Chase Cross Baptist Church
GDPR Data Policy – 30th January 2019
(For review at January Church Meeting 2020)
Section A – What this policy is for
1. Policy Statement
Chase Cross Baptist Church is committed to protecting Personal Data and respecting the rights of the people whose personal data we collect and use.
Chase Cross Baptist Church is the controller of personal data collected through Church attendance & events.
As an organisation we are committed to ensuring that all personal data is:
- Processed lawfully, fairly and in a transparent manner
- Processed for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary for the purposes for which it is being processed
- Accurate and up to date
- Not retained for longer than is necessary for the purposes for which it is being processed
- Processed in a secure manner
- Processed in keeping with the rights of all people regarding their personal data
2. How this Policy is applied
All employees, trustees and volunteers that process personal information on behalf of the church are required to comply with our policy. Any breaches or suspected breaches of policy must be reported to Chase Cross Baptist Church Data Controllers immediately for action to be taken to minimise the impact of the breach.
Anyone who breaches the Data Protection Policy may be subject to disciplinary action and where the individual has breached the policy intentionally, recklessly or for personal benefit they may be liable to prosecution or to regulatory action.
Chase Cross Baptist Church is responsible for ensuring that any procedures that involve personal data follow the rules that are set out in this policy.
For you, as the data subjects of Chase Cross Baptist Church, we will ensure that all of your personal information is processed in line with our policy.
Our Data Controllers are responsible for advising Chase Cross Baptist Church, its staff and members about their legal obligations under data protection law, monitoring compliance with data protection law and dealing with data security breaches.
3. Training and Guidance
We will provide general training annually for all persons processing data for Chase Cross Baptist Church to raise awareness of their obligations and responsibilities and to provide an outline of Data Protection Law.
Where appropriate we will issue procedures, guidance and instructions with reference to the processing of personal data and Data Protection Law.
Section B – Our Data Protection Responsibilities
4. What data do we process?
Chase Cross Baptist Church processes the following Personal Data:
- Name & Address Details
- Personal Contact Details
- Names of Family Members
- Bank Details & Taxation Status relating to Gift Aid on monetary offerings
- Extended Personal Information to allow us to safely run events
- Next of Kin
- Emergency Contact Details
- Church Meeting Minutes
- Marriage Records
Personal Data is processed both electronically and in paper format.
5. What we use your data for
Chase Cross Baptist Church uses your data:
- To administer membership records;
- To fundraise and promote the interests of Chase Cross Baptist Church;
- To manage our employees and volunteers;
- To maintain our own accounts and records (including the processing of gift aid applications);
- To inform you of news, events, activities and services running at Chase Cross Baptist Church;
- To create the Church Directory, including the contact information which you have specified may be included. (A copy of the directory is given to all who attend the church.)
- To retain a Register of Marriages.
6. Who we may share your data with
We may share your data with other organisations or Church Organisations. The people that we may share your data with are:
- Chase Cross Baptist Church attendees through the Church Directory.
- HMRC for the purpose of claiming gift aid on Monetary Offerings to Chase Cross Baptist Church
- Disclosure Barring Service for employees & volunteers
- The Baptist Union of Great Britain for matters of church governance
- Any other organisations we need to share your information with will be discussed and confirmed with you as appropriate.
7. Legal Basis for Data Processing and Use
Under GDPR the legal basis that we process information under is:
- Necessary for a Contract with the person: for personal contact information used for pastoral care duties and the arranging of marriages, funerals, dedications and baptisms.
- Necessary for us to comply with a legal obligation: for personal information recorded in Marriage Registration books, information obtained for Safeguarding Disclosure Checks and information kept as part of our employee or volunteer records.
- Necessary for legitimate interests pursued by Chase Cross Baptist Church: for minutes of Church meetings, the holding of financial data relating to monetary offerings and the Gift Aid claims from HMRC.
- By Consent of the Data Subject: for personal information gathered for church directory inclusion, notification of church events and prayer circulars.
8. Personal Data obtained by Consent
Consent is required for the processing of personal data when no other legal condition applies. Our Consent statement will clearly outline what data we are asking for and why. In accordance with Chase Cross Baptist Church policy, personal data is voluntarily provided and does not have to be given.
Consent can be withdrawn at any time. To withdraw consent, contact the Chase Cross Baptist Church Data Controllers by emailing email@example.com
9. Processing for Specified Purposes
We will only process personal data for the specified purposes explained in our privacy notices or in this policy or for other purposes specifically permitted by law.
10. Data will be adequate, relevant and not excessive
We will only collect and use personal data that is needed for the specific purposes described in this policy and our privacy notices. We will not collect more than is required to achieve those purposes.
11. Data for Marketing or Promotion Purposes
We do not use your personal data for marketing or promoting Chase Cross Baptist Church.
We may take photographs at Chase Cross Baptist Church events and use them in our buildings, newsletters and website. Photographs are only taken and used with the consent of the individual or with signed consent from the main carer/guardian if the subject is under 18 or a Vulnerable Adult.
12. Data Accuracy
We will make sure that personal data held is accurate and, where appropriate, kept up to date. The accuracy of personal data is checked at point of collection and at appropriate points in the future and will be audited on an annual basis.
13. Retention of Data
We will not keep personal data longer than is necessary for the purposes that it was collected for.
- Personal data given by consent will be kept for up to 10 years unless consent is withdrawn.
- Financial data will be kept for 10 years.
- Parental or main carer consent for a person under 16 and safeguarding records will be retained for 10 years in paper form and then stored digitally for safeguarding purposes. However, a new consent form is required to be completed and signed by the child once they reach 16 years of age.
- Minutes of church meetings and deacons meetings are kept for historical and charity purposes with no time limit.
- Marriage records are held by the church until the registration book is full and are then passed on to the registration office.
14. Security of Personal Data
Personal Data cannot be transferred or stored outside of the European Union. This includes Cloud storage, where the servers must be located within the EU. We will ensure that all personal data held electronically is kept in a secure, password-protected location at all points of the processing. Only those Chase Cross Baptist Church persons with legitimate reasons to access the data held electronically will be able to access it:
- Chase Cross Baptist Church Pastor
- Chase Cross Baptist Church Deacons
- Chase Cross Baptist Church Data Controllers (the Deacons)
- Chase Cross Baptist Church Child Protection Officer
Passwords for electronic storage locations will be changed regularly. Passwords are automatically changed when any of the above personnel is changed.
Section C – Rights of Data Subjects
15. Subject Access Requests
You can make a request to see all the personal information that Chase Cross Baptist Church holds for you by emailing firstname.lastname@example.org
We will respond to all Subject Access Requests within 1 month of receipt of request.
16. Personal Data Amendment
The individual has the right to have their personal data amended by contacting the Chase Cross Baptist Church Data Controllers by emailing email@example.com
17. Restriction of Processing
Chase Cross Baptist Church will always ask you to specify how we can use your data. This is included in our Consent forms.
18. Withdrawal of Consent
You can withdraw your consent for your personal data to be processed at any time by contacting the Data Controllers by emailing firstname.lastname@example.org
Section E – Managing Change & Risks
19. Data Protection Impact Assessments
We will carry out a Data Protection Impact Assessment if we plan to carry out any data processing that is high risk. This includes when we may be processing information relating to vulnerable people, using new technology or changing where information is stored.
20. Data Protection Breaches
Where staff or volunteers think that the policy has not been followed or data might have been breached or lost, this will be reported immediately to the Data Controllers.
We will keep records of personal data breaches.