Northgate Church Trust Data Protection Policy
(Updated May 2018)
1.0 Introduction to the Policy
Northgate Church Trust (hereafter referred to as "We", "Us" or the "Data Controller") uses personal data about living individuals for the purposes of general church administration and communication.
We recognise the importance of the correct and lawful treatment of personal data. All personal data, whether it is held on paper, on computer or on other media, will be subject to the appropriate legal safeguards and good practice as specified in the General Data Protection Regulation (GDPR), which applies from 25 May 2018.
We fully endorse and adhere to the data protection principles set out in section 3.0. These principles specify the legal conditions that must be satisfied in relation to obtaining, handling, processing, transporting and storing personal data. Employees and any others who obtain, handle, process, transport or store personal data for us must adhere to these principles.
2.0 At A Glance
What information is being collected?
We collect information such as your name, contact details and age.
Who is collecting it?
Northgate Church Trust.
How is it collected?
The information is collected by the completion of forms or electronic submission of data by the person the data relates to.
Why is it being collected and how will it be used?
For general church administration, for communication with you (if you agree) and for statistical analysis.
Who will it be shared with?
Our relevant leaders, staff and volunteer members, and the third parties listed in section 5.0 (HMRC, for Gift Aid and employment purposes, and MailChimp, if you agree to receive email updates), but never with anyone else. You can also choose to share your information with other members of the church, but this is up to you.
How will it affect you?
If you agree, you will receive regular email updates and ad hoc correspondence from us.
3.0 The GDPR Principles
The principles, listed here in the form carried over from the Data Protection Act 1998 and carried forward by the GDPR, require that personal data shall:
- Be processed fairly and lawfully and shall not be processed unless certain conditions are met.
- Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose.
- Be adequate, relevant and not excessive for those purposes.
- Be accurate and where necessary, kept up to date.
- Not be kept for longer than is necessary for that purpose.
- Be processed in accordance with the data subject’s rights.
- Be kept secure from unauthorised or unlawful processing and protected against accidental loss, destruction or damage by using the appropriate technical and organisational measures.
- Not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
The GDPR adds an accountability principle to these: as Data Controller we must be able to demonstrate our compliance with the principles above, and this policy and its appendices are part of how we do so. For how these principles are applied to the Database, see section 6.1 below.
4.0 Your Rights
The rights of the data subject are:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object; and
- the right not to be subject to automated decision-making including profiling.
5.0 Maintaining Confidentiality
We will treat all your personal information as private and confidential and will not disclose any data about you to anyone other than the relevant leaders, staff and volunteer members to facilitate the administration and day-to-day ministry of the church, unless you request otherwise.
All Northgate Church Trust leaders, staff and volunteers who have access to Personal Data will be required to agree to and sign the Data Protection Policy.
We will never sell your data, or share it with any external third party other than those listed below, and we promise to keep your data safe and secure.
Third parties who we may share your data with are:
- HMRC – if you have completed a Gift Aid Declaration Form, or are an employee
- MailChimp – if you agree to us contacting you via email, we may use MailChimp to send these emails, so your email address will be held there. MailChimp acts as a data processor on our behalf (see Appendix 4). Access to our MailChimp account is restricted to named password holders, in the same way that the Database can only be accessed by approved people.
There are four exceptions to the above, permitted by law:
- Where we are legally compelled to do so.
- Where there is a duty to the public to disclose.
- Where disclosure is required to protect your interests.
- Where disclosure is made at your request or with your consent.
5.1 Use of Personal Information
We will use your data for three main purposes:
- The day-to-day administration of the church, e.g. pastoral care and oversight including calls and visits, preparation of ministry rotas, and maintaining financial records of giving for audit and tax purposes.
- Contacting you to keep you informed of church activities and events.
- Statistical analysis; gaining a better understanding of church demographics.
N.B. Although aggregated church data, such as the number of small groups or small group attendance figures, may be passed to a third party, no personal data will be disclosed in doing so.
6.0 Storage of Data
6.1 The Database
Information contained on the Database will not be used for any purposes other than those set out in this policy. The Database is hosted in the cloud and can therefore be accessed from any computer or smart device with internet access. The server for the Database is in the UK and is hosted by ChurchSuite.
- Access to the Database is strictly controlled through individual named user accounts, each protected by a password chosen by that user. Accounts and passwords must not be shared.
