Introduction
King’s Church Uckfield (KCU) needs to gather and use certain information about individuals in order to function as a church, to protect those in its care with appropriate safeguarding, and to meet financial record-keeping requirements. As a result, the church has a legitimate interest in processing and storing personal data.
These individuals can include members (current and a limited number of former members), suppliers, business contacts, employees and other people the church has a relationship with or may need to contact. This privacy statement describes how this personal data must be collected, handled and stored to meet the church’s data protection standards — and to comply with the law.
Your personal data – what is it?
Personal data relates to a living individual who can be identified from that data. Identification can be established by the information alone or in conjunction with any other information in the data controller’s (KCU’s) possession or likely to come into such possession. The processing of personal data is governed by the General Data Protection Regulation 2016/679 (the “GDPR”).
How do we process your personal data?
GDPR principles say that personal data shall be:
1. Processed lawfully, fairly and in a transparent manner
2. Collected only for specified, explicit and legitimate purposes
3. Adequate, relevant and limited to what is necessary
4. Accurate and, where necessary, kept up to date
5. Kept for no longer than necessary
6. Processed in a manner that ensures appropriate security of the personal data
KCU complies with its obligations under the GDPR by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.
Personal data is defined as all data that an organisation holds relating to identifiable individuals. This includes:
• Names of individuals
• Postal addresses
• Email addresses
• Telephone numbers
• Bank information
• Health information
• Sensitive data regarding religious views
• …plus any other information relating to individuals
KCU will seek, process and store only the information it needs to fulfil its duties and will not ask for sensitive data consisting of:
• Racial or ethnic origin,
• political opinions,
• trade union membership,
• genetic data,
• biometric data,
• data concerning health or
• data concerning a natural person’s sex life or sexual orientation.
We use your personal data for the following purposes:
• To enable the Church to fulfil its objectives in meeting the needs of its members and those it works with
• To enable church leadership to provide pastoral support to church members
• To enable us to provide a voluntary service for the benefit of the public in the geographical area of Uckfield and surrounding villages, as specified in our constitution
• To manage our employees and volunteers
• To administer membership records
• To promote the interests of the church
• To operate the KCU website and deliver the services that individuals have requested.
• To inform individuals of news, events, activities or services running at KCU (subscription must be performed by the individual from our website).
• To process members’ giving and gift aid applications and maintain our own accounts and records as required by the Charity Commission
• To process Disclosure and Barring Service (DBS) disclosures and other safeguarding requirements
• To contact individuals via surveys to conduct research about their opinions of current services or of potential new services that may be offered.
What is the legal basis for processing your personal data?
GDPR Article 6 Processing
An organisation can lawfully hold or process personal data if one of the following conditions is met:
• The data subject (i.e. the individual, as referred to in this statement) has consented to the data being processed;
• Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract;
• Processing is necessary for compliance with a legal obligation;
• Processing is necessary to protect the vital interests of a data subject or another person;
• Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller;
• Processing is necessary for the legitimate interests of the data controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
GDPR Article 9 Processing
As well as satisfying one of the processing conditions set out in Article 6 (above), sensitive data can only be held following the satisfaction of one of the following processing conditions:
• Explicit consent of the data subject
• Processing is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement;
• Processing is necessary to protect the vital interests of a data subject or another individual where the data subject is physically or legally incapable of giving consent;
• Processing is carried out by a not-for-profit body with a political, philosophical, religious or trade union aim provided:
o the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes); and
o there is no disclosure to a third party without consent.
• Processing relates to personal data manifestly made public by the data subject;
• Processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity;
• Processing is necessary for reasons of substantial public interest on the basis of EU or Member State law;
• Processing is necessary for reasons of preventative or occupational medicine, for assessing the working capacity of an employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of EU or Member State law or a contract with a health professional;
• Processing is necessary for the reasons of public interest in the area of public health;
• Processing is necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes.
