Data Protection Policy and Privacy Policy
CARLUKE: ST ANDREW’S CHURCH OF SCOTLAND
Scottish Charity No. SC013968
- Introduction
The Data Protection Act 1998 (the “Act”) regulates the way in which information about living individuals (referred to as ‘Data Subjects’) is collected, stored or transferred. Compliance with the Act is important, because a failure to adhere to its terms will potentially expose Carluke: St Andrew’s Church of Scotland, Scottish Charity No. SC013968 (the “Congregation”) or indeed, in exceptional circumstances, office bearers as charity trustees and employees to complaints, large fines and/or bad publicity. It will also impact upon the Presbytery, which technically has the role of being the “data controller” for the congregation.
This policy therefore sets out what office bearers and employees must do when any personal data belonging to or provided by “Data Subjects” is collected, stored or transmitted onwards; it also seeks to provide general guidance in what is a very technical area of the law.
The Kirk Session requires all its office bearers and employees to comply with the Act and this policy (both as may be amended from time to time) when handling any Personal Data. A serious or persistent failure to do so may be regarded as misconduct and may be dealt with in accordance with Act 1, 2010 in the case of office bearers and in terms of the disciplinary policy applicable to them in the case of employees. If asked to do so, office bearers and employees must therefore attend training on Data Protection issues.
Any office bearer or employee who considers that this policy has not been followed in any instance should contact the Session Clerk of the Congregation.
- Data Protection General Responsibilities
Notification to the Information Commissioner
It is necessary to notify the Information Commissioner on an annual basis as to the Church bodies that are processing personal data. Although there are some exemptions, where data is being processed for pastoral reasons or where CCTV has been installed, notification is always required. This notification for the Congregation is made under the umbrella registration of the Presbytery of Lanark as the ‘Data Controller’.
The Presbytery’s entry can be viewed at: www.ico.org.uk
The Session Clerk should be advised in writing of any plans to process data of classes or purposes not covered in the registered entry or of any amendments required to it as early as possible. He/she in turn will pass this information to the Presbytery Clerk. A failure to do so, or to knowingly process data other than in accordance with the registered entry, may constitute an offence under the Act.
Data Processing: The 8 Data Protection Principles
The Data Protection Act imposes a requirement to process Personal Data only in accordance with certain Principles. These require that all Personal Data must:
- Be processed fairly and lawfully;
- Be obtained for specific and lawful purposes;
- Be kept accurate and up to date;
- Be adequate, relevant and not excessive in relation to the purpose for which it is used;
- Not be kept for longer than is necessary for the purpose for which it is used;
- Be processed in accordance with the rights of Data Subjects;
- Be kept secure to prevent unauthorised processing and accidental loss, damage or destruction; and
- Not be transferred to any country outside the EEA (unless an exception applies).
Personal Data: Definition
Personal Data is data which relates to a living individual who can be identified from:
- that data; or
- that data and other information which is in the possession of, or is likely to come into the possession of, the Data Controller; and which
- is in electronic form or held manually in a relevant filing system.
This definition also includes any expression of opinion about the individual Data Subject and any indication of the intentions of the Data Controller or any other person in respect of the Data Subject.
Personal Data may either be held electronically or in paper records.
Sensitive Personal Data: Definition
Sensitive Personal Data is Personal Data about an individual’s racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, details of the commission or alleged commission of any offence and any court proceedings relating to the commission of an offence.
Sensitive Personal Data can only be processed under strict conditions, including the express permission of the person concerned, unless a specific exemption applies. As a result, generally, if Sensitive Personal Data is collected, appropriate steps will need to be taken to ensure that explicit consent from the person concerned has been given to hold, use and retain this information.
A significant amount of Personal Data held by a Church of Scotland congregation will be Sensitive Personal Data as it could be indicative of a person’s religious beliefs. Office bearers and employees are therefore urged to be extra vigilant when dealing with any Personal Data.
Transfer of Personal Data outside European Economic Area (“EEA”)
The transfer of Personal Data to any country or location outside of the EEA is a breach of the Act unless:
- the data protection arrangements in the destination country have been approved by the EU Commission; or
- the recipient is a signatory to an EU approved data protection regime; or
- the recipient is bound by a contract that ensures that the data concerned will be adequately protected.
Given the links that the Church of Scotland maintains with other countries around the world, some Personal Data may fall into this category. Therefore, prior to transferring data outside the EEA or giving anyone outside the EEA access to personal data you must contact the Session Clerk who will check the position with the Law Department of the Church of Scotland, if required.
Type of Personal Data
The type of data processed by the Congregation, its office bearers and employees is likely to fall into one of the following categories:
- Personal Data about office bearers, members and parishioners as Data Subjects; or
- Personal Data relating to employees as Data Subjects.
