DATA PROTECTION POLICY
(The General Data Protection Regulation, 2016)
(GDPR)
Updated 11 2023
The Overflow Church is committed to protecting all personal information that we handle about people we support and work with, and to respecting people’s rights around how their information is handled. This policy explains our responsibilities and how we will meet them.
Contents
Section A – What this Policy is for
1. Policy Statement ....................................................................................... 3
2. Why this policy is important......................................................................... 3
3. How this policy applies to you & what you need to know............................... 4
4. Training and guidance................................................................................ 4
Section B – Our data protection responsibilities........................................................ 4
5. What personal information do we process?.................................................. 4
6. Making sure processing is fair and lawful..................................................... 5
7. When we need consent to process data...................................................... 7
8. Processing for specified purposes............................................................... 7
9. Data will be adequate, relevant and not excessive........................................ 7
10. Accurate data............................................................................................ 7
11. Keeping data and destroying it.................................................................... 8
12. Security of personal data............................................................................ 8
13. Keeping records of our data processing....................................................... 8
Section C – Working with people we process data about (data subjects)................... 9
14. Data subjects’ rights................................................................................... 9
15. Direct marketing......................................................................................... 9
Section D – working with other organisations & transferring data............................. 10
16. Sharing information with other organisations.............................................. 10
17. Data processors....................................................................................... 10
18. Transferring personal data outside the European Union (EU)...................... 10
Section E – Managing change & risks.................................................................... 11
19. Data protection impact assessments......................................................... 11
20. Dealing with data protection breaches....................................................... 11
Schedule 1 – Definitions and useful terms.............................................................. 11
Schedule 2 - Data Retention Periods………………………………………………………13
Schedule 3 - Data processing agreement (form annexed)………………………………13
Schedule 4 – ICO Registration.............................................................................. 13
Section A – What this policy is for
a. Policy statement
1.1 THE Overflow Church is committed to protecting personal data and respecting the rights of our data subjects; the people whose personal data we collect and use. We value the personal information entrusted to us and we respect that trust, by complying with all relevant laws, and adopting good practice.
We process personal data to help us:
· maintain our list of church regular attenders;
· provide pastoral support for regular attenders and others connected with our church;
· provide services to the community including for Children and Family activities;
· safeguard children, young people and adults at risk;
· recruit, support and manage staff and volunteers;
· maintain our accounts and records;
· promote our gatherings, events, activities and facilities;
· maintain the security of property and premises;
· respond effectively to enquirers and handle any complaints.
1.i. This Policy has been approved by the Church’s Charity Trustees who are responsible for ensuring that we comply with all our legal obligations. It sets out the legal rules that apply whenever we obtain, store or use personal data.
2. Why this Policy is important
2.i. We are committed to protecting personal data from being misused, getting into the wrong hands as a result of poor security, or being shared carelessly, or being inaccurate, as we are aware that people can be upset or harmed if any of these things happen.
2.ii. This Policy sets out the measures we are committed to taking as an organisation and, what each of us will do to ensure we comply with the relevant legislation.
2.iii. In particular, we will make sure that all personal data is:
i. processed lawfully, fairly and in a transparent manner;
ii. processed for specified, explicit and legitimate purposes and not in a manner that is incompatible with those purposes;
iii. adequate, relevant and limited to what is necessary for the purposes for which it is being processed;
iv. accurate and, where necessary, up to date
v. not kept longer than necessary for the purposes for which it is being processed;
vi. processed in a secure manner, by using appropriate technical and organisational means;
vii. processed in keeping with the rights of data subjects regarding their personal data.
3. How this Policy applies to you and what you need to know
3.i. As an employee, trustee or volunteer: processing personal information on behalf of the Church, you are required to comply with this Policy and sign a data processing agreement in the form set out in Schedule 3. If you think that you have accidentally breached the Policy it is important that you contact our Data Protection Officer/Trustee immediately so that we can take swift action to try and limit the impact of the breach.
Anyone who breaches the Data Protection Policy may be subject to disciplinary action, and where that individual has breached the Policy intentionally, recklessly, or for personal benefit they may also be liable to prosecution or to regulatory action.
3.ii. As a leader/line manager: you are required to make sure that any procedures that involve personal data that you are responsible for in your area, follow the rules set out in this Data Protection Policy.
3.iii. As a data subject: we will handle your personal information in line with this Policy.
3.iv. As an appointed data processor/contractor: Companies who are appointed by us as a data processor are required to comply with this Policy under the contract with us. Any breach of the Policy will be taken seriously and could lead to us taking contract enforcement action against the company, or terminating the contract. Data processors have direct obligations under the UK GDPR, primarily to only process data on instructions from the controller (us) and to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk involved.
