POLICY ON DATA MANAGEMENT
The Well Sheffield Baptist Church
1.1 This policy applies to members, volunteers and contractors working at The Well. It sets out an understanding of data protection and the requirements for every member, volunteer and contractor in order that there may be full compliance with GDPR (May 2018).
1.2 The Data Protection Act (1998) and the General Data Protection Regulation (May 2018) require the protection of personal and sensitive data, and all organisations which process personal and sensitive data must be registered to do so. The Well is registered with the Information Commissioner's Office (ICO). Registration reference ZA308674.
1.3 The Well is currently registered to process pastoral data and for the use of CCTV on the premises.
The Well is registered to process the following personal data:
- personal details
- family, lifestyle and social circumstances
- education details
- employment details
The Well is currently registered to process the following sensitive personal data:
- physical or mental health details
- religious or other beliefs of a similar nature
- offences including alleged offences.
Although The Well does process other administrative and financial data, we are not required to register for such purposes.
The Well is registered for use of CCTV on the premises but there is a separate policy governing its use and governance which is kept in the office.
1.4 Data is information which is recorded with the intention that it should be processed on computer or is recorded as part of a relevant filing system (i.e. manual system). There are two categories of data:
- Personal data is information relating to a living individual who can be identified from the data; it includes any expression of opinion about the individual
- Sensitive personal data is information relating to racial or ethnic origins of the data subject, political opinions, religious beliefs or other beliefs of a similar nature, trade union membership, physical or mental health, sexual life, the commission or alleged commission of any offence, any proceedings for any offence committed or alleged to have been committed by the data subject.
In order to process these types of data, The Well will obtain explicit consent from the data subject.
2. PURPOSES OF THE GDPR POLICY AT THE WELL
The Well has a data protection policy to ensure that it complies with all aspects of data protection legislation (1984, 1998, 2018) by setting out clear policies, responsibilities and codes of practice.
2.1 The Well intends to comply fully with all aspects of data protection legislation.
2.2 The Well will do its utmost to ensure that all its staff, members, volunteers, consultants and trustees are conversant with data protection legislation and practice.
2.3 The Well will only hold data for prescribed charitable purposes. These are personnel administration, membership administration, accounts and records, advertising, marketing and public relations, and charity objectives.
2.4 The Well will provide procedures for access to personal data for all those for whom personal data is held. No one (staff, personal members or other contacts) will be charged for requesting access to their personal data.
3. USE OF DATA
3.1 The Well will abide by the ICO recommendations, namely that data will be:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than necessary
- Processed according to data subjects' rights
- Processed securely
- Transferred to 3rd parties in this or other countries with adequate protection and explicit written consent from the data subject concerned
3.2 Personal and sensitive personal data are held on the computer and in manual files at The Well.
This data includes the following:
- Name, address, email address and telephone numbers
- Date of birth
- Bank details and Gift Aid details if they are a donor to The Well
- Contact details of family members including any children
- Children's contact details, medical information and permission slips
- Contact forms
- Ministry/ pastoral care forms and notes taken
- Volunteer roles
- Rota information
- Photos and videos from events and services
- Observed tracking if attending events regularly
- Contract information for 3rd parties
3.3 Under the new legislation members will be asked to sign a form consenting to data being held and processed for the following purposes: communication, pastoral needs, prayer needs, team information, rota information, ministry forms and notes, children's information including medical details and any safeguarding information, promotional materials, financial information including bank details for any ministry expenses, giving and gift aid where applicable.
3.4 Personal or sensitive data may be processed without consent only for the following reasons:
- If data is necessary for a contract such as an employment contract
- If data is needed for a legal obligation such as a court order
- If data is to protect vital interests such as a life or death situation
3.5 Data retention:
- All data is kept on the ChurchSuite cloud database which is GDPR compliant
- Personal details will be kept for the duration of the person's attendance at The Well
- Once a person leaves The Well, their details will be archived if they have asked to stay in touch or deleted if they have asked for their details to be removed
- After ministry or pastoral care is finished, notes will be shredded if on paper and documents and emails will be deleted.
