Overview

Living Rock Trust (LRC) is committed to protecting personal data and respecting the rights of our data subjects: the people whose personal data we collect and use.  We are fully committed to compliance with the requirements of the General Data Protection Regulation (GDPR) and all other data protection legislation currently in force.

This policy has been approved by the Trustees of LRC who are responsible for ensuring that we comply with all our legal obligations.  It sets out the legal rules that apply whenever we obtain, store or use personal data.

General Data Protection Regulation (GDPR)

The Regulation applies to anyone processing personal data and sets out principles which should be followed and gives rights to those whose data is being processed.

LRC fully endorses and adheres to the Data Protection principles listed below.  This policy sets out the basis on which any personal information we collect from you, or that you provide to us, will be processed.  When processing data we will ensure that it is:

  • Processed lawfully, fairly and in a transparent manner;
  • Processed for specified, explicit and legitimate purposes and not in a manner that is incompatible with those purposes;
  • Adequate, relevant and limited to what is necessary in relation to the purpose for which it is being processed;
  • Accurate, and where necessary, kept up to date;
  • Not kept longer than necessary for the purposes for which it is being processed;
  • Processed in keeping with the rights of data subjects regarding their personal data;
  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage by using the appropriate technical and organisational measures;

What information do we collect?

  • Contact details: name, address, telephone numbers and email address;
  • Personal information: date of birth, marital status, dependants, photograph, information relating to criminal proceedings or offences for safeguarding purposes, current areas of service (used to produce rotas), bank details, credit or debit card information, pastoral information;
  • Special Category information: health information (dietary or other health details to ensure we can provide the best care and support, including if you ask for prayer) and religious beliefs;
  • Employee or Applicant information: full employment and education history, evidence of qualifications, references, job description and terms of employment, salary and pension information, medical or health information, training records, appraisal information, sickness absence and annual leave, bank account details, payroll records and tax codes, national insurance information, information and relevant communications regarding disciplinary and grievance issues, and next of kin;

When do we collect information from you?

  • When you fill in a contact form or sign up form (either through the website, ChurchSuite or on paper/card);
  • When you use the website (form submissions and cookies);
  • When you contact us by email, text, phone call, letter or visiting us in person;
  • When you sign in to an event or meeting;
  • When you apply for a job or become an employee of LRC;
  • We may also receive information about you from Ministries Without Borders (MWB) or MWB related churches;

The purposes for keeping and processing your personal data

  • To maintain accurate and up to date records of employees, church members, volunteers and regular attenders;
  • To establish and maintain your involvement with LRC and to communicate with you and your family members by email, phone and other means;
  • To keep you informed of events and relevant information from LRC and other affiliated organisations (MWB);
  • To register users into events, training or other special meetings;
  • To register children attending a Sunday morning in line with our health and safety obligations and provide support to those who have any additional needs (allergy, SEN etc);
  • Safeguard children, young people and adults at risk;
  • Maintain our accounts and records, including recording donations and gift aid claim;
  • Recruit, support and manage staff and volunteers;
  • To fulfil our function as a Christian church and to support those with the same purpose as our own; to extend the knowledge of the message of Jesus throughout the world;
  • To respond effectively to enquiries and those wanting to hire the building;
  • Provide services to the community (including Mumstop and Foodbank);

We will not share your information with others without your consent, unless it is:

  • To comply with any legal obligation;
  • To enforce or apply any contract with you or others;
  • To protect our rights, property or safety of our employees or others;

Children’s Data

All personal information regarding children is held by LRC with the direct consent of parents or guardians.  Their personal data enables us to tailor our children’s ministry content to different age groups with differing numbers of children, and to maintain a high standard of safety, including a registration system for all groups and the correct adult-to-child ratios in line with our Safeguarding Policy.  Any sensitive information, such as allergy or SEN information, is held in order to help us keep children safe and secure.  Only those who require access to this data have authorisation.

Where do we store your personal data?

