Church policy documents don't match. Clarification requested.

Posted: Sat Jul 07, 2018 2:34 am
by devinbost
Regarding our interest in creating a web application to assist with coordinating Ministering Interviews with members of our Elders Quorum, I have located the most relevant policies from Handbook 2 and "Use of Online Resources in Church Callings." This information is helpful, but there is actually a section of the two policies that conflict. (They state two different things.) This is likely an oversight from the general Church committee responsible for maintaining that section of policies, so it may be helpful if we could get additional guidance on it (and to respectfully bring it to their attention).

I'll first mention the two official policy documents, and then I'll point out where the information is in conflict.

Handbook 2, section 21.1.22 states:
'However, members should remember that electronic communication should not replace opportunities for in-person contact, where feasible. . .
Members may not create websites, blogs, or social media profiles on behalf of the Church or to officially represent the Church and its views. However, they may create websites, blogs, or social media profiles to assist with their callings. When doing so, members must include a disclaimer such as “This is not an official website of The Church of Jesus Christ of Latter-day Saints” and comply with the following guidelines:
1. Local priesthood leaders must first approve the creation of calling-related websites, blogs, or social media profiles.
2. The Church logo may not be used or imitated.
3. The name and contact information of the member who is responsible for the website, blog, or social media profile should be posted publicly.
4. Members should not state or imply that their online resource’s content, images, or other materials are sponsored or endorsed by the Church or officially represent the Church in any way.
5. Church-owned artwork, videos, music, and other materials should not be posted unless such use is clearly authorized by the “Rights and Use Information” page of an official Church website or by the Church’s Intellectual Property Office.
6. Photographs of other individuals or personal information should not be displayed without consent.
7. Social media properties must be properly maintained and actively moderated to ensure that any inappropriate content is promptly removed.
8. The website, blog, or social media profile should not be the name of a Church unit. For example, “First Ward News” or “Friends of the First Ward” is acceptable, while “First Ward” is not.'
I also found https://internet.lds.org/ , which states:
"General Guidelines
Remember the following as you plan to use a website, blog, or social media resource for your calling:

1. Local priesthood leaders must first approve the creation of calling-related websites, blogs, or social media profiles.
2. The Church logo may not be used or imitated.
3. The name and contact information of the member who is responsible for the website, blog, or social media profile should be posted publicly.
4. Members should not state or imply that their online resource’s content, images, or other materials are sponsored or endorsed by the Church or officially represent the Church in any way. Rather, the online resource should include a disclaimer stating that it is not an official, Church-sponsored product.
5. Church-owned artwork, videos, music, or other materials should not be posted unless such use is clearly authorized by the Rights and Use Information page of an official Church website or by the Church’s Intellectual Property Office. For copyrighted content from other sources, members must first obtain written permission from the content owner.
6. Other people’s personal information must never be displayed. Images or videos of other people should not be displayed unless the individuals have given written consent. (See “Additional Resources” at the end of this page for an example of a permissions form.)
7. Social media properties must be properly maintained and actively moderated to ensure that any inappropriate content is promptly removed. Having more than one moderator or owner will help ensure active monitoring and timely moderation.
8. Members should have a purpose and goal for the resource, such as community outreach, increased friendship between members, and so on, and the resource should be named accordingly. The website, blog, or social media profile should not simply be the name of a Church unit or individual. For example, “First Ward News” and “Friends of the First Ward” are acceptable names, but “First Ward” and “Bishop Davis” are not.
9. Websites, blogs, and social media profiles should not duplicate tools and features that are already available on LDS.org."
There are also examples at internet.lds.org, including this example (among others), that constitute appropriate use:
"An elders quorum president needs to have regular contact with his quorum members, many who have limited Internet access.
After receiving permission from his bishop, the quorum president decides to use a mobile messaging app (such as WhatsApp, Skype, Facebook Messenger, Google Hangouts, or Kik) to communicate with his quorum. After determining which of these services is most convenient for his quorum members—and receiving their permission to communicate with them on this platform—he creates a private list of those who would like to receive these messages. He understands that this is just one method of communicating with his quorum members and always follows up on important items by making phone calls or visiting in person. He never shares this group information with anyone else and quickly adds or removes anyone from the group who requests it."
They also have helpful examples of inappropriate use listed there, but none of those cases seem to apply to what we’re doing here.

