Our Privacy Statement
These days it seems that we are constantly being bombarded with requests for information from different sources – banks, government departments, energy companies, online shopping, the list goes on. Sometimes the information sought is very private and sensitive …
… which, of course, is why we have Data Protection laws which are designed to make sure that our personal information held by any organisation is appropriate, only gets seen by those who need it, and doesn’t get into the wrong hands.
This document is to inform you about what happens to any personal information you share with us. You are encouraged to read carefully the following information telling you about the church’s policy on data protection. We are circulating this now because of the new legislation (the General Data Protection Regulation – or GDPR) which gives extended rights to all EU Citizens on whom we hold any personal information.
When anyone contacts and/or attends our church we may collect information about them. This Privacy Statement is designed to make clear the following:
- who are we?
- how do you contact us?
- what information do we collect about individuals?
- what is the source of this personal information?
- what are the legal grounds for us holding your personal information?
- how do we use that information?
- how safe is the information we hold?
and more about GDPR:
- what are your rights under Data Protection laws?
- children’s personal data and consent
- what are the various data protection roles?
- how to make a complaint
> First of all – who are we?
We are Christchurch Christian Centre, located in Millhams Street, Christchurch, Dorset, BH23 1DN.
We are an Elim Pentecostal Church; part of the Elim Foursquare Gospel Alliance – Registered Charity 251549 (England and Wales).
For the purposes of GDPR (the General Data Protection Regulation) the church fulfils the role of Data Controller.
> How do you contact us?
We can be contacted in writing at the above address, by telephone on 01202 475618 or email firstname.lastname@example.org
Our Data Protection Lead is Ray Adkins who can be contacted at the above address or email email@example.com
> What information do we collect?
The amount and range of information will depend largely upon the contact you have with the church. Typically, for regular attenders of the church, we may collect the following information about you:
- your name and address …
- … also names of family members, including children.
- your contact details including email address and phone numbers
- your age and/or date of birth
- your giving – which we are required to do, for tax purposes, if you choose to give through Gift Aid
- any notes in relation to our contact with you (information about your coming to faith, church groups you attend, if you are married and/or baptised in the church, pastoral issues, etc.)
While for one-off or occasional visitors:
- we may just hold your name, and perhaps a phone number or email address through which we can invite you to future events.
> Where does this information come from?
We may collect personal information about you when you:
- Fill in our “Visitors” enquiry form
- Sign up for a course or other event at the church
- Volunteer for duty at one of our services
- Contract to do work at the church
- Apply for church membership
- Contact us via email or by telephone for any reason
- Wish to be married at the church
- Wish to make any gift-aided offering to the church
- Hire one of our rooms
- Ask for a Pastoral care visit
- Supply us with other personal information, for example regarding a health issue
> What legal basis do we have for keeping your information?
There are various legal grounds for organisations to maintain and process data about people. Under GDPR we have to be able to demonstrate these grounds. There are six lawful bases:
- CONSENT – Individuals give their explicit agreement for their details to be held – this must be opt-in (so organisations can’t legally assume that you agree to your personal data being held). This is the basis that we will have for most of the details that we keep, and why it is so important that you complete and return the Consent Form.
- The data is necessary for THE PERFORMANCE OF A CONTRACT
- The data is necessary for COMPLIANCE WITH A LEGAL OBLIGATION. This may apply to some of the details that we hold. For example if you married in the church we are legally obliged to keep those records; and if you make donations through Gift Aid, tax legislation means that we have to keep records for a period of time set out by HMRC.
- The data is necessary to PROTECT THE VITAL INTERESTS OF THE DATA SUBJECT. For example, when it is needed to protect someone’s life.
- The data is necessary for the PERFORMANCE OF A TASK CARRIED OUT IN THE PUBLIC INTEREST.
- The processing is necessary for the purposes of the LEGITIMATE INTERESTS pursued by the Data Controller.
You can read more about these legal bases for holding information at the website of the Information Commissioner’s Office (ICO) at www.ico.org.uk
> How we use your personal information
Personal information that you give us can be used in various ways:
- to enable us to contact you with invitations to forthcoming events
- to notify people on the various church rotas of duty details and reminders
- to monitor our membership lists
- in church planning to get a clearer picture on attendance by age, gender, location, etc.
We only hold your personal information for as long as necessary for the purposes for which we collected your information.
Christchurch Christian Centre has a policy which lays down timescales for the retention of information. We have set these timescales to fit in with any applicable legislation (e.g. for tax purposes) and where none exists then we will keep your information for a maximum of 5 years after which time it will be deleted.
> How safe is my personal information?
The information we hold on individuals is most commonly held on our computer records system, but we also necessarily hold certain paper documentation where appropriate (for example registration forms that you have completed, etc.)
In all cases, we make every effort to ensure that only those very few individuals who need the information have access to it. Our computer systems are firewall protected and our membership list spreadsheets which include limited personal information have strong password protection, and are not available online.
All paper documentation is locked away inside the church building and does not leave the premises.
In fact, we do everything we can to make sure that your information is completely safe, and your privacy protected.
Our online database is run on our behalf by iKnow Church Software, based in Solihull in the West Midlands. Each person whose details are entered into this programme (members and non-members) has the opportunity to visit the secure online website and see their own personal information, as well as be updated on church meetings and special functions.
Note: other than a couple of people with responsibility for maintaining the church information (currently Pastor Dave Sharpe and Ray Adkins) no-one has access to all the records. When you log on to iKnow, you are only able to see your own information – where you can change, add or remove details, as is your right – but no-one else can see your details, and you can’t see theirs.
