Privacy Policy
DATA PROTECTION POLICY
“Data Protection Legislation” means the Data Protection Act 1998, the Privacy and Electronic Communications Regulations (EC Directive) Regulations 2003 (SI 2426/2003 as amended), and all applicable laws and regulations, including any replacement UK or EU data protection legislation relating to the Processing of Personal Data, including, where applicable, the guidance and codes of practice issued by the Information Commissioner’s Office.
To provide an interactive website where email is used to communicate with the users.
The Data Protection Legislation (“the Legislation”) is concerned with the protection of human rights in relation to personal data. The aim of the Legislation is to ensure that personal data is used fairly and lawfully and that where necessary the privacy of individuals is respected. During the course of the activities of Binscombe Church (“the Church”), the Church Trustees (“we”) will collect, store and process personal data about our members, people who attend our services and activities, suppliers and other third parties and we recognise that the correct and lawful treatment of this data will maintain confidence in the Church. This policy sets out the basis on which we will process any personal data we collect from data subjects, or that is provided to us by data subjects or other sources.
The Data Protection Compliance Manager is responsible for ensuring compliance with the Legislation and with this policy. The post is held by Peter Davis.
Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to the Data Protection Compliance Manager.
Processing personal data
All personal data should be processed in accordance with the Legislation and this policy. Any breach of this policy may result in disciplinary action.
Processing includes obtaining, holding, maintaining, storing, erasing, blocking and destroying data.
Personal data is data relating to a living individual. It includes employee data. It will not include data relating to a company or organisation, although any data relating to individuals within companies or organisations may be covered. Personal data can be factual (for example a name, address or date of birth) or it can be an opinion about that person, their actions and behaviour.
Examples of personal data are employee details, including employment records, names and addresses and other information relating to individuals, including supplier details, any third party data and any recorded information including any recorded telephone conversations, emails or CCTV images.
Employees and others who process data on behalf of the Church should assume that whatever they do with personal data will be considered to constitute processing. Individuals should only process data:
• If they have consent to do so; or
• If it is necessary to fulfil a contractual obligation or as part of the employer/employee relationship; for example, processing the payroll.
If neither of these conditions is satisfied, individuals should contact the Data Protection Compliance Manager before processing personal data.
Compliance with the Legislation
Employees and others who process data on our behalf have a responsibility for processing personal data in accordance with the Legislation. Anyone who has responsibility for processing personal data must ensure that they comply with the data protection principles in the Legislation. These state that personal data must:
• be obtained and used fairly and lawfully
• be obtained for specified lawful purposes and used only for those purposes
• be adequate, relevant and not excessive for those purposes
• be accurate and kept up to date
• not be kept for any longer than required for those purposes
• be used in a way which complies with the individual’s rights (this includes rights to prevent the use of personal data which will cause them damage or distress, to prevent use of personal data for direct marketing, and to have inaccurate information deleted or corrected)
• be protected by appropriate technical or organisational measures against unauthorised access, processing or accidental loss or destruction
• not be transferred outside the European Economic Area unless with the consent of the data subject or where the country is determined to have adequate systems in place to protect personal data.
Monitoring the use of personal data
We are committed to ensuring that this data protection policy is put into practice and that appropriate working practices are being followed. To this end, the following steps will be taken:
• any employees who deal with personal data are expected to be aware of data protection issues and to work towards continuous improvement of the proper processing of personal data;
• employees who handle personal data on a regular basis or who process sensitive or other confidential personal data will be more closely monitored;
• all employees must evaluate whether the personal data they hold is being processed in accordance with this policy. Particular care should be taken to ensure that inaccurate, excessive or out of date data is disposed of in accordance with this policy;
• spot checks may be carried out;
• data breaches will be recorded and investigated to see what improvements can be made to prevent recurrences.
Handling personal data and data security
We will take appropriate technical and organisational steps to guard against unauthorised or unlawful processing. Manual records relating to church members or staff will be kept secure in locked cabinets. Access to such records will be restricted. Computer files should be password protected.
We will ensure that staff and members who handle personal data are adequately trained and monitored.
We will ensure that passwords and physical security measures are in place to guard against unauthorised disclosure.
We will take particular care of sensitive data and security measures will reflect the importance of keeping sensitive data secure (definition of sensitive data is set out below).