3.v. Our Data Protection Officer/Trustee is responsible for advising The Overflow Church and its staff and members about their legal obligations under data protection law, monitoring compliance with data protection law, dealing with data security breaches and with the development of this Policy. Any questions about this Policy or any concerns that the Policy has not been followed should be referred to them at paul.stevens@overflowchuch.org.uk or 01244 312037
3.vi. Before you collect or handle any personal data as part of your work (paid or otherwise) for The Overflow Church, it is important that you take the time to read this Policy carefully and understand what is required of you, as well as the organisation’s responsibilities when we process data.
3.vii. Our procedures will be in line with the requirements of this Policy, but if you are unsure about whether anything you plan to do, or are currently doing, might breach this Policy you must first speak to the Data Protection Officer/Trustee.
4. Training and guidance
4.i. We will provide general training annually for all staff to raise awareness of their obligations and our responsibilities, as well as to outline the law.
4.ii. We may also issue procedures, guidance or instructions from time to time. Leaders/line managers must set aside time for their team to look together at the implications for their work.
Section B – Our data protection responsibilities
5. What personal information do we process?
5.i. In the course of our work, we may collect and process information (personal data) about many different people (data subjects). This includes data we receive straight from the person it is about, for example, where they complete forms or contact us. We may also receive information about data subjects from other sources including, for example, previous employers.
5.ii. We process personal data in both electronic and paper form and all this data is protected under data protection law. The personal data we process can include information such as names and contact details, education or employment details and visual images of people.
5.iii. In some cases, we hold types of information that are called “special categories” of data in the UK GDPR. This personal data can only be processed under strict conditions.
‘Special categories’ of data (as referred to in the GDPR) includes information about a person’s: racial or ethnic origin; political opinions; religious or similar (e.g. philosophical) beliefs; trade union membership; health (including physical and mental health, and the provision of health care services); genetic data; biometric data; sexual life and sexual orientation.
Special category personal data does not include personal data about criminal allegations, proceedings or convictions, as separate rules apply. Other than in the circumstances described in paragraphs 5.4 to 5.8 below, information relating to criminal convictions and offences should not be processed unless the processing is authorised by law or is carried out under the control of official authority. Special category personal data can only be processed under strict conditions, including the data subject’s explicit consent (although other alternative conditions can apply in limited, very specific circumstances as described below).
We will not hold information relating to criminal proceedings or offences or allegations of offences unless there is an overarching safeguarding requirement to process this data for the protection of children and adults who may be put at risk in our Church. This processing will only ever be carried out on advice from church Trustees and thirtyone:eight. (Thirtyone:eight are an independent Christian charity which helps faith and community groups to protect vulnerable people from abuse.)
5.iv. We may process information relating to criminal proceedings or offences or allegations of offences to safeguard against any risks posed to others under Article 6(1) (f) UK GDPR where the processing is necessary for the purposes of the legitimate interests of OVERFLOW CHURCH but not where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
5.v. We may also process special category or criminal convictions etc data (“criminal offence data”) where it fulfils one of the substantial public interest conditions under Schedule 1, Part 2 of the Data Protection Act 2018, in particular, Conditions 10, 11, 12, 18 and 19.
5.vi. We may also seek to obtain, use and retain criminal offence data in reliance upon Condition 31 relating to criminal convictions under Schedule 1, Part 3 of the Data Protection Act 2018.
5.vii. For the purposes of Schedule 1, Part 4 of the Data Protection Act 2018, more information about OVERFLOW CHURCH processing of special category and criminal convictions data under Conditions 10, 11, 12, 18, 19 and 31 can be found in the “Appropriate Policy Document” in Schedule 3 of this policy.
5.viii. The processing of special category and criminal convictions data described in paragraphs 5.4 to 5.8 will only ever be carried out on the advice of statutory authorities, the advice of thirtyone:eight.
5.ix. Other data may also be considered ‘sensitive’ such as bank details, but will not be subject to the same legal protection as the special categories types of data listed above.
6. Making sure processing is fair and lawful
6.i. Processing of personal data will only be fair and lawful when the purpose for the processing meets a legal basis, as listed below, and when the processing is transparent. This means we will provide people with an explanation of how and why we process their personal data at the point we collect data from them, as well as if we collect data about them from other sources.
How can we legally use personal data?
