Donacloney Presbyterian Church needs to gather and use certain information about individuals. This may include information about members and adherents, volunteers, individuals contracted to supply services, other suppliers, facilities users, business contacts, and other people with whom Donacloney Presbyterian Church has a relationship or may need to make contact. This policy describes how this personal data must be collected, handled and stored to meet data protection standards and to comply with the law.
Why this policy exists
This data protection policy ensures that Donacloney Presbyterian Church:
- complies with data protection law and follows good practice;
- protects the rights of members and adherents, post-holders, volunteers and other people with whom Donacloney Presbyterian Church has a relationship or may need to make contact;
- is open about how it stores and processes the data of individuals; and
- protects itself from the risks of a data breach
Glossary of Key Terms
- Data Controller
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing the data.
- Data Processing
The operation or set of operations performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Data Processor
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
- Data Protection Lead
The person from time to time who has agreed to:
‣ take responsibility for ensuring that Donacloney Presbyterian Church abides by its data protection policies;
‣ act as a point of contact for anyone with concerns as to how their information is being handled; and
‣ undertake the responsibilities as detailed in this policy.
- Data Subject
An individual who is the subject of personal data, not including deceased individuals or individuals who cannot be identified or distinguished from others (as in statistics, for example).
- Identifiable Natural Person
An individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or by reference to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Personal Data
Any information relating to an identifiable natural person data subject.
- Sensitive Personal Data
Any data relating to: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health conditions, sexual life or sexual orientation, genetic data and/or biometric data.
A mathematical function that uses a secret value (the key) to encode data so that only users with access to that key can read the information. In many cases encryption can provide an appropriate safeguard against the unauthorised or unlawful processing of personal data, especially in cases where it is not possible to implement alternative measures.
Data Protection Law
The General Data Protection Regulation (EU 2016/679) (GDPR) regulates how organisations collect, handle and store personal information.
These rules apply regardless of whether data is stored electronically, on paper or in any other way. To comply with the law, personal information must be collected and used fairly, stored and disposed of safely and not disclosed unlawfully. The GDPR is underpinned by six important principles to which Donacloney Presbyterian Church will adhere. These say that personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (but further processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes shall not be considered to be incompatible with the initial purposes);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date (and every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (although personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals); and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
This policy applies to Donacloney Presbyterian Church and all post-holders, volunteers, contractors, suppliers and other people processing personal data on its behalf.
It applies to all data that Donacloney Presbyterian Church holds relating to identifiable individuals. This can include for example:
- Names of individuals, postal/email addresses, telephone numbers.
- Sensitive personal data such as information in relation to physical or mental health conditions, religious beliefs, ethnic origin, or sexual orientation.
Data Protection Risks
This policy helps to protect Donacloney Presbyterian Church from data security risks, including:
- Breaches of confidentiality - for example, information about members of or volunteers with Donacloney Presbyterian Church being given out inappropriately;
- Failing to comply with GDPR - such as not offering choice to individuals when seeking their consent as the legal basis for processing their data;
- Damage to reputation - which may occur if, for instance, hackers or thieves successfully gained access to personal data held by Donacloney Presbyterian Church.
Everyone who works for or with Donacloney Presbyterian Church has some responsibility for ensuring personal data is collected, stored and handled appropriately.
All leaders, post-holders and volunteers are required to respect the confidentiality of personal data, to take all reasonable measures to ensure its security while they are in their position, and to return or securely destroy/delete personal data held on behalf of Donacloney Presbyterian Church when they leave that position.
Everyone who handles personal data must ensure that it is handled and processed in line with this policy and data protection principles. Failure to comply with the data protection policy and principles is a serious offence. The following, however, have key areas of responsibility:
- The Kirk Session is ultimately responsible for ensuring that Donacloney Presbyterian Church meets its legal obligations.
- The Data Protection Lead is responsible for:
‣ keeping the Kirk Session and Congregational Committee up to date about data protection issues, responsibilities and risks;
‣ reviewing all data protection procedures and related policies, in line with an agreed schedule;
‣ arranging data protection training and advice for the people covered by this policy;
‣ dealing with requests from individuals to see the data about them held by Donacloney Presbyterian Church (also called “subject access requests”); and
‣ checking and approving any contracts or agreements with third parties that may handle sensitive data that has been gathered and is held by Donacloney Presbyterian Church.
Donacloney Presbyterian Church will provide guidance to all post-holders, leaders and volunteers to help them understand their responsibilities when handling data. The following general principles must be followed by all who handle data on behalf of Donacloney Presbyterian Church.