- Personal Data about Members and Trustees
When an individual provides you with their contact details which are intended to be recorded for future use in connection with the work of the congregation, we must hold, process and use that Data Subject’s Personal Data in accordance with this policy and the 8 Data Protection Principles. In order to put the principles into practice the office bearer concerned must also be aware of the type of information which is being collected, held or processed and therefore take into account the definitions of Personal Data and Sensitive Personal Data above.
Data must be obtained for a specific use and be kept accurate and up to date
People must be informed that we hold their Personal Data, why we hold it and what we will use it for. Where possible, when obtaining new contact information or other Personal Data or communicating with a contact for the first time, the relevant office bearer should:
- Refer them to our Privacy Policy;
- If this is not possible, the next communication to the Data Subject concerned should include a paragraph in relation to contact details. Suggested wording is set out at Appendix 1; and
- A check should be made to see if the Congregation’s database already holds that person’s details and, if so, whether these are up to date. As appropriate, the details should then be recorded/updated and the Data Subject advised that their details are recorded for the Congregation’s use. If the use is not going to be for the purposes given in the Privacy Policy, the office bearer should explain what the use is likely to be. If in doubt about the use of the Personal Data this should be discussed with the Session Clerk who may check the position with the Church of Scotland Law Department, if required.
Data must be held for no longer than necessary
Employees must monitor their own individual contacts (e.g. in Outlook and/or other databases) and update or remove details where appropriate. If the responsible office bearer notices that the database is out of date, he/she should ensure that this is updated immediately.
If a Data Subject specifies that they do not wish you to use a particular form of contact with them, or indeed that there is to be no contact with them at all, then the instruction must be complied with at once and all databases updated.
Disclosures
Personal Data must only be disclosed to those organisations and individuals who the Data Subject has consented may receive his or her data, or to organisations that have a legal right to receive the data without consent being given. Care must therefore be taken to ensure that Personal Data such as the names, addresses and telephone numbers of members are not disclosed either over the phone or in writing to non-Church personnel, without such consent being in place. Care should be taken with records such as the Baptismal Register so that only the entry relating to the person concerned is exhibited to him/her and not also those of others who may still be alive.
Information Security
At minimum:
- Electronic data must be protected by standard password procedures with the ‘computer lock’ facility in place when office bearers or employees are away from the desk/workstation where information is held;
- Computer workstations in administrative areas in church premises should be positioned so that they are not visible to casual observers;
- Personal data stored in manual form e.g. in files should be held where it is not readily accessible to those who do not have a legitimate reason to see it and (especially for sensitive personal data) should be in lockable storage, where appropriate;
- All ordered manual files and databases should be kept up to date and should have an archiving policy. Data no longer required must be regularly purged;
- If data is to be transferred through memory sticks, CD-ROMs or similar electronic formats then the secure handling of these devices must be ensured. No such device should be sent through the open post – a secure courier service must always be used. The recipient should be clearly stated. If data is sent via a courier the intended recipient must be made aware when to expect the data. The recipient must confirm safe receipt as soon as the data arrives. The sender is responsible for ensuring that the confirmation is received, and liaising with the courier service if there is any delay in the receipt of the data.
- Laptops and USB drives should have appropriate security and ‘encryption’;
- Personal data must not be transmitted to an office bearer’s home Personal Computer without appropriate assurances from him/her that the foregoing safeguards will be put in place.
Action to be taken if data goes missing
The Presbytery Clerk as Data Protection Compliance Officer must be informed immediately if any confidential or sensitive data goes missing. An immediate investigation will be launched by the Kirk Session. Depending on the circumstances, consideration will also be given to making a report to the Information Commissioner.
Negligent transfer of data
If an office bearer or employee has been negligent in transferring sensitive and confidential personal data, this will be treated as conduct which may result in disciplinary action being taken and, in the case of an employee, could be considered gross misconduct, which could result in summary dismissal. This is particularly likely to be the outcome if:
- The employee did not encrypt (or store in an encrypted format), compress and password protect the data;
- The employee transferred the data in manual form without using secure means to do so; or
- The employee transferred the data without seeking the appropriate approvals.
Subject Access
Upon receipt of a written request from a data subject to see any personal data held which relates to them, contact should be made immediately with the Presbytery Clerk, who will make arrangements for a response to be made within the statutory 40-day deadline.
- Personal Data about Employees
Good employment practice dictates that the Kirk Session, as an employer, will need to keep information for purposes connected with an employee’s employment during employment and for as long a period as is necessary following the termination of that employment.
The data recorded may include:
- information gathered about an employee and any references obtained during recruitment;
- details of terms of employment;
- salary and payroll information, tax, National Insurance information and pension details;
- appraisal information and performance management;
- details of grade and job duties and promotion/career development;
- health records;
- absence records, including holiday records and self-certification forms;
- details of any disciplinary investigations, warnings and proceedings and grievances;
- training and development records;
- contact names and addresses and next of kin information;
- all core and flexible benefits;
- correspondence with the Church as Employer and other information provided to the Employer.
