1.1 “Personal Data” is information that may be used to identify you, directly or indirectly, alone or in conjunction with other information. This includes information such as your full name, email address and telephone number, among others;
1.2 “Sensitive Personal Data” means data that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of unambiguous personal identification, health, or the sex life and/or sexual orientation of a person.
2. PRIVACY AND SECURITY OF MEMBER:
2.1 Protecting your privacy is very important to us. RIVERSIDE protects the information entrusted to us. We are fully aware that these data belong to Members and Contacts and we will use them specifically according to what has been consented to.
2.2 We implement appropriate technical and organizational protections to protect against unauthorized or illegal processing of Personal Data and against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to Personal Data;
2.3 Only employees and members of the Board who need the information to perform a specific job are granted access to Personal Data. Personal data is stored and managed in a secure digital environment;
2.4 Please note, however, that we cannot completely eliminate the security risks associated with the storage and transmission of Personal Data;
2.5 By accepting this document, the Member and Contact acknowledge and agree that RIVERSIDE may disclose your account information, when required by public authorities, to satisfy any applicable law, regulation, legal process or governmental request.
3. DATA RECEPTION:
3.2 RIVERSIDE does not receive Sensitive Personal Data;
3.3 Members and Contacts use the following channels for the provision of personal data:
a) Through the forms at www.riversideintchurch.com;
b) Through the emails sent directly to firstname.lastname@example.org;
c) Through the Connection Card form handed over to the church secretary or deposited in the forms box and collected by the secretary.
3.4 The following information may be received:
a) Full name;
c) Preferred language of contact;
d) Date of birth;
f) Mobile phone;
h) Town / region of residence;
i) Free field – is not stored in the system.
3.5 RIVERSIDE does not directly receive Personal Information from children. If you know that a child has provided us with Personal Information, contact us by email at email@example.com. If we detect that a child has provided us with Personal Data, we will take adequate steps to remove the information. However, parents can access the data their children have provided to us through our contact channels.
4. USE OF PERSONAL INFORMATION AND RESPONSIBILITIES OF CONDUCT:
4.1 RIVERSIDE uses your personal data for the following purpose:
a) Communications related to the activities promoted by the church, by e-mail or telephone.
4.2 No personal data will be shared with third parties. The only exception is in cases where information is required by law or court order;
4.3 All RIVERSIDE employees accessing Member and Contacts’ personal data are required to maintain confidentiality over them;
4.4 All employees are liable for disciplinary action for the illegal breach or transmission of data received. This responsibility will be verified through a disciplinary procedure that may culminate in penalties provided for in the Labor Code;
4.5 In the event of any security incident involving personal data, RIVERSIDE will inform its Members, Contacts and competent authorities within the maximum period of 72 (seventy-two) hours.
5. ELIMINATION AND INFORMATION ABOUT THE DATA
5.1 Members and Contacts may at any time withdraw permission to receive communications relating to church-sponsored activities by email or telephone, by sending a written request to firstname.lastname@example.org, or by clicking on the option available in our emails;
5.2 Contacts may request information about and/or permanent elimination of all their personal data by sending a written request to the email email@example.com, or by clicking on the option available in our emails.
5.3 Requests for information or deletion of personal data will be attended within thirty (30) days.
6. CONTACTS:
6.1 These are the main channels that RIVERSIDE makes available to its Members and Contacts for any clarifications or requests:
6.1.1 Telephone: (+351) 214 836 590, available from Monday to Friday at the following times: 9:00-13:00 and 14:00-17:00.
6.1.2 Email Address: firstname.lastname@example.org;
6.1.3 Mail: Av. 25 de Abril, 1011, Galerias O Navegador, Piso -1, Loja 24, 2750-515 Cascais, Portugal.
SECURITY OF INFORMATION POLICY
This document is intended to guide and set guidelines for conduct and responsibilities in the handling of information and technology assets in order to ensure the confidentiality, integrity and availability of the information necessary for the continued operation, as provided for in Portuguese law.
