
Data Protection Policy

Castleton Baptist Church is committed to protecting all information that we handle about people we support and work with, and to respecting people’s rights around how their information is handled.

This policy explains our responsibilities and how we will meet them.

Hello everyone,

 

Our Anniversary celebrations are going really well and it has been good to see so many people joining with us in these celebrations, with lots more going on if you haven’t been able to be part of it as yet.

 

I’m writing now to let you know that, because of updated data protection legislation, we have to make sure that those people we are contacting are happy with that contact and would wish it to continue.

 

As you know, we have your contact details on our fellowship list (the booklet which we give out to the fellowship each year so we can stay in contact with each other) and/or email lists (for those with email we send out copies of the prayer list, bulletins etc. to remind people what is going on - other people on the list can see your email address) and we need to know whether you wish to remain on those lists. It may be that, if you haven’t been to Gateway for some time, or for any other reason, you would prefer contact to cease, either with your details being removed from the fellowship list or the email list or both. In which case I would ask you to let me know, by replying to this email or writing to the address below, that this is your preference.

 

If no such communication is received, we will assume that you are happy for us to keep in contact and to continue to send you information, updates, etc. as appropriate.

 

With very best wishes,

 

Jen Spear

Church Secretary

On behalf of the Pastor and Leadership Team

41, Oakleafe Drive

Pontprennau

Cardiff

CF23 8AL 

Castleton Baptist Church

Data Protection Policy

FINAL APRIL 2023

 

Contents

Section A – What this policy is for

1. Policy statement

2. Why this policy is important

3. How this policy applies to you & what you need to know

4. Training and guidance

Section B – Our data protection responsibilities

5. What personal information do we process?

6. Making sure processing is fair and lawful

7. When we need consent to process data

8. Processing for specified purposes

9. Data will be adequate, relevant and not excessive

10. Accurate data

11. Keeping data and destroying it

12. Security of personal data

13. Keeping records of our data processing

Section C – Working with people we process data about (data subjects)

14. Data subjects’ rights

15. Direct marketing

Section D – Working with other organisations & transferring data

16. Sharing information with other organisations

17. Data processors

18. Transferring personal data outside the United Kingdom (UK)

Section E – Managing change & risks

19. Data protection impact assessments

20. Dealing with data protection breaches

Schedule 1 – Definitions and useful terms

[Schedule 2 – ICO Registration]

Schedule 3 – Appropriate Policy Document

Section A: WHAT THIS POLICY IS FOR

 

1. Policy Statement

Castleton Baptist Church is committed to protecting personal data and respecting the rights of our data subjects - the people whose personal data we collect and use. We value the personal information entrusted to us and we respect that trust, by complying with all relevant laws, and adopting good practice.

We process personal data to help us:

a) maintain our list of church members and regular attenders;

b) provide pastoral support for members and others connected with our church;

c) provide services to the community;

d) safeguard children, young people and adults at risk;

e) recruit, support and manage staff and volunteers;

f) maintain our accounts and records;

g) promote our services;

h) maintain the security of property and premises;

i) respond effectively to enquirers and handle any complaints.

 

This policy has been approved by the church’s Charity Trustees who are responsible for ensuring that we comply with all our legal obligations. It sets out the legal rules that apply whenever we obtain, store or use personal data.

 

2. Why this policy is important

We are committed to protecting personal data from being misused, getting into the wrong hands as a result of poor security, or being shared carelessly, or being inaccurate, as we are aware that people can be upset or harmed if any of these things happen.

This policy sets out the measures we are committed to taking as a church and what each of us must do to comply with the relevant legislation.

In particular, we will make sure that all personal data is:

a) processed lawfully, fairly and in a transparent manner;

b) processed for specified, explicit and legitimate purposes and not in a manner that is incompatible with those purposes;

c) adequate, relevant and limited to what is necessary for the purposes for which it is being processed;

d) accurate and, where necessary, up to date;

e) not kept longer than necessary for the purposes for which it is being processed;

f) processed in a secure manner;

g) processed in keeping with the rights of data subjects regarding their personal data.

3. How this policy applies to you and what you need to know

· As an employee, trustee or volunteer processing personal information on behalf of the church, you are required to comply with this policy. If you think that you have accidentally breached the policy, it is important that you contact our Data Protection [Officer/Trustee] immediately so that we can take swift action to try and limit the impact of the breach.

Anyone who breaches the Data Protection Policy may be subject to disciplinary action, and where that individual has breached the policy intentionally, recklessly, or for personal benefit they may also be liable to prosecution or to regulatory action.

· If you are a data subject of Castleton Baptist Church, we will handle your personal information in line with this policy.

· Our Data Protection Officer is responsible for advising Castleton Baptist Church and its staff and members about their legal obligations under data protection law, monitoring compliance with data protection law, dealing with data security breaches and with the development of this policy. Any questions about this policy or any concerns that the policy has not been followed should be referred to them at Charlottecogswell@btinternet.com

· Before you collect or handle any personal data as part of your work (paid or otherwise) for Castleton Baptist Church it is important that you take the time to read this policy carefully and understand what is required of you, as well as the organisation’s responsibilities when we process data.

· Our procedures will be in line with the requirements of this policy, but if you are unsure about whether anything you plan to do, or are currently doing, might breach this policy you must first speak to the Data Protection Officer.

4. Training and guidance

We will provide general training at least annually for staff and leaders to raise awareness of their obligations and our responsibilities as well as to outline the law. We may also issue procedures, guidance or instructions from time to time.

