Reviewed & Updated by Christine Akot & Barbara Kuekes-Patel
Approved by: The PCC on 19 Sept 2022
Next Review Due: September 2023

Data Protection Policy

Christ Church Roxeth, Roxeth Hill, Harrow HA2 0JN
www.ccrharrow.org | 020 8422 3241
Charity Number: 1134836
Contents
OVERVIEW
SCOPE
CATEGORIES OF DATA
PROCESSING OF DATA
THE EIGHT PRINCIPLES OF DATA HANDLING
APPLYING THESE PRINCIPLES
QUERIES
ACCESS
COMPLAINTS, ENFORCEMENT AND DEALING WITH BREACHES
THE INFORMATION COMMISSIONER'S OFFICE

OVERVIEW

Christ Church Roxeth (CCR) uses personal data about living individuals solely to facilitate normal church administration, including:
- employee data, electoral roll records, rotas, giftings, visitor information
- lettings and financial records of giving for tax and accounting purposes
- church groups, clubs and other activities
- pastoral care
- the maintaining of a Church Directory on MyChurchSuite
- communication regarding church activities.

CCR is committed to the proper and lawful treatment of all personal data. All personal data, which may be held by CCR on paper, on computer or in other media, will adhere to the appropriate legal safeguards as laid down in the General Data Protection Regulation 2018.

SCOPE

This policy applies to all trustees, staff employed by CCR, those contracted and subcontracted by CCR and to all volunteers and group leaders, and must be adhered to by them, together with any detailed guidelines published separately for this purpose. We will do our utmost to ensure that all our staff, volunteers and trustees are conversant with data protection legislation and practice.
The scope of the policy does not seek to govern the sharing of contact details and personal data between groups of friends who are connected through Christ Church.

CATEGORIES OF DATA

Data is information which is recorded with the intention that it should be processed on a computer or is recorded as part of a relevant filing system (i.e. a manual system).

1. PERSONAL DATA is information relating to an individual who can be identified:
- from the data
- from the data which includes an expression of opinion about the individual
For example: electoral roll name and address details.

2. SENSITIVE PERSONAL DATA is defined in law as information relating to:
- racial or ethnic origins of the person
- political opinions
- religious beliefs or other beliefs of a similar nature
- trade union involvement
- physical or mental health
- sexual life
- the commission or alleged commission of any offence
- any proceedings for any offence committed or alleged to have been committed
For example: information held for the purpose of pastoral care.

In order to process these two types of data, consent from the individual must be obtained by the organisation handling the data. Explicit consent must be given when it is sensitive personal data. Additional safeguards are therefore in place where sensitive personal data is concerned.

PROCESSING OF DATA

CCR will only process data if at least one of the following conditions is satisfied:

1. The processing is necessary to further the “legitimate interests” of Christ Church Roxeth (CCR), provided that such processing does not prejudice the “rights and freedoms or legitimate interests” of the person concerned. If CCR processes data under this condition, there is no requirement to obtain consent from the person concerned, but we will always ensure that CCR respects that person’s rights. This includes the rights of those who provide services to CCR (e.g. tradespeople).

2. The person concerned has given consent. The consent may be explicit or implicit. By way of an example, a person who emails the church is deemed to give implicit consent for his or her contact details to be stored in such a way that enables the church to respond to the email.

3. In compliance with a legal obligation, for example a court order requiring disclosure of information.

THE EIGHT PRINCIPLES OF DATA HANDLING

CCR upholds the eight principles of data handling required by the Data Protection Act. The purpose of these principles is to specify the mandatory conditions that must be satisfied in relation to obtaining, handling, processing, transportation and storage of personal data. Trustees, employees and any others who obtain, handle, process, transport and store personal data for or on behalf of CCR must always adhere to these principles.