The PSI is based on the recommendations of the ISO 27001 standard, which has the main Information Security (SI) practices applied worldwide, as well as the RGPD – General Data Protection Regulation.
The guidelines set forth in this document apply to all employees and information in any medium or support related to Riverside International Church (“Riverside”).
Riverside’s information security processes are governed by the following guidelines:
4.1 Information Security Organization
Establish and maintain a framework for Riverside’s Security of Information.
4.2 Human Resources Security
Ensure that employees, suppliers, and third-parties understand their roles and responsibilities before, during, and in the closing or change of engagement to reduce the risk of theft, fraud, and misuse of resources.
4.3 Physical Security
Provide physical protection mechanisms, which range from outside perimeter to internal work space, preventing unauthorized physical access, damage, theft and interference with critical Riverside facilities and information;
4.4 Access Control
Control access to information, information resources and processes, based on information security.
4.5 Operations and Communications Management
Ensure the safe and correct operation of Riverside’s information resources, including network activities, as well as the control and detection of unauthorized activities.
4.6 Business Continuity Management
Ensure continuity of critical lines through contingency plans.
5. DETAIL OF THE GUIDELINES
The Information Security guidelines that govern Riverside’s activities are detailed as follows:
5.1 Information Security Organization
a) Members of the management shall actively support information security in Riverside;
b) Members of the Board are responsible for protecting the personal data of Riverside members;
c) Coordination of safety in training activities should be carried out by the management, at the meetings of the Information Security Commission;
d) Responsibilities for information security should be clearly defined and disseminated, including in cases of third-parties;
e) The Riverside must have security policies that describe corporate policies and procedures, establishing information security criteria in accordance with the requirements of the operation and with existing laws and regulations;
g) Policies and security procedures must be reviewed and updated annually, considering all the facts and relevant events that require immediate review.
5.2 Human Resources Security
a) Ensure that all job seekers are adequately analyzed, especially in jobs or services with access to confidential information. Verifications of personal references and criminal records are mandatory;
b) Ensure that all new employees are instructed about their responsibility for the security of information and that everyone signs a Security Agreement, as do third parties when this is not explicit in the contract;
c) Establish periodic awareness plans, ensuring the awareness and adherence of employees and third parties to the principles and guidelines of information security;
d) Ensure the return of Riverside assets and the withdrawal of access rights of all employees and third parties upon termination of their activities, contracts or agreements;
e) Apply formal disciplinary measures in force for officials who have committed a violation of Information Security, including ensuring that new violations do not occur.
5.3 Physical Security
a) Control the physical security perimeters of the Riverside, ensuring there are no gaps or points of easy invasion to the environment where the information is kept;
b) No individual who is not an employee shall have access to the premises where the information is located without being announced and having their entry authorized by an official.
5.3.1 Clean Table Policy
a) This policy refers to the Clean Table, Screen, Printer and Garbage;
b) When leaving, the employee should not leave printouts, notes, calendars and notebooks on the work table. These should be stored in drawers or lockers with locks;
c) The use of screen savers with password on computers is the responsibility of the employee. Although the screen saver is triggered automatically, in periods of inactivity of the mouse or keyboard, the employee must activate it immediately before his absence from the work table;
d) It is imperative to keep printed documents and storage devices properly protected, not leaving these materials in the printer or in the bin. They should be stored in lockers with keys, disposed of unprotected or crushed garbage.
