Policy/Privacy Statement Overview
In May 2018 the law relating to data protection and privacy was enhanced in the UK by the General Data Protection Regulation (GDPR). This enhanced law gave extra rights and protection to the individual (Data Subject) over the gathering and use of his or her personal data by organisations (Data Controllers).
The following summary of our Privacy Policy and Privacy Notice, and the expanded description thereafter, involve some terminology such as Data Subject, Data Controller and Lawful Basis, which are defined in Appendix A.
The following summary describes what we as a church do with personal data; the terms used and the ways in which personal information is ‘processed’ are more fully described in sections 1 to 4 below.
- We hold personal data about individuals employed by the church for the purposes of remuneration, taxation and pension provision. These individuals may be employed on a full-time or part-time basis, for example the pastor, or on an ad hoc basis such as the church cleaner.
- We hold personal data about officers of the church for the purposes of providing contact details to those the church corresponds with and to administrative bodies (such as the Association of Grace Baptist Churches, Grace Charities Trust) that the church has dealings with.
- We hold personal data about individuals representing other organisations in relation to letting the premises or who provide services to us.
- We hold personal data about individuals for whom we have arranged Disclosure and Barring Service (DBS) checks so that they can work with vulnerable people associated with us. In addition we record information about individuals in the course of safeguarding monitoring and, in the event of a safeguarding incident, may record further information which may be of a sensitive nature.
- We maintain a list of people who have attended on a regular basis or who have been registered ‘members’ for the purposes of spiritual care and, on rare occasions, to note those with whom we no longer wish to have any further contact or who do not wish to have any further contact with us.
- We may record elements of people’s conversation at members’ meetings, and officers of the church may keep correspondence and elements of conversations on record.
- We record donations made by standing order or cheque, and reimbursement payments that may be made direct to personal bank accounts, for accounting purposes and also for Gift Aid processing purposes.
- We share data with Grace Charities Trust in order to process Gift Aid and with the Disclosure and Barring Service in order to carry out DBS checks.
- Where data relates to congregants of the church that information may be shared with other congregants for the purposes of the Legitimate Interests of the church in providing mutual care and support.
- All data that we hold may be held indefinitely for the purposes of protecting the Legitimate Interests of the church and its members and especially for the purposes of safeguarding of vulnerable people associated with the church.
Policy/Privacy Statement Detail
1. People Within the Church
Before being able to state the church’s policy on privacy it is necessary to understand the roles within a church, how the individuals who have a connection with us relate to us as an organisation and to each other within the church.
1.1 Congregants
A church consists of those who attend meetings of the church on a regular basis and who are involved in the life of the church in living out Christ-like lives, giving and receiving spiritual and practical help, or who are enquiring into the Christian faith. Included within this general definition are those who are perhaps unable to attend meetings regularly but otherwise fulfil the criteria outlined. This group also includes people who are present at the will of others (e.g. children of adults attending) and others who on occasion may attend other churches. Within the church’s Privacy Policy and Privacy Notice this category of those involved with the church is referred to as congregants.
1.2 Members
A distinct group within the overall category of congregants is referred to as members, these being those congregants who wish to identify themselves solely and specifically with Providence Baptist Church and who meet the church’s criteria for membership. Membership is an administrative necessity of church life, in that there is information that should only be available to those who wish to identify themselves solely with a given church, and there are decisions about the administration of the church which only those with that sole commitment should be able to make.
1.3 Church Officers
A distinct group within the members of the church are the officers of the church who are divided into those who perform a specific service to the church, such as the fabric deacon who manages the upkeep of the buildings, and the elders who are responsible for the spiritual leadership of the church by organising meetings, preaching, teaching and counselling the congregants.
2. Sharing Data
2.1 Congregants
The nature of a church is more like that of a family than of a common interest group such as a sporting club. As such, congregants may share personal information between themselves, and the church’s Privacy Policy and Privacy Statement cannot make any commitments or statements about information shared in that way, since the church can only be considered to have any control over its members, as would any other organisation.