KCU only retains or processes data that meets one of the conditions above and asserts that it has a legitimate interest to do so for its members, and a legal obligation to do so for its donors and those that work with children and vulnerable adults.
On rare occasions the church processes sensitive personal data. Personal data which reveals religious belief is classed as sensitive personal data under the GDPR, but the church asserts that this is a prerequisite of church membership and is thus applicable to all church members. The church will not ask for other sensitive data relating to: health; ethnicity; trade union membership; political party membership; or sexual orientation as part of its procedures, but understands that occasionally these may be made known during the course of pastoral care.
Sharing your personal data
Your personal data will be treated as strictly confidential, and will be shared only with employees or leaders who need access to this information in order to properly perform their role. We will only share your data with third parties outside of the church with your consent.
In certain circumstances, the GDPR allows personal data to be disclosed to law enforcement agencies without the consent of the data subject. Under these circumstances, KCU will disclose the requested data. However, the data controller will first ensure the request is legitimate, seeking assistance from the board and from the church’s legal advisers where necessary.
How long do we keep your personal data?
We will generally keep your personal data for no longer than is reasonably necessary, and in any case for no more than 7 years, in order to comply with our obligations under company and charity law to retain 7 years of records and accounts. Personal data that is not part of those records will be destroyed as soon as possible, and at the latest within two years of it last being used.
In addition to this, we will keep safeguarding records and children’s registers for a period of 7 years, internal welfare concerns for 10 years, and anything referred to police or social services for a period of 25 years to allow for potential legal claims to be handled correctly.
Your rights and your personal data
Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data:
• The right to request a copy of the personal data which KCU holds about you (known as a Subject Access Request or SAR);
• The right to request that KCU corrects any personal data if it is found to be inaccurate or out of date (see below);
• The right to request that your personal data is erased where it is no longer necessary for KCU to retain such data (see below);
• The right to withdraw your consent to the processing of your personal data at any time, where consent is relied upon as the processing condition (see below);
• The right to request that the data controller provides you with your personal data and, where possible, transmits that data directly to another data controller (known as the right to data portability) (where applicable);
• The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request that a restriction is placed on further processing;
• The right to object to the processing of your personal data (where applicable) [this only applies where processing is based on legitimate interests (or the performance of a task in the public interest/exercise of official authority), direct marketing, or processing for the purposes of scientific/historical research and statistics];
• The right to lodge a complaint with the Information Commissioner’s Office (ICO).
Requesting access to your personal data
All individuals who are the subject of personal data held by KCU are entitled to access details of the personal data concerning them. If an individual contacts the church requesting this information, this is called a Subject Access Request (SAR).
SARs from individuals should be made in writing or by email, addressed to the data controller at office@kingschurchuckfield.org.uk with the subject heading ‘Subject Access Request’ to avoid ambiguity.
The data controller must provide the relevant data within one month of receipt of the SAR.
The data controller must always verify the identity, authority and entitlement (e.g. of someone acting under a power of attorney) of anyone making a SAR before handing over any information.
In responding to a SAR, the church will advise the data subject or entitled person of:
• The purpose of the processing.
• The categories of personal data concerned.
• The recipients of the information.
• How long the church will hold on to information, or what categories it will use to decide how long the information will be held for.
• The right to request rectification, erasure or restriction of the processing.
• The right to lodge a complaint with the ICO.
• Where the personal data is not collected from the data subject, the source from which the church obtained the data.
• The existence of any automated decision-making.
Right to rectification (correction)
If the church receives a request for rectification, either verbally or in writing, the KCU Data Protection Officer (DPO) shall take reasonable steps to satisfy themselves that the data is accurate and to rectify the data if necessary, taking into account the arguments and evidence provided by the data subject. What steps are reasonable will depend, in particular, on the nature of the personal data and what it will be used for.
Determining whether personal data is inaccurate can be more complex if the data refers to a mistake that has subsequently been resolved. It may be possible to argue that the record of the mistake is, in itself, accurate and should be kept. In such circumstances, both the fact that a mistake was made and the correct information should be included in the individual’s data.
