
8. Risk management

Overview

Risk management involves identifying any issues that can undermine the proper functioning of the parish and then putting in place responses to prevent or minimise potential damage.

Parish priests are responsible for the protection and preservation of resources of the parish. It is their responsibility to ensure that the resources entrusted to their care are in no way lost or damaged.

Risk management involves the property and the material and financial assets of the parish. It also includes the people (for instance, in relation to providing a safe working environment for employees).

The best way to care for the resources of the parish is to create ownership of the risk-management process by parish leaders and to implement policies and procedures designed to prevent, or at least minimise, loss or damage from occurring.

With the advice of the parish finance committee (PFC), the parish priest should:

  • identify the key risks to the parish (What might happen?)
  • analyse the likelihood of the key risks and the controls in place to mitigate these risks (When might it happen?)
  • evaluate how best to prevent or minimise the risk occurring (Why might it happen?)
  • treat the risk (What can be done to prevent it happening?)

Examples of how to prevent loss or damage of parish resources include:

  • completing a property-protection checklist (to check, for instance, if security devices are fitted)
  • ensuring the Working with Children (WWC) Check register is regularly updated
  • ensuring collection monies are secured, counted by more than one person and banked as soon as practicable.

The parish priest should make sure that actions, or the inaction, of the parish do not give rise to criminal conduct or civil claims for damages. Examples include:

  • providing adequate lighting
  • signposting steps and slippery surfaces
  • ensuring that all computer software is licensed and data is backed up daily
  • following proper employment workplace practices
  • ensuring copyright is not infringed.

Parish risk-management policies, procedures and checklists (link to come) have been prepared covering various areas, including property protection, safeguarding and fraud prevention.

Property protection

Parish priests must ensure they have in place property-maintenance and inspection processes to prevent loss of buildings, disruption to parish operations and loss of sensitive information.

Property-maintenance advice is available from the Archdiocese’s Property and Infrastructure team.

Safeguarding protections

Parish priests must adopt the Safeguarding Children and Young People Framework put in place by the Archdiocese and must encourage the nomination of a Safeguarding Committee in their parish.

Parish ministries providing services to, or offering activities involving the participation of, children must adhere to the safeguarding directives.

The parish’s overarching responsibilities in relation to safeguarding are to:

  • implement, maintain and/or review child safety processes and procedures to support the wellbeing and safety of children and young people, with input from relevant stakeholders (e.g. priest, parish administration, parents/carers, children, young people, program leaders, pastoral associates)
  • engage in and/or review risk-management processes to promote the safe participation of children and young people in programs, activities and events
  • implement risk-management strategies for people of concern
  • promote and model a culture of safety at all times
  • ensure compliance with the Safeguarding and Wellbeing of Children and Young People Policy and relevant procedures and practices within the parish to protect children and young people from child abuse and harm.

Parish leaders, employees, volunteers and others in contact with children should be trained in the Archdiocese’s policies and procedures on how to promote a safe environment for children and young people.

The parish priest must appoint a parish Safeguarding Committee, which will work with the parish administration team to ensure the Working with Children (WWC) Check register for the parish is accurately maintained at all times.

Further information about the WWC Check requirements can be found in the Working with Children Check Protocol.

Fraud prevention

Parish priests must ensure they have fraud-prevention systems, processes and procedures in place to provide structure and reasonable assurance that assets and records accurately reflect parish financial activities.

All transactions are to be authorised, recorded and reconciled in a timely manner, and all assets and transactions are to be safeguarded by physical security measures and procedures.

Parish priests must ensure instances of actual, attempted or suspected impropriety are investigated and appropriate action taken.

PFCs are to ensure appropriate and effective preventative internal control systems are in place for handling cash. This would include ensuring two people are involved in counting and recording collection monies.

Privacy

The parish is a community built on trust. Every day, parishes gather names, contact details, sacramental records, pastoral notes, donation histories and other information that reflects important moments in people’s lives. Caring for this information well is part of the pastoral life of the parish—an expression of respect for the dignity of each person and for the trust they place in the Church.

Why privacy matters

At its heart, privacy is about respecting the dignity and trust of each person. When parishioners share information with their parish, they are placing their confidence in the Church. Protecting that information is part of the parish’s pastoral responsibility and mission.

The term personal information is broad. It covers any information or opinion about an identified individual, or an individual who is reasonably identifiable, whether the information is true or not and whether it is recorded in writing or held in some other form. In a parish setting, personal information typically includes names, addresses, dates of birth, phone numbers, email addresses, health information and financial details.

