Data protection

General Data Protection rules are adhered to at St. Anne's and St. Peter's . 

Find below our Data Protection Policy and Data Privacy policies.






St Anne’s and St Peter’s, Wycombe Marsh and Micklefield, (hereafter referred to as SASP) uses personal data about living individuals solely to facilitate:


  • Day-to-day church administration – including but not limited to employee data, membership records, rotas, lettings and financial records of giving for tax purposes;
  • Church groups, clubs and other activities;
  • Pastoral care;
  • The production of a Church Directory to facilitate communication;
  • Publicity Communications regarding church activities. 


SASP is committed to the proper and lawful treatment of personal data. All personal data that may be held by SASP on paper, electronically or in other media, will adhere to the appropriate legal safeguards as laid down in the General Data Protection Regulation (GDPR) and associated UK legislation.




This policy applies to all trustees, staff employed by SASP, those subcontracted by SASP and to all volunteers and group leaders – and must be adhered to by them, together with any detailed guidelines published separately for this purpose. We will do our utmost to ensure that all its staff, volunteers and trustees are conversant with data protection legislation and practice.


Definitions of key terms used in this Policy are provided at the end of the document.




SASP will only process data if one or more of the following conditions are satisfied:

a)     Consent

b)     Contractual obligation

c)     Legal obligation

d)     To protect a person

e)     In the public interest

f)       Legitimate interests of the controller




SASP upholds the Principles and Rights described by the GDPR. The purpose of these are to specify the mandatory conditions that must be satisfied in relation to obtaining, handling, processing, transportation and storage of personal data. Trustees, employees, volunteers and any others who obtain, handle, process, transport and store personal data for or on behalf of SASP must adhere to these Principles and Rights.


In summary, these Principles require that personal data shall be:


  1. Processed lawfully, fairly and in a transparent manner 
  2. Collected for specified, explicit and legitimate purposes 
  3. Adequate, relevant and limited to what is necessary.
  4. Accurate, and where necessary, kept up to date. 
  5. Retained only for as long as is necessary.
  6. Processed in an appropriate manner to maintain security.


The Rights of the Data Subject under GDPR are:


  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object to the processing of personal data
  8. Rights in relation to automated decision making and profiling.


As Controller and Processor of your personal data, SASP will take necessary technical and organisational measures to ensure that your personal data is protected by design and by default, and will obtain explicit consent for the collection and processing of personal data.


Therefore, you can be assured that SASP will treat all the personal information that you provide as private and confidential and not disclose any data about you to anyone other than the SASP leadership team, employees and group leaders and solely in order to facilitate the administration and ministry of the church and its directly associated organisations. You should note however that there are four exceptional circumstances to the above:


  1. Where we are legally compelled to do so.
  2. Where there is a duty to the public to disclose.
  3. Where disclosure is required to protect your interest.
  4. Where disclosure is made at your request or with your consent.




  1. All SASP trustees and staff who process Personal Data on behalf of the church will be required to agree to sign our Data Processor agreement. 
  2. The PCC has appointed a Data Administrator to monitor the collection and processing of personal data by SASP. All questions and concerns in relation to this Policy should be addressed to the Data Administrator via the contact details provided at the end of this Policy.
  3. When personal information is collected for use by SASP we will ensure that

a)     Only the information necessary for church purposes is collected and processed.

b)     The information is not kept for longer than it is needed.

c)     Data Subjects are made aware of this Policy at the point of consent, and are informed how they can obtain a copy.

d)     Explicit consent is obtained where this information will be shared with others, such as within the Church Directory.

e)     We will not share this information with third parties outside of the contexts described in our Privacy Notice.

f)       Personal information (including photographs) of individuals will not be published on our website without obtaining explicit and informed consent from the individuals concerned or their parents. We will never publish the names of children and young people alongside their photographs.

g)     We will ensure that all individuals who have provided their personal data to SASP are able to request to update the information held about them.

h)     We will not make any decisions or profile individuals by any automated means.

i)       A copy of this policy will be on our church website, on the Church notice boards and will also available upon request from the Church Administrator.

j)       All personal information held by trustees, staff and volunteers on behalf of SASP will be held and processed in a sufficiently secure manner (whether in paper or electronic form) to prevent unauthorised access (whether by unauthorised church personnel or third parties). This means we will:

       Store paper based information in secure, locked cupboards;

       Use password protection and data encryption where possible;

       Ensure that Special Categories of personal data, and the personal data of children, are explicitly identified and protected accordingly.

       Restrict access to both paper and electronic personal data to those who need to process it for one of the permitted uses;

       Ensure that personal information is transmitted securely in a way that cannot be intercepted by unintended recipients.

       Securely destroy information that is no longer required to be retained.




SASP will facilitate your rights as a Data Subject, and has implemented appropriate processes to enable this. Requests will be processed free of charge, and within the 30 day time period specified by the GDPR, unless in exceptional circumstances and with the agreement of the Data Subject. Any requests should be made in writing to the Data Administrator.




