USING OUR DATABASE AND WEBSITE

TeamDesk is our central database for managing facilitator certifications, activities, and reporting on healing groups. Our THI internal website (also known by its technical name, Beacon) is our front-facing platform for coordinators and facilitators, designed to help you create events, report events, and access our materials library.

As a Coordinator, you have permission to do the following in the THI database within your organization’s records:

• View and modify (add, update, or delete) healing group activities

• View and modify contacts

• View and modify facilitator information, including certification

• Request written permission from a THI Staff Administrator to share read-only access to specific data related to a program and its participants

• Generate a report regarding THI program data, but only for informational purposes. These reports must be anonymized and not contain any personally identifiable information of program participants.

You must abide by these terms:

• Maintain user data confidentiality at all times

• Personal data* must be pseudonymized, hashed or de-identified

• Use the data for which you have access to solely for the purpose of reporting on THI activities related to your organization

• Use secure methods (encryption protocols) when sharing approved data

• Notify a THI Staff Administrator if transferring personal information to another country, to ensure legal compliance

• Any violation of the policy will result in a loss of access to the database

• Any suspected compromise of data or breach must be immediately reported to support@traumahealinginstitute.org

What is not permitted:

• Changing a contact’s or facilitator’s personal data in the database

• Sharing personal data (internally or externally) with anyone who is not specifically authorized in advance by prior written consent of a THI Staff Administrator

• Any type of downloading, printing, exporting, sharing, copying, capturing, or removing data—for example, you cannot take a screenshot of the THI Database and send that picture in an email

• Contacting a person whose record is marked as confidential, without written permission from a THI Staff Administrator

*Personal data is any information relating to a person who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

I. INTRODUCTION 

a. Welcome to the Trauma Healing Institute (“THI”), a division of the American Bible Society (“ABS”). 

b. This Policy outlines the procedures and practices for Authorized Users, defined below, to access certain information and database platforms used by THI. By accessing our systems including the THI Database (TeamDesk platform) and the THI Website, you agree to the terms included in this Policy. This Policy explains your responsibilities, access levels, and required security measures when working within the THI Database and THI Website. 

c. THI Coordinators, Master Facilitators, and THI Staff are Authorized Users, defined below, who use the THI Database to further the lawful purposes of THI. 

d. Authorized Users are granted access to the THI Database solely to fulfill their Trauma Healing program responsibilities. 

II. SCOPE 

a. This Policy applies to all Authorized Users. 

III. DEFINITIONS 

a. “Authorized User” is a party, whether employed or engaged by THI, who is authorized in writing by THI Staff Administrators (or their designees) to access the THI Database. 

b. “Consent” is any freely given, specific, informed, and unambiguous indication of a Data Subject’s wishes by which the Data Subject signifies agreement to the Processing of Personal Data relating to the Data Subject. 

c. “Data Breach” occurs when it is determined that a Data Incident results in the acquisition, possible unauthorized exposure, access, use, or disclosure of Personal Data where certain legal definitions have been met, depending on the data involved and the nature of the Data Incident. 

d. “Data Incident” is the attempted or successful unauthorized access, use, disclosure, modification, exposure, or destruction of Personal Data or interference with system operations in THI’s IT Systems. Examples of Data Incidents: 

1. Authorized User account(s) accessed by an unauthorized party 

2. Unintentional or intentional disclosure of Personal Data contained in the THI Database to an unauthorized party 

3. Unauthorized sharing of login credentials with other users 

4. Unauthorized access to, alteration of, or activity within the THI Database or THI IT Systems (e.g., unexplained or unauthorized code changes, compromised/defaced website, etc.) 