6.ii. Processing of personal data is only lawful if at least one of these legal conditions, as listed in Article 6 of the UK GDPR, is met:
a) the processing is necessary for a contract with the data subject;
b) the processing is necessary for us to comply with a legal obligation;
c) the processing is necessary to protect someone’s life (this is called “vital interests”);
d) the processing is necessary for us to perform a task in the public interest, and the task has a clear basis in law;
e) the processing is necessary for legitimate interests pursued by The Overflow Church or another organisation, unless these are overridden by the interests, rights and freedoms of the data subject;
f) If none of the other legal conditions apply, the processing will only be lawful if the data subject has given their clear consent.
How can we legally use ‘special categories’ of data?
6.iii. Processing of ‘special categories’ of personal data is only lawful when, in addition to the conditions above, one of the extra conditions, as listed in Article 9 of the UK GDPR, is met. These conditions include where:
? the processing is necessary for carrying out our obligations under employment, social security and social protection law;
? the processing is necessary for safeguarding the vital interests (in emergency, life or death situations) of an individual and the data subject is incapable of giving consent;
? the processing is carried out in the course of our legitimate activities and only relates to our members or persons we are in regular contact with in connection with our purposes;
? the processing is necessary for pursuing legal claims.
? If none of the other legal conditions apply, the processing will only be lawful if the data subject has given their explicit consent.
6.iv. Before deciding which condition should be relied upon, we may refer to the original text of the UK GDPR as well as any relevant guidance, and seek legal advice as required.
What must we tell individuals before we use their data?
6.v. If personal data is collected directly from the individual, we will inform them in writing about our identity/contact details and those of the Data Protection Officer/Trustee, the reasons for processing, and the legal bases including explaining any automated decision making or profiling, explaining our legitimate interests, and explaining, where relevant, the consequences of not providing data needed for a contract or statutory requirement, who we will share the data with, if we plan to send the data outside of the European Union, how long the data will be stored and the data subjects’ rights.
This information is commonly referred to as a ‘Privacy Notice’.
This information will be given at the time when the personal data is collected.
6.vi. If data is collected from another source, rather than directly from the data subject, we will provide the data subject with the information described in section 6.5 as well as the categories of the data concerned and the source of the data.
This information will be provided to the individual in writing and no later than within 1 month after we receive the data unless a legal exemption under the GDPR applies. If we use the data to communicate with the data subject, we will at the latest give them this information at the time of the first communication.
If we plan to pass the data onto someone else outside The Overflow Church, we will give the data subject this information before we pass on the data.
7. When we need consent to process data
7.i. Where none of the other legal conditions apply to the processing, and we are required to get consent from the data subject, we will clearly set out what we are asking consent for, including why we are collecting the data and how we plan to use it. Consent will be specific to each process we are requesting consent for and we will only ask for consent when the data subject has a real choice whether or not to provide us with their data.
7.ii. Consent can however be withdrawn at any time and if withdrawn, the processing will stop. Data subjects will be informed of their right to withdraw consent and it will be as easy to withdraw consent as it is to give consent.
8. Processing for specified purposes
8.i. We will only process personal data for the specific purposes explained in our privacy notices (as described above in section 6.5.5) or for other purposes specifically permitted by law. We will explain those other purposes to data subjects in the way described in section 6, unless there are lawful reasons for not doing so.
9. Data will be adequate, relevant and not excessive
9.i. We will only collect and use personal data that is needed for the specific purposes described above (which will normally be explained to the data subjects in privacy notices). We will not collect more than is needed to achieve those purposes. We will not collect any personal data “just in case” we want to process it later.
10. Accurate data
10.i. We will make sure that personal data held is accurate and, where appropriate, kept up to date. The accuracy of personal data will be checked at the point of collection and at appropriate points later on.
11. Keeping data and destroying it
11.i. We will not keep personal data longer than is necessary for the purposes that it was collected for. We will comply with official guidance issued to our sector about retention periods for specific records.
11.ii. Information about how long we will keep records for can be found in the Data Retention Schedule (Schedule 2) at the end of this document.
12. Security of personal data
12.i. We will use appropriate measures to keep personal data secure at all points of the processing. Keeping data secure includes protecting it from unauthorised or unlawful processing, or from accidental loss, destruction or damage.
12.ii. We will implement security measures which provide a level of security which is appropriate to the risks involved in the processing.
Measures will include technical and organisational security measures. In assessing what measures are the most appropriate we will take into account the following, and anything else that is relevant:
? the quality of the security measure;
? the costs of implementation;
? the nature, scope, context and purpose of processing;
? the risk (of varying likelihood and severity) to the rights and freedoms of data subjects;
? the risk which could result from a data breach.