Section B OUR DATA PROTECTION RESPONSIBILITIES

 

5. What personal information do we process?

· In the course of our work, we may collect and process information (personal data) about many different people (data subjects). This includes data we receive straight from the person it is about, for example, where they complete forms or contact us. We may also receive information about data subjects from other sources including, for example, previous employers.

· We process personal data in both electronic and paper form and all this data is protected under data protection law. The personal data we process can include a variety of information - such as names and contact details, education or employment details, and visual images of people.

· In some cases, we hold types of information that are called “special categories” of data in the UK GDPR.

Special category personal data does not include personal data about criminal allegations, proceedings or convictions, as separate rules apply. Other than in the circumstances described in paragraphs 5.4 to 5.8 below, information relating to criminal convictions and offences should not be processed unless the processing is authorised by law or is carried out under the control of official authority. Special category personal data can only be processed under strict conditions, including the data subject’s explicit consent (although other alternative conditions can apply in limited, very specific circumstances as described below).

 

‘Special categories’ of data (as referred to in the UK GDPR) includes information about a person’s: racial or ethnic origin; political opinions; religious or similar (e.g. philosophical) beliefs; trade union membership; health (including physical and mental health, and the provision of health care services); genetic data; biometric data; sexual life and sexual orientation.

 

We will not hold information relating to criminal proceedings or offences or allegations of offences unless there is a clear lawful basis to process this data.

 

· We may process information relating to criminal proceedings or offences or allegations of offences to safeguard against any risks posed to others under Article 6(1)(f) UK GDPR where the processing is necessary for the purposes of the legitimate interests of Castleton Baptist Church but not where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

· We may also process special category data or criminal convictions etc. data (“criminal offence data”) where it fulfils one of the substantial public interest conditions under Schedule 1, Part 2 of the Data Protection Act 2018, in particular Conditions 10, 11, 12, 18 and 19.

· We may also seek to obtain, use and retain criminal offence data in reliance upon Condition 31 relating to criminal convictions under Schedule 1, Part 3 of the Data Protection Act 2018.

· For the purposes of Schedule 1, Part 4 of the Data Protection Act 2018, more information about Castleton Baptist Church’s processing of special category and criminal convictions data under Conditions 10, 11, 12, 18, 19 and 31 can be found in the “Appropriate Policy Document” in Schedule [3] of this policy.

· The processing of special category and criminal convictions data described in paragraphs 5.4 to 5.8 will only ever be carried out on the advice of statutory authorities, the Ministries Team of the Baptist Union of Great Britain or our Regional Association Safeguarding contact person.

· Other data may also be considered ‘sensitive’ such as bank details but will not be subject to the same legal protection as the types of data listed above.

6. Making sure processing is fair and lawful

Processing of personal data will only be fair and lawful when the purpose for the processing meets a legal basis, as listed below, and when the processing is transparent. This means we will provide people with an explanation of how and why we process their personal data at the point we collect data from them, as well as when we collect data about them from other sources.

 

How can we legally use personal data?

· Processing of personal data is only lawful if at least one of these legal conditions, as listed in Article 6 of the UK GDPR, is met:

A. the processing is necessary for a contract with the data subject;

B. the processing is necessary for us to comply with a legal obligation;

C. the processing is necessary to protect someone’s life (this is called “vital interests”);

D. the processing is necessary for us to perform a task in the public interest, and the task has a clear basis in law;

E. the processing is necessary for legitimate interests pursued by Castleton Baptist Church or another organisation, unless these are overridden by the interests, rights and freedoms of the data subject;

F. if none of the other legal conditions apply, the processing will only be lawful if the data subject has given their clear consent.

How can we legally use ‘special categories’ of data?

· Processing of ‘special categories’ of personal data is only lawful when, in addition to the conditions above, one of the extra conditions, as listed in Article 9 of the UK GDPR, is met. These conditions include where:

a) the processing is necessary for carrying out our obligations under employment and social security and social protection law;

b) the processing is necessary for safeguarding the vital interests (in emergency, life or death situations) of an individual and the data subject is incapable of giving consent;

c) the processing is carried out in the course of our legitimate activities and only relates to our members or persons we are in regular contact with in connection with our purposes;

d) the processing is necessary for pursuing legal claims;

e) if none of the other legal conditions apply, the processing will only be lawful if the data subject has given their explicit consent.

· Before deciding which condition should be relied upon, we may refer to the original text of the UK GDPR as well as any relevant guidance, and seek legal advice as required.

What must we tell individuals before we use their data?

· If personal data is collected directly from the individual, we will inform them [in writing] about: our identity/contact details [and those of the Data Protection [Officer/Trustee]]; the reasons for processing and the legal bases [including explaining any automated decision making or profiling], explaining our legitimate interests and explaining, where relevant, the consequences of not providing data needed for a contract or statutory requirement; who we will share the data with; if we plan to send the data outside of the United Kingdom; how long the data will be stored; and the data subjects’ rights.

This information is commonly referred to as a ‘Privacy Notice’.

This information will be given at the time when the personal data is collected.

· If data is collected from another source, rather than directly from the data subject, we will provide the data subject with the information described in section 6.5 as well as: the categories of the data concerned; and the source of the data.

This information will be provided to the individual in writing and no later than one month after we receive the data, unless a legal exemption under the UK GDPR applies. If we use the data to communicate with the data subject, we will at the latest give them this information at the time of the first communication.

If we plan to pass the data on to someone else outside of Castleton Baptist Church, we will give the data subject this information before we pass on the data.

