📄 DATA PROTECTION POLICY

Introduction

Our Lady Queen of Africa Catholic Church (OLAQA), based in Oshuiman, Ghana, is committed to protecting the personal data of its members, clergy, staff, and volunteers in compliance with both civil and ecclesiastical laws. This policy outlines our approach to data collection, storage, processing, and sharing in a way that respects privacy and the dignity of the human person, in accordance with the teachings of the Catholic Church.

Purpose of the Policy

The purpose of this policy is to:

• Ensure compliance with Ghana's Data Protection Act (Act 843) and international data protection laws such as the GDPR.
• Promote transparency in how we handle personal data.
• Safeguard the dignity and privacy of individuals in accordance with Catholic moral teachings.
• Provide a framework for the secure and ethical management of personal data collected for pastoral, administrative, or communication purposes.

Scope

This policy applies to:

• All personal data processed by OLAQA.
• All staff, volunteers, clergy, catechists, and service providers with access to parish data.
• Data systems used (manual or electronic) for member registration, sacraments, group affiliation, communication, financial giving, etc.

Legal and Ethical Framework

This policy aligns with:

• Ghana Data Protection Act, 2012 (Act 843)
• EU General Data Protection Regulation (GDPR) – for international best practice.
• Catholic Church Canon Law (Canons 220, 471, 1548, etc.)
• Pontifical Council for Social Communications' documents on ethics in data and communication.

Definitions

• Personal Data: Any information relating to an identifiable person (e.g., name, photo, phone number).
• Sensitive Data: Includes sacramental records, financial giving, health details, marital status.
• Processing: Any operation on data—collection, recording, storage, retrieval, deletion.
• Data Subject: Any parishioner, staff member, or other person whose data is held.
• Data Controller: The Church body that determines how and why data is processed.
• Data Processor: A person or third party who handles data on behalf of the Church.

Types of Data Collected

We collect the following categories:

• Identity Data: Full name, date of birth, photo, nationality.
• Contact Data: Phone number, address, email.
• Sacramental Data: Baptism, First Communion, Confirmation, Marriage.
• Pastoral Records: Group membership, service roles, counseling notes.
• Financial Data: Tithe records, donations.
• Health Data: Where required for ministry or care.

Lawful Basis for Data Collection

We collect data based on:

• Consent (e.g., member registration)
• Legitimate interest (e.g., communicating church events)
• Legal obligations (e.g., financial records for audit)
• Pastoral care under Canon Law

Principles of Data Protection

Rights of Data Subjects

All individuals have the right to:

• Access their data
• Correct or update data
• Withdraw consent
• Request data deletion
• Lodge a complaint with the Data Protection Commission (Ghana)

Data Access and Sharing

• Only authorized staff and clergy may access data.
• Third parties (e.g., website or app developers) must sign data processing agreements.
• No data is sold or shared without consent unless legally required.

Data Retention and Disposal

• Sacramental records are archived permanently.
• General personal data is retained for no longer than 7 years.
• Secure disposal methods are used (shredding, digital wiping).

Security Measures

We enforce:

• Password-protected access to databases
• SSL encryption on online platforms
• Regular backups
• Role-based access control
• Secure storage for physical documents

Role of the Data Protection Officer (DPO)

The appointed DPO is responsible for:

• Ensuring compliance
• Conducting data audits
• Handling complaints or breaches
• Training staff and volunteers

Data Breach Protocol

In the event of a breach:

• The DPO investigates within 24 hours
• Affected individuals are informed
• A report is made to the Data Protection Commission

Consent and Communication

• Written or electronic consent is obtained for registrations.
• Parish communications (e.g., newsletters, SMS alerts) require opt-in consent.
• Withdrawal of consent is honored promptly.

Children's Data

• Data of minors is collected only with parental/guardian consent
• Catechism and school-related records are stored securely and accessed only by authorized catechists or pastoral workers.

Confidentiality and Clerical Ethics

Use of Technology

The Church utilizes secure digital platforms for collecting, storing, and managing member data. These platforms operate under written agreements as third-party data processors and are selected based on their compliance with applicable data protection laws and international standards.

All data stored or transmitted through these platforms is:

• Encrypted using industry-standard protocols (e.g., SSL/TLS)
• Access-controlled based on roles and responsibilities
• Backed up regularly to prevent loss
• Hosted in secure environments with strict data residency and privacy safeguards

The Church does not disclose the specific service providers publicly to maintain security integrity, but ensures that all processors adhere to relevant provisions of the Ghana Data Protection Act (Act 843) and, where applicable, the General Data Protection Regulation (GDPR).

Training and Awareness

• Regular workshops are held for staff and volunteers on data protection.
• Orientation for new catechists, youth leaders, and group leaders includes data privacy modules.

Complaints and Redress Mechanisms

Complaints may be lodged to the:

• Parish DPO
• Parish Priest
• Data Protection Commission of Ghana

Steps:

1. Submit written complaint
2. Investigation within 14 days
3. Feedback and resolution

Review and Amendments

• This policy is reviewed annually
• Updates are approved by the Parish Council and Pastoral Committee
• Latest version is available online and at the Parish Office

Appendices