Handbook 2, section 21.1.11, also states that some additional information is available in Handbook 1, sections 13.8 and 13.9, about the use of computers, but I don't have enough authority to have access to Handbook 1. Specifically, it states:
"To protect confidential information on computers, leaders and clerks should use the password features of Church record-keeping systems. Additional instructions about protecting confidential information are provided in Handbook 1, 13.8 and 13.9."
So, unless there's something in Handbook 1 that states that our current use cases are unauthorized, it appears that it is totally acceptable for me to create a web app using Amazon Web Services to:
  • automate sending reminders via email to EQ members regarding ministering interviews (as long as we allow them to opt-out),
  • automate sending reminders via text message to EQ members regarding ministering interviews (as long as we allow them to opt-out),
  • help keep our Excel spreadsheet or calendars in sync with lds.org (though I'd need to think about how we'd do this first),
  • help us keep track of ministering interviews.

However, what's not as clear is that Handbook 2, Section 21.1.22(6) states:
'Photographs of other individuals or personal information should not be displayed without consent.'
which conflicts with internet.lds.org (6), which states:
'Other people’s personal information must never be displayed. Images or videos of other people should not be displayed unless the individuals have given written consent. (See “Additional Resources” at the end of this page for an example of a permissions form.)'
What makes this confusing is regarding the use of the internet for leadership purposes, such as among the members of an Elders Quorum presidency, who aren't displaying the information to members of the quorum outside the presidency or among members of the public but need the information to be displayed to each other to stay coordinated, such as (for example) regarding conducting Ministering Interviews.

I want to be clear that my goal is not to be critical of the Church policies. I think the policies are great, and I know that our Church leaders are inspired by God and are the best possible individuals who could be serving in their capacity, but like I mentioned before, this may have been a simple oversight. Alternatively, perhaps I just don't understand the language they are using in the policy definitions, but perhaps I am not the only one.

So, is it the intent of the First Presidency to allow or prevent the use of internet technologies to facilitate the sharing of information (that includes private member information) among auxiliary presidencies in this manner? If the intent is to restrict such use, to what extent is such activity prohibited? And if the issue is a security issue, are there security best practices (such as encryption in transit and at rest) that we can implement to protect such information to allow such use?

The interpretation from a member of my stake presidency is thus:
"I have read through your email, both Handbook 2, the on-line instructions and Handbook 1.
All of them seem to agree to me and state that you cannot put any member's (or anyone's) personal information on the Web without their explicit consent. If you do put it out there, then there has to be some mechanism that records and stores that member's consent. Also they have to be able to have the data removed ASAP upon request.

If it is a spreadsheet stored in the cloud that only specific people (ie: the EQ Presidency) have access to, then that does not qualify as putting it out there publicly and does not need consent from all the members. However if that document is accessible by anyone, then there is a problem. A really good guide to go by, is either LDS Tools or LCR and who has access to what.

I would strongly encourage the use of LCR & LDS Tools for the sharing of quorum members' information as a whole (ie: Pictures, phone numbers, email addresses, dates, etc). I say this because the members can individually control what is seen and not seen about them and you do not have to deal with it. I also know that you can send emails and texts to groups or individuals through those tools. But I don’t know of a way to automate that. I know of a few programmers who are working on tools to interface with LCR/LDS Tools to do so, but who knows when they will have them done.

Having a spreadsheet shared with only the quorum presidents & secretaries on say Google Docs used for coordinating interviews, that is fine. Just be really careful with who has access at any given time and limit the personal data as much as possible."