 

7. When we need consent to process data

· Where none of the other legal conditions apply to the processing, and we are required to get consent from the data subject, we will clearly set out what we are asking consent for, including why we are collecting the data and how we plan to use it. Consent will be specific to each process we are requesting consent for and we will only ask for consent when the data subject has a real choice whether or not to provide us with their data.

· Consent can however be withdrawn at any time and if withdrawn, the processing will stop. Data subjects will be informed of their right to withdraw consent and it will be as easy to withdraw consent as it is to give consent.

8. Processing for specified purposes

We will only process personal data for the specific purposes explained in our privacy notices (as described in section 6.5 above) or for other purposes specifically permitted by law. We will explain those other purposes to data subjects in the way described in section 6, unless there are lawful reasons for not doing so.

9. Data will be adequate, relevant and not excessive

We will only collect and use personal data that is needed for the specific purposes described above (which will normally be explained to the data subjects in privacy notices). We will not collect more than is needed to achieve those purposes. We will not collect any personal data “just in case” we want to process it later.

10. Accurate data

We will make sure that personal data held is accurate and, where appropriate, kept up to date. The accuracy of personal data will be checked at the point of collection and at appropriate points later on.

11. Keeping data and destroying it

· We will not keep personal data longer than is necessary for the purposes that it was collected for. We will comply with official guidance issued to our sector about retention periods for specific records.

· Information about how long we will keep records for can be found in our Data Retention Schedule.

12. Security of personal data

· We will use appropriate measures to keep personal data secure at all points of the processing. Keeping data secure includes protecting it from unauthorised or unlawful processing, or from accidental loss, destruction or damage.

· We will implement security measures which provide a level of security which is appropriate to the risks involved in the processing.

Measures will include technical and organisational security measures. In assessing what measures are the most appropriate we will take into account the following, and anything else that is relevant:

a) the quality of the security measure;

b) the costs of implementation;

c) the nature, scope, context and purpose of processing;

d) the risk (of varying likelihood and severity) to the rights and freedoms of data subjects;

e) the risk which could result from a data breach.

· Measures may include:

a) technical systems security;

b) measures to restrict or minimise access to data;

c) measures to ensure our systems and data remain available, or can be easily restored in the case of an incident;

d) physical security of information and of our premises;

e) organisational measures, including policies, procedures, training and audits;

f) regular testing and evaluating of the effectiveness of security measures.

13. Keeping records of our data processing

To show how we comply with the law we will keep clear records of our processing activities and of the decisions we make concerning personal data (setting out our reasons for those decisions).

 

Section C: WORKING WITH PEOPLE WE PROCESS DATA ABOUT

(known as Data Subjects)

14. Data subjects’ rights

We will process personal data in line with data subjects' rights, including their right to:

a) request access to any of their personal data held by us (known as a Subject Access Request);

b) ask to have inaccurate personal data changed;

c) restrict processing, in certain circumstances;

d) object to processing, in certain circumstances, including preventing the use of their data for direct marketing;

e) data portability, which means to receive their data, or some of their data, in a format that can be easily used by another person (including the data subject themselves) or organisation;

f) not be subject to automated decisions, in certain circumstances; and

g) withdraw consent when we are relying on consent to process their data.

· If a colleague receives any request from a data subject that relates or could relate to their data protection rights, this will be forwarded to our [Data Protection Officer/Trustee] immediately.

· We will act on all valid requests as soon as possible, and at the latest within one calendar month from the date of receipt of the request, unless we have reason to, and can lawfully, extend the timescale. This can be extended by up to two months in some circumstances.

· All data subjects’ rights are provided free of charge.

· Any information provided to data subjects will be concise and transparent, using clear and plain language.

15. Direct marketing

· We will comply with the rules set out in the UK GDPR, the Privacy and Electronic Communications Regulations (PECR) and any laws which may amend or replace the regulations around direct marketing. This includes, but is not limited to, when we make contact with data subjects by post, email, text message, social media messaging, telephone (both live and recorded calls) and fax.

Direct marketing means the communication (by any means) of any advertising or marketing material which is directed, or addressed, to individuals. “Marketing” does not need to be selling anything, or be advertising a commercial product. It includes contact made by organisations to individuals for the purposes of promoting the organisation’s aims.

· Any direct marketing material that we send will identify Castleton Baptist Church as the sender and will describe how people can object to receiving similar communications in the future. If a data subject exercises their right to object to direct marketing we will stop the direct marketing as soon as possible.

Section D: WORKING WITH OTHER ORGANISATIONS & TRANSFERRING DATA

 

16. Sharing information with other organisations

We will only share personal data with other organisations or people when we have a legal basis to do so and if we have informed the data subject about the possibility of the data being shared (in a privacy notice), unless legal exemptions apply to informing data subjects about the sharing. Only authorised and properly instructed [staff/Trustees] are allowed to share personal data.

We will keep records of information shared with a third party, which will include recording any exemptions which have been applied, and why they have been applied. We will follow the ICO’s statutory Data Sharing Code of Practice (or any replacement code of practice) when sharing personal data with other data controllers. Legal advice will be sought as required.

 

17. Data processors

· [Before appointing a contractor who will process personal data on our behalf (a data processor) we will carry out due diligence checks. The checks are to make sure the processor will use appropriate technical and organisational measures to ensure the processing will comply with data protection law, including keeping the data secure, and upholding the rights of data subjects. We will only appoint data processors who can provide us with sufficient guarantees that they will do this.]

· [We will only appoint data processors on the basis of a written contract that will require the processor to comply with all relevant legal requirements. We will continue to monitor the data processing, and compliance with the contract, throughout the duration of the contract.]

