THE BARMBY MOOR GROUP CHURCHES
Comprising the Parishes of St Botolph’s, Allerthorpe, St Catherine’s, Barmby Moor, St Martin’s, Fangfoss, St Michael’s, Thornton and St Martin’s, Yapham
1. Your personal data – what is it?
Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controllers’ possession or likely to come into such possession. The processing of personal data is governed by the General Data Protection Regulation (the “GDPR” – see Appendix 1). In practice this mainly entails details on the Gift Aid envelopes, parish electoral rolls and information collected in connection with compliance with our Safeguarding Policy, and church-organised activities and for marriages, baptisms and funerals; also for the Parish News and group website. For churchwardens, treasurers and secretaries, their details appear in the Diocesan Church Directory.
Regarding the preparation and publication of the Parish News and group website, we will respect the privacy and rights of advertisers who will have supplied information (not all of which may have been collected for publication). We will similarly assume that church officials and volunteers whose names and contact details appear in the Parish News have expressly allowed their details to be printed in the Parish News. However, the rights of the above two categories under the GDPR remain the same and are unaffected.
2. Who are we?
The Vicar, churchwardens and treasurers on the PCCs of the Barmby Moor Group of Churches, the officials with responsibilities for marriages, baptisms and funerals, along with the Benefice Safeguarding Representatives, are data controllers within the meaning of the GDPR. This means that they decide how your personal data is processed and for what purposes.
3. How do we process your personal data?
The PCCs of the Barmby Moor Group of Churches comply with their obligations under the “GDPR” by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data. Data may be paper-based or electronic data such as that contained in spreadsheets and data submitted to church authorities in general data returns.
We use your personal data for the following purposes:
To administer church membership records;
to fundraise and promote the interests of our churches;
to manage our employees and volunteers;
to maintain our own accounts and records (including the processing of Gift Aid applications);
to inform you of news, events, activities and services running at our ten churches;
where appropriate, to share your contact details with the Diocesan Office so they can keep you informed about news in the diocese and events, activities and services that will be occurring in the diocese and in which you may be interested;
where appropriate, to enable us to provide a voluntary service (such as would generally be recognised as falling within the remit of a church) for the benefit of our communities in a geographical area.
4. What is the legal basis for processing your personal data?
Explicit consent of the data subject so that we can keep you informed about news, events, activities and services and keep you informed about diocesan events. In the case of the filling-in of Gift Aid envelopes and in cases where individuals have made arrangements for regular payments to a church (such as by standing order); where electoral roll registration forms have been completed; where a couple is in discussion about marriage; where a family is in touch in connection with a funeral; and where advertisers have submitted copy for the Parish News and/or website, the Benefice will assume that explicit consent has only been given for the retention and relevant use of data that relates to the circumstances of the particular italicised item specified in this section 4. However, this does not affect their rights under the GDPR, e.g. to ask for details of the information held, to ask for them to be modified or to be withdrawn. Please note, no withdrawal is allowable for Gift Aid as it is an obligation under HMRC rules for Gift Aid records to be kept for a statutory period and individual permissions do not have to be sought.
Processing is necessary for carrying out legal obligations in relation to Gift Aid or under employment, social security or social protection law, or a collective agreement;
Processing is carried out by a not-for-profit body with a religious or statutory aim provided:
o the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes); and
o there is no disclosure to a third party without consent.
5. Sharing your personal data
Your personal data will be treated as strictly confidential and will only be shared with other members of the church to carry out a service to other church members or for purposes connected with the church. We will only share your data with third parties outside of the parish with your consent.
6. How long do we keep your personal data? [1]
We keep data in accordance with the guidance set out in the guide “Keep or Bin: Care of Your Parish Records” which is available from the Church of England website [see footnote for link].
Specifically, we retain electoral roll data while it is still current; gift aid declarations and associated paperwork for up to 6 years after the calendar year to which they relate; and parish registers (baptisms, marriages, funerals) permanently.
7. Your rights and your personal data
Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data:
The right to request a copy of your personal data which the PCCs of the Barmby Moor Group of Churches hold about you;
the right to request that the PCCs of the Barmby Moor Group of Churches correct any personal data if it is found to be inaccurate or out of date;
the right to request your personal data is erased where it is no longer necessary for the PCCs of the Barmby Moor Group of Churches to retain such data;
the right to withdraw your consent to the processing at any time – compliance with HMRC rules excepted;
the right to request that the relevant data controller provides the data subject with his/her personal data and, where possible, to transmit that data directly to another data controller (known as the right to data portability), (where applicable) [Only applies where the processing is based on consent or is necessary for the performance of a contract with the data subject and in either case the data controller processes the data by automated means];
the right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;
the right to object to the processing of personal data, (where applicable) [Only applies where processing is based on legitimate interests (or the performance of a task in the public interest/exercise of official authority); direct marketing and processing for the purposes of scientific/historical research and statistics];
the right to lodge a complaint with the Information Commissioner's Office.
