Protecting Personal Information
The policy of the Methodist Church of Great Britain is set out in the Managing Trustees’ Privacy Notice document, which describes in general terms how people’s privacy is respected and how their personal information is protected.
Specific to this web site there are two classes of people involved: those who read the material on the site (the consumers) and those who can update it (the providers).
From time to time, material provided in text form for web pages includes information about how to get in touch with a person: typically quoting a telephone number or email address and occasionally a surface mail address. For private individuals, the web site’s information providers often take the view that the phone and address information can be omitted without significant loss of value. In certain cases it is retained but converted from text to a graphical image, so that its meaning would not be intelligible to a piece of malicious software.
Where such information is provided to allow people to contact the person representing an external organisation officially, the information may be retained in textual form. Where the official contact relates to this Circuit and its churches, e.g. its ministers and church or circuit administrators, the information is protected by converting it to a graphical image as above.
When photographs of people are received for publication, and individuals’ faces are shown clearly, one of the following actions is taken, according to the circumstances:
- Adults’ permission is sought for images of themselves
- Parents’ or guardians’ permission is sought on behalf of children
- Organisations may be able to provide on-going permission for their members
- Where permission is not available for all in a group, faces can be pixelated
- If none of the above approaches is acceptable, the image is withheld
This web site uses technology which allows designated individuals to have update access to designated areas of the site, e.g. to the pages of an individual church. Training includes a session on the need to be aware of others’ personal data security: information providers have responsibility for their fellow providers too.
The designated individuals are trained in how to make changes, are given a system ‘identity’ for logging in and are able to specify their preferred password (to replace the one provided by system administrators). Every log-in ‘identity’ is unique so that should a breach occur it will be clear what the source was.
Although information providers are able to change their own password (at any time), the mechanism is designed to prevent access by on-line robots, which may try to take over a person’s right to amend the site.
Defence of the Joomla Support System
The Joomla database holds the personal email addresses of registered information providers. The support system, which provides the mechanisms for creating and updating web pages and for giving specified individuals the right to manage specified areas of the site, is itself strongly defended.
Here we expect to be guarding against attack from malicious software which might try to take control of the system. Attempted attacks are monitored. From time to time, perhaps in response to an attempted attack, the defences are changed or strengthened.