18. Transferring personal data outside the United Kingdom (UK)

Personal data cannot be transferred (or stored) outside of the United Kingdom unless this is permitted by the UK GDPR. This includes storage on a “cloud” based service where the servers are located outside the UK.

We will only transfer data outside the UK where it is permitted by one of the conditions for non-UK transfers in the UK GDPR.

Section E: Managing change & risks

19. Data protection impact assessments

· When we are planning to carry out any data processing which is likely to result in a high risk we will carry out a Data Protection Impact Assessment (DPIA). These include situations when we process data relating to vulnerable people, trawling of data from public profiles, using new technology, and transferring data outside the UK. Any decision not to conduct a DPIA will be recorded.

· We may also conduct a DPIA in other cases when we consider it appropriate to do so. If we are unable to mitigate the identified risks such that a high risk remains, we will consult with the ICO.

· DPIAs will be conducted in accordance with the ICO’s guidance on Data Protection Impact Assessments.

 

20. Dealing with data protection breaches

· Where staff or volunteers, [or contractors working for us], think that this policy has not been followed, or data might have been breached or lost, this will be reported immediately to the Data Protection [Officer/Trustee].

· We will keep records of personal data breaches, even if we do not report them to the ICO.

· We will report all data breaches which are likely to result in a risk to any person, to the ICO. Reports will be made to the ICO within 72 hours from when someone in the church becomes aware of the breach.

· In situations where a personal data breach causes a high risk to any person, we will (as well as reporting the breach to the ICO), inform data subjects whose information is affected, without undue delay. This can include situations where, for example, bank account details are lost or an email containing sensitive information is sent to the wrong recipient. Informing data subjects can enable them to take steps to protect themselves and/or to exercise their rights.

 

DEFINITIONS AND USEFUL TERMS

The following terms are used throughout this policy and have their legal meaning as set out within the UK General Data Protection Regulation (“UK GDPR”). The UK GDPR definitions are further explained below:

Data controller means any person, company, authority or other body who (or which) determines the means for processing personal data and the purposes for which it is processed. It does not matter if the decisions are made alone or jointly with others.

The data controller is responsible for the personal data which is processed and the way in which it is processed. We are the data controller of data which we process.

Data processors include any individuals or organisations which process personal data on our behalf and on our instructions, e.g. an external organisation which provides secure waste disposal for us. This definition will include the data processors’ own staff (note that staff of data processors may also be data subjects).

Data subjects include all living individuals who we hold or otherwise process personal data about. A data subject does not need to be a UK national or resident. All data subjects have legal rights in relation to their personal information. Data subjects that we are likely to hold personal data about include:

a) the people we care for and support;

b) our employees (and former employees);

c) consultants/individuals who are our contractors or employees working for them;

d) volunteers;

e) tenants;

f) complainants;

g) supporters;

h) enquirers;

i) friends and family;

j) advisers and representatives of other organisations.

ICO means the Information Commissioner’s Office, which is the UK’s regulatory body responsible for ensuring that we comply with our legal data protection duties. The ICO produces guidance on how to implement data protection law and can take regulatory action where a breach occurs.

Personal data means any information relating to a natural person (living person) who is either identified or is identifiable. A natural person must be an individual and cannot be a company or a public body. Representatives of companies or public bodies would, however, be natural persons.

Personal data is limited to information about living individuals and does not cover deceased people.

Personal data can be factual (for example, a name, address or date of birth) or it can be an opinion about that person, their actions and behaviour.

Privacy notice means the information given to data subjects which explains how we process their data and for what purposes.

Processing is very widely defined and includes any activity that involves the data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing can also include transferring personal data to third parties, listening to a recorded message (e.g. on voicemail) or viewing personal data on a screen or in a paper document which forms part of a structured filing system. Viewing of clear, moving or still images of living individuals is also a processing activity.

Special categories of data (as identified in the UK GDPR) include information about a person’s:

a) Racial or ethnic origin;

b) Political opinions;

c) Religious or similar (e.g. philosophical) beliefs;

d) Trade union membership;

e) Health (including physical and mental health, and the provision of health care services);

f) Genetic data;

g) Biometric data;

h) Sexual life and sexual orientation.

ICO REGISTRATION

We are registered with the Information Commissioner’s Office (ICO), registration number ZB537416.

Contents

Section A – What this policy is for

1. Policy statement

2. Why this policy is important

3. How this policy applies to you & what you need to know

4. Training and guidance

Section B – Our data protection responsibilities

5. What personal information do we process?

6. Making sure processing is fair and lawful

7. When we need consent to process data

8. Processing for specified purposes

9. Data will be adequate, relevant and not excessive

10. Accurate data

11. Keeping data and destroying it

12. Security of personal data

13. Keeping records of our data processing

Section C – Working with people we process data about (data subjects)

14. Data subjects’ rights

15. Direct marketing

Section D – Working with other organisations & transferring data

16. Sharing information with other organisations

17. Data processors

18. Transferring personal data outside the United Kingdom (UK)

Section E – Managing change & risks

19. Data protection impact assessments

20. Dealing with data protection breaches

Schedule 1 – Definitions and useful terms

[Schedule 2 – ICO Registration]

Schedule 3 – Appropriate Policy Document

Section A: WHAT THIS POLICY IS FOR

 

1. Policy Statement

Castleton Baptist Church is committed to protecting personal data and respecting the rights of our data subjects - the people whose personal data we collect and use. We value the personal information entrusted to us and we respect that trust, by complying with all relevant laws, and adopting good practice.

