Privacy policy
PERRY BAPTIST CHURCH
East Perry
Perry
Cambridgeshire
PE28 0BT
Proposed: 4th July 2018
Approved and Adopted: 10th October 2018
PERRY BAPTIST CHURCH is committed to protecting all information that we handle about people we
support and work with, and to respecting people’s rights around how their information is handled.
This policy explains our responsibilities and how we will meet them.
CONTENTS
Section A – What this policy is for
1 Policy Statement ……………………………………………………………………… 2
2. Why this policy is important ……………………………………………………… 2
3. How this policy applies to you & what you need to know …………….. 2
4. Guidance ………………………………………………………………………………… 3
Section B – Our data protection responsibilities …………………………………….. 3
5. What personal information do we process? ……………………………….. 3
6. Making sure processing is fair and lawful …………………………………… 3
7. When we need consent to process data …………………………………….. 4
8. Processing for specified purposes ……………………………………………… 4
9. Data will be adequate, relevant and not excessive ………………………. 4
10. Accurate data ………………………………………………………………………….. 5
11. Keeping data and destroying it ………………………………………………….. 5
12. Security of personal data ………………………………………………………….. 5
13. Keeping records of our data processing ……………………………………… 5
Section C – Working with people we process data about (data subjects) ….. 5
14. Data subjects’ rights ………………………………………………………………… 5
15. Direct marketing ……………………………………………………………………… 6
Section D – working with other organisations & transferring data …………… 6
16. Sharing information with other organisations …………………………….. 6
Section E – Managing change & risks ……………………………………………………. 6
17. Data protection impact assessments …………………………………………. 6
18. Dealing with data protection breaches ………………………………………. 6
Section A – What this policy is for
1. Policy statement
1.1 PERRY BAPTIST CHURCH is committed to protecting personal data and respecting the
rights of the people whose personal data we collect and use. We value the personal
information entrusted to us and we respect that trust, by complying with all relevant laws,
and adopting good practice.
We process personal data to help us:
(a) maintain our list of church members and regular attenders;
(b) provide pastoral and prayer support for members and others connected with our church;
(c) provide services to the community
(d) safeguard children, young people and adults at risk;
(e) recruit, support and manage staff and volunteers;
(f) maintain our accounts and records;
(g) promote our services;
(h) respond effectively to enquirers and handle any complaints
(i) update the Church website, including photographs
1.2 This policy has been approved by the Church’s Leadership who are responsible for
ensuring that we comply with all our legal obligations. It sets out the legal rules that apply
whenever we obtain, store or use personal data. This Policy was presented to the Church
Meeting on 4th July 2018 for approval by the Church Members at the next meeting.
2. Why this policy is important
2.1 We are committed to protecting personal data from being misused, getting into the
wrong hands as a result of poor security or being shared carelessly, or being inaccurate,
as we are aware that people can be upset or harmed if any of these things happen.
2.2 This policy sets out the measures we are committed to taking as a church and, what each
of us will do to ensure we comply with the relevant legislation.
2.3 In particular, we will make sure that all personal data is:
(a) processed lawfully, fairly and in a transparent manner;
(b) processed for specified, explicit and legitimate purposes and not in a manner that is
incompatible with those purposes;
(c) adequate, relevant and limited to what is necessary for the purposes for which it is
being processed;
(d) accurate and, where necessary, up to date;
(e) not kept longer than necessary for the purposes for which it is being processed;
(f) processed in a secure manner, by using appropriate technical and organisational means;
(g) processed in keeping with the rights of data subjects regarding their personal data.
3. How this policy applies to you & what you need to know
3.1 All those processing personal information on behalf of the church, are required to comply
with this policy. If you think that you have accidentally breached the policy it is important
that you contact one of the Church Leadership immediately so that we can take swift
action to try and limit the impact of the breach.
Anyone who breaches the Data Protection Policy may be subject to disciplinary action,
and where that individual has breached the policy intentionally, recklessly, or for personal
benefit they may also be liable to regulatory action.
3.2 The Church Leadership are required to make sure that any procedures that involve
personal data follow the rules set out in this Data Protection Policy.
3.3 The Church Leadership will handle all personal information in line with this policy.
3.4 Any questions about this policy or any concerns that the policy has not been followed
should be referred to the Church Leadership
3.5 Before you collect or handle any personal data as part of your involvement within PERRY
BAPTIST CHURCH, it is important that you take the time to read this policy carefully and
understand what is required of you, as well as the Church’s responsibilities when we
process data.
