Does anyone have a policy or other documentation on the criteria you use to determine what access a volunteer may have to your CHMS database? We want to be able to point to a policy or something to be able to say “you get this, but not this”.
Any thoughts at all would be appreciated!
This is probably an over-simplification of what we do, but:
Elders and Deacs have access to everyone, but also go through some training on our Privacy & Data Protection Policy, and their access is revoked when they break the rules until we have a convo about it, Our next step is likely going to be rolling out MFA to these groups (most staff have it already).
Other lay leaders (small group leaders, Sunday school teachers, etc) have access to the people in their group, and only the people in their group. This is a feature I really love about our ChMS, and not all of them can do that.
(Also, for us, permissions are assigned automatically based on what the person is involved with, so it’s not subjective.)