We process personal data to help us:

a) maintain our list of church members and regular attenders;

b) provide pastoral support for members and others connected with our church;

c) provide services to the community;

d) safeguard children, young people and adults at risk;

e) recruit, support and manage staff and volunteers;

f) maintain our accounts and records;

g) promote our services;

h) maintain the security of property and premises;

i) respond effectively to enquirers and handle any complaints.

 

This policy has been approved by the church’s Charity Trustees who are responsible for ensuring that we comply with all our legal obligations. It sets out the legal rules that apply whenever we obtain, store or use personal data.

 

2. Why this policy is important

We are committed to protecting personal data from being misused, getting into the wrong hands as a result of poor security, or being shared carelessly, or being inaccurate, as we are aware that people can be upset or harmed if any of these things happen.

This policy sets out the measures we are committed to taking as a church and what each of us must do to comply with the relevant legislation.

In particular, we will make sure that all personal data is:

a) processed lawfully, fairly and in a transparent manner;

b) processed for specified, explicit and legitimate purposes and not in a manner that is incompatible with those purposes;

c) adequate, relevant and limited to what is necessary for the purposes for which it is being processed;

d) accurate and, where necessary, up to date;

e) not kept longer than necessary for the purposes for which it is being processed;

f) processed in a secure manner;

g) processed in keeping with the rights of data subjects regarding their personal data.  

3. How this policy applies to you and what you need to know

· As an employee, trustee or volunteer processing personal information on behalf of the church, you are required to comply with this policy. If you think that you have accidentally breached the policy, it is important that you contact our Data Protection [Officer/Trustee] immediately so that we can take swift action to try and limit the impact of the breach.

Anyone who breaches the Data Protection Policy may be subject to disciplinary action, and where that individual has breached the policy intentionally, recklessly, or for personal benefit they may also be liable to prosecution or to regulatory action.

· If you are a data subject of Castleton Baptist Church, we will handle your personal information in line with this policy.

Measures will include technical and organisational security measures. In assessing what measures are the most appropriate we will take into account the following, and anything else that is relevant:

a) the quality of the security measure;

b) the costs of implementation;

c) the nature, scope, context and purpose of processing;

d) the risk (of varying likelihood and severity) to the rights and freedoms of data subjects;

e) the risk which could result from a data breach.

· Measures may include:

a) technical systems security;

b) measures to restrict or minimise access to data;

c) measures to ensure our systems and data remain available, or can be easily restored in the case of an incident;

d) physical security of information and of our premises;

e) organisational measures, including policies, procedures, training and audits;

f) regular testing and evaluating of the effectiveness of security measures.

13. Keeping records of our data processing

To show how we comply with the law we will keep clear records of our processing activities and of the decisions we make concerning personal data (setting out our reasons for those decisions).

 

Section C: WORKING WITH PEOPLE WE PROCESS DATA ABOUT

(known as Data Subjects)

14. Data subjects’ rights

We will process personal data in line with data subjects' rights, including their right to:

a) request access to any of their personal data held by us (known as a Subject Access Request);

b) ask to have inaccurate personal data changed;

c) restrict processing, in certain circumstances;

d) object to processing, in certain circumstances, including preventing the use of their data for direct marketing;

e) data portability, which means to receive their data, or some of their data, in a format that can be easily used by another person (including the data subject themselves) or organisation;

f) not be subject to automated decisions, in certain circumstances; and

g) withdraw consent when we are relying on consent to process their data.

· If a colleague receives any request from a data subject that relates or could relate to their data protection rights, this will be forwarded to our [Data Protection Officer/Trustee] immediately.

· We will act on all valid requests as soon as possible, and at the latest within one calendar month from the date of receipt of the request, unless we have reason to, and can lawfully, extend the timescale. This can be extended by up to two months in some circumstances.

· All data subjects’ rights are provided free of charge.

· Any information provided to data subjects will be concise and transparent, using clear and plain language.

15. Direct marketing

· We will comply with the rules set out in the UK GDPR, the Privacy and Electronic Communications Regulations (PECR) and any laws which may amend or replace the regulations around direct marketing. This includes, but is not limited to, when we make contact with data subjects by post, email, text message, social media messaging, telephone (both live and recorded calls) and fax.

Direct marketing means the communication (by any means) of any advertising or marketing material which is directed, or addressed, to individuals. “Marketing” does not need to be selling anything, or be advertising a commercial product. It includes contact made by organisations to individuals for the purposes of promoting the organisation’s aims.

· Any direct marketing material that we send will identify Castleton Baptist Church as the sender and will describe how people can object to receiving similar communications in the future. If a data subject exercises their right to object to direct marketing we will stop the direct marketing as soon as possible.

Section D: WORKING WITH OTHER ORGANISATIONS & TRANSFERRING DATA

 

16. Sharing information with other organisations

We will only share personal data with other organisations or people when we have a legal basis to do so and if we have informed the data subject about the possibility of the data being shared (in a privacy notice), unless legal exemptions apply to informing data subjects about the sharing. Only authorised and properly instructed [staff/Trustees] are allowed to share personal data.

We will keep records of information shared with a third party, which will include recording any exemptions which have been applied, and why they have been applied. We will follow the ICO’s statutory Data Sharing Code of Practice (or any replacement code of practice) when sharing personal data with other data controllers. Legal advice will be sought as required.

17. Data processors

· [Before appointing a contractor who will process personal data on our behalf (a data processor) we will carry out due diligence checks. The checks are to make sure the processor will use appropriate technical and organisational measures to ensure the processing will comply with data protection law, including keeping the data secure, and upholding the rights of data subjects. We will only appoint data processors who can provide us with sufficient guarantees that they will do this.]

