BIDEFORD BAPTIST CHURCH

DATA PROTECTION POLICY

Adopted: April 2018

POLICY STATEMENT

BIDEFORD BAPTIST CHURCH is committed to protecting all information ('personal data') that we handle which relates to those we support and work with, and to respecting people’s rights in relation to how their information is handled.

We value the personal information entrusted to us, and we respect that trust by complying with all relevant legislation and adopting good practice.

This policy explains our responsibilities and how we will meet them.

Personal Data

We collect and process personal data to help us:

• Maintain our list of Church Members [and regular attenders];

• Provide pastoral support for members and others connected with our Church;

• Safeguard children, young people and adults at risk;

• Recruit, support and manage staff and volunteers;

• Maintain our Accounts and Records;

• Keep you up-to-date with forthcoming Church Services and Events;

• Maintain the fabric and security of property and premises;

• Respond effectively to enquirers and handle any complaints.

This policy has been approved by the Church's Charity Trustees, who are responsible for ensuring that we comply with all our legal obligations. It sets out the legal rules that apply whenever we obtain, store or use personal data.

Why this policy is important

We are committed to protecting personal data from being misused, getting into the wrong hands as a result of poor security or being shared carelessly, or being inaccurate, as we are aware that people can be upset or harmed if any of these things happen.

This policy sets out the measures that we are committed to taking as an organisation, and what each of us will do to ensure we comply with the relevant legislation.

In particular, we will make sure that all personal data is:

• processed lawfully, fairly and in a transparent manner;

• processed for specified, explicit and legitimate purposes and not in a manner that is incompatible with those purposes;

• adequate, relevant and limited to what is necessary for the purposes for which it is being processed;

• accurate and, where necessary, up to date;

• not kept longer than necessary for the purposes for which it is being processed;

• processed in a secure manner, by using appropriate technical and organisational means;

• processed in keeping with the rights of data subjects regarding their personal data.

HOW THIS POLICY APPLIES TO YOU AND WHAT YOU NEED TO KNOW

As an Employee, Trustee or Volunteer processing personal information on behalf of the Church, you are required to comply with this policy. If you think that you have accidentally breached the policy, it is important that you contact our Data Controller immediately so that we can take swift action to try and limit the impact of the breach.

You are required to make sure that any procedures which involve personal data, for which you are responsible in your area, follow the rules set out in this Data Protection Policy.

Anyone who breaches the Data Protection Policy may be subject to disciplinary action, and where that individual has breached the policy intentionally, recklessly, or for personal benefit they may also be liable to prosecution or to regulatory action.

If you are a 'Data Subject' of Bideford Baptist Church, we are committed to handling your personal information in line with this policy.

Our Data Controller is responsible for advising Bideford Baptist Church Employees, Trustees, Volunteers and Members about their legal obligations under Data Protection Law, monitoring compliance, and for dealing with data security breaches.

Any questions about this policy or any concerns that the policy has not been followed should be referred to them at secretarysue@live.co.uk.

Note:

Before you collect or handle any personal data as part of your work (paid or otherwise) for Bideford Baptist Church, it is important that you take the time to read this policy carefully and understand what is required of you, as well as the organisation’s responsibilities when we process data.

Our procedures will be in line with the requirements of this policy, but if you are unsure about whether anything you plan to do, or are currently doing, might breach this policy you must first speak to the Data Controller.

Note:

The current Church Secretary (Sue Jones) is our nominated Data Controller for Bideford Baptist Church, and can be contacted via e-mail at:

secretarysue@live.co.uk

OUR DATA PROTECTION RESPONSIBILITIES

What personal information do we process?

In the course of our work, we may collect and process information ('personal data') about many different people ('data subjects'). This includes data we receive straight from the person it is about, for example, where they complete forms or contact us, as well as information from other sources.

We process personal data in both electronic and paper form, and all this data is protected under Data Protection Law. The personal data we process can include information such as names and contact details, and visual images of people.

In some cases, we hold types of information that are called “special categories” of data (e.g. health / health care provision), which can only be processed under strict conditions.

We will not hold information relating to criminal proceedings or offences or allegations of offences unless there is an overarching safeguarding requirement to process this data for the protection of children and adults who may be put at risk in our church.

This processing will only ever be carried out on advice from the Ministries Team of the Baptist Union of Great Britain or our Regional Association Safeguarding contact person.

Other data, such as bank details, may also be considered ‘sensitive’, but will not be subject to the same legal protection as the types of data listed above.

