Data Protection Policy

Introduction

Donacloney Presbyterian Church needs to gather and use certain information about individuals. This may include information about members and adherents, volunteers, individuals contracted to supply services, other suppliers, facilities users, business contacts, and other people with whom Donacloney Presbyterian Church has a relationship or may need to make contact. This policy describes how this personal data must be collected, handled and stored to meet data protection standards and to comply with the law.

Why this policy exists

This data protection policy ensures that Donacloney Presbyterian Church:

Glossary of Key Terms

Data Protection Law

The General Data Protection Regulation (EU 2016/679) (GDPR) regulates how organisations collect, handle and store personal information.

These rules apply regardless of whether data is stored electronically, on paper or in any other way. To comply with the law, personal information must be collected and used fairly, stored and disposed of safely and not disclosed unlawfully. The GDPR is underpinned by six important principles to which Donacloney Presbyterian Church will adhere. These say that personal data shall be:

  1. processed lawfully, fairly and in a transparent manner in relation to individuals;
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (but further processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes shall not be considered to be incompatible with the initial purposes);
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  4. accurate and, where necessary, kept up to date (and every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay);
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (although personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals); and
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Policy Scope

This policy applies to Donacloney Presbyterian Church and all post-holders, volunteers, contractors, suppliers and other people processing personal data on its behalf.

It applies to all data that Donacloney Presbyterian Church holds relating to identifiable individuals. This can include for example:

Data Protection Risks

This policy helps to protect Donacloney Presbyterian Church from data security risks, including:

Responsibilities

Everyone who works for or with Donacloney Presbyterian Church has some responsibility for ensuring personal data is collected, stored and handled appropriately.

All leaders, post-holders and volunteers are required to respect the confidentiality of personal data, to take all reasonable measures to ensure its security while they are in their position, and to return or securely destroy/delete personal data held on behalf of Donacloney Presbyterian Church when they leave that position.

Everyone who handles personal data must ensure that it is handled and processed in line with this policy and data protection principles. Failure to comply with the data protection policy and principles is a serious offence. The following, however, have key areas of responsibility:

General Guidelines

Donacloney Presbyterian Church will provide guidance to all post-holders, leaders and volunteers to help them understand their responsibilities when handling data. The following general principles must be followed by all who handle data on behalf of Donacloney Presbyterian Church.

Data Collection

In accordance with data protection legislation the main legal basis for collecting personal data on members of and those affiliated with Donacloney Presbyterian Church will be that it is necessary for Donacloney Presbyterian Church to hold this data for the purposes of legitimate interests which are not overridden by the interests of the data subject. In respect of certain types of sensitive data (and in particular data revealing religious beliefs of the data subject) this data will be held on the basis that it is processed in the course of the legitimate activities of a not-for-profit religious body and will not be disclosed outside of that body without the consent of the data subject. Other legal bases, such as contract law, etc., will also apply.

There are particular provisions under the General Data Protection Regulation when the legal basis being relied upon is consent. In certain circumstances Donacloney Presbyterian Church may need to seek consent to process personal data, particularly if something is outside of the normal day to day activities of Donacloney Presbyterian Church or if it involves sharing personal data with a third party. If this is necessary then consent shall be informed consent. Informed consent is when:

Donacloney Presbyterian Church will ensure that data is collected in accordance with the boundaries defined in this policy. This applies to data that is collected in person, or through the completion of a form. When collecting data, Donacloney Presbyterian Church will ensure that the individual (i.e. the data subject):

  1. has received sufficient information on why her/his data is needed and how it will be used;
  2. is made aware of the purposes for which the data will be used and of the consequences should she/he decide not to give consent to processing;
  3. where necessary, grants explicit consent - either written or verbal - for data to be processed;
  4. is, as far as reasonably practicable, competent to give consent and has given consent freely and without any duress; and
  5. in the absence of valid consent (that which is freely given, specific, informed and unambiguous) or where consent is deemed unnecessary (i.e. where another legal basis applies), has received information as to the lawful basis for processing her/his information.