- All data must be kept secure, by taking sensible precautions and following the guidelines below.
- The only people able to access data covered by this policy should be those who need it for their work.
- Data should not be shared informally.
- Personal data should not be disclosed to any unauthorised person, even if the unauthorised person is a member of Donacloney Presbyterian Church.
- Data held by Donacloney Presbyterian Church should only be disclosed if the person making the request is entitled to the information in keeping with the terms for which Donacloney Presbyterian Church is holding the data.
- Individuals who handle data on behalf of Donacloney Presbyterian Church should not be pressurised into disclosing personal data.
- For data stored electronically, strong passwords must be used, changed regularly and never shared.
- Data should be regularly reviewed, and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of safely.
- Post-holders, leaders and volunteers should request help from the Data Protection Lead if they are unsure about any aspect of data protection.
In accordance with data protection legislation the main legal basis for collecting personal data on members of and those affiliated with Donacloney Presbyterian Church will be that it is necessary for Donacloney Presbyterian Church to hold this data for the purposes of legitimate interests which are not overridden by the interests of the data subject. In respect of certain types of sensitive data (and in particular data revealing religious beliefs of the data subject) this data will be held on the basis that it is processed in the course of the legitimate activities of a not-for-profit religious body and will not be disclosed outside of that body without the consent of the data subject. Other legal bases, such as contract law, etc., will also apply.
There are particular provisions under the General Data Protection Regulation when the legal basis being relied upon is consent. In certain circumstances Donacloney Presbyterian Church may need to seek consent to process personal data, particularly if something is outside of the normal day to day activities of Donacloney Presbyterian Church or if it involves sharing personal data with a third party. If this is necessary then consent shall be informed consent. Informed consent is when:
- An individual clearly understands why her/his information is needed, with whom it will be shared, and the possible consequences of her/his agreeing or refusing the proposed use of the data, and
- then gives her/his informed and unambiguous consent.
Donacloney Presbyterian Church will ensure that data is collected in accordance with the boundaries defined in this policy. This applies to data that is collected in person, or through the completion of a form. When collecting data, Donacloney Presbyterian Church will ensure that the individual (i.e. the data subject):
- has received sufficient information on why her/his data is needed and how it will be used;
- is made aware of the purposes for which the data will be used and of the consequences should she/he decide not to give consent to processing;
- where necessary, grants explicit consent - either written or verbal - for data to be processed;
- is, as far as reasonably practicable, competent to give consent and has given consent freely and without any duress; and
- in the absence of valid consent (that which is freely given, specific, informed and unambiguous) or where consent is deemed unnecessary (i.e. where another legal basis applies), has received information as to the lawful basis for processing her/his information.
Processing in line with Data Subject’s Rights
Donacloney Presbyterian Church will process all personal data in line with the rights of data subjects, and in particular their right to:
- request access to data held about them by a data controller;
- prevent the processing of their data for direct-marketing purposes;
- ask to have inaccurate data corrected or erased; and
- prevent processing that is likely to cause damage or distress to themselves or anyone else.
These rules describe how and where data should be safely stored and the security measures implemented by Donacloney Presbyterian Church. Questions about storing data safely may be directed to the Data Protection Lead.
When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it. These guidelines also apply to data that is stored electronically but has been printed out for some reason.
- When not required, the paper or files should be put away securely.
- Post-holders, leaders and volunteers should make sure paper and printouts are not left where they may be seen by unauthorised people (e.g. in a photocopier).
- Data printouts should be shredded and disposed of securely when no longer required.
- Where personal data is recorded in a notebook (for example for the purposes of pastoral visitation) consideration should be given to encoding the personal data so as to reduce the risk of damage to the data subject should the notebook be lost or stolen.
When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts. It must be password protected and encryption should also be considered:
- Data should be protected by strong passwords which are changed regularly and never shared among post-holders, leaders and volunteers.
- If data is stored on removable media (such as a CD, DVD, USB flash drive etc.), the removable media should be stored securely when not being used.
- Data should only be stored on designated drives and servers and should only be uploaded to an approved cloud computing service. If using such services the user must be satisfied that the service supplier will hold the data in a manner compliant with data protection legislation. The user should review his/her terms and conditions or other contractual information to ensure that these matters are addressed.
- Servers containing personal data should be sited in a secure location.
- Data must be backed up frequently.
- Data which is considered important should not be saved solely to a mobile device as this type of device is generally more prone to failure, accidental loss, or theft. Where data is held on a mobile device then appropriate security measures should be applied.
- All servers/computers containing data must be protected by approved security software and a firewall.
