Reference documents - Data Protection
Westhill Community Church SCIO Data Protection Policy
(version 1, 6 February 2023)
Introduction
Westhill Community Church (hereby referred to as WCC) is an independent Christian organisation affiliated to the Anglican Convocation in Europe (ACE).
The personal data that WCC processes to provide these services relates to its church members and those otherwise choosing to be connected to the church, employees and suppliers of goods and services to the church.
This policy sets out WCC’s commitment to ensuring that any processing of personal data, including special category personal data, is carried out in compliance with data protection law. WCC ensures that good data protection practice is embedded in the culture of our staff and our organisation.
‘Data Protection Law’ includes the UK General Data Protection Regulation; the UK Data Protection Act 2018; and all relevant UK data protection legislation.
Data Retention Policy
WCC data retention policy provides that, subject to statutory requirements, any personal data will be removed:
• when an employee leaves the employ of WCC;
• if a church member ceases to be a member;
• if those wishing to maintain contact with the church and be entered on the church contact list withdraw their consent.
A positive statement of consent will be required annually during data audit.
Scope
This policy applies to all personal data processed by WCC and is part of WCC’s approach to compliance with data protection law. All WCC staff and volunteers are expected to comply with this policy and failure to comply may lead to disciplinary action for misconduct, including dismissal or removal of SCIO membership.
Data Protection Principles
WCC complies with the data protection principles set out below. When processing personal data, it ensures that:
• it is processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
• it is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’);
• it is all adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (‘data minimisation’);
• it is all accurate and, where necessary, kept up to date and that reasonable steps will be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay (‘accuracy’);
• it is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed (‘storage limitation’);
• it is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
WCC will facilitate any request from a data subject who wishes to exercise their rights under data protection law, as appropriate, always communicating in a concise, transparent, intelligible and easily accessible form and without undue delay.
Process/Procedures/Guidance
WCC will:
• ensure that the legal basis for processing personal data is identified in advance and that all processing complies with the law;
• not do anything with data that the data subject would not expect given the content of this policy and the privacy notice;
• ensure that appropriate privacy notices are in place advising staff and others how and why their data is being processed, and, in particular, advising data subjects of their rights;
• collect and process only the personal data that it needs for purposes it has identified in advance;
• ensure that, as far as possible, the personal data it holds is accurate, or a system is in place for ensuring that it is kept up to date;
• retain personal data only for as long as it is needed, after which time WCC will securely erase or delete the personal data – WCC’s data retention schedule sets out the appropriate period of time;
• have appropriate security measures in place to ensure that personal data can only be accessed by those who need to access it and that it is held and transferred securely.
WCC will ensure that all staff and volunteers who handle personal data on its behalf are aware of their responsibilities under this policy, and other relevant data protection and information security policies, and that they are adequately trained and supervised.
Breaching this policy may result in disciplinary action for misconduct, including dismissal of staff or removal of volunteers from SCIO membership. Obtaining (including accessing) or disclosing personal data in breach of WCC’s data protection policies may also be a criminal offence.
Data Subject Rights
WCC has processes in place to ensure that it can facilitate any request made by an individual to exercise their rights under data protection law. All staff and volunteers receive training and are aware of the rights of data subjects. Staff can identify such a request and know who to send it to.
All requests will be considered without undue delay and within one month of receipt.
Subject access: the right to request information about how personal data is being processed, including whether personal data is being processed and the right to be allowed access to that data and to be provided with a copy of that data along with the right to obtain the following information:
• the purpose of the processing;
• the categories of personal data;
• the recipients to whom data has been disclosed or will be disclosed;
• the retention period;
• the right to lodge a complaint with the Information Commissioner’s Office;
• the source of the information if not collected direct from the subject;
• the existence of any automated decision making.
Rectification: the right to allow a data subject to rectify inaccurate personal data concerning them.
Erasure: the right to have data erased and to have confirmation of erasure, but only where:
• the data is no longer necessary in relation to the purpose for which it was collected, or
• where consent is withdrawn, or
• where there is no legal basis for the processing, or
• there is a legal obligation to delete data.