12.iii. Measures may include:
? technical systems security;
? measures to restrict or minimise access to data;
? measures to ensure our systems and data remain available, or can be easily restored in the case of an incident;
? physical security of information and of our premises;
? organisational measures, including policies, procedures, training and audits;
? regular testing and evaluating of the effectiveness of security measures.
13. Keeping records of our data processing
13.i. To show how we comply with the law we will keep clear records of our processing activities and of the decisions we make concerning personal data (setting out our reasons for those decisions). This is the responsibility of each leader/line manager.
Section C – Working with people we process data about (data subjects)
14. Data subjects’ rights
14.i. We will process personal data in line with data subjects' rights, including their right to:
? request access to any of their personal data held by us (known as a Subject Access Request);
? ask to have inaccurate personal data changed;
? restrict processing, in certain circumstances;
? object to processing, in certain circumstances, including preventing the use of their data for direct marketing;
? data portability, which means to receive their data, or some of their data, in a format that can be easily used by another person (including the data subject themselves) or organisation;
? not be subject to automated decisions, in certain circumstances; and
? withdraw consent when we are relying on consent to process their data.
14.ii. If a colleague (whether staff or volunteer) receives any request from a data subject that relates or could relate to their data protection rights, this will be forwarded to our Data Protection Officer/Trustee immediately.
14.iii. We will act on all valid (written specific) requests as soon as possible and at the latest within one calendar month, unless we have reason to and can lawfully extend the timescale. This can be extended by up to two months in some circumstances.
14.iv. All data subjects’ rights are provided free of charge.
14.v. Any information provided to data subjects will be concise and transparent, using clear and plain language.
15. Direct marketing
15.i. We will comply with the rules set out in the UK GDPR, the Privacy and Electronic Communications Regulations (PECR) and any laws which may amend or replace the regulations around direct marketing. This includes, but is not limited to, when we make contact with data subjects by post, email, text message, social media messaging, telephone (both live and recorded calls) and fax.
Direct marketing means the communication (by any means) of any advertising or marketing material which is directed, or addressed, to individuals. “Marketing” does not need to be selling anything, or be advertising a commercial product. It includes contact made by organisations to individuals for the purposes of promoting the organisation’s aims.
15.ii. Any direct marketing material that we send will identify The Overflow Church as the sender and will describe how people can object to receiving similar communications in the future. If a data subject exercises their right to object to direct marketing we will stop the direct marketing as soon as possible.
Section D – working with other organisations & transferring data
16. Sharing information with other organisations
16.i. We will not share personal data with other organisations or people. If we ever decided that this was appropriate then we would only share it when we have a legal basis to do so and if we have informed the data subject about the possibility of the data being shared (in a privacy notice), unless legal exemptions apply to informing data subjects about the sharing. Only authorised and properly instructed Trustees/staff are allowed to share personal data.
16.ii. We will keep records of any information shared with a third party, which will include recording any exemptions which have been applied, and why they have been applied. We will follow the ICO’s statutory Data Sharing Code of Practice (or any replacement code of practice) when sharing personal data with other data controllers. Legal advice will be sought as required.
17. Data processors
17.i. Before appointing a contractor who will process personal data on our behalf (a data processor) we will carry out due diligence checks. The checks are to make sure the processor will use appropriate technical and organisational measures to ensure the processing will comply with data protection law, including keeping the data secure, and upholding the rights of data subjects. We will only appoint data processors who can provide us with sufficient guarantees that they will do this.
17.ii. We will only appoint data processors on the basis of a written contract that will require the processor to comply with all relevant legal requirements. We will continue to monitor the data processing and compliance with the contract throughout the duration of the contract.
18. Transferring personal data outside the United Kingdom (UK)
18.i. Personal data cannot be transferred (or stored) outside of the United Kingdom unless this is permitted by the UK GDPR. This includes storage on a “cloud” based service where the servers are located outside the UK.
18.ii. We will only transfer data outside the UK where it is permitted by one of the conditions for non-UK transfers in the UK GDPR.
Section E – Managing change & risks
19. Data protection impact assessments
19.i. When we are planning to carry out any data processing which is likely to result in a high risk we will carry out a Data Protection Impact Assessment (DPIA). These include situations when we process data relating to vulnerable people, trawling of data from public profiles, using new technology, and transferring data outside the UK. Any decision not to conduct a DPIA will be recorded.
19.ii. We may also conduct a DPIA in other cases when we consider it appropriate to do so. If we are unable to mitigate the identified risks such that a high risk remains we will consult with the ICO.