5.4 Access Control
a) New access requests must be approved by Management and must be traceable;
b) Employees must have a unique ID, personal and non-transferable, qualifying them as responsible for the actions carried out through this identification;
c) The granting of access to employees must comply with the criterion of least privilege, in which employees have access only to the information resources necessary for the full performance of their activities;
d) The work processes of the Riverside should be safeguarded through the segregation of functions, so that activities are not performed and controlled by the same employee;
e) Passwords should never be shared, revealed to others or written down, and should be stored encrypted in systems;
f) The Strong Password process must be used, with passwords consisting of a minimum number of alphabetic and numeric characters, with uppercase and lowercase letters, free of identical consecutive characters;
g) The initial access passwords provided to employees must be self-expiring, requiring them to be changed on first use;
h) The default passwords for purchased products and applications must be changed immediately upon activation;
i) Employee IDs should be disabled after a maximum number of invalid access attempts;
j) Officials on leave or long absence, for any other reason planned, should have their access blocked immediately;
k) The access rights of terminated employees and third parties must be removed immediately from the register;
l) The delivery of mobile devices, such as notebooks or mobile devices, must be recorded according to the Equipment Receipt Term;
m) Inactive sessions should be automatically blocked by means of screen savers and their release must require password;
n) All personal information should be classified and treated as CONFIDENTIAL;
o) Employees who use laptops and mobile phones should be aware of the following:
i. Mobile devices must be protected against loss and theft, with the use of passwords and safe behaviors (e.g. do not leave mobile devices exposed);
ii. Immediately notify Management Members in case of loss or theft of the mobile device;
iii. Take the necessary care to protect Riverside’s confidential information.
5.5 Operations and Communications Management
a) The procedures and description of the Riverside are in the document Riverside’s Workplace Systems;
b) Adherence to the controls on the use of the Internet and electronic mail (e-mail) must be ensured, as defined in the document Riverside’s Workplace Systems;
c) Detection and prevention controls must be in place to protect against malicious code;
d) Backups of information and software must be performed and tested regularly and their storage must be in a different location and away from the locality of the original data, according to the Business Continuity Policy;
e) Media and equipment should be disposed of safely and protected when they are no longer needed, observing the criticality of the information stored;
f) Removable media units (USB key, CD and USB) should be used with proper justification and approval.
5.6 Business Continuity Management
a) Adherence to the Business Continuity Policy must be ensured, covering People, Processes, Physical and Technological Implications;
b) Any security incidents must be reported to the Board, as described in the Incident Management Plan.
6.1 Members of the Board:
a) Ensure compliance by all employees with this Policy and the safety procedures issued;
b) Take precautions upon admission, transfer or dismissal of employees to prevent documents or information from Riverside and its members from being used or disclosed improperly;
c) Should be the point of contact with the authorities, including reporting incidents;
d) Keep Riverside employees informed and aware of safety requirements and the GDPR;
e) Disclose the importance of password secrecy, as well as the care with its use, avoiding the use of the same password by a group of several employees;
f) Ensure that agreements entered into with third parties and entities outside Riverside (partners, third parties, service providers, suppliers, contractors and temporary agents) contain clauses that preserve the security of Riverside information, its members, partners and employees;
g) Provide guidance to employees who, due to the need and nature of the work, have to handle or become aware of documents with confidential information, as to the zeal they must have with such information.
6.2 Information Security Commission:
a) Its aim is to ensure clear direction and provide evident support for Riverside’s safety initiatives;
b) It is composed of the Board Members. Other representatives may be invited to attend specific meetings;
c) This Committee meets regularly and its frequency is according to identified needs.
6.2.1 Responsibilities of the Information Security Commission:
a) Critical and permanent analysis of the Information Security Policy and the responsibilities involved, deciding on possible changes, whenever necessary;
b) Critical analysis and monitoring of the main risks and incidents of information security;
c) Approval of the main initiatives to increase the level of information security.
6.3 General Responsibilities
a) All information exchanged or stored by Riverside, regardless of content, is the sole and exclusive property of Riverside. Employees must use the feature provided by Riverside to conduct its operations;
b) It is incumbent upon all employees to comply with the guidelines contained in this Policy and other Information Security and Privacy policies;
c) Every employee must formally adhere to the Security Agreement and Term of Liability and Confidentiality.
Failure to observe the principles and guidelines in this policy can seriously impact Riverside’s members and contacts, enable the violation of laws and regulations, and negatively affect the reputation and the financial stability of Riverside. Deviations and exceptions should be handled by the Information Security Commission.
8. DURATION AND REVIEW
This policy takes effect on May 02, 2018 with annual review.
Date of Approval: 02/05/2018
Approver: Information Security Committee