5. Data rendered unusable (e.g., encrypted with no encryption key, i.e., ransomware attack) 

6. Compromise of credentials resulting from, but not limited to, malware infection, phishing attack, eavesdropping, or improper disclosure of password(s) to an unauthorized party 

7. Evidence that someone tampered with an Authorized User account 

8. Stolen or lost devices, including laptop, tablet, smartphone, or external storage device 

9. Physical theft/breach (e.g., broken doors to THI’s facilities, stolen computers, etc.) 

10. Device(s) infected with malicious software 

11. Notification of publicly posted or available Authorized User credentials or Personal Data 

12. Notification from a vendor regarding a breach involving Personal Data 

13. Risks or circumstances that are likely to result in any of the above 

If THI Staff Administrators are notified of a possible Data Incident within the TeamDesk platform, they will collaborate with TeamDesk, who are responsible for managing the database infrastructure, assess, and respond. THI Staff Administrators will also coordinate with ABS Legal, who may initiate further actions such as an investigation or retention of forensic experts, to determine if the event qualifies as a Data Incident or Data Breach and provide a unified response. 

e. “DataSubject” refers to any individual to which Personal Data in the THI Database relates. 

f. “Facilitators” are users of the THI Website and app who submit Personal Data and activity reports related to THI program activity that populate the THI Database. Facilitators may access Personal Data on a limited basis to reach out to those who voluntarily provided their names and email addresses through the THI Website to enroll for a specific Trauma Healing event. 

g. “Master Facilitators” are Authorized Users who have the ability to view information in the THI Database and can change Facilitators’ certification status in accordance with the THI program model. 

h. “Personal Data” means any information relating to an identified or identifiable natural person, i.e., Data Subject. An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. 

i. “Processing” (includes derivatives, such as “Process”) refers to any handling of data, including efforts to collect, access, maintain, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle data. For example: storage in databases, input onto systems and applications, sharing with relevant stakeholders, and creating customer accounts. The act of entering an individual’s name into a spreadsheet or the THI Database is an example of Processing Personal Data. 

j. “THI Coordinators” are Authorized Users with limited access to data management functions of the THI Database. Their access is limited to purposes related to management of the Trauma Healing programs they oversee within their separate organizations to which they can view and modify. 

k. “THI Database” refers to the THI data stored on the TeamDesk platform and is used by THI to capture Trauma Healing data and further the mission of THI. 

l. “THI IT Systems” means ABS’s and THI’s information technology systems and networks, including resources used for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic information. Examples include computers, laptops, networks, phone systems, calendar systems, cloud storage, Wi-Fi capabilities, document storage, on premise storage, camera systems, card readers, or any other system that transmits or stores THI data and information or provides support to overall THI business operations. The THI Database is part of THI IT Systems. 

m. “THI Staff” are Authorized Users with limited access to data management functions of the THI Database, including those functions necessary for their work as employees of the Trauma Healing Division within ABS. 

n. “THI Staff Administrators” are Authorized Users who are ABS employees of the Trauma Healing Division and are the system administrators for the THI technology ecosystem. THI Staff Administrators have full administrative control and access to all aspects of the THI Database. 

o. “THI Website” refers to the event registration platform storing THI event registrations, event dates, and locations. 

IV. ROLES AND RESPONSIBILITIES  

a. THI Staff Administrators  

1. THI Staff Administrators are responsible for overseeing the management, training of users, and compliance with this Policy and effectuating Policy review and discipline measures as set forth in this Policy. This may involve reviewing anonymized reports generated by THI Coordinators to affirm compliance with data privacy regulations. This may also involve reviewing and approving requests for data downloads or exports (if permitted) to help guarantee compliance with data privacy regulations and program participant confidentiality. This may also include regular review of Authorized User access and logins. This will also include providing relevant and useful training documents, appropriate for users to ensure they understand how to use the system appropriately.  

2. THI Staff Administrators are responsible for and will maintain a list of restricted data sets accessible only by Authorized Users. This list will include data highly sensitive to THI, such as  confidential program participant information.  

3. Questions about this Policy should be directed to support@traumahealinginstitute.org.  

b. Authorized Users  

1. Authorized Users, as key stakeholders in data management within the THI Database, play a vital role in upholding the integrity, confidentiality, and security of data.  