It is also complex if the data in question records an opinion. Opinions are, by their very nature, subjective, and it can be difficult to conclude that the record of an opinion is inaccurate. As long as the record shows clearly that the information is an opinion and, where appropriate, whose opinion it is, it may be difficult to say that it is inaccurate and needs to be rectified.
Under GDPR Article 18, an individual has the right to request a restriction on the processing of their personal data where they contest its accuracy and KCU is still checking it. As a matter of good practice, KCU will restrict the processing of the personal data in question whilst its accuracy is verified, whether or not the individual has exercised their right to restriction.
KCU will inform the individual if it is satisfied that the personal data is accurate, and tell them that we will not be amending the data. We shall explain our decision, and inform them of their right to make a complaint to the ICO or another supervisory authority; and their ability to seek to enforce their rights through a judicial remedy.
KCU will place a note on its system indicating that the individual challenges the accuracy of the data and their reasons for doing so.
KCU reserves the right to refuse to comply with a request for rectification if the request is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature. In this instance KCU will inform the individual without undue delay, and within one month of receipt of the request, about:
• the reasons we are not taking action;
• their right to make a complaint to the ICO or another supervisory authority; and
• their ability to seek to enforce this right through a judicial remedy.
A valid request for rectification can be made to any staff member who should, if they are unable to deal with it themselves, report it to the DPO. The staff member may seek clarification from the requester as to the exact information they wish to correct prior to handing it over to the DPO.
All requests shall be dealt with without undue delay and at the latest within one month of receipt.
If KCU have doubts about the identity of the person making the request we will ask for more information. We will only ask for the minimum of information necessary to confirm the requester’s identity.
The individual will be informed without undue delay and within one month that we need more information from them to confirm their identity and the church does not need to comply with the request until it has received the additional information.
In the unlikely event that the church has disclosed personal data to third parties, it will make every effort to contact each recipient and inform them of the correction or completion of the personal data – unless this proves impossible or involves disproportionate effort. If asked to, KCU will inform the individual about these recipients.
Erasure of data
Should any individual request that KCU removes all data concerning them that is held by the church, the DPO will undertake the removal of all such data from records and databases except those which are required by our auditors, to ensure safeguarding records are complete or any other area where we have a duty for legal compliance.
All staff are required to comply with the DPO’s request to ensure that their computers and mobile devices are included in this erasure. KCU members, over whom the church has no such control, may be asked to do the same, but the church cannot enforce this request.
Erasure will include removal of the following data:
• Contact information in printed and digital forms from that point forward
• Any emails sent by or to the individual that do not pertain to relevant auditing or safeguarding issues
• Any files or documents that relate to the individual that do not pertain to relevant auditing or safeguarding issues
Consent
You can grant consent to all the purposes; one of the purposes or none of the purposes contained in this privacy statement.
Where you do not grant consent we will not be able to use your personal data except in certain limited situations, such as where required to do so by law or to protect members of the public from serious harm. This will mean you will not be sent email updates or other communications from the church, but we will have to retain some data, e.g. relating to giving or safeguarding matters, to satisfy our record-keeping obligations under legislation.
If you do grant consent, please note you can withdraw your consent to all or any one of the above purposes at any time by contacting the Church Administrator at office@kingschurchuckfield.org.uk. Processing of your personal data that relies on your consent will cease once you have withdrawn it, but this will not affect the lawfulness of any processing carried out before that point.
Further processing
If we wish to use your personal data for a new purpose, not covered by this Data Privacy Statement, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.
Contact Details
To exercise all relevant rights, queries or complaints, please in the first instance contact the Church Administrator (who acts as the DPO) at office@kingschurchuckfield.org.uk.
You can contact the ICO on 0303 123 1113, via email at https://ico.org.uk/global/contact-us/email/, or by post at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.