2.2 Members and Officers
Because of the nature of church meetings, especially prayer meetings, those attending would expect to be able to share personal information for the legitimate interests of the church, even where that information might be considered as falling into the special category of data (primarily health related). Similarly, congregants are likely to share information with officers of the church. In either case holding such information falls within the conditions set by the GDPR for processing special category data, as the sharing is for the religious purposes of the church - see GDPR Article 9(2)(d), reproduced in Appendix D. It should be noted that this condition applies only where the processing is carried out with appropriate safeguards and the data are not disclosed outside the church without the consent of the individuals concerned (see Confidentiality under Third Party Access to Data below).
2.2.1 ‘Private’ Sharing
Congregants are likely to share personal information with the elders of the church and with certain officers of the church such as personal information given as part of the church’s pastoral care of the congregants or consequent on their financial involvement with the church (e.g. Gift Aid declarations) or their involvement with church activities (e.g. for DBS registration). In addition personal information may be shared by members through correspondence or in the church members’ meeting minutes. All of this personal information would be covered by the church’s Privacy Policy and Privacy Statement because it is shared with members of the church in meetings that are confidential to the church members.
2.2.2 ‘Public’ Sharing
Information shared in public meetings to which non-members have access, such as the Sunday services or the prayer meetings, is not covered by the church’s Privacy Policy or Privacy Statement, and any information shared in such circumstances is outside the control of the church.
2.2.3 Formal Sharing
2.2.3.1 Name and Address List
The church is likely to know the contact details (name, address, email address, telephone numbers) of congregants though provision of this information is not a requirement. This information might be recorded in a ‘Members and Friends Contact List’ with basic telephone and email contact information being circulated amongst those on the list. Being on the list would require consent to such sharing of basic contact details.
2.2.3.2 Emergency Contact Details
The officers of the church must know the contact details of congregants, together with medical information for use in case of emergency, where those congregants are children or vulnerable adults who attend special interest groups within the church (e.g. children’s club). This is to fulfil our legal obligation in respect of safeguarding.
2.2.3.3 Statutory Requirements
The officers of the church will know the contact details and possibly bank details of certain congregants in order to register them with HMRC for Gift Aid purposes, to fulfil these and similar legal obligations.
2.2.3.4 Correspondence and Record Keeping
The church officers will keep copies of correspondence from and to congregants and copies of meeting notes as part of the church’s Legitimate Interest in protecting the reputation of the church and its members. This information may be kept indefinitely and may not be destroyed or anonymised as a result of a data subject’s ‘request to be forgotten’. An example of such information could be a statement made in a church members’ meeting by a member that reveals personal information and is recorded within the minutes because it is pertinent to the matter being discussed. Such information could not be removed or anonymised without rendering the minutes meaningless, since the purpose of minutes is to act as a record of the events that occurred and the statements that were made at the meeting. Similarly, an email that makes a statement of fact needed at a later date to protect the reputation of the church or any of its members could not serve that purpose if it were deleted or changed as a result of a data subject’s request. This is particularly the case given the nature of churches as bodies where personal information is shared in a way that could increase the vulnerability of individuals; the attention paid to safeguarding and associated record keeping should therefore be correspondingly greater, together with greater emphasis on the security of that information.
3. GDPR – Data Subject Rights
3.1 Data Subject
The GDPR defines a Data Subject as “an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (Art. 4 GDPR).
3.2 Rights
A Data Subject is accorded certain rights under the GDPR as listed below. In order to exercise these rights the Data Subject should address his or her request in writing to an officer of the church, following the guidelines published by the Information Commissioner’s Office (ICO).
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
- The right to lodge a complaint with the Information Commissioner’s Office (ICO)
Not all of these rights will be applicable to the relationship between Providence Baptist Church and its congregants. For example, the right to data portability does not apply in any practical sense because the data held by Providence Baptist Church is historical record keeping and is not transferable, and the rights in relation to automated decision making and profiling do not apply because the church does not carry out any automated decision making or profiling.
3.2.1 The right to be informed
Everything that a Data Subject might need to know regarding the recording and processing of data by Providence Baptist Church is contained within this document.