This is helpful to me, but I'd still like to be able to request clarification at the policy level, though I'm not sure who to contact (either in the Church technology department or elsewhere).
And just to be crystal clear, I am not the type of person who would leave the Church over something like this. I hope that nobody would ever leave the Church, and I especially hope that nobody would ever leave the Church over something as insignificant as this. I am simply trying to be as obedient as possible to the intent of the First Presidency, and because of my imperfect understanding of their intent in the published policies, I'm seeking to get some additional clarification, even if I never get a personal response and instead can just see an update to the online policies (though it would be nice if I could be notified if the policies were updated).

Does anyone have any suggestions?

Re: Church policy documents don't match. Clarification requested.

Posted: Sat Jul 07, 2018 3:01 am
by devinbost
Also, for what it matters, I'm planning on using AWS Lambda and either S3 or possibly DynamoDB for storage, possibly with a service like the Simple Notification Service (SNS) or one of the related notification services. So, we would never need to worry about managing virtual machines because each of these services is considered "serverless," which makes them much easier to maintain, much easier to encrypt and secure, and very inexpensive. (At my work, AWS Lambda is costing us about $8 per million events because it's billed per millisecond of compute time, which totals about $7/year for the use case we were working on.)
I also think it would be cool to use Amazon Lex with Amazon Connect to actually be able to provide EQ lesson phone call reminders with a human voice that identifies the person by name and reminds them of when they're giving the lesson and what the subject of the lesson is. If the data is stored in DynamoDB, this would be really easy to do. I created a similar app for a work project in three hours at a workshop at the most recent AWS Conference, and I know that many companies are utilizing services that make use of machine learning for things like this, and I know that many members find services like that to be helpful.

Clarification from official Church policy on matters like this would be helpful as well because it's only a matter of time before these technologies become more widespread.

Re: Church policy documents don't match. Clarification requested.

Posted: Sat Jul 07, 2018 12:31 pm
by eblood66
These forums are only user-to-user help. There is nobody on the forums that can provide official clarification. We can provide personal interpretations and can sometimes point out additional documentation you may not be aware of but you generally won't get anything more here.

Bishops and stake presidents have responsibility for interpreting policy and resolving any conflicts for their units. So this
devinbost wrote:The interpretation from a member of my stake presidency is thus:
is your best source of clarification. If the stake president feels he needs clarification he can ask his area authority who can ask upward if he needs to. That's the only avenue for any official word. There isn't any mechanism for members to directly ask for policy decisions from CHQ or general authorities.

The one other thing I can contribute is that the Meetinghouse Technology Policy document (which you may or may not be able to access depending on your calling) prohibits using membership data in third-party applications or storing it in a cloud-based service. As it stands now, that policy would likely prohibit pulling any data from lds.org for such an application. How it might affect it otherwise is, again, something for your local leaders to decide.

Note, however, that in a very rare exception, a discussion on the forums concerning a similar idea has attracted attention from 'higher up'. See this thread: https://tech.lds.org/forum/viewtopic.php?f=16&t=23748

It's possible the eventual resolution of that thread (whatever it may be and whenever it happens) could have bearing on this kind of idea as well.

Re: Church policy documents don't match. Clarification requested.

Posted: Sat Jul 07, 2018 1:52 pm
by russellhltn
devinbost wrote:This information is helpful, but there is actually a section of the two policies that conflict. (They state two different things.)
I don't know as it "conflicts" as much as one is more restrictive than the other. To conflict, one would have to say something is okay (and not just okay by omission) and the other to say it's prohibited.

I'll point out something I posted in that other thread: From Help Center, Keeping Church Information Safe, dated 22 August 2017:
Do not export membership or financial data from Church applications.
Do not store data found in Church applications in consumer cloud storage apps (such as Dropbox or Google Drive).

devinbost wrote:If it is a spreadsheet stored in the cloud that only specific people (ie: the EQ Presidency) have access to, then that does not qualify as putting it out there publicly and does not need consent from all the members.
I find that part questionable. In my opinion (and despite the title under my name, that opinion doesn't count for anything special), the moment that you record information about someone else and put it on the web, even if secured, you're taking a chance.

