The Office for the Protection of Children and Young People (OPCYP) moved from a paper to an electronic application as of February 15, 2019. Great care was taken in the development of the how the information is collected, transmitted, stored, and accessed once in our possession. The Diocese has embraced and implemented all of the current General Data Protection Regulation (GDPR) policies. It takes serious the privacy of individuals and their Personally Identifiable Information (PII).

 

Collection and Storage

The website used to collect information through our electronic application is encrypted using HTTPS and TLS 1.2 protocols. All information is stored and encrypted on a database dedicated to OPCYP information.

 

Transmission of Information

The Diocese uses two vendors for background checks: Department of Social Services (DSS), otherwise known as Child Protective Services (CPS), and the National Center for Safety Initiatives (NCSI). DSS only accepts notarized paper applications and NCSI receives information electronically.

 

All the information collected during the application process is reviewed and electronically signed through DocuSign. DocuSign utilizes the latest security protocols and tools in the development of its solution.  This includes using 256-bit application level advanced encryption standard; transmission of data over private SSL 256-bit viewing sessions; customer multi factor authentication; separate corporate and production networks; and a security operations center (SOC) that is supported 24 X 7.  DocuSign is ISO 27001, FedRamp and BCR certified.  

 

The information collected by DSS does include PII information including the Social Security Number (SSN). These are held and stored in our safe room when it is received and then mailed in batches to DSS. Once processed by DSS, it is destroyed in Richmond. The Diocese only receives a determination email on the suitability for working with minors which does not include the individual's SSN.

 

The information collected by NCSI is transmitted through an encrypted Application Programming Interface (API). It uses three points of verification as required by the Fair Credit Reporting Act (FCRA); the name and date of birth is compared to the social security number. The collected PII is transmitted the moment the individual submits their application. This vendor is an accredited business with an A+ rating with the Better Business Bureau as well as being accredited by the Professional Background Screening Association (PBSA).

 

Audits

The IT Department is audited yearly by a third-party auditor and has received clean management letters for the past 15+ years. The audit includes the testing and review of:

  • IT System & Network Design and Overview
  • Internal Controls
  • Risk Assessment
  • Access Review
  • Security Infrastructure & Protocols
  • Information Systems Standards and Policies

 

Use of Information

OPCYP uses a management portal for parish and school liaisons to access information regarding employees and volunteers. Each liaison has a unique account that displays very limited information for only the employees and volunteers associated with their parish or school. This information includes name, address, email, phone number, and the last four digits of the SSN. This is a mirrored portal that does not allow the parish or school liaison to access any other information about the individual and they do not have access to the full SSN.

 

For the internal OPCYP staff, all access to the database is secured with unique individual log-ins with appropriate password requirements. Additionally, only the OPCYP Director has access to the full PII of any individual.

 

Conclusion

Hopefully, this will assist in providing you the necessary information that demonstrates the Diocesan security for OPCYP data collection, storage, and transmission. The policy of the Diocese is that all volunteers are required to complete the application for the background checks. OPCYP is unable to waive the submission of the SSN for American citizens since that is one of the three prongs for identification as required by FCRA.