Data Protection Policy (GDPR)
(Company No: 6065940; Charity No: 1118978)
Adopted by the Trustees of Life Church Southampton
Version 1.2
Reviewed April 2024 – to be reviewed every 2 years or sooner in the light of new recommendations
Policy Statement
This policy sets out the basis on which personal data is collected and processed by New Frontiers Life Church Southampton, hereafter referred to as “the Church”. Data collected and processed by the Church is covered by the notification provided by the Church under the Data Protection Act and the General Data Protection Regulations. Personal data is used solely in connection with Church related activities. The Church does not sell, share or transfer this personal data except as set out in the Data Procedures and Guidelines. It uses up-to-date industry procedures to keep personal data as safe and secure as possible and to protect against loss and unauthorised disclosure or access. Individuals have the right to access details that the Church holds and they may seek to have that information corrected, where appropriate. Data is retained for as long as the individual remains connected with the Church or otherwise as required by law.
Legal basis
The Church collects personal data under 3 broad legal categories:
Consent – members and visitors can provide personal data, all at their discretion, to facilitate the church in serving its members and visitors.
Employment – Church employees are required to provide personal data commensurate with normal employment matters.
Safeguarding – activities of the Church that involve children or adults at risk require the Church to collect data about some staff and volunteers in order to comply with safeguarding regulations.
Principles
The Church adopts the following principles for the protection of personal data:
1 It is used fairly and lawfully.
2 It is used for limited, specifically stated purposes.
3 It is used in a way that is adequate, relevant and not excessive.
4 It is kept accurate.
5 It is kept for no longer than is necessary.
6 It is handled according to people’s data protection rights.
7 It is kept safe and secure.
8 It is not transferred to other organisations without adequate protection.
9 There are additional measures for sensitive personal data.
Requests for personal data
The Church requests personal data in the following circumstances:
Visitors to events are asked if they want to stay in contact and, if so, the cloud-based Get Connected form on the church website is completed by the individual. This data is stored in cloud-based applications. At the point of collecting that data, the individual is asked to read and give assent to the Church’s data privacy policy.
During the process of becoming members of the Church, individuals are asked to provide details, at their option, that might allow the church to integrate them into relevant activities by completing the Get On Board Membership Form. This form can be completed online with details held in a cloud-based application, or can be completed in a paper form, at the option of the individual. At the point of completing that form, the individual is asked to read and give assent to the Church’s data privacy policy.
On registering a child at a children’s activity, parents/carers are asked for appropriate information for the Real Life Kids workers to provide a safe environment for that child and others. Some data elements are mandatory.
On registering a young person at a youth activity, parents/carers are asked for appropriate information for the youth workers to provide a safe environment for that young person and others. Some data elements are mandatory.
Everyone in the Church Address Book is asked to let the Church know whether they have any additional needs that the Church should be aware of in the event of an emergency evacuation. This is followed up by a phone conversation.
Recruitment of an individual (staff or volunteer) to work in a role that requires safeguarding clearance has a separate process, gathering sufficient information to comply with safeguarding regulations. The data requirements are contained in the Safeguarding Policy and Procedures.
Individuals applying to work for the Church are generally asked for an application form and other information as part of the recruitment process. The request for such information is accompanied by a data privacy statement and any information received is retained only up to the point of appointment.
Employees are required to provide information in order to comply with employment law. The data privacy policy is explained to them on appointment.
Trustees and other statutory appointments provide personal data as required by law.
Individuals or organisations requesting to use or hire space at the Boathouse are asked to provide basic contact information, which is stored in cloud-based applications.
The Church collects financial information in the following circumstances:
Donors that give through banking systems.
Payers that use credit and debit cards.
Donors that wish to increase their donation through Gift Aid.
Expenses, staff and volunteers.
Payroll.
Methods of collection
In general, paper forms and records are discouraged, though it is recognised that on occasions, paperwork is more expeditious. In instances where the paper version is temporary, pending the creation of an electronic copy, the former is destroyed once the latter has been generated. In instances where the paper version is more permanent, it is retained in a lockable container reserved for that purpose.
Most of the personal data held by the Church is in electronic format.
Processing and storing
The Address Book database is held on a cloud-based application called ChurchSuite. A minimum of data is added centrally when the individual joins; the remainder is added at the discretion of the individual. He/she can elect to have some data elements withheld from other members. It is password protected and a strong password is enforced. Initial setup requires the individual’s consent to the Church’s Data Protection Policy, and that consent is required again annually thereafter. Specific staff have access to the whole Address Book database for generating reports and answering queries related to the Church’s activities. Staff are not permitted to create separate files, downloads or print-outs other than those contained within the application itself and for legitimate purposes of the Church’s programme.
Each adult in the ChurchSuite Address Book has access to My ChurchSuite both through a web browser and through the My ChurchSuite app. From here they are able to update their personal details and those of their children, and they are able to give and remove consent for the general use of their details by the Church.
Many activities require the organiser to create separate lists of those attending or otherwise involved in the activity. In such cases, if electronic, the file is created in a web-enabled password-protected application; if paper-based, it is retained at the Boathouse and is destroyed after the event.