If you have questions or concerns about data protection, please contact the Data Administrator at St. Anne’s and St. Peter’s, 245 Micklefield Road, High Wycombe, HP13 7HU, telephone 01494471375 or email (tbc)


You can also contact the Information Commissioner’s Office on 0303 123 1113 or via email,, or at the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5AF.




CONTROLLER - determines the purposes and means of processing personal data.

DATA - Information which is recorded electronically, i.e. with the intention that it should be processed on computer, or paper-based information that is recorded as part of a filing system.

DATA SUBJECT – a living, natural person whose personal data may be collected and processed.

PERSONAL DATA - any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.

PROCESSOR - responsible for processing personal data on behalf of a controller. The Controller and the Processor are often the same.

SENSITIVE PERSONAL DATA (also known as SPECIAL CATEGORIES) - information relating to race, ethnic origin, religion, philosophical beliefs, trade union membership, genetic data, biometric data, health data, sexual orientation and data concerning a natural person’s sex life.


Additional safeguards are in place where sensitive personal data is concerned, and also where the personal data of children are processed.  Under UK legislation, processing of data of children aged under 13 years will require parental consent.


The Parochial Church Council (PCC) of St Annes and St Peters Churches,

Wycombe Marsh and Micklefield

1. Your personal data – what is it?

Personal data relates to a living individual who can be identified from that data.  Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. The processing of personal data is governed by the General Data Protection Regulation (the “GDPR”).

 2. Who are we?

The PCC of St Annes & St Peters Churches is the data controller (contact details below).  This means it decides how your personal data is processed and for what purposes.

3. How do we process your personal data?

The PCC of St Annes & St Peters Churches complies with its obligations under the “GDPR” by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.

We use your personal data for the following purposes: -

·                 To enable us to provide a voluntary service for the benefit of the public in a particular geographical area as specified in our constitution;

·                 To administer membership records;

·                 To fundraise and promote the interests of the charity;

·                 To manage our employees and volunteers;

·                 To maintain our own accounts and records (including the processing of gift aid applications);

·                 To inform you of news, events, activities and services running at St Annes & St Peters Churches;

·                 To share your contact details with the Oxford Diocesan office so they can keep you informed about news in the diocese and events, activities and services that will be occurring in the diocese and in which you may be interested.


4. What is the legal basis for processing your personal data?

·       Explicit consent of the data subject so that we can keep you informed about news, events, activities and services and process your gift aid donations and keep you informed about diocesan events.

·       Processing is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement;

·       Processing is carried out by a not-for-profit body with a political, philosophical, religious or trade union aim provided: -

o   the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes); and

o   there is no disclosure to a third party without consent.

5. Sharing your personal data

Your personal data will be treated as strictly confidential and will only be shared with other members of the church in order to carry out a service to other church members or for purposes connected with the church. We will only share your data with third parties outside of the parish with your consent.

 6. How long do we keep your personal data[1]?

We keep data in accordance with the guidance set out in the guide “Keep or Bin: Care of Your Parish Records” but with some modifications. See footnote [2]

 Specifically, we retain electoral roll data while it is still current; gift aid declarations and associated paperwork for up to 6 years after the calendar year to which they relate; and parish registers (baptisms, marriages, funerals) permanently.

 7. Your rights and your personal data 

Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data: -

·       The right to request a copy of your personal data which the PCC of St Annes & St Peters Churches holds about you;

·       The right to request that the PCC of St Annes & St Peters Churches corrects any personal data if it is found to be inaccurate or out of date; 

·       The right to request your personal data is erased where it is no longer necessary for the PCC of St Annes & St Peters Churches to retain such data;

·       The right to withdraw your consent to the processing at any time

·       The right to request that the data controller provide the data subject with his/her personal data and where possible, to transmit that data directly to another data controller, (known as the right to data portability), (where applicable) [3]

·       The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;

·       The right to object to the processing of personal data, (where applicable)[4]

·       The right to lodge a complaint with the Information Commissioners Office.

8. Further processing

If we wish to use your personal data for a new purpose, not covered by this Data Privacy Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.

 9. Contact Details

To exercise all relevant rights, queries or complaints please contact the Data Administrator at St. Anne’s and St. Peter’s, 245 Micklefield Road, High Wycombe, HP13 7HU, telephone 01494471375 or email (tbc)

You can contact the Information Commissioner’s Office on 0303 123 1113 or via email or at the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5AF.


[1] Details about retention periods can currently be found in the Record Management Guides located on the Church of England website at: - with some modifications

[2]Copy of modified version available from the church office and on the website

[3] Only applies where the processing is based on consent or is necessary for the performance of a contract with the data subject and in either case the data controller processes the data by automated means.

[4] Only applies where processing is based on legitimate interests (or the performance of a task in the public interest/exercise of official authority); direct marketing and processing for the purposes of scientific/historical research and statistics.