Data Privacy & Protection Policy
The Parochial Church Council of the Ecclesiastical Parish of St Philip and St Jacob, Bristol
Statement of Policy
The St Philip and St Jacob PCC uses personal data about living individuals for the purpose of discipleship, communication and general administration. The Operations Manager will act as data controller, or in their absence, a member of staff as appointed by the Parochial Church Council from time to time, and will be responsible for and able to demonstrate compliance with this policy.
The St Philip and St Jacob PCC recognise the importance of the correct and lawful treatment of personal data. All personal data whether being held physically on paper or in soft format on computer will be subject to the appropriate legal safeguards as specified in the General Data Protection Regulation (GDPR), which will apply in the UK from 25 May 2018, superseding the existing UK Data Protection Act 1998 (the DPA).
The St Philip and St Jacob PCC fully endorse and adhere to the principles of GDPR, which specify the legal conditions that must be satisfied in relation to obtaining, handling, processing, transportation and storage of personal data. Data controllers who obtain, handle, process, transport and store personal data for the St Philip and St Jacob PCC must adhere to these principles.
We will also make sure we provide access to this policy to all individuals at the point of personal data capture.
Principles of GDPR
Article 5 of the GDPR requires that personal data must be:
A. Processed lawfully, fairly and in a transparent manner in relation to individuals;
B. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
C. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
D. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
E. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
F. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The government has confirmed that the UK's decision to leave the EU will not affect the commencement of the GDPR.
The GDPR is only a part of the overall data protection framework. The Government has confirmed its plans to introduce a Data Protection Bill into Parliament. This should become law in 2018, replacing the current Act. In particular, it will set out derogations from the GDPR, i.e. areas where Member States can decide provisions, such as around some exemptions.
We will review this policy in light of any changes that are made at this point, when full and final guidance will be made available.
How and why we use your data
The Parochial Church Council of the Ecclesiastical Parish of St Philip and St Jacob with Emmanuel (St Philip and St Jacob PCC), Bristol is the data controller (contact details below). This means it decides how your personal data is processed and for what purposes.
Church communications and administration
We use your personal data for the day to day administration of the church:
● To enable us to provide a voluntary service for the benefit of the public in a particular geographical area as specified in our constitution (e.g. pastoral care, discipleship and oversight, home visits, maintaining financial records);
● To administer membership records (preparation and publication of a church directory, preparation and publication of ministry rotas);
● To fundraise and promote the interests of the charity;
● To manage our employees and volunteers;
● To maintain our own accounts and records (including the processing of gift aid applications);
● To inform you of news, events, activities, ministries and gatherings running at St Philip and St Jacob Church, Bristol.
Where we request personal information for these tasks, we will provide an explicit and specific ‘opt-in’ model so you’re clear about what data you’re giving us and which communications you are agreeing to.
We hold this information until either consent is withdrawn, or the purpose for which the information was collected is considered to be no longer useful, at which point the data will be erased.
The personal data held and processed by us is classed as sensitive because it relates to ‘religious belief’. However, some of the information we maintain and process about our members, former members and those who are in regular contact with us is considered ‘legitimate activity’, which means that as a religious organisation we have a valid basis for processing your data for certain church-related activities.
Where the information we process about you falls outside of the scope of legitimate activity, our lawfulness for processing such data stems from Article 6(1)(a): your consent. As per GDPR guidelines, consent must be freely given, specific and unambiguous. Consent cannot be assumed from silence or pre-ticked boxes.
We rely on the following legal bases for processing your personal data:
● Explicit consent of the data subject so that we can keep you informed about news, events, activities and gatherings;
● Processing is necessary for carrying out legal obligations in relation to Gift Aid or under employment, social security or social protection law, or a collective agreement;
● Processing is carried out by a not-for-profit body with a political, philosophical, religious or trade union aim provided:
○ the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes); and
○ there is no disclosure to a third party without consent.
Records and safeguarding
For Safeguarding purposes, we retain records relating to volunteers and helpers in activities relating to children or vulnerable adults. Our lawfulness for processing such data stems from Article 6(1)(c) – processing is necessary for compliance with a legal obligation. Safeguarding records will be kept securely in our care for an indefinite period.
Records on children are kept with the consent of a parent or guardian. Where we need to keep records on vulnerable adults, we will provide the request for consent in a clear, plain way which is easy to understand. Consent may also be provided by a carer or guardian where they have been legally enabled to do so. We will keep these records until either consent is withdrawn, or the purpose for which the information was collected is considered to be no longer useful, at which point the data will be erased.
Profiling using data
Where appropriate, we may want to look at data in aggregate to be better informed when making decisions as a church. This may be applicable in cases such as profiling church members based on location or demographics. When undertaking any such activity, we will make sure data is anonymised except where we have the explicit consent of participants.
The St Philip and St Jacob PCC will treat all personal information as private and confidential and will not, without prior consent, disclose any data about church members to anyone other than the leadership team and ministry coordinators (Staff & Volunteers) of the church, who receive it in order to facilitate the administration, day to day ministry and parishioner discipleship of the church.