Making sure processing is fair and lawful

Processing of personal data will only be fair and lawful when the purpose for the processing meets a legal basis, as listed below, and when the processing is transparent.

This means that we will provide people with an explanation of how and why we process their personal data at the point we collect data from them, as well as when we collect data about them from other sources.

How can we legally use personal data?

Processing of personal data is only lawful if at least one of these legal conditions, as listed in Article 6 of the GDPR [1], is met:

• the processing is necessary for a contract with the data subject;

• the processing is necessary for us to comply with a legal obligation;

• the processing is necessary to protect someone’s life (this is called “vital interests”);

• the processing is necessary for us to perform a task in the public interest, and the task has a clear basis in law;

• the processing is necessary for legitimate interests pursued by Bideford Baptist Church or another organisation, unless these are overridden by the interests, rights and freedoms of the data subject.

If none of the other legal conditions apply, the processing will only be lawful if the data subject has given their clear consent.

[1] General Data Protection Regulation

How can we legally use ‘Special Categories’ of data?

Processing of ‘special categories’ of personal data is only lawful when, in addition to the conditions above, one of the extra conditions, as listed in Article 9 of the GDPR, is met.

These conditions include where:

• the processing is necessary for carrying out our obligations under employment and social security and social protection law;

• the processing is necessary for safeguarding the vital interests (in emergency, life or death situations) of an individual and the data subject is incapable of giving consent;

• the processing is carried out in the course of our legitimate activities and only relates to our members or persons we are in regular contact with in connection with our purposes;

• the processing is necessary for pursuing legal claims.

If none of the other legal conditions apply, the processing will only be lawful if the data subject has given their explicit consent.

Before deciding which condition should be relied upon, we may refer to the original text of the GDPR as well as any relevant guidance, and seek legal advice as required.

What must we tell individuals before we use their data?

If personal data is collected directly from the individual, we will inform them about:

• our identity / contact details [and those of the Data Controller];

• the reasons for processing, explaining our legitimate interests, and where relevant, the consequences of not providing data needed for a contract or statutory requirement;

• who we will share the data with;

• if we plan to send the data outside of the European Union;

• how long the data will be stored and the data subjects’ rights.

This information is commonly referred to as a ‘Privacy Notice’, and will be provided at the time when the personal data is collected.

If data is collected from another source, rather than directly from the data subject, we will provide the data subject with the information described above, as well as the categories of the data concerned and the source of the data, unless a legal exemption under the GDPR applies. If we use the data to communicate with the data subject, we will at the latest give them this information at the time of the first communication.

If we plan to pass the data onto someone else outside of Bideford Baptist Church, we will give the data subject this information before we pass on the data.

When we need consent to process data

Where none of the other legal conditions apply to the processing, and we are required to get consent from the data subject, we will clearly set out what we are asking consent for, including why we are collecting the data and how we plan to use it.

Consent will be specific to each process we are requesting consent for and we will only ask for consent when the data subject has a real choice whether or not to provide us with their data.

Consent can, however, be withdrawn at any time and, if withdrawn, the processing will stop. Data subjects will be informed of their right to withdraw consent and it will be as easy to withdraw consent as it is to give consent.

Processing for specified purposes

We will only process personal data for the specific purposes explained in our Privacy Notices (as described above), unless there are lawful reasons for not doing so.

Data will be adequate, relevant and not excessive

We will only collect and use personal data that is needed for the specific purposes described above (which will normally be explained in Privacy Notices).

We will not collect more than is needed to achieve those purposes.

We will not collect any personal data “just in case” we want to process it later.

Accurate data

We will make sure that personal data held is accurate and, where appropriate, kept up-to-date.

The accuracy of personal data will be checked at the point of collection and at appropriate points later on.

Keeping data and destroying it

We will not keep personal data longer than is necessary for the purposes that it was collected for.

We will comply with official guidance issued to our sector about retention periods for specific records.

Security of personal data

We will use appropriate measures to keep personal data secure at all points of the processing. Keeping data secure includes protecting it from unauthorised or unlawful processing, or from accidental loss, destruction or damage.

We will implement security measures which provide a level of security which is appropriate to the risks involved in the processing.

Measures will include technical and organisational security measures.

In assessing what measures are the most appropriate, we will take into account the following, and anything else that is relevant:

• the quality of the security measure;

• the costs of implementation;

• the nature, scope, context and purpose of processing;

• the risk (of varying likelihood and severity) to the rights and freedoms of data subjects;

• the risk which could result from a data breach.

