party; and
(b) treat personal information which comes to their knowledge as confidential and
must not disclose it,
4. (POPI section 21) – Should there be a breach (unauthorised access to the record or other compromise), the church must notify the POPI Regulator and the data subject in writing (at last known address) as soon as reasonably practicable, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party’s information system.
5. A notification must provide sufficient information to allow the data subject to take
protective measures against the potential consequences of the compromise, including, if
known to the church, the identity of the unauthorised person who may have
accessed or acquired the personal information.

Principle 8: Data subject participation
1. (POPI section 22) – The church must make provision for the member (data subject), who have provided adequate proof of identity, to request, free of charge, if, what and extent of personal information the church holds about him/her, including third parties the church have shared the member’s personal information with.
This must be done;

(i) within a reasonable time;
(ii) at a prescribed fee, if any, that is not excessive;
(iii) in a reasonable manner and format; and
(iv) in a form that is generally understandable.


‘‘data subject’’ means the person to whom personal information relates;
‘‘de-identify’’, in relation to personal information of a data subject, means to delete
any information that—
(a) identifies the data subject;
(b) can be used or manipulated by a reasonably foreseeable method to identify the
data subject; or
(c) can be linked by a reasonably foreseeable method to other information that
identifies the data subject;
‘‘person’’ means a natural person or a juristic person;
‘‘personal information’’ means information relating to an identifiable, living,
natural person, and where it is applicable, an identifiable, existing juristic person,
including, but not limited to—
(a) information relating to the race, gender, sex, pregnancy, marital status,
national, ethnic or social origin, colour, sexual orientation, age, physical or
mental health, well-being, disability, religion, conscience, belief, culture,
language and birth of the person;
(b) information relating to the education or the medical, financial, criminal or
employment history of the person;
(c) any identifying number, symbol, e-mail address, physical address, telephone
number or other particular assignment to the person;
(d) the blood type or any other biometric information of the person;
(e) the personal opinions, views or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private
or confidential nature or further correspondence that would reveal the contents
of the original correspondence;
(g) the views or opinions of another individual about the person; and
(h) the name of the person if it appears with other personal information relating to
the person or if the disclosure of the name itself would reveal information
about the person;
‘‘re-identify’’, in relation to personal information of a data subject, means to
resurrect any information that has been de-identified, that—
(a) identifies the data subject;
(b) can be used or manipulated by a reasonably foreseeable method to identify the
data subject; or
(c) can be linked by a reasonably foreseeable method to other information that
identifies the data subject;
‘‘responsible party’’ means a public or private body or any other person which,
alone or in conjunction with others, determines the purpose of and means for
processing personal information;

 A. Kayode

Leave a Reply

Your email address will not be published. Required fields are marked *