Data Protection Policy

| Type of data | Retention period |
| --- | --- |
| Membership rolls | Indefinitely |
| Contact details for adults | 24 months after the last contact |
| Junior Heroes registers | Until the child reaches the age of 21 |
| Junior Heroes contacts | 24 months after the last contact |
| Friday Heroes registers | Until the child reaches the age of 21 |
| Friday Heroes contacts | 24 months after the last contact |
| Gift aid documentation | 6 years after the calendar year to which it relates |
| Registers of marriage | As required by the Registrar General |
| Register of baptisms | Indefinitely |
| Photographs of members and their families and photographs and videos of events | Indefinitely |
| Personal data relating to specific events | Disposed of immediately after the event |
| Records of insurance claims relating to an individual | Indefinitely |
| Safeguarding matters | Indefinitely or until advised otherwise by authorities |
| Accident books | 3 years from the date of the last entry (or, if the accident involves a child, until the child reaches the age of 21) |
| Complaints (non-safeguarding) | 3 years after resolution of complaint |
| Minute books | Indefinitely |
| Employee records | 6 years after the date of termination of employment |

Security of personal data
Crofton Baptist Church uses appropriate measures to keep personal data secure at all points of the processing. Keeping data secure includes protecting it from unauthorised or unlawful use, or from accidental loss, destruction or damage. Security includes technical and organisational measures. In assessing what measures are most appropriate the following will be taken into account:
· the quality of the security measure
· the costs of implementation
· the nature, scope, context and purpose of the data
· the nature and severity of the risk
and may include:
· technical systems security
· measures to restrict or minimise access to data
· physical security of data and the premises
· organisational measures, including policies, procedures, training and audits
· regular testing and evaluating of the effectiveness of security measures
Personal data rights
Unless the data is subject to an exemption under the GDPR, data subjects have rights with respect to their personal data.

| Rights | What this means in practice |
| --- | --- |
| The right to be informed | This is the right to be provided with clear, transparent and easily understandable information about how personal data is processed. |
| The right of access | This is the right of an individual to request a copy of the personal data held about them. |
| The right to rectification | This is the right to have personal data corrected if it is either inaccurate or incomplete. |
| The right to erasure | This is known as the right to be forgotten and enables an individual to request the deletion or removal of information about them. |
| The right to restrict processing | This is the right to block or restrict use of personal data. When processing is restricted, it can still be held, but not used. Crofton Baptist Church keeps lists of individuals who have asked for the processing of their data to be restricted so that the restriction can be respected in future. |
| The right to lodge a complaint | This is the right of the individual to lodge a complaint about the way data is handled or processed. |
| The right to withdraw consent | This is the right to withdraw consent regarding what personal data is held or processed. |

Data protection impact assessment
A Data Protection Impact Assessment (DPIA) will be carried out when there is any change to data processing which is likely to result in a high risk, for example in situations where personal data is held relating to vulnerable people or when introducing some new technology. Any DPIA will be conducted in accordance with the ICO’s Code of Practice.
Dealing with data protection breaches
Where there are concerns that this policy has not been followed, or where personal data might have been leaked or lost, these should be reported immediately to the Data Protection Officer, who will in turn notify the Trustees. Crofton Baptist Church will keep records of personal data breaches, even if they are not reported to the ICO.
Any data breach which is likely to result in a risk to any person will be reported to the ICO within 72 hours from when the Data Protection Officer (or a Trustee acting on their behalf) becomes aware of the breach. In any situation where a personal data breach causes a high risk to any person, the data subjects whose information is affected will also be informed without delay. This may include, for example, a situation where bank account details are lost or an email containing sensitive information is sent to the wrong recipient. Informing data subjects can enable them to take steps to protect themselves and to exercise their right to make a complaint.
Contact details
Any questions about this policy should, in the first instance, be directed to the Data Protection Officer, Andrew Crowson, who can be contacted at secretary.croftonbc@googlemail.com
You can contact the Information Commissioner's Office by telephone on 0303 123 1113, via their website at ico.org.uk or by post at the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
Definitions and useful terms

| Data controller | The data controller means any organisation or body which determines the means for processing personal data and the purposes for which it is processed. It does not matter if the decisions are made alone or jointly with others. The data controller is responsible for the personal data which is processed and the way in which it is processed. The Trustees are the data controller for Crofton Baptist Church. |
| Data processors | Data processors include any individuals or organisations which process personal data. |
| Data subjects | Data subjects include all living individuals whose data is held and processed. All data subjects have legal rights in relation to their personal information. |
| ICO | This is the Information Commissioner's Office. The ICO is the UK’s regulatory body responsible for ensuring compliance with data protection regulations. The ICO produces guidance on how to implement data protection law and can take regulatory action where a breach occurs. |
| Personal data | Personal data means any information relating to a person who is either identified or is identifiable through that data. A person is an individual and cannot be a company or a public body. Personal data can be factual (for example, a name, address or date of birth) or it can be an opinion about that person, their actions and behaviour. |
| Privacy notice | Privacy Notice means the information given to data subjects which explains how we process their data and for what purposes. |
| Processing | Processing is very widely defined and includes any activity that involves the personal data. It includes obtaining, recording or holding the data, or carrying out any operation on the data including organising, amending, retrieving, using, disclosing, deleting or destroying it. Processing can also include transferring personal data to third parties, listening to a recorded message or viewing personal data, including photographs or images, on a screen or in a paper document. |

| Policy adopted by the Trustees | 14 May 2018 |
| Due for review | May 2019 |