The Kirk Session values the privacy of its staff and is aware of the responsibilities under the Act. The Kirk Session shall therefore process any personal information relating to staff fairly and lawfully and shall endeavour to comply with the Information Commissioner’s code of practice on the use of Personal Data in employer/employee relationships.
The information held will be for the Kirk Session’s management and administrative use only, but from time to time, the Kirk Session may need to disclose some information held about employees to relevant third parties or to another Organisation, solely for purposes connected with an employee’s career or the management of the organisation.
Any personal data which is recorded or used in any way whether it is held on paper, computer or other media will have appropriate safeguards applied to it to ensure that it is in compliance with the Act.
The Kirk Session will make every effort to ensure that the information held is accurate and kept up to date but it is the responsibility of each individual employee to notify HR of any changes. In the absence of evidence to the contrary, it will be assumed that the information is up to date.
- Further information
Office bearers and employees who wish further information about data protection should look at the circular on the Church of Scotland website:
http://www.churchofscotland.org.uk/__data/assets/pdf_file/0003/2838/law_data_protection.pdf
Specific queries should be raised with the Session Clerk who, if appropriate, will take advice from the Law Department.
- Review
The Kirk Session will review this policy on an on-going basis to ensure its continuing relevance and effectiveness in the light of any legislative or other developments. Any substantive changes will only be introduced after appropriate intimation has been given to all concerned.
Appendix 1
The information set out below we believe to be correct. Please do advise us immediately if our understanding is incorrect or if the details change.
Contact name
Address
Telephone number
Mobile Number
Email address
We may take instructions from an Attorney
Carluke: St Andrew’s Church of Scotland is committed to protecting your privacy and safeguarding your personal data. We are registered with the Information Commissioner through the umbrella registration of Lanark Presbytery and strive to comply fully with data protection law. We shall use the information you have provided us with for the provision of mailing you information about our congregation and for providing pastoral care and support in accordance with our Privacy Policy. We will only keep the data for as long as necessary.
Privacy Policy
This Privacy Policy covers the way in which the congregation of Carluke: St Andrew’s Parish Church of Scotland will use and disclose personal information that members, employees, volunteers, donors and other associates may provide us with.
Personal information includes any information that identifies you personally, such as your name, address, email address or telephone number.
The congregation recognises the importance of your privacy and personal information and we have therefore outlined below how the congregation collects, uses, discloses, and protects this information. We are registered with the Information Commissioner through the umbrella registration of Lanark Presbytery and strive to comply fully with data protection law.
How We Collect Information
The congregation receives and stores personal information provided by members, employees, volunteers, donors and other associates. This information can be supplied to us:
- in writing or via email, by telephone conversation or on our website (e.g. when an individual is becoming a member); or
- by otherwise associating with the congregation or its organisations, (e.g. by enquiring about our work, activities, employment and volunteering opportunities); or
- when donating money to the congregation or its organisations.
We may also receive information about you from third parties.
How We Use Information
We may use the information we collect:
- in connection with membership records, for pastoral care purposes or in relation to your participation in our activities;
- in order to fulfil individual employment contracts with our employees (e.g. personnel administration) or for agreements with volunteers;
- in order to communicate with you (e.g. by letter, email or telephone) for example to provide information relating to our work or new developments;
- in order to further our charitable aims, e.g. for fundraising activities;
- for internal administration, such as for accounting purposes, or for analysing how we may better advance the Kingdom of God.
Disclosure of Information
The congregation may need to share personal information held for a number of reasons, including to provide pastoral or other assistance, process donations or carry out any other contractual obligations. This data may be disclosed to:
- the relevant Presbytery;
- other bodies within the Church of Scotland;
- relevant agents and third parties;
- employees and/or volunteers, including the charity trustees/office bearers.
The congregation does not permit these parties to use such information for any other purpose than the foregoing.
The congregation may also need to disclose your information if required to do so by law.
Your Consent
By providing us with your personal data, including sensitive personal data such as on your health, you consent to the collection and use of any information you provide in accordance with the above purposes and this privacy statement.
Storage and Security of Personal Information
The congregation via its office bearers and employees will use all reasonable endeavours to ensure that personal information is held in a secure and confidential environment and when the information is no longer needed it will be destroyed or permanently rendered anonymous.
You may request details of personal information which we hold about you under the Data Protection Act 1998. A small fee may be payable. If you would like a copy of the information held on you, please contact the Session Clerk.
If you believe that any information we are holding on you is incorrect or incomplete, please write or email as soon as possible to the address below. Any information found to be incorrect will be corrected as quickly as possible.
Mrs Elizabeth Bradley, Session Clerk, 3 Birkfield Place, Carluke, ML8 4PZ
Telephone No: 01555 751797
Email: elizabethbradley24@yahoo.co.uk