Privacy/Data Protection

Introduction

The purpose of this policy is to enable Immanuel Church to:

o   comply with the law in respect of the data it holds about individuals

o   follow good practice

o   protect Immanuel Church staff, volunteers and activity attenders

o   protect the organisation from the consequences of a breach of its responsibilities.

 

Brief introduction to the Data Protection Act 2018

The Data Protection Act gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly.

The Act works in two ways. Firstly, it states that anyone who processes personal information must comply with eight principles, which make sure that personal information is:

1.       Fairly and lawfully processed

2.       Processed for limited purposes

3.       Adequate, relevant and not excessive

4.       Accurate and up to date

5.       Not kept for longer than is necessary

6.       Processed in line with the rights of Data Subjects

7.       Secure

8.       Not transferred to other countries without adequate protection

 

The second area covered by the Act provides individuals with important rights, including the right to find out what personal information is held on computer and most paper records.

Policy statement

Immanuel Church will:

o   comply with both the law and good practice

o   respect individuals’ rights

o   be open and honest with individuals whose data is held

o   provide training and support for staff and volunteers who handle personal data, so that they can act confidently and consistently

Immanuel Church recognises that its first priority under the Data Protection Act is to avoid causing harm to individuals.  Information about staff, volunteers and clients will be used fairly, securely and not disclosed to any person unlawfully.

Secondly, the Act aims to ensure that the legitimate concerns of individuals about the ways in which their data may be used are taken into account.  In addition to being open and transparent, Immanuel Church will seek to give individuals as much choice as is possible and reasonable over what data is held and how it is used.

All processing of personal data will be undertaken in accordance with the data protection principles.

Definitions

The Data Subject is the individual whose personal data is being processed. Examples include:

o   employees – current and past

o   volunteers

o   job applicants

o   users

o   suppliers

Processing means the use made of personal data including:

o   obtaining and retrieving

o   holding and storing

o   making available within or outside the organisation

o   printing, sorting, matching, comparing, destroying

 

The Data Controller is the legal ‘person’, or organisation, that decides why and how personal data is to be processed. The data controller is responsible for complying with the Data Protection Act.

The Data Processor is another organisation that the data controller may engage to process data on its behalf. Data processors are not subject to the Data Protection Act. Responsibility for what is processed and how remains with the data controller. There should be a written contract with the data processor, who must have appropriate security.

The Data Protection Officer is the name given to the person in organisations who is the central point of contact for all data compliance issues.

 

Responsibilities

The Elders recognise their overall responsibility for ensuring that Immanuel Church complies with its legal obligations.

The Data Protection Officer is currently the Church Secretary, who has the following responsibilities:

o   Briefing the Elders on Data Protection responsibilities

o   Reviewing Data Protection and related policies

o   Advising other staff and volunteers on Data Protection issues

o   Ensuring that Data Protection induction and training takes place

o   Handling subject access requests

o   Approving unusual or controversial disclosures of personal data

o   Ensuring contracts with Data Processors have appropriate data protection clauses

o   Electronic security

o   Approving data protection-related statements on publicity materials and letters

 

Each member of staff and volunteer at Immanuel Church who handles personal data will comply with the organisation’s operational procedures for handling personal data (including induction and training) to ensure that good Data Protection practice is established and followed.

All staff and volunteers are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work.

Significant breaches of this policy will be handled under Immanuel Church disciplinary procedures (please see the Immanuel Church Staff and Volunteer Handbook).

Confidentiality

It is the intention of Immanuel Church to respect the privacy of our staff, volunteers and users. We aim to ensure that all staff, volunteers and users can share their information in the confidence that it will only be used to enhance their welfare. Record-keeping systems are in place that meet legal requirements, and information is stored and shared within the framework of the Data Protection Act.

Security

This section of the policy only addresses security issues relating to personal data.  It does not cover security of the building, business continuity or any other aspect of security.

 

Any recorded information on staff, volunteers and users will be:

  • Kept in locked cabinets

  • Protected by the use of passwords if kept on computer

  • Destroyed confidentially if it is no longer needed

 

Access to information on the main database is controlled by a password and only those needing access are given the password. Staff and volunteers should be careful about information that is displayed on their computer screen and make efforts to ensure that no unauthorised person can view the data when it is on display.

Notes regarding personal data of users should be shredded or destroyed.