3.2.2 The right of access - see also Appendix B below
Anyone wishing to view data held by Providence Baptist Church about themselves may do so subject to the provisions set out by the Information Commissioner’s Office (see https://ico.org.uk/for-the-public/personal-information/), which are outlined in Appendix B.
Where the requested data is embedded in documents that also contain information relating to other Data Subjects (e.g. church members’ meeting minutes), it will either be necessary to obtain the consent of those other individuals to share their data with the Data Subject, or their data will have to be redacted in the copy supplied. It should be noted that redaction may make the Data Subject’s data meaningless without its context.
Note that the GDPR clarifies that the reason for allowing individuals to access their personal data is so that they are aware of, and can verify, the lawfulness of the processing (Recital 63).
3.2.3 The right to rectification
Where a Data Subject wishes to have information held by Providence Baptist Church amended, this will only be possible where that data does not constitute historical records (e.g. correspondence, members’ meeting minutes), which have to be maintained in their original form for the purposes of protecting the reputation of the church and its congregants and for reasons of safeguarding. It should be noted that if corrections are required to members’ meeting minutes an opportunity is always given at the beginning of the following meeting, when the minutes are read; beyond this the minutes become fixed historical records.
(See https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-rectification/ for further information.)
3.2.4 The right to erasure (right to be ‘forgotten’) - see also Appendix C below
The GDPR gives Data Subjects the right to be forgotten by an organisation. If an existing or former congregant requests that the church ‘forgets’ him or her under the regulation, personal information will be erased wherever possible, such as from the members and friends contact list. It should be understood, however, that this cannot apply to any correspondence or church minutes that the church holds, because of the church’s responsibility to protect the reputation of the church and its congregants and for reasons of safeguarding. This will include the correspondence requesting the erasure of data, as this will be used to inform church officers of the Data Subject’s requirement to be ‘forgotten’ by the church. For the same reason it may not be possible to erase contact details held by the officers of the church, as the information might be needed for reasons connected with its original collection (e.g. Gift Aid processing).
(See Appendix C and https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/ for further information.)
3.2.5 The right to restrict processing (including the right to withdraw consent)
Where data has been collected on the basis of specific consent, such as contact details for the members and friends contact list, that consent may be withdrawn by the Data Subject at any time. Recipients of the contact list (that is, those who are on the list) will be informed and asked not to use that information.
4. Third Party Access to Data
4.1 Confidentiality
The data we hold relating to congregants will not be shared with any third party outside the body of congregants without the express consent of the congregants concerned, other than where required by law.
There is no intention of transmitting information relating to congregants outside the area of jurisdiction of the GDPR (Europe), but it should be noted that where information is shared via email (e.g. the monthly prayer diary) congregants who are travelling might pick up their emails outside that area, and in this case the church would have no way of controlling such access.
Appendix A - Definitions
Data Subject - The GDPR defines a Data Subject as “an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (Art. 4 GDPR).
Data Controller – Article 4 of the GDPR describes a Data Controller as “(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;”. In the context of this Privacy Notice we, Providence Baptist Church, Southend-on-Sea (SS2 6LH), are the Data Controller in that we hold certain information relating to our congregants and will take certain actions with that information (process it), as summarised in the Overview above.
Lawful Basis – The GDPR requires Data Controllers to have a lawful basis in order to process personal data which replaces and mirrors the previous requirement to satisfy one of the ‘conditions for processing’ under the Data Protection Act 1998. However, the GDPR places more emphasis on our being accountable for and transparent about our lawful basis for processing.
Our Lawful Basis for ‘processing data’ in general is Legitimate Interest, in that as a church we exist for the mutual benefit of those associated with the church in the exercise of our common religious aims, and in order to do that there is information about our congregants that we must record and act on. It is recognised that our Legitimate Interest cannot override the interests or fundamental rights and freedoms of those about whom we hold and process information, in particular those who are vulnerable, such as children.
