Purpose of this policy
This policy sets the Church’s understanding of data protection and the policies the Church uses to ensure compliance with the Data Protection Act 2018, which encompasses the General Data Protection Regulation (GDPR). It applies to the office holders of St Michael and All Angels Church, Hughenden and of the Church’s Parochial Church Council (PCC) - referred to in this policy as “the Church” - and to all subcontractors and volunteers.
Why the Church needs this policy
The Data Protection Act 2018 places a responsibility on all organisations that handle personal data to protect that information. It also states that such organisations may need to be registered with the Information Commissioner’s Office to do so, although our Church is exempt from this as it:
Is a not-for-profit organisation.
Only processes information necessary to establish or maintain membership or support.
Only processes information necessary to provide or administer activities for people who are members of the organisation or have regular contact with it.
Only shares the information with people and organisations necessary to carry out the organisation’s activities.
Only keeps the information while the individual is a member or supporter or as long as necessary for member/supporter administration.
Does not use Closed Circuit Television devices for crime prevention.
Why the Church collects information
The Church may collect data on individuals for the following purposes:
Accounts and records.
Advertising, marketing and public relations.
Office holder, subcontractor and volunteer administration.
Administration of membership records, including the generation of the Church’s Electoral Roll.
Fundraising, including the generation of Gift Aid returns to HM Revenue & Customs.
Realising the objectives of a charitable organisation or voluntary body.
How the Church collects information
The Church may collect personal information when individuals have contact with it, such as when they:
Visit our website.
Register their details using a paper form or via an electronic form on our website.
Make a donation, by completion of offering envelopes or by electronic means.
Register for a course or other Church event.
Communicate with the Church, such as face-to-face or by email, letter and telephone.
Access social media platforms, such as Facebook.
What the Church does with collected information
The Church processes and stores information in the form of paper and computer records; its preferred method of storing personal information is in its computer database called ChurchSuite. Data security and privacy information about ChurchSuite can be found on the ChurchSuite website: www.churchsuite.com
Policy statements - how the Church will handle and protect personal information
The Church complies with all aspects of data protection legislation, adhering to the eight principles of the GDPR. These principles specify the legal conditions that must be satisfied in relation to obtaining, handling, processing, transportation and storage of personal data.
The Church will not pass personal data to third parties without the explicit consent of individuals, except when permitted by law under the following exceptional circumstances:
Where the Church is legally compelled to do so.
Where there is a duty to the public to disclose.
Where disclosure is required to protect the individual’s interests.
Where disclosure is made at an individual’s own request or with their consent.
The Church will use a standard statement whenever personal data is collected. Individuals submitting their information on paper or electronic forms will be required to date the form (whether in writing or by electronic date stamp) to indicate they have given their consent. If individuals provide their personal data verbally, such as in person or over the telephone, the person receiving the information will read out the statement and record the date when the individual’s consent was given. The statement for use is:
I consent that this information may be used to contact me about St Michael & All Angels Church activities, used for church administration purposes and stored in computerised or paper formats. I am aware that, in compliance with the Data Protection Act 2018, the Church will store my information securely and will never pass it to a third party without my explicit permission. I am aware that I can contact any of the Church’s officers or administrators at any time to withdraw this consent and to ask that any information held about me is permanently destroyed.
The Church will permit access to individuals’ own personal data upon request at no charge. Such requests should be made to the Church’s Administrator or Data Protection Officer. If a Church office holder, subcontractor or volunteer receives such a request, they must pass it on to the Administrator without delay.
The Church will update individuals’ information when notified, typically through the My ChurchSuite tool.
The Church will delete all paper and electronic records about an individual when that individual, or their empowered representative, asks the Church to do so or when the Church no longer has a need to retain that information. This will apply unless that information is a legal record, such as an entry in the Church’s registers.
The Church will do its best to ensure all office holders, subcontractors and volunteers are conversant with data protection legislation and practice. All people with access to personal data, other than data which individuals agree to share with the Church’s community, will be required to confirm that they have read, understood and will comply with this policy. They will be required to re-confirm this every 3 years or whenever there is a material change to this policy.
Who will have access to personal data
Individuals will be able to share as much, or as little, of their personal contact information with other church members as they would like, setting that level of access using their individual ChurchSuite login.
Individuals who are church office holders or who hold voluntary roles within the church will be asked to confirm their consent before their contact information is published or displayed.
Where individuals provide their own contact information for publication (such as on a poster, for a notice in the pew newsletter or for an article in Outlook magazine), their consent for particular publication will be implied.
Where individuals provide their bank account details, for the purposes of receiving reimbursement for expenses paid, their consent to share that information with the Church’s bank will be implied.
The Church will control access to the main ChurchSuite database by:
Providing individual logins and requiring people to set their own, strong passwords.
Providing access to the various modules within the database on a “need to access” basis only; the modules containing Children’s and Giving information will have additional password controls applied. Examples of people who may need access to the main database include the Ministry Team, the Church Administrator, members of the PCC and rota coordinators.
Controlling access via a Data Controller and other specified administrators, who will be the only people who can access and set these security parameters.
Oversight of personal data
The PCC will appoint a Data Controller whose role is to:
Maintain a record of who has access to which elements of personal data, including paper records.
Implement controlled access to personal data.
The PCC will appoint a Data Protection Officer whose role is to:
Review and update this policy as required, such as if the applicable data protection legislation is updated or at the direction of the PCC.
Handle and investigate any discovered, alleged or reported misuse or mishandling of personal data by the Church.
Conduct an audit of the Church’s personal data handling policies, procedures and practices at least once every 2 years or sooner if requested by the PCC.
Additional guidance to Church officers, subcontractors and volunteers
All personal data held must be secured against unauthorised access and theft:
IT systems used to process information should be made as secure as possible from unauthorised access, including via the Internet, and should have anti-virus software installed that automatically installs updates as soon as they are available.
Church PCs should be password protected and locked or logged off when individuals are away from their desk.
Paper records should be locked away when not in use.
Information about any individual that enables that individual to be identified should not be given to any person outside the Church without the express permission of the individual concerned.
If emails are being sent to multiple addressees, blind copies (using the BCC line) should be used to avoid sharing individuals’ email addresses.
Consent should be obtained from individuals before their information is put on the website or in a publication. This can be implied if someone is providing their own contact details for a notice or Outlook article but, if that person provides another individual’s contact information, the consent of that other individual should be checked.
Personal data should be securely deleted or destroyed when it is no longer required. As a guideline, information about a person should be archived no later than 18 months after the Church’s last contact with that individual and deleted 1 year after archival (or sooner if the individual requests it).
Personal data should not be accepted from another organisation without the consent of the individual concerned.