- Those authorised to use the Database only have access to their specific area of use within it. This is controlled by the Data Controller and other specified administrators, who are the only people able to set these access permissions.
- People who will have secure and authorised access to the Database are Northgate Church Trust leaders, staff and volunteer members. Anyone with access to the Database is required to complete the Data Protection Understanding and Acceptance Form in Appendix 1.
- The Database will NOT be accessed by any authorised user from outside the European Economic Area (EEA), in accordance with the transfer principle in section 3.0, unless prior consent has been obtained from the individual whose data is to be viewed.
- All access and activity on the Database is logged and can be viewed by the Data Controller.
- Subject Access – all individuals who are the subject of personal data held by Northgate Church Trust are entitled to:
- Ask what information the church holds about them and why.
- Ask how to gain access to it.
- Be informed how to keep it up to date.
- Be informed what Northgate Church Trust is doing to comply with its obligations under the GDPR.
- Personal information will not be passed on to any third parties outside of the church environment, other than those listed in section 5.0.
- Subject Consent – The need to process data for normal purposes will be communicated to all data subjects. Where the data falls into a special category under the GDPR, for example information about health, racial or ethnic origin, religious belief or sexual orientation, explicit consent to process the data must be obtained.
6.2 Other Storage
Occasionally, data needs to be stored outside of the Database. This includes the written consent forms under which data is used and processed. On these occasions, it will be stored electronically and/or physically.
6.2.1 Electronic data outside of the Database will be stored in the cloud, specifically in the church office's OneDrive, Dropbox and iCloud accounts (not personal accounts), to which all the principles laid out in 6.1 apply.
6.2.2 Physical data will be stored in a locked office on the church premises. People who will have secure and authorised access to the data include the relevant Northgate Church Trust leaders, staff and volunteer members.
6.2.3 Data must not and will not be downloaded to or stored on an authorised person's personal computer or devices, or at any address other than the local church office.
7.0 Rights to Access Information
Employees and other subjects of personal data held by Northgate Church Trust have the right to access any of their own personal data that is being held, whether electronically or in structured manual filing systems. This right is subject to certain exemptions: personal information may be withheld where disclosing it would also disclose information relating to another individual.
Any person who wishes to exercise this right should make the request in writing to Northgate Church Trust, using the standard letter which is available online from www.ico.gov.uk
If personal details are inaccurate, they can be amended upon request, or by the data subject themselves if held on the Database.
Northgate Church Trust aims to comply with requests for access to personal information as quickly as possible, and will ensure that the information is provided within one calendar month of receipt of a completed request, as the GDPR requires. Where a request is complex, this period may be extended by up to two further months; in such cases the reason for the extension will be explained in writing to the individual making the request within the first month.
8.0 Retention of Data
Data held on the Database will be held as long as the person is an active member of Northgate Church.
After this point, data will be either
- Deleted immediately, if a person confirms they have officially “left”
- Archived on the database, then deleted after 6 months
8.1 Data Retention Times
Different data will be retained for different periods of time, dependent on the content. Please see table in Appendix 2.
9.0 Cookies Policy
10.0 What if something goes wrong? (Data Security Breaches)
A data security breach could be caused by human error or malicious intent. For the purposes of this policy it means any loss of, damage to, or unauthorised access to or disclosure of Northgate Church Trust's data, whether accidental or deliberate.
Examples of data security breaches may include:
- Unauthorised access to confidential data
- Equipment failure
- Human error
- Unforeseen circumstances such as fire or flood
- Hacking attack
- “Blagging” offences where information is obtained by deceit
Northgate Church Trust’s response to a data security breach will be as follows:
- Report – the person who discovers the breach will report it promptly to the Data Controller as represented by the Chair of the Trust. The report should be in writing (usually email) and should include full and accurate details of the incident including who is reporting the incident and the type of data involved, using the Data Breach Incident Report Form in Appendix 3 if possible.
- Assess – an assessment will be made to establish the severity of the breach and to ascertain who will lead in the management of the breach.
- Contain and Recover – action will be taken to establish whether anything can be done to prevent further loss or breach, to recover what was lost and to limit any damage that may be caused.
- Inform – where the breach is likely to result in a risk to individuals' rights and freedoms, the Information Commissioner's Office (ICO) will be notified within 72 hours of the Trust becoming aware of the breach, as the GDPR requires, using the details recorded on the Data Breach Incident Report Form (Appendix 3). Any person whose personal data has been breached will be informed without undue delay where the breach is likely to result in a high risk to them.
