Policy
Our privacy notice aims to tell you how the PCC of Kings Worthy use and disclose personal data. It also explains the rights available to you in respect of our processing. The use and disclosure of your personal information is governed in the United Kingdom by the General Data Protection Regulation, and the UK Data Protection Act. Revd Paul Bradish and the PCC are defined as the ‘Data Controllers’ for the purposes of the legislation and are required to ensure The Parish of St Mary’s handles all personal information in accordance with that legislation.
The PCC recognises and is committed to its responsibilities under the General Data Protection Regulation (GDPR) in relation to its handling of personal data. “Personal data” is information relating to a living individual who can be identified from that information. The PCC may collect, store and process personal data about congregation members, electoral roll members, and other users of the church (“data subjects”) in order to carry out the duties and functions of the church and for making contact with those persons in relation to church and parish matters.
Under the GDPR anyone handling personal data must comply with the following eight principles of good practice by ensuring that data is:
– Processed fairly and lawfully;
– Processed for limited purposes and in an appropriate way;
– Adequate, relevant and not excessive for the purpose for which it is used;
– Accurate and not kept longer than necessary;
– Processed in line with data subject’s rights;
– Stored safely and securely; and
– Not transferred to people or organisations situated in countries without adequate protection.
Status of Policy
The PCC has approved this policy and is responsible for ensuring it is kept up to date. It sets out the rules on data protection which must be complied with by PCC members, parish officers and employees and parish volunteers (“data users”) when they obtain, handle, process, transfer and store personal data during the course of carrying out church and parish business.
Any person who feels that this policy has not been adhered to – whether in respect of their own personal data, or in respect of a third party’s – should raise this with the Data Protection Officer.
Responsibilities
The Rector and the PCC are the Data Controller under the GDPR, and are responsible for the implementation of the Regulation and for ensuring compliance by data users.
The PCC has appointed a Data Protection Officer (the Office Administrator) to handle day to day queries which may arise, and to provide data users with guidance on data protection issues to ensure they are aware of their obligations.
All data users are responsible for ensuring that they understand and comply with this policy. Any personal data handled or stored by them in the course of carrying out church and parish business must be handled or stored in accordance with this policy and the principles of good practice set out in the GDPR. If a data user is unsure of his/her obligations or has any queries at any time it is his/her responsibility to seek further advice from the Data Protection Officer.
Collection of Data
Data users must:
Only collect personal data to the extent that it is required for the specific purpose notified to the data subject.
Seek the data subject’s consent to the processing of their data. This means that persons providing personal data must be clearly informed about:
– The purpose or purposes for which we intend to process their personal data;
– The types of third parties (if any) with which we may share or to whom we will disclose that personal data; and
– The means, if any, with which data subjects can limit our use and disclosure of their personal data (i.e., provision of an opt-out).
Not use data for direct marketing purposes without the express consent of the data subject and the PCC.
Not collect or process “sensitive” personal data unless this is absolutely necessary and the express written consent of the data subject has been obtained. (Sensitive personal data includes information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, health, sexual life, and criminal offences).
Data Security
All data users are responsible for ensuring that personal data is held securely and is not disclosed or transferred to any unauthorised third parties. This applies to electronic and paper records. Any unauthorised disclosure or processing will be treated as a breach of this policy and dealt with appropriately. Additional care and security measures should be taken in respect of data which is “sensitive” personal data.
Data users will be updated about specific security measures that are required by the Data Protection Officer and these may include:
– Keeping desks and cupboards containing confidential information securely locked.
– Shredding paper documents that are no longer required.
– Ensuring that screens/monitors/papers do not show confidential information to passers-by and logging off from a PC when it is left unattended.
– Storing data on a central computer system.
– Password protecting as appropriate.
Data Retention
Data users must ensure that all personal data is accurate and up to date by checking the accuracy of any personal data at regular intervals. The Church Office should be immediately informed of any changes to information previously provided.
Reasonable steps should be taken to destroy or erase from our systems all data which is no longer required. The Church Office will retain some items of information for longer than others but only as long as deemed necessary taking into account guidance from the Information Commissioner and House of Bishops.
Safeguarding
In safeguarding cases, different rules on the treatment and disclosure of personal data may apply (for example to prevent the risk of harm to a child or vulnerable adult or where a criminal investigation is ongoing). Advice should be sought from the Diocesan Safeguarding Adviser and/or the Diocesan Registry without delay in circumstances where personal data relating to a safeguarding concern needs to be processed/shared.
The Right to Access To Information
The GDPR provides an individual with the right to access personal data relating to him/her which is held by the PCC/Church Office. This applies to data held electronically and also manual records that are in a relevant filing system. Any individual who wishes to exercise this right should make the request in writing to the Data Protection Officer, who shall then be responsible for managing and responding to this request in accordance with relevant guidance from the Information Commissioner.
If a ‘Subject Access Request’ is made it will be dealt with in accordance with GDPR provisions, following advice and guidance from the Diocese and within the guidance provided by the Information Commissioner’s Office.
Certain information (for example confidential information relating to a third party) will not be disclosed without obtaining the third party’s consent to disclose the information.
Revd Paul Bradish
Rector, St Mary’s Church, Kings Worthy & Chair of the Parochial Church Council
This Policy was approved by the PCC on 21 October 2024 and will be reviewed on a regular basis.