For reasons that are probably both Public Relations and legal, the church is very careful about what kinds of information are gathered and recorded about its members. I think that plays a large part in why ministering is focused around interviews and meetings, and not around using far more convenient but recorded forms of information transfer.

Another thing to ask yourself - what happens if something goes wrong and the information is exposed? Who is held responsible in the resulting lawsuit? (I wouldn't count on the grace of the members to avoid legal trouble.) I think there's a good chance the church would have to throw the leaders under the bus who went outside the guidelines in order to protect church assets. The leaders involved are likely to find the events "life altering" for economic reasons. The only sure protection here is to either not do it or to limit the information to non-personal/non-sensitive information.

If you want to be on the safe side, I'd suggest sticking with interviews and correlation meetings, and avoiding any kind of shared electronic data until further clarification is made. As someone who was clerking before the age of the internet or even before computers in the meetinghouse, I find the argument that modern tools are somehow "necessary" to be amusing. <smile>

Re: Church policy documents don't match. Clarification requested.

Posted: Sun Jan 13, 2019 3:28 pm
by cgswvc
This is an interesting conversation. In my temporal work I am involved with sensitive information, one is a person's private information. I am strongly in favor of erring on the side of protecting data rather than exposing it to potential threats. With that being said I turned our firewall on in the stake meeting houses to restrictive and not many minutes later was getting complaints about Google Docs being blocked. To keep from being lynched I set them to moderate.

My question then revolves around if there are applications that are not to be used with the Church’s network? Google Docs and Dropbox seem like at least partially open doors for someone of malicious intent. I know the firewall setting is up to the stake president to define so is what programs are used in the stake up to him also or is there a definition provided by the Church IT department? In the defense industry it is becoming harder to do a job because of the added security not easier. I am concerned that when it comes to our personal information, or our kids' information maybe we should request direction that limits risk of exposure.

If someone has something to add that I can use as a guideline please do so!

Re: Church policy documents don't match. Clarification requested.

Posted: Sun Jan 13, 2019 5:57 pm
by russellhltn
cgswvc wrote:My question then revolves around if there are applications that are not to be used with the Church’s network? Google Docs and Dropbox seem like at least partially open doors for someone of malicious intent. I know the firewall setting is up to the stake president to define so is what programs are used in the stake up to him also or is there a definition provided by the Church IT department? In the defense industry it is becoming harder to do a job because of the added security not easier. I am concerned that when it comes to our personal information, or our kids' information maybe we should request direction that limits risk of exposure.

If someone has something to add that I can use as a guideline please do so!
At this time, I think all you'll find is from Meetinghouse Technology Policy
4.13.2 Only Church-approved, licensed software is permitted for installation on Church computers.
The kicker is what is "Church-approved"? And some web-based things are not really installed software.

Also:
4.9.3 The use of MLS data and membership information in third party software is prohibited, whether obtained from within or outside of a meetinghouse.

4.9.4 The use of cloud-based services for storing and/or backing up MLS or any membership related data is prohibited.
My personal advice is that no one should be entering/storing information about other members into any website except those created by church headquarters and registered them. There's a very good possibility if anyone does that and things go wrong, that individual may be hung out to experience the full force of the "laws of the land". The church will need to protect itself and there's nothing in the manuals that says to use third-party sites, so the member may find it hard to deflect any blame. Regardless of the outcome, the experience is likely to be life-altering. And not in a good way.

That's not to say there isn't any valid use for Dropbox or Google Docs. I myself keep an inventory of the stake's computers in Google Sheets. Others in this forum have indicated that they keep meeting agendas there (being sensitive to personal information).