Data Protection Policy




Crofton Baptist Church aims to ensure that all personal data about adults, children and employees in its church community is collected, stored and processed in accordance with the General Data Protection Regulations.  This applies to all personal data, whether it is held in paper or electronic format.


Personal data

Personal data relates to any individual who can be identified from that data.


Privacy notices and consent

Privacy notices with associated consent forms are given to all parents of children involved in church activities and to all employees.  The personal data of children is not held unless consent is received from a parent or carer.   This Policy is available on the website and a privacy notice for adults within the church community is available and is given to all adults becoming formal members of the church and otherwise on request.  Adults giving their details to the church are considered to be giving implied consent for their personal data to be held and processed by the church.


Data controller

Crofton Baptist Church collects and stores personal data relating to adults, children and employees in its church community and the Trustees decide how to use this data.  The Trustees are registered as the data controller with the ICO and will renew this registration annually or as otherwise legally required.


Data protection principles

Crofton Baptist Church aims to comply with the principles of data protection contained in the GDPR and will ensure that personal data is:

·            processed lawfully, fairly and in a transparent manner

·            collected only for specified, explicit and legitimate purposes

·            adequate, relevant and limited to what is necessary to fulfil the functions of the church

·            accurate and up to date

·            kept for no longer than necessary

·            processed in a way that is appropriately secure


Why we hold personal data

Crofton Baptist Church uses personal data for the following purposes:

·            providing news and information about events, activities and services at the church

·            administering membership records

·            maintaining financial accounts and records

·            fundraising for and promoting the interests of the church

·            working effectively with our volunteers

·            keeping the children and any vulnerable adults in the church safe

·            enabling the church to provide services for the benefit of people in our local community

·            carrying out obligations around safeguarding

In addition, personal data about employees is used for the following purposes:

  • protecting employment rights

  • ensuring correct payment

  • appraising performance


Sharing personal data

Personal data will be treated as strictly confidential and will only be shared with other members of the church community for purposes connected with the church and its wider activities.  We will only share personal data with third parties with an individual’s consent, unless we are required to do so, for example by a law enforcement agency or court.  Crofton Baptist Church will never share personal data with any organisation to use for their own purposes.


Retention of personal data

Data is retained on the following basis:

| Type of data | Retention period |
| --- | --- |
| Membership rolls | |
| Contact details for adults | 24 months after the last contact |
| Junior Heroes registers | Until the child reaches the age of 21 |
| Junior Heroes contacts | 24 months after the last contact |
| Friday Heroes registers | Until the child reaches the age of 21 |
| Friday Heroes contacts | 24 months after the last contact |
| Gift aid documentation | 6 years after the calendar year to which it relates |
| Registers of marriage | As required by the Registrar General |
| Register of baptisms | |
| Photographs of members and their families and photographs and videos of events | |
| Personal data relating to specific events | Disposed of immediately after the event |
| Records of insurance claims relating to an individual | |
| Safeguarding matters | Indefinitely or until advised otherwise by authorities |
| Accident books | 3 years from the date of the last entry (or, if the accident involves a child, until the child reaches the age of 21) |
| Complaints (non-safeguarding) | 3 years after resolution of complaint |
| Minute books | |
| Employee records | 6 years after the date of termination of employment |



Security of personal data

Crofton Baptist Church uses appropriate measures to keep personal data secure at all points of the processing.  Keeping data secure includes protecting it from unauthorised or unlawful use, or from accidental loss, destruction or damage.  Security includes technical and organisational measures.  In assessing what measures are most appropriate the following will be taken into account:

·            the quality of the security measure

·            the costs of implementation

·            the nature, scope, context and purpose of the data

·            the nature and severity of the risk

and may include:

·            technical systems security

·            measures to restrict or minimise access to data

·            physical security of data and the premises

·            organisational measures, including policies, procedures, training and audits

·            regular testing and evaluating of the effectiveness of security measures


Personal data rights 

Unless the data is subject to an exemption under the GDPR, data subjects have rights with respect to their personal data.  


| | What this means in practice |
| --- | --- |
| The right to be informed | This is the right to be provided with clear, transparent and easily understandable information about how personal data is processed. |
| The right of access | This is the right of an individual to request a copy of the personal data held about them. |
| The right to rectification | This is the right to have personal data corrected if it is either inaccurate or incomplete. |
| The right to erasure | This is known as the right to be forgotten and enables an individual to request the deletion or removal of information about them. |
| The right to restrict processing | This is the right to block or restrict use of personal data. When processing is restricted, it can still be held, but not used. Crofton Baptist Church keeps lists of individuals who have asked for the processing of their data to be restricted so that the restriction can be respected in future. |
| The right to lodge a complaint | This is the right of the individual to lodge a complaint about the way data is handled or processed. |
| The right to withdraw consent | This is the right to withdraw consent regarding what personal data is held or processed |


Data protection impact assessment

A Data Protection Impact Assessment (DPIA) will be carried out when there is any change to data processing which is likely to result in a high risk, for example in situations where personal data is held relating to vulnerable people or when introducing some new technology.  Any DPIA will be conducted in accordance with the ICO’s Code of Practice.


Dealing with data protection breaches

Where there are concerns that this policy has not been followed, or where personal data might have been leaked or lost, these should be reported immediately to the Data Protection Officer, who will in turn notify The Trustees.  Crofton Baptist Church will keep records of personal data breaches, even if they are not reported to the ICO.

Any data breach which is likely to result in a risk to any person will be reported to the ICO within 72 hours from when the Data Protection Officer (or a Trustee acting on their behalf) becomes aware of the breach.  In any situation where a personal data breach causes a high risk to any person, the data subjects whose information is affected will also be informed without delay.  This may include, for example, a situation where bank account details are lost or an email containing sensitive information is sent to the wrong recipient.  Informing data subjects can enable them to take steps to protect themselves and to exercise their right to make a complaint.


Contact details

Any questions about this policy should, in the first instance, be directed to the Data Protection Officer, Andrew Crowson, who can be contacted at

You can contact the Information Commissioner's Office by telephone on 0303 123 1113, via their website at or by post at the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.


Definitions and useful terms

Data controller


The data controller means any organisation or body which determines the means for processing personal data and the purposes for which it is processed.  It does not matter if the decisions are made alone or jointly with others.  The data controller is responsible for the personal data which is processed and the way in which it is processed.  The Trustees are the data controller for Crofton Baptist Church.

Data processors

Data processors include any individuals or organisations which process personal data.

Data subjects

Data subjects include all living individuals whose data is held and processed.  All data subjects have legal rights in relation to their personal information.


ICO

This is the Information Commissioner's Office.  The ICO is the UK’s regulatory body responsible for ensuring compliance with data protection regulations.  The ICO produces guidance on how to implement data protection law and can take regulatory action where a breach occurs.

Personal data

Personal data means any information relating to a person who is either identified or is identifiable through that data.  A person is an individual and cannot be a company or a public body.  Personal data can be factual (for example, a name, address or date of birth) or it can be an opinion about that person, their actions and behaviour.

Privacy notice

Privacy Notice means the information given to data subjects which explains how we process their data and for what purposes.


Processing

Processing is very widely defined and includes any activity that involves the personal data.  It includes obtaining, recording or holding the data, or carrying out any operation on the data including organising, amending, retrieving, using, disclosing, deleting or destroying it.  Processing can also include transferring personal data to third parties, listening to a recorded message or viewing personal data, including photographs or images, on a screen or in a paper document.







Policy adopted by the Trustees

14 May 2018

Due for review

May 2019