Legitimate Interest - Article 6(1)(f) gives a lawful basis for processing where:
“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
Our Lawful Basis for ‘processing data’ for others with whom we have dealings from time to time (e.g. businesses that provide services to us or, very occasionally, where we or members of the church acting in an official capacity provide a service, such as a minister conducting a funeral) is Contract, in that for a service to be provided there has to be an agreement (Contract) on the terms of that service provision, even if that agreement is only verbal.
Contract - Article 6(1)(b) gives a lawful basis for processing where:
“processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”
For those activities of the church that involve interaction with government bodies or where we are seeking to comply with legal responsibilities our reason for collecting and holding such data falls into the category of Legal Obligation as a Lawful Basis in that we are legally obliged to collect and hold that data for purposes such as safeguarding and financial accounting.
Article 6(1)(c) provides a lawful basis for processing where:
“processing is necessary for compliance with a legal obligation to which the controller is subject.”
Data Retention – To fulfil our responsibilities under these Lawful Bases we will need to retain data for a sufficient length of time that those responsibilities may be met. All data that we hold will be kept for an appropriate time for the purposes of protecting the legitimate interests of the church and its members. This will be governed either by legislation or good practice e.g. financial records will be kept for six years, safeguarding data may be kept indefinitely.
Appendix B - Access
https://ico.org.uk/for-the-public/personal-information/
Write to the organisation
When requesting your personal information from an organisation, you should include the following information:
It may also be helpful to include:
How should an organisation respond to my request?
The organisation has to reply within 40 days, starting from the day they receive both the fee and the information they need to identify you and the information you need. A credit reference agency must reply within seven days to a request for a credit file.
If an organisation reasonably needs more information to help them find your information or identify you, they have to ask you for the information they need. They can then wait until they have all the necessary information as well as the fee before dealing with your request.
The organisation should give you the information in writing but they need not do this if it is not possible, if it takes ‘disproportionate effort’ or if you agree to some other form, such as seeing it on screen. The Act does not define what disproportionate effort means but we think the following should be taken into account:
The Act covers personal information that:
Note: the 40-day period and the fee referred to in the ICO text above date from guidance issued under the Data Protection Act 1998. Under the GDPR (Article 12) a request must be answered without undue delay and at the latest within one month of receipt (which may be extended by a further two months where requests are complex or numerous), and normally free of charge.
Appendix C - Erasure
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/
When does the right to erasure apply?The right to erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing in specific circumstances:
There are some specific circumstances where the right to erasure does not apply and you can refuse to deal with a request.
When can the organization refuse to comply with a request for erasure?The organization can refuse to comply with a request for erasure where the personal data is processed for the following reasons:
Appendix D – Sensitive Data
GDPR - Article 9(2)(d)
(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
Data Subject - The GDPR defines a Data Subject as “an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (Art. 4 GDPR).
Data Controller – Article 4 of the GDPR describes a Data Controller as “(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;”. In the context of this Privacy Notice we, Providence Baptist Church, Southend-on-Sea (SS2 6LH), are the Data Controller in that we hold certain information relating to our congregants and will take certain actions with that information (process it), as summarised below.
Lawful Basis – The GDPR requires Data Controllers to have a lawful basis in order to process personal data which replaces and mirrors the previous requirement to satisfy one of the ‘conditions for processing’ under the Data Protection Act 1998. However, the GDPR places more emphasis on our being accountable for and transparent about our lawful basis for processing.
Our Lawful Basis for ‘processing data’ in general is Legitimate Interest in that as a church we exist for the mutual benefit of those associated with the church in the exercise of our common religious aims and in order to do that there is information about our congregants that we must record and act on. It is recognised that our Legitimate Interest cannot override the Legitimate Interest of those that we hold and process information about, in particular those that are vulnerable such as children.
Legitimate Interest - Article 6(1)(f) gives a lawful basis for processing where:
“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
Our Lawful Basis for ‘processing data’ for others who we from time to time have dealings with (e.g. businesses that provide services to us or, very occasionally, where we or members of the church acting in an official capacity provide a service, such as a minister conducting a funeral) is Contract, in that for a service to be provided there has to be an agreement (Contract) on the terms of that service provision, even if that agreement is only verbal.