All staff and volunteers appointed by the St Philip and St Jacob PCC, who have access to personal data, will be required to agree and adhere to this policy.
There are four exceptional circumstances, permitted by law, in which the above does not apply:
- Where we are legally compelled to do so.
- Where there is a duty to the public to disclose.
- Where disclosure is required to protect your interest.
- Where disclosure is made at your request or with your consent.
Personal information will not be passed onto any third parties outside of the church environment.
Database and Data Storage
Physical copies of personal information will be kept secure in lockable desks, drawers and cupboards. Information kept on the St Philip and St Jacob electronic databases shall not be used for any purposes other than those set out in this document. The church databases are hosted by Church Suite Ltd, based in the UK. They are accessed through a remote server and can therefore be accessed through any computer with internet access, and they fall under UK laws for data protection.
- Access to the database is strictly controlled through the use of name-specific passwords, which are set up and authorised by the data controller.
- People who will have secure and authorised access to the databases include the leadership team, volunteers and ministry coordinators as appointed by the St Philip and St Jacob PCC.
- The data controller will keep a record of any persons authorised to access or enter this data.
- The database will NOT be accessed by any authorised user outside of the EU, in accordance with the Data Protection Act, unless prior consent has been obtained from the individual whose data is viewed.
- All access and activity on the church database is logged and can be viewed by the data controller.
Included as part of the Church Suite Database is a church members’ platform called ‘My Church Suite’. Members are able to securely log in and search a directory of other church members, find out details of any groups they are involved in, view recent communications and manage their own contact details, including how much information is visible to others. Access to this platform is granted to members on the explicit condition that they do not reproduce or print any contact details or pass on other members’ details to any third parties, in accordance with this policy.
We keep data in accordance with the guidance set out in the guide “Keep or Bin: Care of Your Parish Records”, which is available from the Church of England website.
Specifically, we retain electoral roll data while it is still current; gift aid declarations and associated paperwork for up to 6 years after the calendar year to which they relate; and parish registers (baptisms, marriages, funerals) permanently.
Your rights around data
Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data.
Where we are collecting data with your consent, you can withdraw your consent at any time.
Access to data
At any point you can ask the St Philip and St Jacob PCC to notify you about what data we hold about you and/or give you access to that data. If requested, we will provide this information free of charge in a structured, commonly used and machine-readable form such as a CSV file.
If the St Philip and St Jacob PCC feel the request is unfounded or excessive, for example if it is repetitive, we reserve the right to request a reasonable fee based on the administrative cost of providing the information.
Correcting the data
You can request a correction to the data we store about you and we’ll respond within one month. If we feel we need to refuse your request for any reason, we’ll explain why and provide you with details for making an appeal to a supervisory body. You may also update and manage the data we hold for you through ‘My Church Suite’.
Erasing your data
You can also request the deletion or removal of personal data if you feel the data should not have been collected or where you feel there’s no good reason for us to carry on using it.
There are some circumstances where we may refuse your request if the data is processed for the following reasons:
● to comply with a legal obligation or for the performance of a public interest task or exercise of official authority;
● for public health purposes in the public interest;
● archiving purposes in the public interest, scientific research, historical research or statistical purposes; or
● the exercise or defence of legal claims.
Requesting restrictions on processing of the data
You can request that we do not use or process your data, for example in an instance where you feel it’s inaccurate, or if you think we shouldn’t hold the data in the first place.
Lodging a complaint
If we refuse any of your requests for any reason and you wish to escalate the situation, or you feel that the St Philip and St Jacob PCC is misusing your data in any way, you have the right to lodge a complaint with a supervisory authority. You can find the information for how to do this here: https://ico.org.uk/concerns/
If we wish to use your personal data for a new purpose, not covered by this Data Protection Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.
If you are a member of St Philip and St Jacob Church, Bristol, then we are able to give you access to our member-facing My ChurchSuite platform, available in “app” form or within a browser. Through My ChurchSuite you can manage your privacy settings and keep your (and your linked children’s) personal data up to date. My ChurchSuite will also help you get better connected into church life, our events, ministries and small groups. To receive access to My ChurchSuite simply email your request to email@example.com and we’ll email you back an invitation with a link to set up your secure login.
You can opt out of receiving communications from St Philip and St Jacob Church, Bristol by contacting the church office on 0117 929 33 86, or in writing to The Data Controller, St Philip and St Jacob Church, Tower Hill, Bristol, BS2 0ET, or by email to firstname.lastname@example.org
To exercise any of these rights, or to raise queries or complaints, please contact in the first instance The Data Controller, St Philip and St Jacob Church, Tower Hill, Bristol, BS2 0ET, or by email to email@example.com
You can contact the Information Commissioner's Office on 0303 123 1113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
The PCC will undertake to review this policy and its implementation annually. This policy was updated and reviewed in May 2018.