 

Data Recording and Storage

Different departments within Immanuel Church have databases holding basic information about all users and volunteers. The back-ups of this data are password protected.

Immanuel Church will regularly review its procedures for ensuring that its records remain accurate and consistent and, in particular:

  • The database system is reviewed and re-designed, where necessary, to encourage and facilitate the entry of accurate data.

  • Data on any individual will be held in as few places as necessary, and all staff and volunteers will be discouraged from establishing unnecessary additional data sets.

  • Effective procedures are in place so that all relevant systems are updated when information about any individual changes.

  • Staff and volunteers who keep more detailed information about individuals will be given additional guidance on accuracy in record keeping.

  • Data will be corrected if shown to be inaccurate.

  • Data will be retained for as long as 25 years as suggested by the United Reformed Church Good Practice.

Immanuel Church stores archived paper records of staff, volunteers and users securely in the office.

Access to Data

All staff, volunteers and users have the right to request access to all information stored about them. Any subject access requests will be handled by the Data Protection Officer within the required time limit.

Subject access requests must be in writing.  All staff and volunteers are required to pass on anything which might be a subject access request to the Data Protection Officer without delay.

All those making a subject access request will be asked to identify any other individuals who may also hold information about them, so that this data can be retrieved.

Where the individual making a subject access request is not personally known to the Data Protection Officer, their identity will be verified before any information is handed over.

The required information will be provided in permanent form unless the applicant makes a specific request to be given supervised access in person.

Immanuel Church will provide details of information to staff, volunteers and users who request it unless the information may cause harm to another person.

Staff have the right to access their file to ensure that information is being used fairly. If information held is inaccurate, the individual must notify their supervisor so that this can be recorded on file.

 

Transparency

Immanuel Church is committed to ensuring that in principle Data Subjects are aware that their data is being processed and:

  • for what purpose it is being processed

  • what types of disclosure are likely

  • how to exercise their rights in relation to the data

Data Subjects will generally be informed in the following ways:

  • Staff: in the staff terms and conditions

  • Volunteers: in the volunteer welcome/support pack

  • Users: when they request services (on paper, online or by phone)

Whenever data is collected, the number of mandatory fields will be kept to a minimum and Data Subjects will be informed which fields are mandatory and why.

 

Consent

Consent will not normally be sought for most processing of information about staff, although staff details will only be disclosed for purposes unrelated to their work for Immanuel Church (e.g. financial references) with their consent.

Information about volunteers will be made public according to their role, and consent will be sought for (a) the means of contact they prefer to be made public, and (b) any publication of information which is not essential for their role.

Information about users will only be made public with their consent.  (This includes photographs.)

‘Sensitive’ data about users (including health information) will be held only with the knowledge and consent of the individual.

Consent should be given in writing, although for some services it is not always practicable to do so. In these cases verbal consent to the storing and processing of data will always be sought. In all cases it will be documented on the database that consent has been given.

All Data Subjects will be given the opportunity to opt out of their data being used in particular ways, such as the right to opt out of direct marketing (see below).

Immanuel Church acknowledges that, once given, consent can be withdrawn, but not retrospectively.  There may be occasions where Immanuel Church has no choice but to retain data for a certain length of time, even though consent for using it has been withdrawn.

Direct Marketing

Immanuel Church will treat the following unsolicited direct communication with individuals as marketing:

  • seeking donations and other financial support

  • promoting any Immanuel Church services

  • promoting Immanuel Church events

  • promoting membership

  • promoting sponsored events and other fundraising exercises

 

Whenever data is first collected which might be used for any marketing purpose, this purpose will be made clear, and the Data Subject will be given a clear opt out.  If it is not possible to give a range of options, any opt-out which is exercised will apply to all Immanuel Church marketing. Immanuel Church does not have a policy of sharing lists, obtaining external lists or carrying out joint or reciprocal mailings.

Whenever e-mail addresses are collected, any future use for marketing will be identified, and the provision of the address made optional.

 

Staff Training and Acceptance of Responsibilities

All staff and volunteers who have access to any kind of personal data will be given copies of all relevant policies and procedures during their induction process, including the Data Protection policy. All staff will be expected to adhere to all these policies and procedures.

Data Protection will be included in the induction training for all volunteers.

Immanuel Church will provide opportunities for staff to explore Data Protection issues through training, team meetings, and supervisions.