- Contacts will be regularly reviewed by staff in order to update information and delete or amend any data entry that is now inaccurate or out of date.
4.0 ACCESS TO DATA BY STAFF, VOLUNTEERS, DATA SUBJECTS OR THIRD PARTIES
4.1 Staff and volunteer access to data and handling of data:
- Access to relevant data for staff is authorised by the data controller for the purpose of executing their daily work
- Access to relevant data for staff by the data controller is given on a need to know basis
- Access to data is given in accordance with the guidance and legal practice laid out in this policy
- Data will not be passed on to third parties without the data subject's explicit written consent
- Data will not be sold to or exchanged with another for financial gain or for any other advantage
- Data will not be given to third parties in or outside of the UK without the data subject's explicit written consent
- Data will be held securely at all times
- Data will be suitably password protected or held in locked drawers or filing cabinets
- Requests to staff for data access from 3rd parties regarding contractual, legal or vital interests will be referred to the data controller in the first instance for his authorisation
- Where a police officer requests access to data or requests a copy of the data, they should supply The Well with a DATA ACCESS REQUEST form. Requests for access to data by the Police will not normally be denied and can be made without the authority of the data controller provided it is accompanied by a written request signed by a Police Officer, who must indicate that the data is required for the purposes of a specific crime enquiry.
- Requests to staff from persons outside The Well (other than the Police) for viewing or obtaining data will be assessed on a case by case basis by the data controller and access will only be granted where it is consistent with the obligations placed on The Well by GDPR (May 2018) or with the data subject's explicit written consent.
- Staff will take the utmost care when transporting data in files, on phones, tablets or laptops
- Staff will be mindful when sharing personal information verbally in public and will ensure nothing is passed on beyond the remit of their work requirements
- Staff will report any data breach to the data controller who will report any breach within 72 hours of it occurring
- Volunteers will comply with GDPR for any data access requirement; staff will oversee any data access given to them in accordance with the guidelines above
4.2 Data subjects' access to their data
- Data subjects now have rights to access their data
- Data subjects have the right to correct mistakes in their data
- Data subjects have the right to restrict their data processing for marketing purposes
- Data subjects have the right to erase their data
- Data subjects have the right to instigate proceedings against the data controller if damage has occurred owing to a breach of data handling by complaining to the ICO
- Data subjects need to submit a data access request form from the office to the data controller in order to request access to any data not available to them. This must be attended to by the data controller or the delegated member of staff and access granted at no cost within a month of the dated request form. If other data subjects are named or their details are included in the item of data requested, the information of the other data subjects must be redacted. The only exception to this is if the data is required for a legal or criminal investigation, in which case the file must be handed over complete.
4.3 Access to data by 3rd parties
- Occasional access to data may be requested by a 3rd party such as a web designer or a mission organisation. This data can only be processed with the data subject's explicit written permission.
- 3rd parties regularly involved with the day to day running of the organisation, such as the media co-ordinator, will be issued with a contract stating their agreement to comply with GDPR in all their handling of business for The Well
- 3rd parties will not be given any data over the phone, by email or verbally without prior written consent from the data subject
- Most of the data is low risk and will therefore be protected by passwords rather than by encryption
5.1 It is recognised that members, staff or visitors of The Well may have concerns or complaints about the operation of the system. Any complaint about the operation of the system, data processing or data retention should be addressed in the first instance to the data controller. If the data controller cannot satisfactorily answer the complaint, then the complainant will have the right to contact the ICO.
5.2 If staff or others do not comply with the guidance in this policy, a warning will be issued by their line manager or team leader. If this is still not heeded, it will become a disciplinary matter for the trustees in the case of a member of staff. In the case of a volunteer who does not agree to the terms, it will become a matter of concern for their team leader and may result in that person being disqualified from that activity until they agree to comply.
6.1 The responsible officer for this policy is the board of trustees. The appointed data protection officer is Nick Allan.
6.2 Implementation of this policy will be after consideration and consultation with affected parties and the trustees.
6.3 This policy and the procedures contained herein will be considered and reviewed annually by the trustees to review operational effectiveness and will be shared during staff training to ensure staff are up to speed with the requirements of GDPR.