Privacy Policy

Introduction

The New York Quarterly Meeting of the Religious Society of Friends (NYC Quakers) is committed to upholding the highest standards of data privacy and protection. Our approach to data privacy is rooted in Quaker values of simplicity, integrity, and respect for the individual. We strive to handle all personal data with care, ensuring it is used transparently and responsibly to benefit our community.

Key Principles

Simplicity and Transparency

• We collect only the data that is necessary to fulfill our organizational purposes.
• We use clear and straightforward language to explain our data practices.
• We are open about how we use and share personal data.

Integrity and Stewardship

• We handle personal data with respect and responsibility.
• We implement security measures to protect personal data from unauthorized access, alteration, or loss.
• We regularly review our data practices to ensure they align with our values and legal obligations.

Respect for the Individual

• We honor the privacy rights of individuals, including the rights to access, correct, and delete personal data.
• We use personal data only for purposes that benefit the individual and our community.
• We seek explicit consent from individuals before using their data in new ways.

Data Collection and Use

Types of Data We Collect

• Contact Information: Names, addresses, phone numbers, email addresses
• Membership Data: Date of membership, transfer records between meetings, membership status changes, committee participation and roles within the Meeting
• Financial Information: Donation records, payment information
• Communications Preferences: Newsletter subscriptions, preferred contact methods
• Activity preference and interests to aid connection with other members and attenders
• Community Documentation: Photos and recordings from Meeting events and activities
• Dates of birth and death.
• Names of children if part of a meeting.

Retention Periods

• Names of children if part of a meeting.Membership records: Permanent (as these form part of the Meeting’s historical record)
• Financial records: 7 years (as required by law)
• Communications preferences: Until updated or withdrawn. Community documentation and photos: 5 years or in perpetuity if used in materials.

Purpose Limitation

• We collect and use personal data only for:
  • Community communications and support
  • Membership administration
  • Financial record-keeping
  • Historical documentation
  • Community outreach and engagement through our website and social media channels

Photography and Media at Events

• We regularly document our community events and activities through photography and video for
  use in our newsletters, website, and social media channels.
• Notice will be provided at events where photography or recording is taking place.
• We make reasonable efforts to accommodate individuals who prefer not to be photographed.
• Community members may request removal of specific photos featuring them or their children
  from our channels.
• We are particularly mindful of children’s privacy and will respect parents’ wishes regarding
  photos of their children.

Data Sharing

• We do not sell or rent personal data to third parties.
• We may share personal data with trusted partners and service providers who assist us in
• our operations, under strict confidentiality agreements.
• We ensure that any third parties we work with adhere to similar data privacy standards.

Individual Rights and Response Times

• Access: Requests fulfilled within 45 business days
• Correction: Updates made within 30 business days of verification
• Deletion: Completed within 45 business days of request
• Consent Withdrawal: Processed within 15 business days
• Data Portability: Data provided in machine-readable format within 45 business days

Security Measures

Technical Controls

• Industry-standard encryption for data in transit and at rest
• Password protection for system access
• Regular security updates
• Secure backup systems
• Administrative Controls
• Access limited to authorized personnel
• Semi-annual access reviews
• Secure disposal of physical records
• Basic physical security measures

Incident Response and Breach Notification

Legal Framework

• We follow breach notification requirements as established by:
  • New York SHIELD Act: Requires notification “without unreasonable delay” and within a
    maximum of 60 days
  • Other applicable state and federal regulations

Response Timeline

• Initial Documentation: Within 15 business days of discovery
  • Document basic facts about the potential breach
  • Begin collecting relevant information
  • Notify key organizational leaders

• Assessment Phase: Within 30 business days
  • Determine if breach occurred
  • Identify affected individuals and data
  • Assess risk level and required response

• Notification Phase (if required): Within 60 days of discovery
  • Prepare and send notifications to affected individuals
  • Contact relevant authorities if required
  • Document all notification efforts

• Investigation and Resolution: Within 90 days
  • Complete internal investigation
  • Implement necessary security improvements
  • Document lessons learned

Notification Process

• Assessment Criteria for Notification:
  • Was personal information accessed?
  • What types of data were involved?
  • Is there a risk of harm to individuals?
  • Are we legally required to notify?

• If Notification Is Required:
  • Draft clear, simple notification language
  • Include required elements:
    • Description of what happened
    • Types of information involved
    • Steps individuals can take
    • What we are doing in response
    • Contact information for questions
    • Review notifications with Meeting leadership
    • Send through appropriate channels (mail, email, etc.)

Documentation

• Keep records of:
  • Initial breach discovery
  • Assessment process
  • Notifications sent
  • Response actions taken
  • Final resolution
  • Maintain these records for 7 years

Small Team Management Approach

• Designate backup personnel for privacy coordinator
• Create simple checklists for initial response
• Maintain template notification letters
• Keep updated contact list for key personnel
• Have pre-approved emergency budget for expert help if needed

Implementation and Training

Staff and Volunteer Training

• Annual privacy awareness training
• Basic security guidance provided to all data handlers
• Documentation of training completion

Audit and Compliance

• Annual privacy review
• Basic security check twice per year
• Policy review annually
• Basic compliance documentation maintained

Documentation Requirements

• Written consent records maintained for 7 years
• Processing activities logged semi-annually
• Training records maintained for 3 years
• Incident response records kept for 7 years

Data Benefits

• We ensure that any use of personal data is designed to benefit the individual and our community.
• We evaluate the potential benefits and risks of data use to ensure alignment with our values and the welfare of our community members.
• Regular assessment of data processing impact on community welfare.

Compliance

• We comply with all applicable data protection laws and regulations.
• We regularly review and update our privacy practices to maintain compliance and address emerging privacy challenges.

Contact Information

• For any questions or concerns regarding our data privacy practices, please contact: First Name Last Name [info@qosi.org]

• Response times:
  • General inquiries: Within 14 business days
  • Urgent privacy concerns: Within 7 business days
  • Rights requests: As specified in Individual Rights section

Version History

• 3.3 Last Updated: Last updated December 2024
• 3.2 November 2024 Next Review Date: November 2025

We regularly review our data practices to ensure they align with our values and legal obligations.