Where personal data needs to be deleted or destroyed adequate measures will be taken to ensure data is properly and securely disposed of. This will include destruction of files and backup files and physical destruction of manual files. Particular care should be taken over the destruction of manual sensitive data (written records) including shredding or disposing via specialist contractors.
All data will be stored in a secure location and precautions will be taken to avoid data being accidentally disclosed. Any agent employed to process data on our behalf will be bound to comply with this data protection policy by a written contract. Personal data stored on a laptop should be password protected.
The rights of individuals
The Legislation gives individuals certain rights to know what data is held about them and what it is used for. In principle, everyone has the right to see copies of all personal data held about them. There is also a right to have any inaccuracies in data corrected or erased. Data subjects also have the right to prevent the processing of their data for direct marketing purposes.
Any request for access to data under the Legislation should be made to Peter Davis in writing. In accordance with the Legislation we will ensure that written requests for access to personal data are complied with within 30 days of receipt of a valid request.
When a written data subject access request is received, the data subject will be given a description of a) the personal data, b) the purposes for which it is being processed, and c) those people and organisations to whom the data may be disclosed, and d) will be provided with a copy of the information in an intelligible form.
Sensitive data
We will strive to ensure that sensitive data is accurately identified on collection so that proper safeguards can be put in place. Sensitive data means data consisting of information relating to an individual’s
• Racial or ethnic origin
• Political opinions
• Religious beliefs
• Trade union membership
• Physical or mental health
• Sexual life
• Criminal offences
Sickness records are likely to include sensitive data and as such should only be held if the explicit consent of each employee is obtained or if one of the other conditions for processing sensitive data is satisfied.
Changes to this policy
We reserve the right to change this policy at any time. Where appropriate we will notify data subjects of those changes by mail or email.
Policy adopted on 20th May 2018
INFORMATION SECURITY POLICY
Information security involves preserving confidentiality, preventing unauthorised access and disclosure, maintaining the integrity of information, safeguarding accuracy and ensuring access to information when required by authorised users.
In addition to complying with this policy, all users must comply with the Data Protection Legislation and the Data Protection Policy.
‘Church data’ means any personal data processed by or on behalf of the church.
Information security is the responsibility of every member of staff, church member and volunteer using Church data on, but not limited to, the Church information systems. This policy is the responsibility of Peter Davis, who will undertake supervision of the policy. Our IT systems may only be used for authorised purposes. We will monitor the use of our systems from time to time. Any person using the IT systems for unauthorised purposes may be subject to disciplinary and/or legal proceedings.
We will ensure information security by:
• Ensuring appropriate software security measures are implemented and kept up to date;
• Making sure that only those who need access have that access;
• Not storing information where it can be accidentally exposed or lost;
• Making sure that if information has to be transported it is done so safely using encrypted devices or services.
Access to systems on which information is stored must be password protected. Passwords must not be disclosed to others. If you have a suspicion that your password has been compromised you must change it.
You must ensure that any personally owned equipment which has been used to store or process Church data is disposed of securely. Software on personally owned devices must be kept up to date. Do not use unsecured wifi to process Church data.
All breaches of this policy must be reported to Peter Davis.
This policy will be regularly reviewed and audited.
Policy adopted on 20th May 2018
RETENTION POLICY
Storage of Data and Records Statement
• All data and records will be stored in accordance with the security requirements of the Data Protection Legislation and in the most convenient and appropriate location having regard to the period of retention required and the frequency with which access will be made to the record.
• Data and records which are active should be stored in the most appropriate place for their purpose commensurate with security requirements.
• Data and records which are no longer active, due to their age or subject, should be stored in the most appropriate place for their purpose.
• The degree of security required for file storage will reflect the sensitivity and confidential nature of any material recorded.
• Any data file or record which contains personal data of any form can be considered as confidential in nature.
• Data and records should not be kept for longer than is necessary. This principle finds statutory form in the Data Protection Legislation, which requires that personal data processed for any purpose "shall not be kept for longer than is necessary for that purpose". All groups are required to have regard to the Guidelines for Retention of Personal Data attached hereto.
• Any data that is to be disposed of must be safely disposed of, for example by shredding. Any group which does not have access to a shredder should pass material to Anna Rossiter, who will undertake secure shredding.
• Special care must be given to disposing of data stored in electronic media. Guidance will be given by the Church Leadership team to any group which has stored personal data relating to its members on, for example, personal computers which are to be disposed of.
Policy adopted on 20th May 2018