The Data Privacy Act of 2012 (Republic Act 10173) applies to your church. If you collect, store, and process personal information about your members (names, birthdays, contact numbers, giving records), you are a personal information controller under Philippine law, and you have obligations.
This is not widely understood in church communities. The law was designed for corporations and government agencies, and many churches have not received guidance about how it applies to them. But the obligations are real.
What the Data Privacy Act Requires
At minimum, the DPA requires that you have a legitimate purpose for collecting personal data, that you protect that data from unauthorized access or breach, that you allow individuals to access and correct their own data, and that you do not use the data for purposes beyond what was consented to.
Common Church Practices That Create Risk
Sending member contact lists to outside vendors or partners without consent. Storing member data in unsecured spreadsheets accessible to anyone who has the shared drive link. Using member contact numbers for purposes beyond what they signed up for (e.g., adding them to a WhatsApp group for a committee they did not join). Retaining data about members who have left the church indefinitely without a retention policy.
How StewardTrack Supports Compliance
StewardTrack addresses several of these risk areas by design. Member data is stored in an encrypted, access-controlled environment, not in a shared spreadsheet. Exports are logged in the audit trail, so you can see who accessed what data and when. Role-based permissions ensure that only authorized users can view sensitive information. The system supports data retention practices: you can archive or deactivate member records when appropriate.
We are not lawyers and this is not legal advice. But if your church has been operating without thinking about data privacy, this is a good time to start. Your members trust you with their personal information. That trust deserves to be honored properly.