Measures may include:

• technical systems security;

• measures to restrict or minimise access to data;

• physical security of information and of our premises;

• organisational measures, including policies, procedures, training and audits;

• regular review and evaluation of the effectiveness of security measures.

WORKING WITH PEOPLE WE PROCESS DATA ABOUT ('Data Subjects')

Data subjects’ rights

We will process personal data in line with data subjects' rights, including their right to:

• request access to any of their personal data held by us (known as a Subject Access Request);

• ask to have inaccurate personal data changed;

• restrict processing, in certain circumstances;

• object to processing, in certain circumstances, including preventing the use of their data for direct marketing;

• data portability, which means to receive their data, or some of their data, in a format that can be easily used by another person (including the data subject themselves) or organisation;

• not be subject to automated decisions, in certain circumstances; and

• withdraw consent when we are relying on consent to process their data.

If a request is received from an individual which relates to, or could relate to, their Data Protection rights, this will immediately be forwarded to our Data Controller.

We will act on all valid requests as soon as possible, and at the latest within one calendar month, unless we have reason to, and can lawfully, extend the timescale. This can be extended by up to two months in some circumstances.

All data subjects’ rights are provided free of charge.

Any information provided to data subjects will be concise and transparent, using clear and plain language.

Direct Marketing*

We will comply with the rules set out in the GDPR, the Privacy and Electronic Communications Regulations (PECR) and any laws which may amend or replace the regulations around direct marketing.

This includes, but is not limited to, when we make contact by post, e-mail, text message, social media messaging, telephone (both live and recorded calls) and fax.

* Note:

Direct Marketing means the communication (by any means) of any advertising or marketing material which is directed, or addressed to individuals.

'Marketing' does not need to be selling anything, or be advertising a commercial product. It includes contact made by organisations to individuals for the purposes of promoting the organisation's aims.

Any 'direct marketing' material that we send will identify Bideford Baptist Church as the sender and will describe how people can object to receiving similar communications in the future. If a data subject exercises their right to object to direct marketing we will stop the direct marketing as soon as possible.

WORKING WITH OTHER ORGANISATIONS AND TRANSFERRING DATA

Sharing information with other organisations

We will only share personal data with other organisations or people when we have a legal basis to do so and if we have informed the data subject about the possibility of the data being shared (in a Privacy Notice), unless legal exemptions apply to informing data subjects about the sharing. Only authorised and properly instructed Trustees are allowed to share personal data.

We will keep records of information shared with a third party, which will include recording any exemptions which have been applied, and why they have been applied. We will follow the ICO [2]’s statutory Data Sharing Code of Practice (or any replacement code of practice) when sharing personal data with other data controllers.

Legal advice will be sought as required.

Transferring personal data outside the European Union (EU)

Personal data cannot be transferred (or stored) outside of the European Union unless this is permitted by the GDPR. This includes storage on a “cloud” based service where the servers are located outside the EU.

We will only transfer data outside the EU where it is permitted by one of the conditions for non-EU transfers in the GDPR.

[2] Information Commissioner's Office

MANAGING CHANGE AND RISKS

Data Protection Impact Assessments

When we are planning to carry out any data processing which may result in a high risk, we will carry out a Data Protection Impact Assessment (DPIA). These include situations when we process data relating to vulnerable people, trawling of data from public profiles, using new technology, and transferring data outside the EU.

We may also conduct a DPIA in other cases when we consider it appropriate to do so. If we are unable to mitigate the identified risks, such that a high risk remains, we will consult with the ICO.

DPIAs will be conducted in accordance with the ICO’s Code of Practice ‘Conducting privacy impact assessments’.

Dealing with Data Protection Breaches

Where staff or volunteers think that this policy has not been followed, or data might have been breached or lost, this will be reported immediately to the Data Controller.

We will keep records of personal data breaches, even if we do not report them to the ICO.

We will report all data breaches which are likely to result in a risk to any person, to the ICO. Reports will be made to the ICO within 72 hours from when someone in the Church becomes aware of the breach.

In situations where a personal data breach causes a high risk to any person, we will (as well as reporting the breach to the ICO) inform data subjects whose information is affected, without undue delay.

This can include situations where, for example, bank account details are lost or an email containing sensitive information is sent to the wrong recipient. Informing data subjects