V. DATA OWNERSHIP  

a. Data Processed in the THI Database is the property of THI and not of any Authorized User. THI and ABS retain all intellectual property rights associated with the THI Database, with the exception of those owned by TeamDesk.  

VI. ACCESS PERMISSIONS 

a. Authorized Users will have different levels of access to the THI Database based upon their roles and responsibilities as set forth below.  

b. THI Staff Administrators oversee data management and system maintenance within the THI Database. 

1. Have full access to the THI Database, the power to authorize Authorized Users to access the THI Database, and the ability to revoke access privileges. Such privileges are based on job requirements, security protocols, and the specific needs of THI programs and to ensure that Authorized Users have the appropriate level of access to perform their duties while minimizing the risk of unauthorized data access.  

2. Can modify developer roles, edit any column or table, and manage all TeamDesk workspaces, databases, and tools. 

3. Have all of the capabilities of other Authorized Users.

c. THI Staff

1. Have access to view, create, and modify data in the THI Database and can change Personal Data of user records.  

2. Can grant read-only access to specific data sets relevant to THI programs and program participants’ information.  

d. Coordinators manage communities of practice and local program implementation, including updating facilitator certifications and activity records. 

1. Have access to view and modify activities, contacts, certifications, and facilitators but cannot change Personal Data of contact records.  

2. With advanced written permission of THI Staff Administrators, can grant read-only access to specific data sets relevant to THI programs and program participants.  

e. Master Facilitators support programs by training and mentoring facilitators, therefore managing facilitator certifications. 

1. Can view facilitators, contacts, and activity records; can edit facilitator certifications only. 

2. Cannot change Personal Data or access GDPR/confidential records or deletion permissions. 

3. Access is limited to viewing facilitator records, with certifications as the only editable area. 

f. Facilitators

1. Do not have access to the THI Database but have access to view certain information on the THI Website. 

VII. TRANSPARENCY  

a. THI through its Authorized Users may Process Personal Data of individuals in the THI Database.  

b. Personal Data must only be Processed when Data Subjects are provided with advance notice of what information is collected and how it will be Processed.   

VIII. PROCESS DATA FOR ONLY INTENDED AND DISCLOSED PURPOSES  

a. Personal Data must only be Processed in line with the stated purposes of collection as disclosed in advance to Data Subjects. No other Processing will be permitted.   

IX. DATA MINIMIZATION  

a. Users must not collect any Personal Data in excess of the stated purposes as disclosed in advance to Data Subjects. In addition, users must not duplicate, copy, or unnecessarily store Personal Data.   

X. ACCURACY  

a. Personal Data entered into the THI Database must remain accurate and up to date. If any Personal Data is inaccurate, it should be corrected. If a Data Subject makes a request to correct their Personal Data, it must be corrected as soon as possible. If the Personal Data is out of date, it should be updated or deleted.  

XI. DATA RETENTION AND DELETION  

a. THI Staff Administrators oversee the implementation of THI's policies on data retention to reinforce compliance with regulations and minimize data storage risks.  

b. Personal Data must be kept in a form that permits identification of individuals but for no longer than is necessary for the stated purposes for which Personal Data is collected and processed.  

c. Personal Data must be retained for no longer than necessary to achieve the stated purposes.  

d. If THI Staff Administrators need to report general data internally, such data would be reported in an anonymized and/or aggregated basis only.  

XII. CONFIDENTIALITY  

a. Authorized Users may use the data stored in the THI Database solely for the purpose of reporting on THI activities related to their organization. However, they cannot download, print, export, share, or capture in any manner any data, nor may they remove it from the THI Database or make copies of it.  

b. Confidentiality of user data will be maintained at all times, including Personal Data, activity logs, and any other data elements associated with user profiles within the THI Database, especially those related to THI programs and participants. This includes prohibition of sharing, downloading, or exporting data for personal use or unauthorized purposes.  

c. Personal Data must be Processed in a secure manner to ensure confidentiality.  

d. Personal Data must not be shared (internally or externally) with anyone who is not specifically authorized in advance by prior written consent of the THI Staff Administrators.   

e. Personal Data must be processed in conformance with ABS’s Information Technology Policy, which, inter alia, requires encryption, strong passwords, access controls, and data transfer protocols.   

f. Personal Data must be pseudonymized, hashed, or de-identified to protect the confidentiality of such information.  

g. Any entry marked as confidential may not be contacted by THI Coordinators or Master Facilitators without prior written permission granted from THI Staff Administrators, solely for the lawful purpose of promoting THI’s mission.  