A narrower category—known as sensitive information—attracts a higher level of protection under privacy law. It includes information about a person’s religious affiliation, ethnic origin and health, all of which a parish may collect and hold in the ordinary course of its ministry. Particular care should be taken whenever sensitive information is collected, used or shared.

Good parish privacy practice

Good privacy practice is not primarily about documents. It is about how clergy, staff and volunteers handle personal information in the day-to-day life of the parish: how they collect it, what they do with it, how they keep it safe and when they let it go. Five principles underpin everything that follows:

  • Collect only what is needed. Personal information should be collected only where it is reasonably necessary for the parish’s functions and activities.
  • Be clear and transparent. Individuals should know why their information is being collected and how it will be used.
  • Respect access and correction rights. After taking reasonable steps to confirm the identity of the person making the request, parishes should provide individuals with access to their personal information and allow corrections where information is inaccurate or out of date.
  • Keep information secure. Reasonable steps should be taken to protect information from misuse, loss, unauthorised access or disclosure.
  • Dispose of information appropriately. Personal information should be destroyed or de-identified when it is no longer needed.

The sections below apply these principles to the situations parishes most often encounter.

Bulletins, newsletters and acknowledgements at Mass

Parishes routinely include parishioners’ names, anniversaries and prayer intentions in bulletins, newsletters and acknowledgements during Mass. This is acceptable, but care should be taken where the information is sensitive or personal in nature—for example, where it touches on a person’s health or the reason behind a prayer intention. The safest course is to seek written permission before publishing information about an individual. For general acknowledgements at Mass, parishes should be satisfied that the individual would reasonably expect this information to be shared with the congregation.

Sharing within the parish and with other Church bodies

Personal information should be used or disclosed only for the purpose for which it was collected. Sharing information with another ministry, the parish finance council, the parish safeguarding committee or another advisory group within the parish is appropriate where the sharing relates to the parish’s activities and the individual would reasonably expect it or has consented to it.

Personal information may also be shared with the Catholic Archdiocese of Melbourne or other Church bodies where this is necessary for Church operations or administration. Such sharing should be relevant and appropriate, limited to the minimum information needed, and—where appropriate—disclosed to the individual at the time their information is collected, or by directing them to the parish’s Privacy Policy.

Records of volunteers and ministry members

Keeping records of volunteers and ministry members is a normal part of parish operations. Parishes should collect only the information that is genuinely necessary (such as contact details and relevant safeguarding checks), store that information securely and ensure it is accessed only by those who need it.

Photographs and videos at parish events

Where individuals can be identified in photographs or video taken at parish events, parishes should inform attendees in advance that recording may take place—through an announcement, signage in the event space or a term acknowledged at the point of registration. Consent should be obtained for the taking and use of images, with particular care for children and young people and for close-up or otherwise identifiable images. An option to opt out of being photographed or recorded should always be available.

Retention and disposal of records

Personal information should be kept only for as long as it is needed for the purpose for which it was collected. Some records—sacramental records, and safeguarding-related checks and documents—should be retained permanently. Other information, such as a contact list compiled for a single event that has now taken place, should be securely destroyed or deleted when it is no longer required.

Requests to access or correct information

When an individual asks for their personal information to be updated or corrected, the parish should first take reasonable steps to confirm that the person making the request is the individual concerned, or is authorised to act on their behalf. The request should be acknowledged promptly and respectfully, and information that is inaccurate, incomplete or out of date should be corrected. Responding well to these requests is an important part of maintaining both trust and the integrity of parish records.

Fundraising and appeals

Personal information may be used for fundraising and appeals where individuals would reasonably expect this kind of communication based on their relationship with the parish. A simple way for the individual to opt out of future communications—an unsubscribe link in an email, or a phone number to call or text on printed material—should always be provided. Information should not be used in ways that would be considered intrusive or unexpected.

Accidental disclosure

If personal information is disclosed in error—for example, by sending an email to the wrong recipient—the parish should take immediate steps to contain the issue, such as attempting to recall the email. The parish priest should be informed, consideration given to whether affected individuals should be notified, and guidance sought from the Archdiocese’s Legal team where needed. Acting quickly can significantly reduce any potential harm.

Privacy enquiries and complaints

If a parish receives a privacy enquiry or complaint and is unsure how to proceed, the Archdiocese’s Legal team can assist. Contact details can be found below.

Whether a parish needs a Privacy Policy

The Privacy Act 1988 (Cth) and the Australian Privacy Principles set out the legal framework for how organisations collect, use, store and disclose personal information. This framework generally applies to organisations with an annual turnover of more than $3 million. Most parishes within the Archdiocese fall below that threshold, so they are not legally required to comply.