In summary, these principles require that personal data:
1. Shall always be processed fairly and lawfully and shall not be processed at all unless certain conditions are met.
2. May only be gathered for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose.
3. Shall be adequate, relevant and not excessive for those purposes.
4. Shall be accurate and, where necessary, kept up to date.
5. Shall not be kept for longer than is necessary for that purpose.
6. Shall be processed in accordance with the data subject’s rights.
7. Must be kept secure from unauthorised or unlawful processing and protected against accidental loss, destruction or damage by using the appropriate technical and organisational measures.
8. Must not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. CCR does not envisage any circumstances in which a transfer of data outside the UK would occur.
CCR will treat all the personal information as private and confidential and not disclose any data to anyone other than the relevant staff and authorised leaders, solely in order to facilitate the administration and ministry of the church. You should note, however, that there are four exceptional circumstances to the above permitted by and anticipated in the legislation:
1. Where we are legally compelled to do so.
2. Where there is a duty to the public to disclose.
3. Where disclosure is required to protect your interest.
4. Where disclosure is made at your request or with your consent.

APPLYING THESE PRINCIPLES

1. All Christ Church Roxeth trustees (i.e. PCC members), staff and authorised leaders who process personal data on behalf of the church will be required to sign an agreement acknowledging their understanding of this Policy.

2. The PCC will appoint one of their number to act as the Church’s Data Protection Officer. All questions and concerns in relation to this policy should be addressed to them. They will be supported in managing the practical implementation of this Policy by the Church Administrator.

3. When personal information is collected for use by Christ Church Roxeth we will ensure that:
a. This information is necessary for church purposes;
b. The information is not kept for longer than it is needed;
c. Those people supplying the information are aware of this policy;
d. All individuals whose names and contact details are published in the Church Directory on MyChurchSuite will be asked to give explicit consent for their details to be included. We will ensure that data is safely removed from the Directory and responsibly disposed of if the individual concerned requests it;
e. Personal information (including photographs) of individuals will not be published on our website without obtaining explicit and informed consent from the individuals concerned or their parents. We will never publish the names of children or young people alongside their photographs;
f. We will ensure that all church members and attendees are aware of who to contact to update the information held about them by Christ Church Roxeth;
g. A copy of this policy will be on our church website and also available from the Church Administrator;
h. All personal information held by PCC members, staff and authorised leaders on behalf of Christ Church Roxeth will be held and processed in a sufficiently secure manner (whether in paper or electronic form) to prevent unauthorised access (whether by unauthorised church staff or third parties). This means we will:
   i. Store paper-based information in secure, lockable cupboards;
   ii. Use password protection and, if appropriate, encryption of particularly sensitive electronic documents;
   iii. Restrict access to both paper and electronic personal data to those who need to process it for one of the above uses;
   iv. Ensure that personal information is transmitted securely in a way that cannot be intercepted by unintended recipients;
   v. Ensure that access to Church systems is password protected and that only authorised personnel have access.

QUERIES

If you have questions about data protection, please contact the CCR Data Protection Officer or the Church Administrator via the Church Office.

ACCESS

CCR will provide procedures for access to personal data for all those for whom personal data is held. No charge will normally be levied on anyone requesting access to their personal data. Any such request should be made in writing and a response shall be provided within one calendar month. Redaction of content may be required where requested data is mixed with information relating to other data subjects.

COMPLAINTS, ENFORCEMENT AND DEALING WITH BREACHES

1. Any complaints regarding Data Protection must be passed immediately to the Data Protection Officer.
2. Any PCC member, staff member or authorised leader who suspects that a breach of the policy has occurred must report it to the Data Protection Officer within 72 hours. Where a breach has occurred, the procedures for managing the breach must be followed.
3. All PCC members, staff members and authorised leaders are expected to cooperate in full with any investigation undertaken by the Data Protection Officer or the Information Commissioner into an alleged breach of the Act.

THE INFORMATION COMMISSIONER’S OFFICE

The ICO’s role is to uphold information rights in the public interest. The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. The ICO may use criminal prosecution, non-criminal enforcement and audit, depending on the circumstances. The ICO also has the power to serve a monetary penalty notice on a data controller.

Some of the options open to the ICO where there has been a more serious breach of the Data Protection Act include:
1. Serve enforcement notices and “stop now” orders where there has been a breach, requiring organisations to take (or refrain from taking) specific steps in order to ensure they comply with the law;
2. Issue monetary penalty notices, requiring organisations to pay up to £500,000 for serious breaches of the Data Protection Act occurring on or after 6 April 2010 (up to €20m from 25 May 2018);
3. Prosecute those who commit a criminal offence under the Act.

Information Commissioner’s Office: https://ico.org.uk/global/contact-us