· [We will only appoint data processors on the basis of a written contract that will require the processor to comply with all relevant legal requirements. We will continue to monitor the data processing, and compliance with the contract, throughout the duration of the contract.]

18. Transferring personal data outside the United Kingdom (UK)

Personal data cannot be transferred (or stored) outside of the United Kingdom unless this is permitted by the UK GDPR. This includes storage on a “cloud” based service where the servers are located outside the UK.

We will only transfer data outside the UK where it is permitted by one of the conditions for non-UK transfers in the UK GDPR.

Section E: Managing change & risks

19. Data protection impact assessments

· When we are planning to carry out any data processing which is likely to result in a high risk we will carry out a Data Protection Impact Assessment (DPIA). These include situations when we process data relating to vulnerable people, trawling of data from public profiles, using new technology, and transferring data outside the UK. Any decision not to conduct a DPIA will be recorded.

· We may also conduct a DPIA in other cases when we consider it appropriate to do so. If we are unable to mitigate the identified risks such that a high risk remains, we will consult with the ICO.

· DPIAs will be conducted in accordance with the ICO’s guidance on Data Protection Impact Assessments.

20. Dealing with data protection breaches

· Where staff or volunteers, [or contractors working for us], think that this policy has not been followed, or data might have been breached or lost, this will be reported immediately to the Data Protection [Officer/Trustee].

· We will keep records of personal data breaches, even if we do not report them to the ICO.

· We will report all data breaches which are likely to result in a risk to any person, to the ICO. Reports will be made to the ICO within 72 hours from when someone in the church becomes aware of the breach.

· In situations where a personal data breach causes a high risk to any person, we will (as well as reporting the breach to the ICO), inform data subjects whose information is affected, without undue delay. This can include situations where, for example, bank account details are lost or an email containing sensitive information is sent to the wrong recipient. Informing data subjects can enable them to take steps to protect themselves and/or to exercise their rights.

DEFINITIONS AND USEFUL TERMS

The following terms are used throughout this policy and have their legal meaning as set out within the UK General Data Protection Regulation (“UK GDPR”). The UK GDPR definitions are further explained below:

Data controller means any person, company, authority or other body who (or which) determines the means for processing personal data and the purposes for which it is processed. It does not matter if the decisions are made alone or jointly with others.

The data controller is responsible for the personal data which is processed and the way in which it is processed. We are the data controller of data which we process.

Data processors include any individuals or organisations, which process personal data on our behalf and on our instructions e.g. an external organisation which provides secure waste disposal for us. This definition will include the data processors’ own staff (note that staff of data processors may also be data subjects).

Data subjects include all living individuals who we hold or otherwise process personal data about. A data subject does not need to be a UK national or resident. All data subjects have legal rights in relation to their personal information. Data subjects that we are likely to hold personal data about include:

a) the people we care for and support;

b) our employees (and former employees);

c) consultants/individuals who are our contractors or employees working for them;

d) volunteers;

e) tenants;

f) complainants;

g) supporters;

h) enquirers;

i) friends and family;

j) advisers and representatives of other organisations.

ICO means the Information Commissioner’s Office, which is the UK’s regulatory body responsible for ensuring that we comply with our legal data protection duties. The ICO produces guidance on how to implement data protection law and can take regulatory action where a breach occurs.

Personal data means any information relating to a natural person (living person) who is either identified or is identifiable. A natural person must be an individual and cannot be a company or a public body. Representatives of companies or public bodies would, however, be natural persons.

Personal data is limited to information about living individuals and does not cover deceased people.

Personal data can be factual (for example, a name, address or date of birth) or it can be an opinion about that person, their actions and behaviour.

Privacy notice means the information given to data subjects which explains how we process their data and for what purposes.

Processing is very widely defined and includes any activity that involves the data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing can also include transferring personal data to third parties, listening to a recorded message (e.g. on voicemail) or viewing personal data on a screen or in a paper document which forms part of a structured filing system. Viewing of clear, moving or stills images of living individuals is also a processing activity.

Special categories of data (as identified in the UK GDPR) include information about a person’s:

a) Racial or ethnic origin;

b) Political opinions;

c) Religious or similar (e.g. philosophical) beliefs;

d) Trade union membership;

e) Health (including physical and mental health, and the provision of health care services);

f) Genetic data;

g) Biometric data;

h) Sexual life and sexual orientation.

ICO REGISTRATION

We are not required to register Castleton Baptist Church with the Information Commissioner’s Office (ICO)

Policy Statement on Safeguarding in Castleton Baptist Church

 

Castleton Baptist Church (referred to as “the church” in the Policy Statement)

The purpose of the church is to evangelize our community and beyond, to encourage people to become more Christ-like through discipleship and we are committed to meeting the needs of those inside and outside our walls through ministry. We value fellowship and will come before the Lord in obedience to worship Him.

 

In fulfilling this vision the church will:

  • Welcome children and adults at risk into the life of our community

  • Run activities for children and adults at risk

  • Make our premises available to organisations working with children and adults at risk

 

The church recognises its responsibilities for the safeguarding of all children and young people and adults at risk regardless of gender, ethnicity or ability.

As members of this church we commit ourselves to the nurturing, protection and safekeeping of all associated with the church and will pray for them regularly.

In pursuit of this we commit ourselves to the following policies and to the development of procedures to ensure their implementation.