XII. DATA SECURITY 

a. All Authorized Users must uphold these responsibilities: 

1. Data Protection: Use strong passwords and approved access methods, following and abiding by ABS policies. 

2. Prohibited Actions: Do not share, download, or export data for personal use or non-THI purposes. All reporting and data handling activities must be for the THI program and its intended purposes.  

3. Data Handling: Handle Personal Data securely, using encryption and approved transfer protocols. 

4. Data Use: Use Personal Data for THI program purposes only. Data should not be shared without written authorization from THI Staff Administrators.  

XIV. DATA TRANSFERS  

a. Various countries, such as the United Kingdom and those within the European Union, have legislative restrictions on the transfer of Personal Data to other countries. In such circumstances, you must notify THI Staff Administrators in advance. THI Staff Administrators will seek professional advice to provide a suitable transfer solution to safeguard any Personal Data in compliance with legal requirements.  

XV. ENGAGING WITH THIRD-PARTY PROVIDERS  

a. If third-party providers are to be involved in the Processing of Personal Data, they must only be engaged after they have been fully vetted by THI Staff Administrators to ensure they meet requisite qualifications and have the ability to securely process Personal Data pursuant to required contractual obligations, such as having a Data Processing Agreement in place. Any agreements with third-party providers who will be Processing Personal Data shall be subject to the advance approval of ABS’s Legal Services Department.  

b. THI acknowledges that the THI Database is in part owned, managed, and operated by a third party, TeamDesk. The THI Database and the information therein are stored in TeamDesk. TeamDesk’s privacy notices and terms of use apply to the use of the platform.  

XVI. HONOR INDIVIDUAL RIGHTS  

a. In some countries and jurisdictions, individuals may have the right to ask that THI honor various individual rights. These rights may include the right of Data Subjects to access, correct, erase, restrict Processing, object to Processing, and/or ask that they receive a copy of their information to take elsewhere. All Authorized Users shall honor such requests, as required by local law.  

b. If a Data Subject makes a request to an Authorized User, the Authorized User must promptly notify THI Staff Administrators of such request by emailing support@traumahealinginstitute.org, so that authorized and lawful requests are responded to correctly and in the appropriate time period.  

XVII. DATA PRIVACY AGREEMENTS  

a. Authorized Users are responsible for upholding data privacy regulations to ensure user trust, particularly regarding data associated with THI programs, trainings, and participants. This includes compliance with:  

1. Data Privacy Legal Requirements: Complying with all applicable data privacy laws and regulations in the applicable jurisdiction(s) relevant to THI programs.  Familiarity with these regulations is important for reinforcing Personal Data protection.  

2. Data Access Logs: While Authorized Users do not directly manage data access, they are responsible for reinforcing the accuracy of data access logs, as it relates to the events within the THI program. THI Staff Administrators should ensure accuracy of data access logs. TeamDesk has automated logging features to maintain records of data access, including accessed data sets and timestamps for audit purposes.  

3. Data Accuracy: To ensure the integrity and reliability of THI programs and data, Authorized Users should verify that entries are current, complete, and accurate, promptly addressing any inconsistencies.  

XVIII. DATA ANALYSIS AND REPORTING  

a. Authorized Users can utilize the THI Database to generate reports regarding THI program data but only for informational purposes. These reports must be anonymized and not contain any Personal Data of program participants. Downloading or exporting non-anonymized reports, including taking screenshots or making copies and emailing such information is not permitted, and doing so will be deemed to be a violation of this Policy.   

b. Violators will not be tolerated and those found to be in violation will lose their access to the THI database. Other consequences may be imposed, including but not limited to legal action and/or loss of THI privileges, depending on the severity of the violation.  

