DATA PROTECTION POLICY - SUMMARY
Introduction
Crofton Baptist Church aims to ensure that all personal data about adults, children and employees in its church community is collected, stored and processed in accordance with the General Data Protection Regulation (GDPR). This applies to all personal data, whether it is held in paper or electronic format.
Personal data
Personal data relates to any individual who can be identified from that data.
Privacy notices and consent
Privacy notices with associated consent forms are given to all parents of children involved in church activities and to all employees. The personal data of children is not held unless consent is received from a parent or carer. This Policy is available on the website and a privacy notice for adults within the church community is available and is given to all adults becoming formal members of the church and otherwise on request. Adults giving their details to the church are considered to be giving implied consent for their personal data to be held and processed by the church.
Data controller
Crofton Baptist Church collects and stores personal data relating to adults, children and employees in its church community and the Trustees decide how to use this data. The Trustees are registered as the data controller with the ICO and will renew this registration annually or as otherwise legally required.
Data protection principles
Crofton Baptist Church aims to comply with the principles of data protection contained in the GDPR and will ensure that personal data is:
· processed lawfully, fairly and in a transparent manner
· collected only for specified, explicit and legitimate purposes
· adequate, relevant and limited to what is necessary to fulfil the functions of the church
· accurate and up to date
· kept for no longer than necessary
· processed in a way that is appropriately secure
Why we hold personal data
Crofton Baptist Church uses personal data for the following purposes:
· providing news and information about events, activities and services at the church
· administering membership records
· maintaining financial accounts and records
· fundraising for and promoting the interests of the church
· working effectively with our volunteers
· keeping the children and any vulnerable adults in the church safe
· enabling the church to provide services for the benefit of people in our local community
· carrying out obligations around safeguarding
In addition personal data about employees is used for the following purposes:
· protecting employment rights
· ensuring correct payment
· appraising performance
Sharing personal data
Personal data will be treated as strictly confidential and will only be shared with other members of the church community for purposes connected with the church and its wider activities. We will only share personal data with third parties with an individual’s consent, unless we are required to do so, for example by a law enforcement agency or court. Crofton Baptist Church will never share personal data with any organisation to use for their own purposes.
Retention of personal data
Data is retained on the following basis:
Type of data | Retention period
Membership rolls | Indefinitely
Contact details for adults | 24 months after the last contact
Junior Heroes registers | Until the child reaches the age of 21
Junior Heroes contacts | 24 months after the last contact
Friday Heroes registers | Until the child reaches the age of 21
Friday Heroes contacts | 24 months after the last contact
Gift aid documentation | 6 years after the calendar year to which it relates
Registers of marriage | As required by the Registrar General
Register of baptisms | Indefinitely
Photographs of members and their families and photographs and videos of events | Indefinitely
Personal data relating to specific events | Disposed of immediately after the event
Records of insurance claims relating to an individual | Indefinitely
Safeguarding matters | Indefinitely or until advised otherwise by authorities
Accident books | 3 years from the date of the last entry (or, if the accident involves a child, until the child reaches the age of 21)
Complaints (non-safeguarding) | 3 years after resolution of complaint
Minute books | Indefinitely
Employee records | 6 years after the date of termination of employment
Security of personal data
Crofton Baptist Church uses appropriate measures to keep personal data secure at all points of the processing. Keeping data secure includes protecting it from unauthorised or unlawful use, or from accidental loss, destruction or damage. Security includes technical and organisational measures. In assessing what measures are most appropriate the following will be taken into account:
· the quality of the security measure
· the costs of implementation
· the nature, scope, context and purpose of the data
· the nature and severity of the risk
and may include:
· technical systems security
· measures to restrict or minimise access to data
· physical security of data and the premises
· organisational measures, including policies, procedures, training and audits
· regular testing and evaluating of the effectiveness of security measures
Personal data rights
Unless the data is subject to an exemption under the GDPR, data subjects have rights with respect to their personal data.
Rights | What this means in practice
The right to be informed | This is the right to be provided with clear, transparent and easily understandable information about how personal data is processed.
The right of access | This is the right of an individual to request a copy of the personal data held about them.
The right to rectification | This is the right to have personal data corrected if it is either inaccurate or incomplete.
The right to erasure | This is known as the right to be forgotten and enables an individual to request the deletion or removal of information about them.
The right to restrict processing | This is the right to block or restrict use of personal data. When processing is restricted, it can still be held, but not used. Crofton Baptist Church keeps lists of individuals who have asked for the processing of their data to be restricted so that the restriction can be respected in future.
The right to lodge a complaint | This is the right of the individual to lodge a complaint about the way data is handled or processed.
The right to withdraw consent | This is the right to withdraw consent regarding what personal data is held or processed.
Data protection impact assessment
A Data Protection Impact Assessment (DPIA) will be carried out when there is any change to data processing which is likely to result in a high risk, for example in situations where personal data is held relating to vulnerable people or when introducing some new technology. Any DPIA will be conducted in accordance with the ICO’s Code of Practice.
Dealing with data protection breaches
Where there are concerns that this policy has not been followed, or where personal data might have been leaked or lost, these should be reported immediately to the Data Protection Officer, who will in turn notify The Trustees. Crofton Baptist Church will keep records of personal data breaches, even if they are not reported to the ICO.
Any data breach which is likely to result in a risk to any person will be reported to the ICO within 72 hours from when the Data Protection Officer (or a Trustee acting on their behalf) becomes aware of the breach. In any situation where a personal data breach causes a high risk to any person, the data subjects whose information is affected will also be informed without delay. This may include, for example, a situation where bank account details are lost or an email containing sensitive information is sent to the wrong recipient. Informing data subjects can enable them to take steps to protect themselves and to exercise their right to make a complaint.
Contact details
Any questions about this policy should, in the first instance, be directed to the Data Protection Officer, Andrew Crowson, who can be contacted at secretary.croftonbc@googlemail.com
You can contact the Information Commissioner's Office by telephone on 0303 123 1113, via their website at ico.org.uk or by post at the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
Definitions and useful terms
Data controller | The data controller means any organisation or body which determines the means for processing personal data and the purposes for which it is processed. It does not matter if the decisions are made alone or jointly with others. The data controller is responsible for the personal data which is processed and the way in which it is processed. The Trustees are the data controller for Crofton Baptist Church.
Data processors | Data processors include any individuals or organisations which process personal data.
Data subjects | Data subjects include all living individuals whose data is held and processed. All data subjects have legal rights in relation to their personal information.
ICO | This is the Information Commissioner's Office. The ICO is the UK’s regulatory body responsible for ensuring compliance with data protection regulations. The ICO produces guidance on how to implement data protection law and can take regulatory action where a breach occurs.
Personal data | Personal data means any information relating to a person who is either identified or is identifiable through that data. A person is an individual and cannot be a company or a public body. Personal data can be factual (for example, a name, address or date of birth) or it can be an opinion about that person, their actions and behaviour.
Privacy notice | Privacy Notice means the information given to data subjects which explains how we process their data and for what purposes.
Processing | Processing is very widely defined and includes any activity that involves the personal data. It includes obtaining, recording or holding the data, or carrying out any operation on the data including organising, amending, retrieving, using, disclosing, deleting or destroying it. Processing can also include transferring personal data to third parties, listening to a recorded message or viewing personal data, including photographs or images, on a screen or in a paper document.
Policy adopted by the Trustees | 14 May 2018
Due for review | May 2019