Life Church Southampton Data Protection Policy (GDPR)
Last reviewed: May 2020
Personal data – information relating to a living individual who can be identified from that data.
Data subject – an individual identifiable from the information held.
Processing – obtaining, storing, using, disclosing or destroying personal data.
Sensitive personal data – information about an individual’s racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life, or details of criminal offences.
This policy sets out the basis on which personal data is collected and processed by Life Church Southampton, hereafter referred to as the Church. Data collected and processed by the Church is covered by the notification provided by the Church under the Data Protection Act and the General Data Protection Regulations. Personal data is used solely in connection with Church related activities. The Church does not sell, share or transfer this personal data except as set out in the Data Procedures and Guidelines. It uses up-to-date industry procedures to keep personal data as safe and secure as possible and to protect against loss and unauthorised disclosure or access. Individuals have the right to access details that the Church holds and they may seek to have that information corrected, where appropriate. Data is retained for as long as the individual remains connected with the Church or otherwise as required by law.
The Church collects personal data under 3 broad legal categories:
Consent – members and visitors can provide personal data, all at their discretion, to facilitate the church in serving its members and visitors.
Employment – Church employees are required to provide personal data commensurate with normal employment matters.
Safeguarding – activities of the Church that involve children or adults at risk require the Church to collect data about some staff and volunteers in order to comply with safeguarding regulations.
The Church adopts the following principles for the protection of personal data:
It is used fairly and lawfully.
It is used for limited, specifically stated purposes.
It is used in a way that is adequate, relevant and not excessive.
It is kept accurate.
It is kept for no longer than is necessary.
It is handled according to people’s data protection rights.
It is kept safe and secure.
It is not transferred to other organisations without adequate protection.
There are additional measures for sensitive personal data.
Data Procedures and Guidelines
Requests for personal data
The Church requests personal data in the following circumstances:
Visitors to events are asked if they want to stay in contact and, if so, a card is completed by the individual. There is a data privacy statement on the card.
On registering a child1 at a children’s activity, parents/carers are asked for appropriate information for the Real Life Kids workers to provide a safe environment for that child and others. Some data elements are mandatory.
On registering a young person a youth2 activity, parents/carers are asked for appropriate information for the youth workers to provide a safe environment for that young person and others. Some data elements are mandatory.
Older people, whether members or visitors, are asked for relevant access or medical information, all at the individual’s discretion, when attending certain events or regularly part of the church community.
Recruitment of an individual (staff or volunteer) to work in a role that requires safeguarding clearance has a separate process, gathering sufficient information to comply with safeguarding regulations. The data requirements are contained in the Safeguarding Policy and Procedures.
Individuals applying to work for the Church are generally asked for a CV and other information as part of the recruitment process. The request for such information is accompanied by a data privacy statement and any information received is retained only up to the point of appointment.
Trustee and other statutory appointments provide personal data as required by law.
The Church collects financial information in the following circumstances:
○ Donors that give through banking systems.
○ Payers that use credit and debit cards.
○ Donors that wish to increase their donation through Gift Aid.
○ Expenses, staff and volunteers.
The appendix contains details of the data elements collected in the above circumstances.
Methods of collection In general, paper forms and records are discouraged, though it is recognised that on occasions, paperwork is more expeditious. In instances where the paper version is temporary, pending the creation of an electronic copy, the former is destroyed once the latter has been generated. In instances where the paper version is more permanent, it is retained at the Life Centre in a lockable container reserved for that purpose.
1 Within this context, a child is of primary school age. 2 Within this context, a youth is of secondary school age and less than 18.
Most of the personal data held by the Church is in electronic format. The main repositories are: ● Files held on the server at the Life Centre.
Files held on the cloud in applications such as Google Drive and Drop Box.
Processing and storing
Many activities require the organiser to create separate lists of those attending or otherwise involved in the activity. In such cases, if electronic, the file is created in a web-enabled password-protected application; if paper-based, is retained at the Life Centre and is destroyed after the event.
Paper-based files, lists and forms that contain personal data are stored at the Life Centre in a lockable container. On occasions, they are taken from the Life Centre (e.g. when taking a list of emergency contact details when supervising an external youth event). On such occasions they are returned as soon as practicable.
Organisers of activities are not to create files of personal data in applications such as Word and Excel. They are instead to use cloud-based applications such as Google Docs and Google Sheets. If others need access to those files, they are to be sent a link, not a downloaded list either on paper or as an emailed attachment.
The nature of the church’s volunteer community necessitates personal devices being frequently used. The church allows this provided that no personal data other than normal contact information is stored on those devices. Lists and more extensive information is to be stored on cloud-based password-protected applications and not downloaded to the personal device.
Financial information is stored separately from all other personal information. Payroll and expenses information is stored securely on the server and distributed through encrypted channels to relevant bodies, such as taxation, pension and banking entities. Minimal information about donations from individuals is recorded so as to identify the donor for Gift Aid purposes. Paper receipts and vouchers for all financial transactions are retained in lockable containers.
Data is retained no longer than needed. Financial data (e.g. payroll, taxation) is retained for 7 years or as otherwise required by law. Safeguarding data is retained indefinitely, though “archived” so that it is not accessible electronically to those running current operations.
The membership database is scrutinised approximately annually and those that are deceased, have formally left or in the opinion of the elders have discontinued their membership are deleted.
When a child reaches the age of 18, their child/youth record is deleted.