- Evaluate and Respond – an evaluation will be taken to establish if any present or future risks apply, and any findings will be acted upon and implemented to prevent future data security breaches.
11.0 Key details
Policy Prepared by: Jo Nutt, Office Manager
Approved by Trustees on: 14/05/18
Next review date: 14/05/19
Appendix 1 – Data Protection Policy Understanding and Acceptance
I function in the following role(s):
(Please tick those that are applicable)
Staff Member ☐
Leadership Team Member ☐
Pastoral Team Member ☐
Ministry Team Leader ☐
Small Group / iConnect Group Leader ☐
I have read and understood the Northgate Church Trust Data Protection Policy and agree to adhere to its contents.
I have received and watched the Northgate Church Trust Data Protection Training Presentation and agree to adhere to its contents.
We take your privacy seriously.
We will only use this information for the purposes laid out in this document and will not share it with any external party. Details are kept in strict accordance with the General Data Protection Regulation (GDPR). To view our Data Protection Policy, please visit www.northgate.org.uk/privacy
For office use only
Received date: | Key Date added to ChurchSuite: | Added by (name):
Appendix 2 – Data Retention Times
Description of data | How long is data kept for?
Personal details held on ChurchSuite. | For as long as the individual is an active member of Northgate Church, then either: deleted immediately, if a person confirms they have officially "left"; or archived on the database, then deleted after 6 months.
Details of those who have completed Gift Aid declarations. | 6 years after the last gift claimed, as per UK Gift Aid guidelines.
Parental consent forms for children/young people. | For as long as the individual is an active member of Northgate Church, and for 3 years following.
Application to volunteer with children/young people/vulnerable adults. | For as long as the applicant is a volunteer with children/young people/vulnerable adults, and for 3 years following.
DBS self-declaration forms. | Until the DBS certificate expires and a new DBS check is completed, or 3 years from the DBS approval date if a new DBS check is not required.
Details of DBS certificate numbers and expiry dates. | Until the DBS certificate expires and a new DBS check is completed, or 3 years from the DBS approval date if a new DBS check is not required.
Safeguarding incident report forms. | Indefinitely (a minimum of 10 years).
Accident report forms. | Indefinitely (a minimum of 10 years).
Staff employment contracts. | 6 calendar years after the contract ends or is terminated by the employee or employer.
Employee new starter forms and details. | For as long as the individual is an employee of Northgate Church Trust, and for 6 years following.
Employee tax codes. | For as long as the individual is an employee of Northgate Church Trust, and for 6 years following.
Employee pension details. | For as long as the individual is an employee of Northgate Church Trust, and for 6 years following.
Staff annual review forms. | For as long as the individual is an employee of Northgate Church Trust, and for 6 years following.
Reference requests and forms. | 4 years from issue of the reference.
Contracts for letting of rooms in the church house. | 6 years after the contract ends.
Contracts for letting of rooms in the church building. | 6 years after the hire event ends.
CCTV recordings. | 2 weeks.
Consultant terms of engagement. | 6 calendar years after the contract ends or is terminated by the consultant or the Trust.
Appendix 3 – Data Breach Incident Report Form
Description of the Data Breach:
Time & Date Data Breach was identified and by whom: | Time: | Date:
Who is reporting the Breach: | Name:
Type of data breached: Public data ☐ / Internal data ☐ / Confidential data (including personal details) ☐
Volume of data breached:
Is the breach: (Tick one for each row)
If ongoing, what actions are being taken to recover the data?
Who has been informed of the Breach?
Any other relevant information:
For office use only
Appendix 4 – Glossary
Data Controller
The body or organisation that holds and processes the data. In this case, Northgate Church Trust.
Data Subject
The person about whom the data is held.
Data Processor
An external organisation that processes data on behalf of the Data Controller.
Data Protection Lead
The named person within the organisation responsible for Data Protection. In this case, the Office Manager.
Personal Data
Personal Data refers to any information relating to an identified or identifiable living person and includes:
- Date of Birth
- Contact Details
- ID numbers
- Online Identifiers e.g. IP address, cookies, etc
- Location Data
- Physical, genetic, mental, economic, social, cultural or religious identifiers
- Health Data