- Personal data collected by Donacloney Presbyterian Church should not be stored exclusively on a personal computer as this may prevent legitimate access to and use of that data.
Data Retention and Secure Destruction
Personal data will not be retained longer than necessary, in relation to the purpose for which such data is processed. Donacloney Presbyterian Church will ensure that secure storage/archiving periods are clearly defined for each type of data and ensure confidential destruction of data when no longer required.
Personal data is of no value to Donacloney Presbyterian Church unless use can be made of it. It is, however, when personal data is accessed and used that it may be at the greatest risk of loss, corruption or theft. Because of this, Donacloney Presbyterian Church adopts the following additional security measures:
- When working with personal data, post-holders, leaders and volunteers should ensure the screens of their computers always are locked when left unattended.
- Personal data should never be shared informally. In particular, post-holders, leaders and volunteers should be particularly vigilant when sending data by e-mail as this form of communication is not secure.
- Financial Data, and in particular bank details of individuals, must not be transferred electronically. Bank details usually only should be transferred by letter and/or confirmed by telephone.
- Personal data should never be transferred outside of the European Economic Area without the approval of the Data Protection Lead/Clerk of Session and will only be permitted when an adequate level of protection can be guaranteed. Some suppliers (e.g. cloud storage, survey software etc.) may operate outside of the EEA in terms of the processing they carry out; Donacloney Presbyterian Church will only use suppliers that can demonstrate GDPR compliance and who have agreed to this in their terms and conditions.
The law requires data controllers to take reasonable steps to ensure data is kept accurate and up to date.
It is the responsibility of all post-holders, leaders and volunteers who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
- Data should be held in as few places as necessary. Post-holders, leaders and volunteers should not create any unnecessary additional data sets.
- Post-holders, leaders and volunteers should take every opportunity to ensure data is updated.
- Donacloney Presbyterian Church will make it easy for data subjects to update the information about them that is held.
- Data should be updated as and when inaccuracies are discovered.
Subject Access Requests
All individuals who are the subject of personal data held by Donacloney Presbyterian Church are entitled to:
- ask what information about them is held, and why;
- ask how to gain access to it and how to have inaccurate data corrected or erased;
- be informed as to how to keep it up to date;
- be informed how Donacloney Presbyterian Church is meeting its data protection obligations.
If an individual contacts Donacloney Presbyterian Church requesting this information, this is called a subject access request. Subject access requests from individuals should be made by e-mail or in writing and addressed to the Data Protection Lead. The Data Protection Lead will aim to provide the relevant data within fourteen days and in any event within one month. The Data Protection Lead will always verify the identity of anyone making a subject access request before handing over any information.
Disclosing Data for Other Reasons
In certain circumstances, the GDPR allows personal data to be disclosed to local authorities, law enforcement and statutory agencies without the consent of the data subject. In such circumstances, Donacloney Presbyterian Church will disclose the necessary data. The Data Protection Lead will ensure the request is legitimate, and will seek assistance and approval from the Clerk of Session where necessary.
Data subjects will be made aware in most circumstances how and with whom their information will be shared. There are circumstances where the law allows a data controller to disclose data (including sensitive data) without the data subject’s consent. These include the fulfilment of a legal duty and the protection of the vital interests of a member or other individual.
Donacloney Presbyterian Church regards the lawful and correct treatment of personal information as very important to successful working, and to maintaining the confidence of those with whom it deals.
Providing Information to Data Subjects
Donacloney Presbyterian Church aims to ensure that individuals are aware that their data is being processed and that they understand:
- how the data is being used; and
- how to exercise their rights in relation to this.
To these ends, Donacloney Presbyterian Church will issue privacy notices as appropriate to members and those affiliated with the congregation, suppliers, business contacts, and other individuals with whom Donacloney Presbyterian Church has a relationship or may need to make contact. These privacy notices set out how data relating to an individual is used by Donacloney Presbyterian Church, how an individual may exercise her/his rights in relation to this, including options available, and how to raise a complaint.
A version of this statement will also be available on the website of Donacloney Presbyterian Church.
Security Breach Management
Donacloney Presbyterian Church has an incident response procedure in place so that any breach of data protection can be acted upon immediately. The breach will be internally investigated with appropriate remedial action taken and where required, notification will further be made within 72 hours to the Information Commissioner’s Office and those affected providing details of the nature of the breach, likely consequences and mitigations being taken to address the same.
This policy and related data protection procedures will be reviewed on an annual basis by the Data Protection Lead to reflect best practice in data management, security and control and to ensure compliance with GDPR.
Date: December 2018
Review Date: December 2019