1. What is personal data?
Personal data is any information relating to a living individual which allows that individual to be identified, either from the information alone or in combination with other information that is in the data controller’s possession or is likely to come into its possession. The processing of personal data is governed by the General Data Protection Regulation (the “GDPR”).
2. Who are we?
For the purposes of the GDPR, the elders and deacons of Downe Baptist Church (the ‘Officers’) are regarded collectively as the legal Data Controller (contact details below). This means that the Officers decide how personal data is processed and for what purposes.
3. The personal data that we hold and why and how we hold and process it
We process (that is collect, use and maintain) personal data for the following purposes:
- To administer records of our members and adherents;
- To manage our volunteers (those involved in running children’s clubs etc.);
- To pay our pastor and to meet our responsibilities to HMRC and in respect of his pension;
- To maintain our own accounts and records (including the processing of Gift Aid applications);
- To enable us to provide a voluntary service for the benefit of the public;
- To enable us to comply with our child protection responsibilities towards children who attend our clubs and activities, and to ensure that they attend the appropriate group for their age or school year;
- To inform families who have given written consent for their children to attend our clubs of events, activities and services running at Downe Baptist Church.
Data ordinarily processed for these purposes will include name and contact details (postal address, email address if supplied, home and/or mobile telephone number). We will only hold bank account or other financial information where necessary for paying our pastor or administering gift aid payments. For children and young people under 18 who attend our children’s activities we also hold date of birth and details of their school and year as well as details of any important medical information, together with signed parental consent for them to attend our activities. The information that is processed for these purposes is always obtained directly from the data subjects themselves, or in the case of a person under 18, from their parent, or legal guardian or caregiver.
Downe Baptist Church complies with its obligations under the GDPR by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure; and by ensuring that appropriate technical measures are in place to protect personal data. Personal data will be stored on password-protected computers or in paper files kept in a secure location. Personal data will not be kept at the church building when the building is unoccupied, that is, when activities are not taking place.
4. Information from your use of our website
We may collect standard Internet log information about how and when you use our website. This information may include, but is not limited to, your IP address and the approximate location derived from it, the time and date of your visit, the browser used, referring web addresses, other communication details, searches conducted and pages visited. Our website includes links to other websites whose privacy practices may differ from ours. If you submit personal information to any of those sites, your information is governed by their privacy policies and we do not accept any responsibility or liability in respect of third-party sites. Please check the privacy policies published on any third-party sites which you may access through our website before submitting personal information to them.
5. What is the legal basis for processing personal data?
We rely on one or more of the following legal bases:
We have the explicit consent of the data subject, so that we can keep them informed about news, events, activities and services;
Processing is necessary for carrying out legal obligations in relation to Gift Aid, or under employment, social security or social protection law, or a collective agreement;
Processing is carried out by a not-for-profit body with a political, philosophical, religious or trade union aim, provided that:
the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes); and
there is no disclosure to a third party without consent.
6. Sharing personal data
Personal data will be treated as strictly confidential, and other members of the church will only have access to personal data where it is necessary for them to carry out their duties as a volunteer in connection with the church’s activities. We will not share data with third parties outside the church, except where we are required to do so by law (for example, the information we must supply to HMRC in connection with Gift Aid and the payment of our pastor, as described in section 3).
7. How long do we keep personal data?
We retain all data for as long as it is still current. Gift Aid declarations and associated paperwork are retained for up to 6 years after the end of the calendar year to which they relate. Consent forms for children attending our children’s activities are retained indefinitely in order to comply with safeguarding regulations.
8. The rights of the individual regarding their personal data
Unless subject to an exemption under the GDPR, any individual has the following rights with respect to his or her personal data:
The right to request a copy of personal data which Downe Baptist Church holds about them;
The right to request that Downe Baptist Church corrects any personal data if it is found to be inaccurate or out of date;
The right to request one’s personal data is erased where it is no longer necessary for Downe Baptist Church to retain such data;
The right to withdraw one’s consent to the processing at any time
The right to request that the data controller provide the data subject with his/her personal data and where possible, to transmit that data directly to another data controller, (known as the right to data portability)
The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;
The right to lodge a complaint with the Information Commissioner’s Office.
9. Breach of any requirement of GDPR
Any and all breaches of the GDPR, including a breach of any of the data protection principles, shall be reported to the data controller as soon as they are discovered. Once notified, the data controller shall assess:
the extent of the breach;
the risks to the data subjects as a consequence of the breach;
any security measures in place that will protect the information;
any measures that can be taken immediately to mitigate the risk to the individuals.
Unless the data controller concludes that there is unlikely to be any risk to individuals from the breach, it must be notified to the Information Commissioner’s Office within 72 hours of the breach having come to the attention of the church, unless a delay can be justified.
If the breach is likely to result in a high risk to the rights and freedoms of the affected individuals then the data controller shall notify data subjects of the breach without undue delay unless the data would be unintelligible to those not authorised to access it, or measures have been taken to mitigate any risk to the affected individuals.
Data subjects shall be told:
the nature of the breach;
who to contact with any questions;
measures taken to mitigate any risks.
The data controller shall then be responsible for instigating an investigation into the breach, including how it happened, and whether it could have been prevented. Any recommendations for further training or a change in procedure shall be reviewed by the church and a decision made about implementation of those recommendations.
If anyone has any concerns or questions in relation to this policy they should contact the Data Controller:
Downe Baptist Church