  • We are committed to holding your personal information securely.  Only LRC staff, Elders and authorised volunteers that need to see the data can access it;
  • We may store your information on computers (on hard drives, or use cloud-based storage), in paper form, or both;
  • All computers that store any personal data are password protected;
  • Any paper files that hold personal information (other than names and contact details) are kept on secure premises in locked cupboards and filing cabinets or shredded if no longer needed;
  • Information you provide to us is stored on our secure servers.  Where we have given you (or where you have chosen) a password that enables you to access certain parts of our site or app (ChurchSuite), you are responsible for keeping this password confidential.  We ask you not to share a password with anyone;

What is our legal basis for processing your data?

Our legal basis for processing personal data is different depending upon the purpose it was collected for.  Processing of personal data will only be fair and lawful when the purpose for the processing meets a legal basis and is transparent.

We will inform people, by way of a privacy notice, of the following:

  • The legal basis for processing your data, including where relevant, the consequences of not providing data needed for a contract or statutory requirement;
  • The purpose of processing your data;
  • Who we will share the data with, including if we plan to send the data outside of the European Union;
  • How long the data will be stored;
  • Your rights as a data subject;

This information will be given at the time the personal data is collected or via email soon after.

If we plan to pass the data onto someone else outside of LRC, we will give the data subject this information before we pass on the data.

Processing of personal data is only lawful if at least one of these legal conditions, as listed in Article 6 of the GDPR, is met:

  • The processing is necessary for a contract with the data subject;
  • The processing is necessary for us to comply with a legal obligation;
  • The processing is necessary to protect someone’s life (this is called “vital interests”);
  • The processing is necessary for us to perform a task in the public interest, and the task has a clear basis in law;
  • The processing is necessary for legitimate interests pursued by LRC or another organisation, unless these are overridden by the interests, rights and freedoms of the data subject;
  • If none of the other legal conditions apply, the processing will only be lawful if the data subject has given their clear consent;

How can we legally use ‘Special Categories’ of data?

Processing of ‘special categories’ of personal data is only lawful when, in addition to the conditions above, one of the extra conditions, as listed in Article 9 of the GDPR, is met.  These conditions include where:

  • The processing is necessary for carrying out our obligations under employment and social security and social protection law;
  • The processing is necessary for safeguarding the vital interests (in emergency, life or death situations) of an individual and the data subject is incapable of giving consent;
  • The processing is carried out in the course of our legitimate activities and only relates to our members or persons we are in regular contact with in connection with our purposes;
  • The processing is necessary for pursuing legal claims;
  • If none of the other legal conditions apply, the processing will only be lawful if the data subject has given their explicit consent;

When we need consent to process data

Where none of the legal conditions apply to the processing, we are required to get consent from the data subject.  We will clearly set out what we are asking consent for, including why we are collecting the data and how we plan to use it.  Consent will be specific to each process we are requesting consent for and we will only ask for consent when the data subject has a real choice whether or not to provide us with their data.

Consent can however be withdrawn at any time and if withdrawn, the processing will stop.  Data subjects will be informed of their right to withdraw consent and it will be as easy to withdraw consent as it is to give consent.

Data will be adequate, relevant and not excessive

We will only collect and use personal data that is needed for the specific purposes described above (which will normally be explained to the data subjects in our privacy notice).  We will not collect more than is needed to achieve those purposes. We will not collect any personal data “just in case” we want to process it later.

We will make sure that personal data held is accurate and, where appropriate, kept up to date.  The accuracy of personal data will be checked at the point of collection and at appropriate points later on.

Keeping data and destroying it

We will not keep personal data longer than is necessary for the purposes that it was collected for.  We will comply with official guidance issued to our sector about retention periods for specific records.

Security of personal data

We will use appropriate measures to keep personal data secure at all points of the processing.  Keeping data secure includes protecting it from unauthorised or unlawful processing, or from accidental loss, destruction or damage.

We will implement security measures which provide a level of security which is appropriate to the risks involved in the processing.