Restriction of processing: the right to ask for certain processing to be restricted in the following circumstances:
• if the accuracy of the personal data is being contested, or
• if WCC’s processing is unlawful but the data subject does not want it erased, or
• if the data is no longer needed for the purpose of the processing but it is required by the data subject for the establishment, exercise or defence of legal claims, or
• if the data subject has objected to the processing, pending verification of that objection.
Data portability: the right to receive a copy of personal data which has been provided by the data subject and which is processed by automated means in a format which will allow the individual to transfer the data to another data controller. This would only apply if WCC was processing the data using consent or on the basis of a contract.
Object to processing: the right to object to the processing of personal data relying on the legitimate interests processing condition unless WCC can demonstrate compelling legitimate grounds for the processing which override the interests of the data subject or for the establishment, exercise or defence of legal claims.
Special category personal data
This includes the following personal data revealing:
• racial or ethnic origin;
• political opinions;
• religious or philosophical beliefs;
• trade union membership;
• the processing of genetic data or biometric data for the purpose of uniquely identifying a natural person;
• an individual’s health;
• a natural person's sex life or sexual orientation;
• criminal convictions or offences.
WCC processes special category data of employees as is necessary to comply with employment and social security law. This policy sets out the safeguards we believe are appropriate to ensure that we comply with the data protection principles set out above. WCC also has a data retention schedule which sets out how long special category data will be held onto.
Disclosure of Personal Data to Third Parties
WCC may share personal data with third parties set out below:
• ChurchSuite – our online database provider based in the UK;
• Professional advisers based in the UK who provide banking, legal, insurance, auditing or accounting services;
• HM Revenue & Customs, regulators and other authorities based in the UK who require reporting of processing activities in certain circumstances;
• Anglican Convocation in Europe (ACE) in the case of clergy.
ACE retains copies of the rector’s Letters of Orders (Deacon and Presbyter), and a copy of his/her DBS certificate. ACE runs biennial clergy reviews, and there are questionnaires and interviews undertaken as part of this process. Any data held in respect of the WCC rector would also be held in accordance with the ACE data protection policies (https://aceanglicans.org/privacy/).
Responsibility for the Processing of Personal Data
The vestry of WCC takes ultimate responsibility for data protection.
If you have any concerns or wish to exercise any of your rights under the GDPR, then you can contact the data protection lead in the following ways:
Name George Laing, Vestry Secretary
Address Westhill Community Church, Old Skene Road, Westhill, Aberdeenshire, AB32 6AQ
Email [email protected]
Telephone 01224 737380
Monitoring and Review
This policy shall be reviewed annually and was last reviewed on 6 February 2023.
An annual data audit will be undertaken.
Version 1: 6 February 2023
* * * * * * * * * * *
Appendix
Recruitment Privacy Notice
How Westhill Community Church (WCC) protects data it holds, including that gathered for the purpose of recruitment, is set out in the WCC Data Protection Policy.
Any data requested will be used for recruitment purposes only.
The types of information about an applicant held or gathered by WCC will include:
• contact details;
• social and professional profiles;
• education and work experience;
• third party references, where requested.
WCC will not share information gathered for the purposes of recruitment of non-clergy staff beyond the church.
In the case of the rector or other members of clergy, information may be shared with the Bishop of the Anglican Convocation in Europe (ACE). ACE retains the successful candidate’s application form, CV and references. ACE also retains copies of the rector’s Letters of Orders (Deacon and Presbyter), and a copy of his/her DBS certificate. Information retained by ACE would be held in accordance with the ACE data protection policies (https://aceanglicans.org/privacy/).
Where applicants’ data is sourced will be clearly communicated.
Processing of data will be based at WCC, stored securely and accessible only to authorised named individuals.
Westhill Community Church will specify how long it intends to store each applicant’s data.
The WCC Data Controller is:
Name George Laing, Vestry Secretary
Address Westhill Community Church, Old Skene Road, Westhill, Aberdeenshire, AB32 6AQ
Email [email protected]
Telephone 01224 737380