Primary Responsibility: The PCC of Reading Gateway Church
Status: V1
Review Period: 3 years
Next Review Date: 1st quarter 2028
Date Agreed By PCC: 27/01/25
Data Protection
The purpose of Data Protection is to prevent wrong decisions about people being based on inaccurate data, and to prevent the unauthorised use of personal information. The General Data Protection Regulation (GDPR) 2018 provides a set of standardised Data Protection laws across all EU member countries (including the UK despite Brexit) which protect all citizens from privacy and data breaches. Specifically, GDPR places great emphasis on individual rights, transparency and accountability, making it easier for citizens to understand how their data is being used and how they can raise any complaints about the holding of their personal data.
Reading Gateway Church (RGC) collects personal information about its members, volunteers, employees and those it engages with in the community, and is therefore subject to the conditions of the GDPR 2018 Regulations. A statutory requirement is that every organisation that processes personal information electronically must notify (and pay) the Information Commissioner's Office (ICO), unless it is exempt. We are exempt because we only hold personal data for the following purposes:
- Establishing or maintaining membership
- Administering activities for either the members or for those who have contact with us
- Staff administration (including payroll)
- Advertising, marketing and public relations (in connection with our own activities)
- Accounts and records (except in relation to processing of personal data by or obtained from a credit reference agency).
Consent
It is essential that consent is obtained from all members, clients, volunteers and employees whose data is stored and/or used by RGC. This consent must be given freely, with no hidden obligations on the consenting individual, and it must be as easy to withdraw as it is to give. Consent must be explicit for sensitive data, and RGC must be able to demonstrate where consent has been given to hold an individual's personal and sensitive data.
With regard to general personal information and sensitive personal information (defined in Appendix B) consent is defined by the GDPR 2018 as follows:
“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement… Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them.”
Furthermore, every request by RGC for personal data must make the following clear:
- What data is requested.
- Why the data is needed.
- How the data will be used.
- Clear reasoning as to why we want to use the data for the reasons we’ve indicated.
- That parental/guardian consent is required for children’s data (under the age of 16).
- That individuals have the ability to change their mind and request that their data be deleted.
- A real choice as to whether the individual wants to hand over their data or not.
- A simple but clear way for the individual to actively and freely consent to their data being used.
Processing of Personal Data
RGC complies with its obligations under the GDPR 2018 by keeping personal data up to date; storing and destroying it securely; not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.
Personal data is used for the following purposes:
- Establishing and maintaining records of our members and those who engage with us
- Administering our church and outreach activities
- Managing our employees and volunteers
- Advertising our church services and outreach activities
- Maintaining our own financial accounts and records (including the processing of gift aid applications).
RGC is subject to eight Data Protection Principles and must manage all personal data against these principles:
- Personal data must be processed fairly and lawfully and, in particular, must not be processed unless at least one of the conditions for lawful processing in Appendix A applies. In the case of sensitive personal data, this must not be processed unless one of the conditions in Appendix B applies.
- Personal data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the rights of data subjects under this Act.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data.
- Appropriate technical and organisational measures shall be taken against accidental loss or destruction of, or damage to, personal data.
Disposal of Personal Data
Personal data must be destroyed promptly if:
- The individual to whom it applies requests this, and there are no reasons in law to deny this request
- The purpose for which it was obtained no longer applies.
Rights of Individuals, Volunteers and Employees about whom Personal Data is being kept
GDPR 2018 emphasises the rights of individuals in having their personal information held by an organisation. Unless subject to an exemption under the GDPR 2018 an individual has the following rights with respect to their personal data being held by RGC:
- The right to request a copy of the personal data which RGC holds about them
- The right to request that RGC corrects any personal data if it is found to be inaccurate or out of date
- The right to request their personal data is erased where it is no longer necessary for RGC to retain such data
- The right to withdraw their consent to the processing at any time
- The right to request that RGC provide the data subject with their personal data and where possible, to transmit that data directly to another data controller
- The right to object to the processing of their personal data, where there are no reasons in law to deny this
- The right to lodge a complaint with the Information Commissioner's Office (ICO).
Data Breaches
In the event of a data breach, RGC is required to report it to the ICO within 72 hours of first discovering the breach. This is only the case if the information breached could lead to harm to the individual to whom the information belongs. A failure to comply with these requirements can lead to RGC receiving a fine. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, we must also inform those individuals without undue delay.
RGC must ensure we have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not we need to notify the relevant supervisory authority, the affected individuals, or both. We must also keep a record of any personal data breaches, regardless of whether we are required to notify the ICO.
RGC Data Protection Procedures
- Data is collected at the point of first encounter and also at subsequent encounters (for employees, volunteers, and others interacting with the church or church activities). Data is only collected for the purposes listed under ‘Processing Personal Data’ above.
- Consent to collect and store data is obtained at this point. The signed consent form is kept securely. Where personal data is provided online (e.g. adding contact details to Churchsuite) the entry page will make clear that entering details indicates consent to them being stored and shared with other church members.
- Any confidential declarations are scanned into personal files under the HR folder on SharePoint. This folder can only be accessed by the Operations Manager, Parish Administrator and the Incumbent. The confidential declaration form is used to inform risk assessments and make safeguarding decisions. The information is not passed on to anyone else unless a safeguarding concern is highlighted by any disclosure.
- All employee and volunteer application forms, interview assessments and references are kept securely. Those for unsuccessful candidates are kept for a period of two years before being destroyed, in case of complaints. Those for successful applicants are kept for 10 years after the cessation of their employment/volunteering, together with all records relating to their employment history, and then destroyed.
- All databases containing personal information are password protected.
- All sensitive personal information (e.g. information held by the Parish Nurse, information concerning safeguarding cases) is either locked securely away or held in protected folders on RGC’s SharePoint. Only staff requiring access to the information have authority to access these folders. Such data is held for 10 years after support for the individual ceases, for legal and safeguarding purposes, before being securely destroyed.
- All staff who have access to personal information (other than those accessing it through Churchsuite) have been given a copy of RGC’s GDPR and Safeguarding Policies and Procedures and are fully briefed on the need for confidentiality.
- None of the data is to be transferred from the databases to any location other than the password-protected laptop allocated to the individual working with it (data should not be stored on external memory).
Monitoring and Review
The RGC Operations Manager is responsible for monitoring the operation of this policy. He will report on this monitoring to the PCC as requested by PCC, but at least annually, in the APCM report.
Appendix A – Lawful Processing of Personal Data
Processing shall be lawful only if and to the extent that at least one of the following applies:
- the data subject has given consent to the processing of their personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Appendix B – Processing of Sensitive Personal Data
Sensitive personal data is defined as:
- personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs
- trade-union membership
- genetic data, biometric data processed solely to identify a human being
- health-related data
- data concerning a person’s sex life or sexual orientation.
Processing of sensitive personal data is prohibited, unless one of the following applies:
- the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
- processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
- processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
- processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
- processing relates to personal data which are manifestly made public by the data subject;
- processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
Contact Details
To exercise any relevant rights, or to raise queries or complaints, please in the first instance contact the Church Office:
Reading Gateway Church
Parish Office, St Agnes Church,
Northumberland Avenue
RG2 8DE
Tel: 0118 987 4448
Email: parishoffice@readinggateway.church
You can contact the Information Commissioner's Office on 0303 123 1113, via email at https://ico.org.uk/global/contact-us/email/, or by post at the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.