Measures will include technical and organisational security measures.  In assessing what measures are the most appropriate we will take into account the following, and anything else that is relevant:

  • The quality of the security measure;
  • The costs of implementation;
  • The nature, scope, context and purpose of processing;
  • The risk (of varying likelihood and severity) to the rights and freedoms of data subjects;
  • The risk which could result from a data breach;

Measures may include:

  • Technical systems security;
  • Measures to restrict or minimise access to data;
  • Measures to ensure our systems and data remain available, or can be easily restored in the case of an incident;
  • Physical security of information and of our premises;
  • Organisational measures, including policies, procedures, training and audits;
  • Regular testing and evaluating of the effectiveness of security measures;

Other Websites

Our site may, from time to time, contain links to and from other websites, advertisers and affiliates.  If you follow a link to any of these websites, please note that these websites have their own data and privacy policies and that we do not accept any responsibility or liability for these policies.  Please check these policies before you submit any personal data to these websites.

Cookies

Our websites use cookies for the following reasons:

  • To allow you to carry information across pages of our websites and avoid having to re-enter information when you return to one of our sites;
  • To measure our website traffic and analyse how our websites work.  This will allow us to make changes to our websites in the future and make them easier to use;

You can accept or decline cookies by modifying the settings in your browser.  Please note that if you disable all cookies then you may not be able to access some parts of our websites.  For further details please see our Cookies Policy.

Data subjects’ rights

We will process personal data in line with data subjects’ rights, including their right to:

  • Request access to any of their personal data held by us (known as a Subject Access Request);
  • Ask to have inaccurate personal data changed;
  • Restrict processing, in certain circumstances;
  • Object to processing, in certain circumstances, including preventing the use of their data for direct marketing;
  • Data portability, which means to receive their data, or some of their data, in a format that can be easily used by another person (including the data subject themselves) or organisation;
  • Not be subject to automated decisions, in certain circumstances; and
  • Withdraw consent when we are relying on consent to process their data;

If LRC receives any request from a data subject that relates or could relate to their data protection rights, this will be forwarded to our Chair of Trustees immediately.

We will act on all valid requests as soon as possible, and at the latest within one calendar month, unless we have reason to, and can lawfully, extend the timescale.  This can be extended by up to two months in some circumstances.

All data subjects’ rights are provided free of charge; however, if the request is excessive or repetitive then we may charge an administrative fee for providing this information.  Any information provided to data subjects will be concise and transparent, using clear and plain language.

Direct marketing

We will comply with the rules set out in the GDPR, the Privacy and Electronic Communications Regulations (PECR) and any laws which may amend or replace the regulations around direct marketing.  This includes, but is not limited to, when we make contact with data subjects by post, email, text message, social media messaging and telephone calls.

Direct marketing means the communication (by any means) of any advertising or marketing material which is directed, or addressed, to individuals.  “Marketing” does not need to be selling anything or be advertising a commercial product.  It includes contact made by organisations to individuals for the purposes of promoting the organisation’s aims.

Any direct marketing material that we send will identify LRC as the sender and will describe how people can object to receiving similar communications in the future.  If a data subject exercises their right to object to direct marketing we will stop the direct marketing as soon as possible.

Sharing information with other organisations

We will only share personal data with other organisations or people when we have a legal basis to do so and if we have informed the data subject about the possibility of the data being shared (in a privacy notice), unless legal exemptions apply to informing data subjects about the sharing.  Only authorised and properly instructed staff, elders or trustees are allowed to share personal data.

We will keep records of information shared with a third party, which will include recording any exemptions which have been applied, and why they have been applied.  We will follow the ICO’s statutory Data Sharing Code of Practice (or any replacement code of practice) when sharing personal data with other data controllers. Legal advice will be sought as required.

Data processors

Before appointing a contractor who will process personal data on our behalf (a data processor) we will carry out due diligence checks.  The checks are to make sure the processor will use appropriate technical and organisational measures to ensure the processing will comply with data protection law, including keeping the data secure, and upholding the rights of data subjects.  We will only appoint data processors who can provide us with sufficient guarantees that they will do this.

We will only appoint data processors on the basis that they will comply with all relevant legal requirements.  We will continue to monitor the data processing, and compliance throughout the duration of our agreement.

Transferring personal data outside the European Union (EU)

Personal data cannot be transferred (or stored) outside of the European Union unless this is permitted by the GDPR.  This includes storage on a “cloud” based service where the servers are located outside the EU.

We will only transfer data outside the EU where it is permitted by one of the conditions for non-EU transfers in the GDPR.