MORE INFORMATION ON GDPR
> What are your rights under Data Protection laws?
The eight key rights of data subjects are as follows (a data subject is an individual whose personal data is held):
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
The right to be informed: This gives you the right to know what information is held, and what your data is being used for. Naturally you are entitled to withhold any information, and will never be required to give an explanation of why you are unwilling for us to hold that information.
However, because we would like to provide you with information about forthcoming services and events and other news which we feel may be of interest to you, it should be noted that not having, for example, your email address or phone number may restrict our ability to invite you. Depending on what contact information you have given to us, we may contact you by email, phone or post. We will only do this where you have consented to receiving such information from us.
The right of access: Data subjects have the right to ask any organisation if they are holding or processing any personal data about them. If the organisation is holding or processing data the subject can request a copy of that data.
The right to rectification: If any of the details we hold is wrong, or out-of-date, you should contact our Data Protection Lead (Ray Adkins) whose responsibility it is to make the necessary corrections to your satisfaction, and confirm (within 1 month) that the changes have been made.
The right to erasure: (Also known as the “right to be forgotten”). The broad principle here is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing. So you can ask for all personal records which concern you (other than those we are legally obliged to keep) to be erased. This applies to anyone who has previously given their consent for data to be held, but has subsequently withdrawn it, and now wants all their data to be erased.
The right to restrict processing: When processing is restricted, an organisation can continue to store data, but cannot further process it.
The right to data portability: This is a new feature of GDPR which permits data subjects to obtain and reuse their personal data for their own purposes across different organisations and services. The data must be transferred in a safe and secure way and should be provided in a useable format.
The right to object: This applies when someone feels strongly that they do not want their personal data used in a particular way. This is not really about the information being stored, but more about how it is used. Again, our Data Protection Lead can be approached to ensure that your preferences are met if you choose to exercise this right.
Rights in relation to automated decision making and profiling: Individuals have the right not to be subject to decisions based solely on automated processing where the decision has legal or similarly significant effects on the individual.
> Children’s personal data and consent
GDPR gives special consideration for storing and using children’s personal data. It recognises that children need particular protection, as they are potentially more vulnerable, and less likely to be aware of the risks involved. We are particularly cautious about processing children’s information and are constantly aware of the need to protect them at all times.
GDPR sets the age when a child can give their own consent to their data being processed at 16, although this is set to change to 13 under the Data Protection Bill. Of course we still need consent to hold any information in our systems, so whoever has parental responsibility for the child under 13 years must give their consent for this purpose. Children have the same rights as adults over their personal data. An individual’s right to erasure is particularly relevant if they gave their consent to processing when they were a child.
When children reach the age of 13 then they themselves need to give their own permission for the church to keep storing data on them.
> ROLES and RESPONSIBILITIES
Amongst other things, GDPR sets out the responsibilities of those organisations which control the storing and use of data. It sets out defined ROLES, and these are listed below:
The Data Processor is responsible for processing personal data on behalf of the controller. Because we use iKnow Church software, Edit Websites Ltd, the parent company of iKnow, is our Data Processor. The correspondence address for Edit Websites Ltd. is:
Blythe Valley Innovation Centre, Central Boulevard, Blythe Valley Business Park, Solihull, West Midlands, England, B90 8AJ.
GDPR places specific legal obligations on data processors; for example, they are required to maintain records of personal data and processing activities. They will have legal liability if they were to prove responsible for any breach.
For the purposes of GDPR, the Data Controller determines the purposes and means of processing personal data. In our case, the church itself will take on the role of Data Controller, and will be responsible for ensuring that any personal data we collect or store is handled securely, sensitively, and in a manner which reflects the lawful basis for storing this information.
While the Data Processor has legal responsibilities we, as the Data Controller, are not relieved of our obligations where a processor is involved – the GDPR places further obligations on us to ensure our contracts with processors comply with the GDPR.
Data Protection Lead
The Data Protection Lead’s purpose is to monitor internal compliance, inform and advise on data protection obligations and act as a contact point for Data Subjects. As previously mentioned, Ray Adkins will take on this responsibility initially. He can be contacted in writing via the Church Office, or you can email him if you prefer: firstname.lastname@example.org
Any enquiries regarding GDPR should always be made in writing for accountability purposes.
The Data Subject is any individual whose data we may hold or use.
In the case of churches, this could be anyone from a full church member, to someone who has taken an Alpha or other course, to a couple who previously got married at the church.
We may have had visitors who attended the church a while ago and whose visitor cards we still have in a folder, or whose information is still held on our database.
Each person on whom we hold data is a Data Subject.
> How to make a Complaint
If you make a request to us under this Privacy Statement and you are unhappy with the response, you can ask for the request to be reviewed under our internal complaints procedure. Our internal complaints procedure allows your request to be reviewed by Pastor Dave Sharpe, who will do his best to try and resolve the issue.
However, if you have been through the internal complaints procedure and are still not happy with the result, then you have the right to complain to the Information Commissioner’s Office.
They can be contacted as follows:
Information Commissioner’s Office
The information included in this leaflet is only a brief summary of the new legislation. If you wish to know more about the General Data Protection Regulation, you are advised to go online to the website of the Information Commissioner’s Office:
https://ico.org.uk which has a link – Guide to GDPR
Alternatively you can explore the detailed advice on the website constructed by the iKnow Team: www.gdprforchurches.org.uk
Changes to our Privacy Statement