For parishes below the threshold, implementing a Privacy Policy is optional. Nevertheless, a Privacy Policy is a simple and practical way of letting parishioners know how their information is handled, and the Archdiocese encourages parishes with expenditure below the $3 million threshold to consider having one in place. Even where it is not legally required, a Privacy Policy helps ensure that personal information—much of which is sensitive—is managed consistently and respectfully, and supports the trust placed in the Church by the community.

The parish Privacy Policy template

To assist parishes that decide to adopt a Privacy Policy, the Archdiocese has developed a Parish Privacy Policy template. The template is based on the Archdiocese’s own Privacy Policy, which was updated in June 2025 to reflect current privacy legislation and the Australian Privacy Principles, as well as the ways the Archdiocese currently collects and discloses personal information. It is designed as a reliable foundation that parishes can adopt and adapt to their local context. You can access the template via the Vine under the Policies quick link.

Because each parish collects and handles personal information differently, the template is not intended to be a ‘one-size-fits-all’ document. Parishes are expected to review the template and tailor it so that it accurately reflects their own practices. Guidance notes (in italics and highlighted) indicate where information should be inserted or adapted, and these notes should be removed before the policy is finalised and published. Wording within the template that the guidance notes do not prompt parishes to remove—particularly wording relating to the Archdiocese—should be left in place. If a parish considers that other wording should be removed, the Archdiocese’s Legal team should be contacted before any changes are made. Parishes with their own logo should insert it in the header of the template before publication.

Choosing whether to use the template

Parishes that decide to implement a Privacy Policy may either adopt and customise the template—the approach recommended by the Archdiocese as the most efficient and lowest-risk option—or develop their own Privacy Policy independently. Where a parish elects to develop its own policy, it is strongly recommended that appropriate legal advice is obtained to ensure the policy complies with applicable privacy laws and accurately reflects the parish’s obligations and practices.

Reviewing, endorsing and publishing the policy

A Privacy Policy should be published only after it has been properly reviewed and approved. Once the template has been completed and adapted to reflect how the parish collects, uses, stores and discloses personal information, the draft policy should be provided to the parish finance council (or relevant advisory body) for review and input. The parish finance council should have the opportunity to endorse the policy, and the parish priest is to provide final approval.

The completed policy should be published and easily accessible on the parish website, ideally linked from the footer of every page. Where a parish does not have a website, or where individuals who regularly interact with the parish may not have internet access, the Australian Privacy Principles suggest making the policy available in other ways—by displaying it on a stand at the parish premises, distributing a printed copy on request, including details of how to access it at the bottom of correspondence and, where the parish interacts with individuals by telephone, informing them during the call of how the policy may be accessed.

A parish priest responsible for more than one parish that shares a single website need only publish one Privacy Policy, identifying the parishes concerned under the Introduction heading where indicated.

Tailoring the policy to the parish

The template contains a broad list of the types of personal information parishes are likely to collect and disclose, and parishes should not normally need to go beyond what it already includes. If, however, a parish collects or discloses information in a way that is not listed in the template, the policy should be amended to cover it. Where there is any doubt about whether an item should be included, the Archdiocese’s Legal team can advise.

If the parish does not have a dedicated parish privacy officer, the section How to contact us (including how to make a privacy complaint) should record the details of the parish administrator or parish secretary instead.

Keeping the policy up to date

A Privacy Policy is not a document to set and forget. If a parish changes the way it collects, stores or discloses personal information, the policy should be amended promptly and republished. Where the change is material—more than a minor clarification—parishioners should be notified, either by email or through the parish bulletin, that the policy has been updated.

Parishes frequently take photographs and videos of parishioners and attendees at events, and subsequently publish this material in parish communications (often on online platforms) such as newsletters, bulletins, websites and social media.

To ensure good privacy practices, parishes should obtain consent from parishioners and attendees before capturing and publishing any images or recordings of them.

To assist with this, a media consent form has been developed for use by parishes within the Archdiocese.

Once signed, the form provides the parish with ongoing consent to photograph and record the parishioners and attendees, and to publish those images and recordings in parish communications for the purposes of promoting the parish and the Archdiocese.

The form should be completed by all existing parishioners, as well as any new parishioners or attendees attending a parish event for the first time. Completed forms must be securely stored.

Individuals completing the form are required to provide:

  • their full name at the top of the form
  • their email address at the bottom, so that a copy of the signed form can be sent to them. This ensures that both the parish and the individual retain a record of the consent provided.

Parishes should insert their parish logo in the space provided at the top of the document.

Need further help?

For help with implementing a Privacy Policy, or with any general privacy concern, please contact the Archdiocese’s Legal team at general.counsel@cam.org.au.