Paper-based files, lists and forms that contain personal data are stored in a lockable container. On occasions, they are taken from the Boathouse (e.g. when taking a list of emergency contact details when supervising an external youth event). On such occasions they are returned as soon as practicable.
Organisers of activities are not to create files of personal data in applications such as Word and Excel. They are instead to use cloud-based applications such as Google Docs and Google Sheets. If others need access to those files, they are to be sent a link, not a downloaded list either on paper or as an emailed attachment.
The nature of the church’s volunteer community necessitates personal devices being frequently used. The church allows this provided that no personal data other than normal contact information is stored on those devices. Lists and more extensive information are to be stored on cloud-based password-protected applications and not downloaded to the personal device.
Financial information is stored separately from all other personal information. It is stored securely electronically and distributed through encrypted channels to relevant bodies, such as taxation, pension and banking entities. Minimal information about donations from individuals is recorded so as to identify the donor for Gift Aid purposes. Paper receipts and vouchers for all financial transactions are retained in lockable containers.
Retention
Data is retained no longer than needed. Financial data (e.g. payroll, taxation) is retained for 7 years or as otherwise required by law. Safeguarding data is retained indefinitely, though “archived” so that it is not accessible electronically to those running current operations.
The Address Book database is scrutinised approximately annually and those who are deceased, have formally left or, in the opinion of the elders, have discontinued their membership are deleted.
When a child reaches the age of 18, their child/youth record is deleted.
All staff and volunteers are to scrutinise other files (e.g. separate lists in emails, on the server, on the cloud) periodically and to delete any that are no longer needed.
“Marketing”
The Church regularly sends emails about its activities using various mailing lists. Potential recipients are included only after they have actively opted in through ChurchSuite. Additionally, recipients can opt out at any point.
For contacting children and youth, emails and letters are directed to the nominated parent or carer, not the minor.
Subjects’ rights
Data subjects have a legal right to be given a copy of the personal data that the Church holds. In the event of a request being received (a Subject Access Request), the Communications Manager and the Operations Manager are to be notified. The subject’s identity will be confirmed, the request acknowledged and then the Communications Manager and Operations Manager will scrutinise the following systems and repositories to locate any and all of the subject’s personal data:
Server files
Email accounts
PC files
Cloud accounts
Payroll records
Safeguarding records
Paper records
Assistance may be sought from any member of staff or volunteers as required. A consolidated reply is to be sent to the subject within 30 days of the request. The reply is to include a statement about the legal basis on which the data has been collected and stored. (See “legal basis” in the policy statement.)
Data subjects have a legal right for data held by the Church to be corrected upon notification of the inaccuracy by the individual. In most cases, the personal data is held in user-controlled environments, in which case the subject is guided to the appropriate system to make necessary amendments. In cases where the user does not have access to the data, the Communications Manager is to establish where the erroneous data is held, who has write-access to that data and give appropriate instruction to amend it. The subject is to be informed on completion.
Data subjects have a legal right to withdraw their consent for the Church to hold their data. In the event of such a request being received, the Communications Manager and the Operations Manager are to be notified. The subject’s identity will be confirmed, the request acknowledged and then the Communications Manager and Operations Manager will scrutinise the following systems and repositories to locate any and all of the subject’s personal data:
Server files
Email accounts
PC files
Cloud accounts
Payroll records
Safeguarding records
Paper records
Assistance may be sought from any members of staff or volunteers as required. The Communications Manager and General Manager will then scrutinise that data to determine which elements should lawfully be retained (e.g. taxation, safeguarding) and the remainder deleted. The subject is to be informed on completion.
Security
Data security is taken seriously with best practice followed to the best of our ability to keep personal information safe. A detailed breakdown of the software used and security measures taken to secure data is kept in the internal version of the data protection policy.
Definitions
Personal data – information relating to a living individual who can be identified from that data.
Data subject – an individual identifiable from the information held.
Processing – obtaining, storing, using, disclosing or destroying personal data.
Sensitive personal data – information about an individual’s racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life, or details of criminal offences.
Employee – individuals who are in either full-time or part-time paid employment with Life Church Southampton.
Staff – individuals working for us or at any of our premises irrespective of their status, level or grade. For the purpose of this policy, the definition of Staff incorporates employees, those regular volunteers who work in the Church Office and those who serve the Church voluntarily while undertaking training programmes such as the Commission Internship.
The Church – The charitable company New Frontiers Life Church Southampton.
Member – for the purposes of this policy, members includes those who have been through the process of becoming a member of Life Church and are included in the members list, and it also includes those who are not formally members but who regularly attend Life Church and view Life Church to be their church.
Real Life Kids – The banner which covers all activities for children aged 0 to school year 6, where the children come into the care of Life Church and DBS checked volunteers and staff are responsible for the children.
Youth – the banner which covers all activities for young people in school years 7 – 13, where the young people come into the care of Life Church and DBS checked volunteers and staff are responsible for the young people.
Policy Owner: James Hatcher