Privacy and Confidentiality Policy

Purpose and Scope

Te Puke Baptist Church ('TPBC') is committed to protecting the personal privacy of all individuals whose information we collect, use, or store. This policy applies to staff, volunteers, contractors, members, donors, and visitors, and aligns with the New Zealand Privacy Act 2020, as well as our mission and core values.  

This policy sits within the Privacy, Technology and Communications Policy Framework and operates in alignment with TPBC’s Constitution and cross-framework policies related to governance, people, finance, and property

Core Principles

This policy is guided by the principles outlined in the TPBC Policy Frameworks, including biblical stewardship, integrity and ethical conduct, safety and risk management, compliance and lawfulness, transparency and accountability, and relational communication.

Collection of Personal Information

We collect only the personal information necessary to carry out our legitimate activities, such as ministry involvement, employment, pastoral care, health and safety, or communication. Information is collected fairly, lawfully, and as directly as possible from the individual concerned.

Use and Disclosure

Personal information will only be used or disclosed for the purposes for which it was collected or where required by law. This may include reference checks, legal obligations, or protection of health and safety. We do not sell or rent personal information. Disclosures to third parties (e.g., Planning Center, Mailchimp, Google) are managed through secure platforms offering equivalent data protection to NZ standards.

TPBC undertakes due diligence to ensure all data processors and cloud-based systems (particularly those operating overseas) comply with the Privacy Act 2020. Where applicable, data processing agreements are used to safeguard data.

Confidentiality and Trust

Te Puke Baptist Church values the trust placed in us by our members, staff, and wider community. Confidentiality is a sacred responsibility and must be upheld by all representatives of TPBC.

The following confidentiality expectations apply:

  • Confidential information includes, but is not limited to, personal details, pastoral disclosures, financial matters, employment records, health issues, safeguarding concerns, and any sensitive conversations or records entrusted to church leaders, staff, or volunteers.
  • Information shared in confidence (verbally or in writing) must not be disclosed to anyone else unless:
    • There is informed consent from the individual, or
    • There is a legal obligation (e.g. mandatory reporting), or
    • There is a risk of serious harm to the individual or others.
  • Confidential discussions must take place in appropriate private settings, and physical or digital records must be stored securely in accordance with our Cybersecurity Policy (5.1.4).
  • Staff and volunteers must refrain from discussing confidential matters in public forums, social media, or casual conversation—even if names are not used.
  • All staff and volunteers may be asked to sign a separate Confidentiality agreement depending on their role, particularly if handling sensitive data, HR matters, or pastoral care.

Photography, Video and CCTV

Personal images and video recordings are considered identifiable personal information under the Privacy Act. TPBC’s standards for the ethical use of photographs and video content — including consent, safeguarding, and communications permissions — are outlined in our Communications and Media Policy.

CCTV is used at TPBC facilities for safety and security purposes. Footage is stored securely and is only accessed by authorised personnel as listed in the delegations register. CCTV data is managed in accordance with this policy’s data retention, access, and disclosure provisions.

Social Media

TPBC uses platforms like Facebook and Instagram to share content. Any personal data collected via these platforms is governed by their independent privacy policies. TPBC does not give them access to personal data we hold internally.

Storage and Security

We take all reasonable steps to protect personal information from loss, unauthorised access, or misuse. This includes secure digital storage, access control, and training for those handling personal data. 

TPBC uses cloud-based systems with encrypted access and two-factor authentication where applicable. Access is restricted to authorised staff and volunteers as per our Cyber Security Policy.  

Offboarding procedures ensure accounts and access rights are revoked promptly when a staff member or volunteer concludes their service.

Access and Correction

Individuals have the right to access their personal information and request correction. Requests can be made in writing to the TPBC Privacy Officer (Josiah Carr and josiah@tpbc.org.nz). We may decline access only in line with legal exceptions under the Privacy Act.

We will respond to requests within 20 working days, as required under the Privacy Act 2020 (IPP6). Access may be withheld only under lawful exceptions (e.g., threat to safety, confidentiality of others, etc.)

Retention and Disposal

Personal data is retained only as long as necessary. Most employment records are kept for up to 6 years, while general contact or application records may be held for 12 months. Data is securely destroyed or de-identified when no longer required.

Breach Response and Escalation

TPBC takes all actual or suspected privacy, confidentiality, or data breaches seriously. A breach includes any unauthorised access, use, disclosure, alteration, loss, or destruction of personal or sensitive information.

All suspected breaches must be reported immediately to the TPBC Privacy Officer or a member of the Leadership Team.

Escalation Pathway:

  1. Immediate Action – Contain the breach and preserve any relevant evidence.
  2. Notify the Privacy Officer – The Privacy Officer will log the breach, assess severity, and determine next steps in consultation with the Senior Pastor and relevant leaders.
  3. Investigation – A prompt internal review will identify the cause, impact, and any individuals affected.
  4. Notification – If the breach is likely to cause serious harm, the Privacy Commissioner and affected individuals will be notified within 72 hours as required under the Privacy Act 2020.
  5. Resolution and Prevention – Steps will be taken to remedy the issue, support affected individuals, and implement safeguards to prevent recurrence.

All incidents will be documented and stored securely. Serious breaches may trigger disciplinary action or external reporting depending on their nature.

Roles and Responsibilities

The TPBC Privacy Officer is responsible for privacy compliance, training, incident response, and managing data access requests.

All staff, elders, and volunteers are responsible for handling information in accordance with this policy and reporting concerns to the Privacy Officer

The Senior Pastor and delegated leaders oversee policy implementation and resource allocation.

Training and Responsibilities

All staff and volunteers are trained in privacy responsibilities during onboarding. Everyone is responsible for safeguarding the information they handle and must report any concerns promptly. Training is refreshed at least every three years or sooner if legislative or organisational changes occur

Reviews and Related Policies

This Privacy and Confidentiality Policy will be reviewed every three years or earlier if legal or operational changes require it.