General Data Protection Regulations
ST ANNE’S AND ST PETER’S, WYCOMBE MARSH AND MICKLEFIELD
DATA PROTECTION POLICY
St Anne’s and St Peter’s, Wycombe Marsh and Micklefield, (hereafter referred to as SASP) uses personal data about living individuals solely to facilitate:
- Day-to-day church administration – including but not limited to employee data, membership records, rotas, lettings and financial records of giving for tax purposes;
- Church groups, clubs and other activities;
- Pastoral care;
- The production of a Church Directory to facilitate communication;
- Publicity Communications regarding church activities.
SASP is committed to the proper and lawful treatment of personal data. All personal data that may be held by SASP on paper, electronically or in other media, will adhere to the appropriate legal safeguards as laid down in the General Data Protection Regulation (GDPR) and associated UK legislation.
This policy applies to all trustees, staff employed by SASP, those subcontracted by SASP and to all volunteers and group leaders – and must be adhered to by them, together with any detailed guidelines published separately for this purpose. We will do our utmost to ensure that all its staff, volunteers and trustees are conversant with data protection legislation and practice.
Definitions of key terms used in this Policy are provided at the end of the document.
PROCESSING OF DATA
SASP will only process data if one or more of the following conditions are satisfied:
b) Contractual obligation
c) Legal obligation
d) To protect a person
e) In the public interest
f) Legitimate interests of the controller
THE PRINCIPLES AND RIGHTS OF GDPR
SASP upholds the Principles and Rights described by the GDPR. The purpose of these are to specify the mandatory conditions that must be satisfied in relation to obtaining, handling, processing, transportation and storage of personal data. Trustees, employees, volunteers and any others who obtain, handle, process, transport and store personal data for or on behalf of SASP must adhere to these Principles and Rights.
In summary, these Principles require that personal data shall be:
- Processed lawfully, fairly and in a transparent manner
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary.
- Accurate, and where necessary, kept up to date.
- Retained only for as long as is necessary.
- Processed in an appropriate manner to maintain security.
The Rights of the Data Subject under GDPR are:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object to the processing of personal data
- Rights in relation to automated decision making and profiling.
As Controller and Processor of your personal data, SASP will take necessary technical and organisational measures to ensure that your personal data is protected by design and by default, and will obtain explicit consent for the collection and processing of personal data.
Therefore, you can be assured that SASP will treat all the personal information that you provide as private and confidential and not disclose any data about you to anyone other than the SASP leadership team, employees and group leaders and solely in order to facilitate the administration and ministry of the church and its directly associated organisations. You should note however that there are four exceptional circumstances to the above:
- Where we are legally compelled to do so.
- Where there is a duty to the public to disclose.
- Where disclosure is required to protect your interest.
- Where disclosure is made at your request or with your consent.
APPLYING THESE PRINCIPLES AND RIGHTS
- All SASP trustees and staff who process Personal Data on behalf of the church will be required to agree to sign our Data Processor agreement.
- The PCC has appointed a Data Administrator to monitor the collection and processing of personal data by SASP. All questions and concerns in relation to this Policy should be addressed to the Data Administrator via the contact details provided at the end of this Policy.
- When personal information is collected for use by SASP we will ensure that
a) Only the information necessary for church purposes is collected and processed.
b) The information is not kept for longer than it is needed.
c) Data Subjects are made aware of this Policy at the point of consent, and are informed how they can obtain a copy.
d) Explicit consent is obtained where this information will be shared with others, such as within the Church Directory.
e) We will not share this information with third parties outside of the contexts described in our Privacy Notice.
f) Personal information (including photographs) of individuals will not be published on our website without obtaining explicit and informed consent from the individuals concerned or their parents. We will never publish the names of children and young people alongside their photographs.
g) We will ensure that all individuals who have provided their personal data to SASP are able to request to update the information held about them.
h) We will not make any decisions or profile individuals by any automated means.
i) A copy of this policy will be on our church website, on the Church notice boards and will also available upon request from the Church Administrator.
j) All personal information held by trustees, staff and volunteers on behalf of SASP will be held and processed in a sufficiently secure manner (whether in paper or electronic form) to prevent unauthorised access (whether by unauthorised church personnel or third parties). This means we will:
• Store paper based information in secure, locked cupboards;
• Use password protection and data encryption where possible;
• Ensure that Special Categories of personal data, and the personal data of children, are explicitly identified and protected accordingly.
• Restrict access to both paper and electronic personal data to those who need to process it for one of the permitted uses;
• Ensure that personal information is transmitted securely in a way that cannot be intercepted by unintended recipients.
• Securely destroy information that is no longer required to be retained.
ENABLING THE RIGHTS OF THE DATA SUBJECT
SASP will facilitate your rights as a Data Subject, and has implemented appropriate processes to enable this. Requests will be processed free of charge, and within the 30 day time period specified by the GDPR, unless in exceptional circumstances and with the agreement of the Data Subject. Any requests should be made in writing to the Data Administrator.
If you have questions or concerns about data protection, please contact the Data Administrator at St. Anne’s and St. Peter’s, 245 Micklefield Road, High Wycombe, HP13 7HU, telephone 01494471375 or email (tbc)
You can also contact the Information Commissioner’s Office on 0303 123 1113 or via email, https://ico.org.uk/global/contact-us/email/, or at the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5AF.
DEFINITIONS OF KEY TERMS
CONTROLLER - determines the purposes and means of processing personal data.
DATA - Information which is recorded electronically, i.e. with the intention that it should be processed on computer, or paper-based information that is recorded as part of a filing system.
DATA SUBJECT – a living, natural person whose personal data may be collected and processed.
PERSONAL DATA - any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
PROCESSOR - responsible for processing personal data on behalf of a controller. The Controller and the Processor are often the same.
SENSITIVE PERSONAL DATA (also known as SPECIAL CATEGORIES) - information relating to race, ethnic origin, religion, philosophical beliefs, trade union membership, genetic data, biometric data, health data, sexual orientation and data concerning a natural person’s sex life.
Additional safeguards are in place where sensitive personal data is concerned, and also where the personal data of children are processed. Under UK legislation, processing of data of children aged under 13 years will require parental consent.