[1] Details about retention periods can currently be found in the Record Management Guides located on the Church of England website at: https://www.churchofengland.org/more/libraries-and-archives/records-management-guides
8. Further processing
If we wish to use your personal data for a new purpose, not covered by this Data Protection Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.
9. Contact Details
To exercise all relevant rights, queries and complaints please in the first instance contact the Reverend Jan Hardy, Vicar, on 01759 307490; email: firstname.lastname@example.org
You can contact the Information Commissioner's Office on 0303 123 1113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
Appendix 1: GENERAL DATA PROTECTION REGULATION (GDPR)
The GDPR came into force on 25th May 2018. The regulation replaces the current Data Protection Act. Organisations, and especially employers and their employees, have new responsibilities to consider in order to help ensure compliance. After Britain leaves the European Union, a new UK Data Protection Act will ensure that the GDPR principles remain in UK law.
Organisations must have a valid reason for having personal data and the data should not be held for any longer than necessary. The Information Commissioner's Office (ICO) has published an overview of the regulation and has a checklist of 12 steps that can help organisations ensure they are GDPR compliant.
What is GDPR?
The GDPR is concerned with respecting the rights of individuals when processing their personal information. This can be achieved by being open and honest with those affected about the use of information about them and by following good data handling procedures. The regulation is mandatory and all organisations that hold or process personal data must comply.
The regulation contains 6 principles:
Personal data should be processed fairly, lawfully and in a transparent manner.
Data should be obtained for specified and lawful purposes and not further processed in a manner that is incompatible with those purposes.
The data should be adequate, relevant and not excessive.
The data should be accurate and where necessary kept up to date.
Data should not be kept for longer than necessary.
Data should be kept secure.
All those connected with the running of churches, whether they are employees or volunteers, have a responsibility to ensure that their activities comply with the data protection principles. Church officials and volunteers have responsibility for the type of personal data they collect and how they use it. They should not disclose personal data outside the organisation's procedures, or use personal data held on others for their own purposes.
Who does GDPR apply to?
The GDPR applies to any organisation that handles personal data.
An individual who holds data about another individual on a personal level, for example a family member's telephone number stored in a phone, will not need to consider GDPR for that data.
What is personal data?
Personal data is data that relates to an identified or identifiable individual and is:
kept in a filing system
part of an accessible record, for example an education record
held by a public authority.
This includes data that does not name an individual but could potentially identify them; for example, a highly specific postcode in a rural area on a Gift Aid envelope. Organisations should ensure staff and volunteers are aware that any personal data they have in their possession will also be subject to the regulation; for example, if an official has a written copy of contact details for their colleagues or someone keeps names and numbers on post-it notes on their desk. An organisation must have a lawful basis for handling any personal data.
How long can information be kept?
Information must not be kept for longer than is necessary.
While there is no set period set out within the GDPR, some records must be kept for a certain period in accordance with other legislation. For example, HMRC require Gift Aid details to be kept for 6 years from the end of the tax year to which they relate.
How can organisations comply with the regulation?
To ensure its compliance to the GDPR, an organisation must:
have a clear retention policy for handling personal data and ensure it is not held for longer than is necessary;
have a legal basis for acquiring and/or using any personal data (for more information on legal bases please see the ICO website);
ensure that all officials are aware of the retention policy and follow it;
respond to subject access requests (sometimes called personal data requests) within one month;
if there is a personal data breach that is likely to result in a risk to the rights and freedom of an individual, inform the ICO within 72 hours and, if the risk is deemed to be high, also inform the individual concerned.
An individual’s right to request their personal data
Individuals have a right to access information that an organisation may hold on them. In the case of an employer, this could include information regarding any grievances or disciplinary action, or information obtained through monitoring processes.
If an individual wants to see their personal data, they should speak to the organisation concerned. Most requests for personal data can be provided quickly and easily.
If the organisation is unable or unwilling to agree to the request, the individual could make a Subject Access Request. A subject access request should be in writing and include:
full name, address and contact details;
any information used by the organisation to identify the individual;
details of the specific information required and any relevant dates.
Arrangements should already be in place to deal with Subject Access Requests as a 40-day time limit is currently stipulated under the Data Protection Act. This time limit shortens to one month under the GDPR.
While the Data Protection Regulation allows an organisation to charge a fee for Subject Access Requests, fees may only be required under GDPR if the requests are "manifestly unfounded or excessive".
If an organisation refuses a request, they must inform the individual within one month:
why they have refused the request;
that the individual has the right to complain to the supervisory authority and to a judicial remedy.
For further information on GDPR go to https://ico.org.uk/