Church Directory Privacy: Protecting Your Members' Information

Why Privacy Matters for Church Directories

Church members entrust their personal information to the church with the expectation that it will be handled responsibly. When a family provides their address and phone number for the directory, they're trusting that this information will be used to build community — not to expose them to unwanted contact, solicitation, or safety risks.

Real consequences can follow from mishandled directory information:

• Domestic violence situations: A survivor's address or phone number in an unsecured directory can put them at risk if the information reaches the wrong person.
• Stalking and harassment: Published personal details can be used by anyone who obtains a copy of the directory, not just church members.
• Scams and solicitation: A directory with emails and phone numbers is a ready-made contact list for scammers or solicitors.
• Identity concerns: Some members — foster parents, law enforcement, those in witness protection — have legitimate reasons to limit their personal information exposure.

This doesn't mean you shouldn't create a directory. It means you should create one thoughtfully, with privacy built into the process from the start.

Getting Consent from Members

Consent is the foundation of directory privacy. Every family should actively agree to be included — never assume that membership implies consent.

Best Practices for Consent

• Opt-in, not opt-out: Ask families to actively submit their information rather than including everyone by default and asking people to opt out. Opt-in produces a directory of willing participants.
• Be specific about what you'll publish: Tell families exactly what information will appear in the directory: names, photo, phone number, email, address — whatever you plan to include. Don't surprise people after publication.
• Offer partial participation: Some families may want to include their names and photo but not their address. Others may want their phone number listed but not their email. Give members the ability to choose what they share.
• Respect refusals without pressure: If a family chooses not to participate, respect their decision without asking for an explanation. There may be reasons they don't want to share.
• Document consent: Keep a record of who agreed to be included and what information they consented to share. This protects the church if questions arise later.

With Church Pictorial, the photo submission process serves as implicit consent: families actively upload their photo and provide information they're comfortable sharing. Families who don't submit are not included.

What Information to Include (and What to Leave Out)

Not all personal information belongs in a directory. Here's a practical guide:

Commonly Included

• Family photo — The core purpose of a pictorial directory.
• Names — Adults' and children's first names. Last name is standard.
• Phone number — Usually one number per family. Mobile or home, family's choice.
• Email address — One per family, typically the primary contact's email.

Include with Caution

• Home address: Useful for pastoral visits and card-sending, but a bigger privacy exposure than phone or email. Consider making this optional.
• Children's full names: Some families prefer to list children by first name only. Respect this preference.
• Wedding anniversaries and birthdays: Nice for community but adds personal detail some families prefer to keep private.

Generally Avoid

• Social Security numbers or financial information — Never. Not even internally.
• Medical conditions or prayer requests — These are confidential and should never appear in a directory.
• Employer information — Unnecessary for a church directory and adds personal exposure.
• Children's photos individually — Photograph children with their family, not separately, unless parents specifically request it.

Access Controls: Who Can View the Directory

How you control access to your directory is one of the most important privacy decisions you'll make. There are three common approaches:

Public Access

Anyone with the link can view the directory. This is the least private option but can be appropriate for churches that intentionally want to be open and welcoming. Consider limiting what information is visible in a public directory — perhaps names and photos only, without phone numbers or addresses.

Private with Email Verification

Members verify their identity with their email address and receive a one-time code to access the directory. This ensures that only recognized members can view personal information. It's a good balance between accessibility and security — no passwords to remember, but a meaningful barrier to unauthorized access.

Staff-Only Access

Only logged-in staff and administrators can view the directory. The most restrictive option. Appropriate for churches that distribute printed copies only and want the online version locked down, or for churches with heightened privacy concerns.

Church Pictorial supports all three modes. You set the access level per directory, and you can change it at any time. For a deeper look at these options, see our features page.

Printed vs. Online: Privacy Implications

The format of your directory has direct privacy implications:

Printed Directories

• Once distributed, you cannot revoke access. Every copy is out of your control.
• Lost or discarded copies can be found by anyone.
• You cannot track who has a copy or who has shared it.
• Corrections require waiting for the next printing.