  1. Prevention and reporting of abuse

It is the duty of each church member to help prevent the abuse of children and adults at risk, and the duty of each church member to respond to concerns about the well-being of children and adults at risk. Any abuse disclosed, discovered or suspected will be reported in accordance with our procedures. The church will fully co-operate with any statutory investigation into any suspected abuse linked with the church.

 

2. Safe recruitment, support and supervision of workers

The church will exercise proper care in the selection and appointment of those working with children and adults at risk, whether paid or volunteer. All workers will be provided with appropriate training, support and supervision to promote the safekeeping of children and adults at risk.

 

3. Respecting children and adults at risk

The church will adopt a code of behaviour for all who are appointed to work with children and adults at risk so that all children and adults are shown the respect that is due to them.

4. Safe working practices

The church is committed to providing an environment that is as safe as possible for children and adults at risk and will adopt ways of working with them that promote their safety and well-being.

5. A safe community

The church is committed to the prevention of bullying. The church will seek to ensure that the behaviour of any individual who may pose a risk to children, young people and adults at risk in the community of the church is managed appropriately.

 

Safeguarding contact points within our church:

The church has appointed the following individuals to form part of the church safeguarding team:

 

Charlotte Edwards, Designated Person for Safeguarding (DPS)

She will advise the church on any matters related to the safeguarding of children and adults at risk and take the appropriate action when abuse is disclosed, discovered or suspected.

 

Phone number 01633 681503 / mobile 07817139143

Email address: charlottecogswell@btinternet.com

 

Nathan Evans, Deputy Designated Person for Safeguarding (DDPS)

He will assist the Designated Person for Safeguarding (DPS) in helping the church on any matters related to the safeguarding of children and adults at risk and take the appropriate action when abuse is disclosed, discovered or suspected.

 

Phone number 01633 689105 / mobile 07814594517

Email address: treasurercbc291@gmail.com

 

NAME, Safeguarding Trustee

He/She will raise the profile of safeguarding within the church and oversee and monitor the implementation of the safeguarding policy and procedures on behalf of the church trustees.

 

Phone number …………………………………………….…  Email address ……………………………….……………………………………

Our church minister is also an important part of the Church Safeguarding Team.  Where possible, the Church Safeguarding Team will work together if and when issues arise. However, each person has a responsibility to report allegations of abuse as soon as they are raised.

 

Further definitions of these roles can be found in the BUGB publications ‘Safe to Grow’ (2011) & ‘Safe to Belong’ (2015).

 

Putting our policy into practice

  • A copy of the safeguarding policy statement will be displayed permanently on the church noticeboard and church office and is available on our church website.

  • Each worker with children and/or adults at risk will be given a full copy of the safeguarding policy and procedures and will be asked to sign to confirm that they will follow them.

  • A full copy of the policy and procedures will be made available on request to any member of, or other person associated with the church.

  • The policy and procedures will be monitored and reviewed annually, and any necessary revisions adopted into the policy and implemented through our procedures.

  • The policy statement will be read annually at the church AGM, together with a report on the outcome of the annual safeguarding review.

Signed                                              (Church Secretary)       Date

· Our Data Protection Officer is responsible for advising Castleton Baptist Church and its staff and members about their legal obligations under data protection law, monitoring compliance with data protection law, dealing with data security breaches and with the development of this policy. Any questions about this policy or any concerns that the policy has not been followed should be referred to them at Charlottecogswell@btinternet.com

· Before you collect or handle any personal data as part of your work (paid or otherwise) for Castleton Baptist Church it is important that you take the time to read this policy carefully and understand what is required of you, as well as the organisation’s responsibilities when we process data.

· Our procedures will be in line with the requirements of this policy, but if you are unsure about whether anything you plan to do, or are currently doing, might breach this policy you must first speak to the Data Protection Officer.

 

4. Training and guidance

We will provide general training at least annually for staff and leaders to raise awareness of their obligations and our responsibilities as well as to outline the law. We may also issue procedures, guidance or instructions from time to time.

 

Section B OUR DATA PROTECTION RESPONSIBILITIES

 

5. What personal information do we process?

· In the course of our work, we may collect and process information (personal data) about many different people (data subjects). This includes data we receive straight from the person it is about, for example, where they complete forms or contact us. We may also receive information about data subjects from other sources including, for example, previous employers.

· We process personal data in both electronic and paper form and all this data is protected under data protection law. The personal data we process can include a variety of information - such as names and contact details, education or employment details, and visual images of people.

· In some cases, we hold types of information that are called “special categories” of data in the UK GDPR.

Special category personal data does not include personal data about criminal allegations, proceedings or convictions, as separate rules apply. Other than in the circumstances described in paragraphs 5.4 to 5.8 below, information relating to criminal convictions and offences should not be processed unless the processing is authorised by law or is carried out under the control of official authority. Special category personal data can only be processed under strict conditions, including the data subject’s explicit consent (although other alternative conditions can apply in limited, very specific circumstances as described below).

‘Special categories’ of data (as referred to in the UK GDPR) include information about a person’s: racial or ethnic origin; political opinions; religious or similar (e.g. philosophical) beliefs; trade union membership; health (including physical and mental health, and the provision of health care services); genetic data; biometric data; sexual life and sexual orientation.

We will not hold information relating to criminal proceedings or offences or allegations of offences unless there is a clear lawful basis to process this data.

· We may process information relating to criminal proceedings or offences or allegations of offences to safeguard against any risks posed to others under Article 6(1)(f) UK GDPR where the processing is necessary for the purposes of the legitimate interests of Castleton Baptist Church but not where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

· We may also process special category or criminal convictions etc data (“criminal offence data”) where it fulfils one of the substantial public interest conditions under Schedule 1, Part 2 of the Data Protection Act 2018, in particular, Conditions 10, 11, 12, 18 and 19.