Processing in line with Data Subject’s Rights

Donacloney Presbyterian Church will process all personal data in line with the rights of data subjects, and in particular their right to:

  1. request access to data held about them by a data controller;
  2. prevent the processing of their data for direct-marketing purposes;
  3. ask to have inaccurate data corrected or erased; and
  4. prevent processing that is likely to cause damage or distress to themselves or anyone else.

Data Storage

These rules describe how and where data should be safely stored and the security measures implemented by Donacloney Presbyterian Church. Questions about storing data safely may be directed to the Data Protection Lead.

When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it. These guidelines also apply to data that is stored electronically but has been printed out for some reason.

When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts. It must be password protected and encryption should also be considered:

Data Retention and Secure Destruction

Personal data will not be retained longer than necessary, in relation to the purpose for which such data is processed. Donacloney Presbyterian Church will ensure that secure storage/archiving periods are clearly defined for each type of data and ensure confidential destruction of data when no longer required.

Data Use

Personal data is of no value to Donacloney Presbyterian Church unless use can be made of it. It is, however, when personal data is accessed and used that it may be at the greatest risk of loss, corruption or theft. Because of this, Donacloney Presbyterian Church adopts the following additional security measures:

Data Accuracy

The law requires data controllers to take reasonable steps to ensure data is kept accurate and up to date.

It is the responsibility of all post-holders, leaders and volunteers who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.

Subject Access Requests

All individuals who are the subject of personal data held by Donacloney Presbyterian Church are entitled to:

If an individual contacts Donacloney Presbyterian Church requesting this information, this is called a subject access request. Subject access requests from individuals should be made by e-mail or in writing and addressed to the Data Protection Lead. The Data Protection Lead will aim to provide the relevant data within fourteen days and in any event within one month. The Data Protection Lead will always verify the identity of anyone making a subject access request before handing over any information.

Disclosing Data for Other Reasons

In certain circumstances, the GDPR allows personal data to be disclosed to local authorities, law enforcement and statutory agencies without the consent of the data subject. In such circumstances, Donacloney Presbyterian Church will disclose the necessary data. The Data Protection Lead will ensure the request is legitimate, and will seek assistance and approval from the Clerk of Session where necessary.

In most circumstances, data subjects will be made aware of how and with whom their information will be shared. There are circumstances where the law allows a data controller to disclose data (including sensitive data) without the data subject’s consent. These include the fulfilment of a legal duty and the protection of the vital interests of a member or other individual.

Donacloney Presbyterian Church regards the lawful and correct treatment of personal information as very important to successful working, and to maintaining the confidence of those with whom it deals.

Providing Information to Data Subjects

Donacloney Presbyterian Church aims to ensure that individuals are aware that their data is being processed and that they understand:

To these ends, Donacloney Presbyterian Church will issue privacy notices as appropriate to members and those affiliated with the congregation, suppliers, business contacts, and other individuals with whom Donacloney Presbyterian Church has a relationship or may need to make contact. These privacy notices set out how data relating to an individual is used by Donacloney Presbyterian Church, how an individual may exercise her/his rights in relation to this, including options available, and how to raise a complaint.

A version of this statement will also be available on the website of Donacloney Presbyterian Church.

Security Breach Management

Donacloney Presbyterian Church has an incident response procedure in place so that any breach of data protection can be acted upon immediately. The breach will be investigated internally and appropriate remedial action taken. Where required, notification will also be made within 72 hours to the Information Commissioner’s Office and to those affected, giving details of the nature of the breach, its likely consequences and the mitigations being taken to address it.

Review

This policy and related data protection procedures will be reviewed on an annual basis by the Data Protection Lead to reflect best practice in data management, security and control and to ensure compliance with GDPR.

Signed:

Position:

Date: December 2018

Review Date: December 2019