Online Directories

• Access can be revoked at any time for any individual.
• You control who can view the directory and can change access levels.
• Information can be corrected or removed immediately.
• If a member requests removal, their entry disappears for all viewers instantly.

If privacy is a primary concern for your church, an online directory with access controls offers significantly more protection than printed copies. For a full comparison, see our guide on online vs. printed church directories.

Special Considerations for Children and Families

Children's privacy deserves extra attention:

• Photograph children with their family: Family photos are standard for church directories. Avoid photographing children individually or in groups without parental consent.
• Respect custody situations: In blended families or custody arrangements, one parent may not want children photographed or listed. If you're aware of custody concerns, ask the custodial parent specifically.
• Foster and adoptive families: Foster families may have legal restrictions on sharing children's photos. Always ask. Adoptive families may have similar concerns depending on their situation.
• First names only for children: Some churches list children by first name only as a standard practice. This reduces exposure while still making the directory personal.
• No separate children's section: Avoid creating a "children's directory" or listing children separately from their families. This creates unnecessary groupings of minors' information.

Data Handling Best Practices

How you handle directory data behind the scenes matters as much as what you publish:

• Limit who has admin access: Only the people who need to manage the directory should have access to the admin tools. This is typically 2–4 people, not the entire church staff.
• Don't store directory data in personal email: Avoid emailing spreadsheets of member information. Use a secure platform designed for this purpose.
• Secure your spreadsheets: If you use spreadsheets to collect information before importing, store them securely and delete them after import. Don't leave a file called "church_directory_all_members.xlsx" in a shared Google Drive folder.
• Regular cleanup: Remove entries for families who have left. There's no reason to retain personal information for people who are no longer part of your congregation.
• Use a secure platform: Choose a directory platform that uses encryption, secure hosting, and proper access controls. Your members' data deserves the same protection as any other sensitive information.

When Members Leave

When a family leaves the church, their personal information should be handled thoughtfully:

• Online directories: Remove their entry. They should no longer appear in the directory and should lose access to view it (if using email verification).
• Printed directories: You can't un-print a distributed copy, but you can exclude them from future editions.
• Backup data: Delete their information from your systems unless you have a specific, communicated reason to retain it (like maintaining historical records for the church's archives).
• Respect the relationship: Don't use directory contact information to reach out to families who have left. The directory is a tool for the current congregation, not a retention mechanism.

Common Privacy Mistakes

• Including everyone by default: Don't assume that being a church member means consenting to have personal information published. Always use an opt-in process.
• No access controls: Posting the directory as a public PDF on the church website is the most common privacy failure. Anyone on the internet can access it, including non-members.
• Ignoring removal requests: If a member asks to be removed from the directory, do it promptly. Don't require an explanation or try to convince them to stay.
• Sharing the data outside the directory: Using directory information for fundraising appeals, political messaging, or sharing with third parties violates the trust members placed in the church.
• Posting directory photos on social media: Family photos submitted for the directory should not be reused on the church's social media without separate permission.
• Forgetting about old editions: Old printed directories contain outdated but still personal information. Encourage members to dispose of old editions securely when a new one is published.
• No written policy: Without a clear privacy policy, decisions are made ad hoc and inconsistently. Document your approach.

Creating a Directory Privacy Policy

Every church that publishes a directory should have a simple, written privacy policy. It doesn't need to be a legal document — just a clear statement of how you handle members' information. A good policy covers:

• What information is collected: Names, photos, phone numbers, emails, addresses — list everything.
• How information is used: "Published in the church directory for the purpose of community connection."
• Who can access the directory: Members only? Staff only? Public? Be specific.
• How members can opt out or request changes: Provide a clear point of contact.
• How long information is retained: "Entries are removed when a family leaves the church or requests removal."
• What happens with old editions: "Members are encouraged to dispose of outdated printed directories."

Share this policy with your congregation when you announce the directory project. Transparency builds trust, and families are more likely to participate when they know exactly how their information will be handled.