Why is compliance important?
- Legal risk
- Contracts with providers (CC merchants)
- If regulations don’t apply, stewardship still does!
Regulatory Standards, Policies, Processes
- Regulatory: states what you need to do (not how!)
- Policies: these are yours; address your specific response to requirements
- Processes/procedures address how you implement policies (how we will do it)
What is PII?
- Combination of two or more points of info about you
- With three pieces of info about you, almost guaranteed to be able to positively identify an individual
- Almost all regulations will cover this somehow
PCI DSS
- Merchant: if you process cards, you’re a merchant (in any form…face to face, mail/telephone, e-commerce, etc)
- Organization may require multiple SAQs; this is per-environment (online giving, in-person environments, etc.); need to evaluate and fill out appropriate SAQs for your environments
- Getting things out of scope is key!
HIPAA
- Applies to anyone who creates, receives, maintains, or transmits ePHI (electronic protected health information)
- Generally, from a HIPAA perspective, covered entities are ones providing care
- If you have ePHI, even if not a provider, you should be taking appropriate steps (stewardship, reputation protection, etc.)
- If this is in your ChMS, you should probably be talking with your provider about it (especially if it’s in something like a free-text field/custom fields, etc.)
- Examples of when a church might be covered:
  - Church-operated health clinics
  - Licensed counseling clinics (esp. if they take insurance)
  - Self-administered/funded insurance plans
- Three focus areas:
  - Administrative: who sees/touches it (analyze and inventory)!
    - Training, policy
  - Physical: access controls, media control, device control, etc.
  - Technical: authentication, encryption, emergency access, audit control, etc.
- There is no technical specification for a product to be HIPAA compliant; it can help an org be compliant, but a product itself cannot be compliant
GDPR, CCPA, WPA
- What are people’s rights with regards to their data?
- General entities:
  - Individual (whose data is being stored)
  - Entities who collect/process data
  - Entities who process data on behalf of a primary entity
- Apply to data on citizens of: EU, State of CA, Washington State (or data stored in those jurisdictions)
- No examples of orgs without presence in Europe having GDPR legal action taken (yet)
- Right to be forgotten…you need to be able to remove someone’s data!
- GDPR: Children’s consent (under 13 need parent’s approval; between 13 and 16 need both parent’s and child’s approval)
General Compliance Take-aways
- You have responsibility to steward data!
- All about securing personal data
- Start with defining [and enforcing!] policies for securing your data
- Encrypt everywhere
- Attendance and engagement data can get murky, especially if no explicit consent!! 👈
Notes
- https://enableministry.com/citn2019