· We may also seek to obtain, use and retain criminal offence data in reliance upon Condition 31 relating to criminal convictions under Schedule 1, Part 3 of the Data Protection Act 2018.

· For the purposes of Schedule 1, Part 4 of the Data Protection Act 2018, more information about Castleton Baptist Church processing of special category and criminal convictions data under Conditions 10, 11, 12, 18, 19 and 31 can be found in the “Appropriate Policy Document” in Schedule [3] of this policy.

· The processing of special category and criminal convictions data described in paragraphs 5.4 to 5.8 will only ever be carried out on the advice of statutory authorities, the Ministries Team of the Baptist Union of Great Britain or our Regional Association Safeguarding contact person.

· Other data may also be considered ‘sensitive’ such as bank details but will not be subject to the same legal protection as the types of data listed above.

6. Making sure processing is fair and lawful

Processing of personal data will only be fair and lawful when the purpose for the processing meets a legal basis, as listed below, and when the processing is transparent. This means we will provide people with an explanation of how and why we process their personal data at the point we collect data from them, as well as when we collect data about them from other sources.

 

How can we legally use personal data?

· Processing of personal data is only lawful if at least one of these legal conditions, as listed in Article 6 of the UK GDPR, is met:

A. the processing is necessary for a contract with the data subject;

B. the processing is necessary for us to comply with a legal obligation;

C. the processing is necessary to protect someone’s life (this is called “vital interests”);

D. the processing is necessary for us to perform a task in the public interest, and the task has a clear basis in law;

E. the processing is necessary for legitimate interests pursued by Castleton Baptist Church or another organisation, unless these are overridden by the interests, rights and freedoms of the data subject.

F. If none of the other legal conditions apply, the processing will only be lawful if the data subject has given their clear consent.

How can we legally use ‘special categories’ of data?

· Processing of ‘special categories’ of personal data is only lawful when, in addition to the conditions above, one of the extra conditions, as listed in Article 9 of the UK GDPR, is met. These conditions include where:

a) the processing is necessary for carrying out our obligations under employment and social security and social protection law;

b) the processing is necessary for safeguarding the vital interests (in emergency, life or death situations) of an individual and the data subject is incapable of giving consent;

c) the processing is carried out in the course of our legitimate activities and only relates to our members or persons we are in regular contact with in connection with our purposes;

d) the processing is necessary for pursuing legal claims.

e) If none of the other legal conditions apply, the processing will only be lawful if the data subject has given their explicit consent.

· Before deciding which condition should be relied upon, we may refer to the original text of the UK GDPR as well as any relevant guidance, and seek legal advice as required.

What must we tell individuals before we use their data?

· If personal data is collected directly from the individual, we will inform them [in writing] about:

a) our identity/contact details [and those of the Data Protection [Officer/Trustee]];

b) the reasons for processing, and the legal bases, [including explaining any automated decision making or profiling], explaining our legitimate interests, and explaining, where relevant, the consequences of not providing data needed for a contract or statutory requirement;

c) who we will share the data with;

d) if we plan to send the data outside of the United Kingdom;

e) how long the data will be stored; and

f) the data subjects’ rights.

This information is commonly referred to as a ‘Privacy Notice’.

This information will be given at the time when the personal data is collected.

· If data is collected from another source, rather than directly from the data subject, we will provide the data subject with the information described in section 6.5 as well as: the categories of the data concerned; and the source of the data.

This information will be provided to the individual in writing and no later than 1 month after we receive the data, unless a legal exemption under the UK GDPR applies. If we use the data to communicate with the data subject, we will at the latest give them this information at the time of the first communication.

If we plan to pass the data on to someone else outside of Castleton Baptist Church, we will give the data subject this information before we pass on the data.

7. When we need consent to process data

· Where none of the other legal conditions apply to the processing, and we are required to get consent from the data subject, we will clearly set out what we are asking consent for, including why we are collecting the data and how we plan to use it. Consent will be specific to each process we are requesting consent for and we will only ask for consent when the data subject has a real choice whether or not to provide us with their data.

· Consent can however be withdrawn at any time and if withdrawn, the processing will stop. Data subjects will be informed of their right to withdraw consent and it will be as easy to withdraw consent as it is to give consent.

8. Processing for specified purposes

We will only process personal data for the specific purposes explained in our privacy notices (as described above in section 6.5.) or for other purposes specifically permitted by law. We will explain those other purposes to data subjects in the way described in section 6, unless there are lawful reasons for not doing so.

9. Data will be adequate, relevant and not excessive

We will only collect and use personal data that is needed for the specific purposes described above (which will normally be explained to the data subjects in privacy notices). We will not collect more than is needed to achieve those purposes. We will not collect any personal data “just in case” we want to process it later.

10. Accurate data

We will make sure that personal data held is accurate and, where appropriate, kept up to date. The accuracy of personal data will be checked at the point of collection and at appropriate points later on.

11. Keeping data and destroying it

· We will not keep personal data longer than is necessary for the purposes that it was collected for. We will comply with official guidance issued to our sector about retention periods for specific records.

· Information about how long we will keep records for can be found in our Data Retention Schedule.

12. Security of personal data

· We will use appropriate measures to keep personal data secure at all points of the processing. Keeping data secure includes protecting it from unauthorised or unlawful processing, or from accidental loss, destruction or damage.

· We will implement security measures which provide a level of security which is appropriate to the risks involved in the processing.