XIX. DATA INCIDENT REPORTING AND MANAGEMENT  

a. If any user suspects a Data Incident, the following steps should be followed:

1. Stop User Access: Take steps to mitigate and stop any Data Incident as reasonable under the circumstances and refrain from granting further user access, especially to data sets related to THI programs (including Personal Data), until the situation is investigated and resolved.  

2. Report the Data Incident: Users must promptly report any suspected or confirmed Data Incidents to the THI Staff Administrators, who will in turn notify the Legal Services Department and ABS’s IT Department by following the steps below:  

i. Initial Contact: Report the Data Incident via email to the THI Staff Administrators at support@traumahealinginstitute.org with a clear subject line indicating "Suspected Data Incident."  

ii.Phone Call: If the situation is urgent or requires immediate action, such as to prevent the potential risk to Personal Data or THI IT Systems, users should follow up the email with a phone call to the THI Staff at 1.800.32.BIBLE and mention “Urgent – Suspected Data Incident.”  

3. Investigation and Containment: Users may be required to assist in the investigation and containment of Data Incidents, ensuring that immediate measures are taken to prevent further unauthorized access or disclosure of data.  

4. Remediation: Users may be required to participate in remediation efforts at the direction of THI Staff Administrators or as directed by ABS’s legal counsel.  

XX. COMMUNICATIONS  

a. Authorized Users will be informed about this Policy during onboarding, with periodic reviews tailored to their roles and responsibilities.  

b. When there are significant changes to the THI Database or this Policy, Authorized Users will receive an email or other form of notification summarizing the updates and will be directed to review the revised Policy.  

c. Authorized Users must acknowledge and agree to the terms of this Policy by reviewing and signing it upon onboarding and following major updates.  

XXI. POLICY REVIEW  

a. At least annually, THI Staff Administrators will conduct a review of this Policy and make changes in accordance with related laws or business requirements. Likewise, a review will be conducted in the event of any significant changes to the THI Database or TeamDesk. 

XXII. DISCIPLINE  

a. Any violation of this THI Policy may result in disciplinary action including but not limited to suspension of privileges of the THI Database and/or participation in THI activities, termination of access to THI IT Systems, data, and/or criminal or civil proceedings and/or investigations or other legal consequences.  

XXIII. VERSION CONTROL  

a. Version: 5.0  

b. Last Updated: December 18, 2024 

Facilitators and Coordinators: Differences in Access and Capabilities

Coordinators and Master Facilitators

• How to Search for Facilitators in TeamDesk

• How to Search for Activities in TeamDesk

• Changing Certifications of Facilitators

Coordinators

• Reporting for Facilitators in a Country

• Reporting with Confidential Facilitators and/or Locations

• Changing Details in a Reported Activity (i.e., facilitators, materials, etc.)

• Bulk Upload Process

Healing Group

• How to Become a Healing Group Leader

• How to Create a Healing Group Event

• Find Materials (Healing Group)

• Have Someone Register and View Participants (Healing Group)

• Reporting (Healing Group)

• Changing Certifications of Facilitators

• How to Search for Activities within an Organization

• Reporting with Confidential Facilitators and/or Locations

• Changing Details in a Reported Activity (i.e.facilitators, materials, etc.)

• Bulk Upload Process

• Facilitator vs Coordinator Views

• How to Search for Facilitators in the Database

• Reporting for Organizations

Initial Equipping Session

• Create Initial Equipping Session Event

• Find Materials (Initial Equipping)

• Have Someone Register (Initial Equipping)

• Reporting (Initial Equipping)

Advanced Equipping Session

• Create Advanced Equipping Session Event

• Find Materials (Advanced Equipping)

• Have Someone Register (Advanced Equipping)

• Reporting (Advanced Equipping)