Managing change & risks

Data protection impact assessments

When we are planning to carry out any data processing which is likely to result in a high risk we will carry out a Data Protection Impact Assessment (DPIA).  Such processing includes processing data relating to vulnerable people, trawling data from public profiles, using new technology, and transferring data outside the EU.  Any decision not to conduct a DPIA will be recorded.

We may also conduct a DPIA in other cases when we consider it appropriate to do so.  If we are unable to mitigate the identified risks such that a high risk remains we will consult with the ICO.

DPIAs will be conducted in accordance with the ICO’s Code of Practice ‘Conducting privacy impact assessments’.

Dealing with data protection breaches

Where staff, volunteers or contractors working for us think that this policy has not been followed, or that data might have been breached or lost, this will be reported immediately to the Chair of Trustees.

We will keep records of personal data breaches, even if we do not report them to the ICO.

We will report to the ICO all data breaches which are likely to result in a risk to any person.  Reports will be made to the ICO within 72 hours from when someone in the church becomes aware of the breach.

In situations where a personal data breach causes a high risk to any person, we will (as well as reporting the breach to the ICO), inform data subjects whose information is affected, without undue delay.

This can include situations where, for example, bank account details are lost or an email containing sensitive information is sent to the wrong recipient.  Informing data subjects can enable them to take steps to protect themselves and/or to exercise their rights.

Changes to our Data Protection Policy

LRC reserves the right to amend this Policy from time to time to reflect change and ensure compliance with the law.

Contact

If you would like to discuss anything in this Policy or have any questions then please contact the Chair of Trustees on [email protected].

Definitions and Useful Terms

The following terms are used throughout this policy and have their legal meaning as set out within the GDPR.  The GDPR definitions are further explained below:

Data Controller means any person, company, authority or other body who (or which) determines the means for processing personal data and the purposes for which it is processed.  It does not matter if the decisions are made alone or jointly with others. The data controller is responsible for the personal data which is processed and the way in which it is processed.  We are the data controller of data which we process.

Data Processors include any individuals or organisations, which process personal data on our behalf and on our instructions e.g. an external organisation which provides secure waste disposal for us.  This definition will include the data processors’ own staff (note that staff of data processors may also be data subjects).

Data Subjects include all living individuals who we hold or otherwise process personal data about.  A data subject does not need to be a UK national or resident. All data subjects have legal rights in relation to their personal information.  Data subjects that we are likely to hold personal data about include:

  • The people we care for and support;
  • Our employees (and former employees);
  • Consultants/individuals who are our contractors or employees working for them;
  • Volunteers;
  • Tenants;
  • Trustees;
  • Complainants;
  • Supporters;
  • Enquirers;
  • Friends and family;
  • Advisers and representatives of other organisations;

ICO means the Information Commissioner’s Office, which is the UK’s regulatory body responsible for ensuring that we comply with our legal data protection duties.  The ICO produces guidance on how to implement data protection law and can take regulatory action where a breach occurs.

Personal data means any information relating to a natural person (living person) who is either identified or is identifiable.  A natural person must be an individual and cannot be a company or a public body. Representatives of companies or public bodies would, however, be natural persons.

Personal data is limited to information about living individuals and does not cover deceased people.  Personal data can be factual (for example, a name, address or date of birth) or it can be an opinion about that person, their actions and behaviour.

Privacy notice means the information given to data subjects which explains how we process their data and for what purposes.

Processing is very widely defined and includes any activity that involves the data.  It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it.  Processing can also include transferring personal data to third parties, listening to a recorded message (e.g. on voicemail) or viewing personal data on a screen or in a paper document which forms part of a structured filing system.  Viewing clear moving or still images of living individuals is also a processing activity.

Special categories of data (as identified in the GDPR) include information about a person’s:

  • Racial or ethnic origin;
  • Political opinions;
  • Religious or similar (e.g. philosophical) beliefs;
  • Trade union membership;
  • Health (including physical and mental health, and the provision of health care services);
  • Genetic data;
  • Biometric data;
  • Sexual life and sexual orientation.

Revision History

24/05/18  Policy Introduced. Approved by Christopher Alton as Chair of Trustees.

If you have any questions about our Cookies Policy, Data Protection Policy or Privacy Notice, please feel free to get in touch with the church office at [email protected].