3.6 Our procedures will be in line with the requirements of this policy, but if you are unsure
about whether anything you plan to do, or are currently doing, might breach this policy
you must first speak to the Church Leadership.
4. Guidance
The Church Leadership may issue updated procedures, guidance or instructions from time to
time.
Section B – Our data protection responsibilities
5. What personal information do we process?
5.1 In the course of the Church work, we may collect and process personal information about
many different people. This includes data we receive straight from them or from other
sources
5.2 The Church Leadership will process personal data in both electronic and paper form and
all this data is protected under data protection law. The personal data we process can
include information such as names, contact details, birthdays and visual images of people.
5.3 The Church Leadership will not hold information relating to criminal proceedings or
offences or allegations of offences unless there is a clear lawful basis to process this data
such as where it fulfils one of the substantial public interest conditions in relation to the
safeguarding of children and of individuals at risk or one of the additional conditions
relating to criminal convictions set out in either Part 2 or Part 3 of Schedule 1 of the Data
Protection Act 2018. This processing will only ever be carried out on the advice of the
Ministries Team of the Baptist Union of Great Britain or our Regional Association
Safeguarding contact person.
5.4 Other data may also be considered ‘sensitive’ such as bank details, but will not be subject
to the same legal protection as the types of data listed above.
6. Making sure processing is fair and lawful
Processing of personal data will only be fair and lawful when the purpose for the processing
meets a legal basis, as listed below, and when the processing is transparent. This means we will
provide people with an explanation of how and why we process their personal data at the point
we collect data from them, as well as when we collect data about them from other sources.
How can we legally use personal data?
6.1 Processing of personal data is only lawful if at least one of these legal conditions, as listed
in Article 6 of the GDPR, is met:
(a) the processing is necessary for us to comply with a legal obligation;
(b) the processing is necessary to protect someone’s life (this is called “vital interests”);
(c) the processing is necessary for us to perform a task in the public interest, and the task
has a clear basis in law;
(d) the processing is necessary for legitimate interests pursued by PERRY BAPTIST
CHURCH unless these are overridden by the interests, rights and freedoms of the
person.
(e) If none of the other legal conditions apply, the processing will only be lawful if the
person has given their clear consent.
How can we legally use ‘special categories’ of data?
6.2 Processing of ‘special categories’ of personal data is only lawful when, in addition to the
conditions above, one of the extra conditions, as listed in Article 9 of the GDPR, is met.
These conditions include where:
(a) the processing is necessary for safeguarding the vital interests (in emergency, life or
death situations) of an individual and the person is incapable of giving consent;
(b) the processing is carried out in the course of our legitimate activities and only relates
to our members or persons we are in regular contact with in connection with our purposes;
(c) the processing is necessary for pursuing legal claims.
(d) If none of the other legal conditions apply, the processing will only be lawful if the
data subject has given their explicit consent.
6.3 Before deciding which condition should be relied upon, we may refer to the original text
of the GDPR as well as any relevant guidance, and seek legal advice as required.
What must we tell individuals before we use their data?
6.4 If personal data is collected directly from the individual or from another source, the
Church Leadership will inform them of their reasons for acquiring the data and processing
it. This task will be completed through the Data Protection Form
6.5 If we plan to pass the data onto someone else outside of PERRY BAPTIST CHURCH, we will
ask the person for permission prior to this information being passed on.
7. When we need consent to process data
7.1 Where none of the other legal conditions apply to the processing, and we are required to
get consent from the person, the Church Leadership will clearly set out what we are asking
consent for, including why we are collecting the data and how we plan to use it. Consent
will be specific to each process we are requesting consent for and we will only ask for
consent when the data subject has a real choice whether or not to provide us with their
data.
7.2 Consent can however be withdrawn at any time and if withdrawn, the processing will
stop. People will be informed of their right to withdraw consent and it will be as easy to
withdraw consent as it is to give consent.
8. Processing for specified purposes
8.1 The Church Leadership will only process personal data for the specific purposes explained
in section 6 or for other purposes specifically permitted by law. We will explain those
other purposes to those affected, unless there are lawful reasons for not doing so.
9. Data will be adequate, relevant and not excessive
The Church Leadership will only collect and use personal data that is needed for the specific
purposes described above. We will not collect more than is needed to achieve those purposes.
We will not collect any personal data “just in case” we want to process it later.