Contract - Article 6(1)(b) gives a lawful basis for processing where:
“processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”
For those activities of the church that involve interaction with government bodies or where we are seeking to comply with legal responsibilities our reason for collecting and holding such data falls into the category of Legal Obligation as a Lawful Basis in that we are legally obliged to collect and hold that data for purposes such as safeguarding and financial accounting.
Article 6(1)(c) provides a lawful basis for processing where:
“processing is necessary for compliance with a legal obligation to which the controller is subject.”
Data Retention – To fulfil our responsibilities under these Lawful Bases we will need to retain data for a sufficient length of time that those responsibilities may be met. All data that we hold will be kept for an appropriate time for the purposes of protecting the legitimate interests of the church and its members. This will be governed either by legislation or good practice e.g. financial records will be kept for six years, safeguarding data may be kept indefinitely.
Appendix B - Access
https://ico.org.uk/for-the-public/personal-information/
Write to the organisation
When requesting your personal information from an organisation, you should include the following information:
- your full name, address and contact telephone number;
- any information used by the organisation to identify or distinguish you from others of the same name (account numbers, unique ID's etc);
- details of the specific information you require and any relevant dates, for example:
  - your personnel file;
  - emails between ‘A’ and ‘B’ (between 1/6/11 and 1/9/11);
  - your medical records (between 2006 & 2009) held by Dr ‘C’ at ‘D’ hospital;
  - CCTV camera situated at (‘E’ location) on 23/5/12 between 11am and 5pm;
  - copies of statements (between 2006 & 2009) held in account number xxxxx.
It may also be helpful to include:
- a reference to the 40-day deadline that applies when dealing with requests to provide personal information;
- a reference to the Data Protection Act 1998 and subject access requests; and
- reference to the assistance that the Information Commissioner’s Office can provide.
How should an organisation respond to my request?
The organisation has to reply within 40 days, starting from the day they receive both the fee and the information they need to identify you and the information you need. A credit reference agency must reply within seven days to a request for a credit file.
If an organisation reasonably needs more information to help them find your information or identify you, they have to ask you for the information they need. They can then wait until they have all the necessary information as well as the fee before dealing with your request.
The organisation should give you the information in writing but they need not do this if it is not possible, if it takes ‘disproportionate effort’ or if you agree to some other form, such as seeing it on screen. The Act does not define what disproportionate effort means but we think the following should be taken into account:
- the cost of giving you the information;
- the length of time it will take;
- how difficult it will be;
- the size of the organisation; and
- the effect on you of not having the information in permanent form.
- a copy of the information in permanent form;
- an explanation of any technical or complicated terms;
- any information the organisation has about where they got your information from;
- a description of the information, the purposes for processing the information and who the organisation is sharing the information with; and
- the logic involved in any automated decisions (if you have specifically asked for this).
The Act covers personal information that:
- is held, or going to be held on computer;
- is in, or going to be in, a manual filing system that is highly structured so that information about you can be easily retrieved;
- is in most health, educational, social service or housing records; or
- is other information held by a public authority.
Appendix C - Erasure
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/
When does the right to erasure apply?
The right to erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing in specific circumstances:
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
- When the individual withdraws consent.
- When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
- The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR).
- The personal data has to be erased in order to comply with a legal obligation.
- The personal data is processed in relation to the offer of information society services to a child.
There are some specific circumstances where the right to erasure does not apply and you can refuse to deal with a request.
When can the organisation refuse to comply with a request for erasure?
The organisation can refuse to comply with a request for erasure where the personal data is processed for the following reasons:
- to exercise the right of freedom of expression and information;
- to comply with a legal obligation for the performance of a public interest task or exercise of official authority;
- for public health purposes in the public interest;
- archiving purposes in the public interest, scientific research, historical research or statistical purposes; or
- the exercise or defence of legal claims.
Appendix D – Sensitive Data
GDPR - Article 9(2)(d)
(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;