All staff and volunteers are to scrutinise other files (e.g. separate lists in emails, on the server, on the cloud) periodically and to delete any that are no longer needed.
The Church regularly sends emails about its activities using various mailing lists. Potential recipients are included only after they have actively opted in through iKnow. Additionally, recipients can opt out at any point.
For contacting children and youth, emails and letters are directed to the nominated parent or carer, not the minor.
Data subjects have a legal right to be given a copy of the personal data that the Church holds. In the event of a request being received (a Subject Access Request), the Communications Manager and the General Manager are to be notified. The subject’s identity will be confirm, the request acknowledged and then the Communications Manager and General Manager will scrutinise the following systems and repositories to locate any and all of the subject’s personal data:
○ Server files
○ Email accounts
○ PC files
○ Cloud accounts
○ Payroll records
○ Safeguarding records
○ Paper record Assistance may be sought from any members of staff or volunteers as required. A consolidated reply is to be sent to the subject with 30 days of the request. The reply is to include a statement about the legal basis on which the data has been collected and stored. (See “legal basis” in the policy statement.)
Data subjects have a legal right for data held by the Church to be corrected upon notification of the inaccuracy by the individual. In most cases, the personal data is held in user-controlled environments, in which case the subject is guided to the appropriate system to make necessary amendments. In cases where the user does not have access to the data, the Communications Manager is to establish where the erroneous data is held, who has write-access to that data and give appropriate instruction to amend it. The subject is to be informed on completion.
Data subjects have a legal right to withdraw their consent for the Church to hold their data. In the event of such a request being received, the Communications Manager and the General Manager are to be notified. The subject’s identity will be confirm, the request acknowledged and then the Communications Manager and General Manager will scrutinise the following systems and repositories to locate any and all of the subject’s personal data:
○ Server files
○ Email accounts
○ PC files
○ Cloud accounts
○ Payroll records
○ Safeguarding records
○ Paper record Assistance may be sought from any members of staff or volunteers as required. The Communications Manager and General Manager will then scrutinise that data to determine which elements should lawfully be retained (e.g. taxation, safeguarding) and the remainder deleted. The subject is to be informed on completion.
The Church owns a HP server, located in a secure area of the Life Centre.
The financial accounts are held within Finance Coordinator, a cloud-based application provided by the Church’s accountants. Access is restricted to nominated staff members and the accountants. Supporting paperwork is secured in a lockable container.
The Church holds bank accounts with HSBC. Most transactions are conducted through HSBC’s Bankline, an encrypted web-browsing application. Papers received and copies of papers sent are secured in a lockable container.
Payroll data is stored and processed within the software package held on the server. Paper documents supporting the process are retained in a lockable container. Tax and National Insurance information is periodically uploaded to HMRC via the government’s secure link.
Pensions data is held in the software package and in Excel files on the server. Paper documents supporting the process are retained in a lockable container. Data is periodically uploaded to Scottish Widows via its secure link.
Data Protection Impact Assessments are conducted whenever a new technology is under consideration for introduction into the Church’s working practices.
Staff and volunteer guidelines:
○ Personal devices (whether portable or not) are not to be used for storing personal data other than basic contact information. They may be used to access cloud-based files only.
○ Separate or local files (paper or electronic) of personal data are not to be created; instead links to centrally held files are preferred.
○ Computers and other devices require a strong password to login.
○ Files that are likely to be shared are to be created in cloud-based applications (e.g. Google Docs and Sheets) rather than device-based applications (e.g. Microsoft Word and Excel) and when shared, links are shared rather than a file emailed.
○ When files or preferably links are shared, users are to grant access judicially, e.g. editing, downloading and copying rights.
○ In particular, free-text notes that contain personal information (e.g. prayer requests, pastoral notes, safeguarding notes) are to be generated in cloud- based documents and shared with others where appropriate by sending links.
○ Virus checking software and application software on all computers and other devices is to be kept up to date.
○ Portable devices are not to be used for storing personal data other than basic contact information. They may be used to access cloud-based files only.
○ Emails, electronic files and paper-based files are to be periodically cleansed to remove any obsolete or unnecessary personal data.
○ When sending emails to multiple addresses, “blind” addresses are to be used when there is no need for recipients to see each others details.
○ Staff are permitted to use social media to discuss Church activities though not in such a way that might damage the reputation of the Church, divulge confidential information or cause offence.
Breach management In the event of a breach or suspected breach (that is, when there is reasonable evidence to suggest that personal data held by the Church has passed to a third party), the following procedure applies:
The member of staff discovering the breach or suspected breach is to inform the Communications Manager and the General Manager as soon as practicable.
The Communications Manager and the General Manager will meet to discuss the immediate way forward.
An initial investigation will determine the scope of the breach, in particular, whose personal data has been compromised, the details lost, the nature of the third party receiving the data and whether the data was encrypted.
Within 72 hours, the Communications Manager or the General Manager will inform the Information Commissioner’s Office.
A subsequent full investigation will
○ Inform the data subjects where appropriate.
○ Consider ways to prevent a recurrence – policy, procedures and training.
○ Act on specific advice or direction from the Information Commissioner’s Office.
Training Staff and volunteers should receive training on sections of this policy relevant to their role during their induction period and annually thereafter.
Review This policy should be reviewed every 2 years.
WRITTEN: May 2018
APPROVED: May 2018 APPROVED BY: Board of Trustees
LAST REVIEWED: May 2020 REVIEWED BY: James Hatcher (Operations Manager)