10. Accurate data
The Church Leadership will make sure that personal data held is accurate and, where
appropriate, kept up to date. The accuracy of personal data will be checked at the point of
collection and at appropriate points later on.
11. Keeping data and destroying it
The Church Leadership will not keep personal data longer than is necessary for the purposes
that it was collected for. We will comply with official guidance issued to the Church about
retention periods for specific records.
12. Security of personal data
12.1 We will use appropriate measures to keep personal data secure at all points of the
processing. Keeping data secure includes protecting it from unauthorised or unlawful
processing, or from accidental loss, destruction or damage.
12.2 We will implement security measures which provide a level of security which is
appropriate to the risks involved in the processing.
Measures will include technical and organisational security measures (ie password protected
documents). In assessing what measures are the most appropriate we have taken into account
the following:
(a) the quality of the security measure;
(b) the costs of implementation;
(c) the nature, scope, context and purpose of processing;
(d) the risk (of varying likelihood and severity) to the rights and freedoms of data subjects;
(e) the risk which could result from a data breach.
(f) measures to restrict or minimise access to data;
(g) measures to ensure our systems and data remain available, or can be easily restored in
the case of an incident;
(h) physical security of information and of our premises;
(i) regular testing and evaluating of the effectiveness of security measures (eg regular
change of security passwords)
13. Keeping records of our data processing
To show how we comply with the law we will keep clear records of our processing activities and
of the decisions we make concerning personal data (setting out our reasons for those decisions).
Section C – Working with people we process data about (data subjects)
14. Data subjects’ rights
14.1 The Church Leadership will process personal data in line with data subjects’ rights,
including their right to:
(a) request access to any of their personal data held by us (known as a Subject Access
Request);
(b) ask to have inaccurate personal data changed;
(c) restrict processing, in certain circumstances;
(d) object to processing, in certain circumstances, including preventing the use of their
data for direct marketing;
(e) not be subject to automated decisions, in certain circumstances; and
(f) withdraw consent when we are relying on consent to process their data.
6
14.2 If a church member receives any request from a person that relates or could relate to
their data protection rights, this will be forwarded to the Leadership immediately.
14.3 The Church Leadership will act on all valid requests as soon as possible, and at the latest
within one calendar month, unless we have reason to, and can lawfully extend the
timescale.
15. Direct marketing
15.1 We will comply with the rules set out in the GDPR, the Privacy and Electronic
Communications Regulations (PECR) and any laws which may amend or replace the
regulations around direct marketing (eg coffee mornings etc).
15.2 Any direct marketing material that we send will identify PERRY BAPTIST CHURCH as the
sender. If a data subject exercises their right to object to direct marketing we will stop
the direct marketing as soon as possible.
Section D – working with other organisations & transferring data
16. Sharing information with other organisations
16.1 We will only share personal data with other organisations or people when we have a legal
basis to do so and if we have informed the data subject about the possibility of the data
being shared (in a privacy notice), unless legal exemptions apply to informing data
subjects about the sharing. Only Church Leadership are allowed to share personal data.
16.2 The Church Leadership will keep records of information shared with a third party, which
will include recording any exemptions which have been applied, and why they have been
applied. We will follow the ICO’s statutory Data Sharing Code of Practice (or any
replacement code of practice) when sharing personal data with other data controllers.
Legal advice will be sought as required.
Section E – Managing change & risks
17. Data protection impact assessments
When the Church Leadership are planning to carry out any data processing which is likely to
result in a high risk we will carry out a Data Protection Impact Assessment (DPIA). These include
situations when we process data relating to vulnerable people, trawling of data from public
profiles, using new technology. Any decision not to conduct a DPIA will be recorded.
18. Dealing with data protection breaches
18.1 Where church persons think that this policy has not been followed, or data might have
been breached or lost, this will be reported immediately to the Church Leadership
18.2 The Church Leadership will keep records of personal data breaches, even if we do not
report them to the ICO.
18.3 In situations where a personal data breach causes a high risk to any person, the Church
Leadership will inform data subjects whose information is affected, without undue delay.
This can include situations where, for example, bank account details are lost or an email
containing sensitive information is sent to the wrong recipient. Informing data subjects
can enable them to take steps to protect themselves and/or to exercise their rights.
19. Change of Leadership
All personal data and information relating to the church and congregation will be destroyed and
deleted from electronic devices held by the person(s) leaving the leadership