19.iii. DPIAs will be conducted in accordance with the ICO’s guidance on Data Protection Impact Assessments.
20. Dealing with data protection breaches
20.i. Where Trustees, staff or volunteers, or contractors working for us think that this Policy has not been followed, or data might have been breached or lost, this will be reported immediately to the Data Protection Officer/Trustee.
20.ii. We will keep records of personal data breaches, even if we do not report them to the ICO.
20.iii. We will report all data breaches which are likely to result in a risk to any person, to the ICO. Reports will be made to the ICO within 72 hours from when someone in the Church becomes aware of the breach.
20.iv. In situations where a personal data breach causes a high risk to any person, we will (as well as reporting the breach to the ICO), inform data subjects whose information is affected, without undue delay.
This can include situations where, for example, bank account details are lost or an email containing sensitive information is sent to the wrong recipient. Informing data subjects can enable them to take steps to protect themselves and/or to exercise their rights.
Schedule 1 – Definitions and useful terms
The following terms are used throughout this policy and have their legal meaning as set out within the UK General Data Protection Regulation (“UK GDPR”). The UK GDPR definitions are further explained below:
Data controller means any person, company, authority or other body who (or which) determines the means for processing personal data and the purposes for which it is processed. It does not matter if the decisions are made alone or jointly with others.
The data controller is responsible for the personal data which is processed and the way in which it is processed. We are the data controller of data which we process.
Data processors include any individuals or organisations, which process personal data on our behalf and on our instructions e.g. an external organisation which provides secure payroll, IT and accountancy services for us. This definition will include the data processors’ own staff (note that staff of data processors may also be data subjects).
Data subjects include all living individuals who we hold or otherwise process personal data about. A data subject does not need to be a UK national or resident. All data subjects have legal rights in relation to their personal information. Data subjects that we are likely to hold personal data about include:
? the people we care for and support;
? our employees (and former employees);
? consultants/individuals who are our contractors or employees working for us;
? volunteers;
? tenants;
? trustees;
? complainants;
? supporters;
? enquirers;
? friends and family;
? advisers and representatives of other organisations.
ICO means the Information Commissioners Office which is the UK’s regulatory body responsible for ensuring that we comply with our legal data protection duties. The ICO produces guidance on how to implement data protection law and can take regulatory action where a breach occurs.
Personal data means any information relating to a natural person (living person) who is either identified or is identifiable. A natural person must be an individual and cannot be a company or a public body. Representatives of companies or public bodies would, however, be natural persons.
Personal data is limited to information about living individuals and does not cover deceased people.
Personal data can be factual (for example, a name, address or date of birth) or it can be an opinion about that person, their actions and behaviour.
Privacy notice means the information given to data subjects which explains how we process their data and for what purposes.
Processing is very widely defined and includes any activity that involves the data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing can also include transferring personal data to third parties, listening to a recorded message (e.g. on voicemail) or viewing personal data on a screen or in a paper document which forms part of a structured filing system. Viewing of clear, moving or stills images of living individuals is also a processing activity.
Special categories of data (as identified in the UK GDPR) includes information about a person’s:
? Racial or ethnic origin;
? Political opinions;
? Religious or similar (e.g. philosophical) beliefs;
? Trade union membership;
? Health (including physical and mental health, and the provision of health care services);
? Genetic data;
? Biometric data;
? Sexual life and sexual orientation.
Schedule 2 – Data Retention Periods
[Schedule attached]
Schedule 3 – Appropriate Policy Document
APPROPRIATE POLICY DOCUMENT – OVERFLOW CHURCH
Schedule 1, Part 4, Data Protection Act 2018: processing of special category and criminal offence data for the purposes of Parts 1, 2 or 3 of Schedule 1 of the Data Protection Act 2018.
Who we are
OVERFLOW CHURCH is a community of people worshipping and serving God.
For further information on what we do, please visit our website: https://overflowchurch.org.uk/
What this policy does
This policy explains how and why OVERFLOW CHURCH collects, processes and shares special category personal data about you and data relating to criminal convictions etc. in order to carry out our functions, in accordance with the data protection principles set out in the UK General Data Protection Regulation (UK GDPR.) Pursuant to Part 4 of Schedule 1 of the Data Protection Act 2018 (DPA 2018), special category data (Parts 1 and 2 of Schedule 1), and data relating to criminal convictions etc (Part 3 of Schedule 1), can only be processed lawfully if it is carried out in accordance with this policy. OVERFLOW CHURCH staff, trustees and volunteers must therefore have regard to this policy when carrying out sensitive processing on our behalf.
Our approach to data protection
OVERFLOW CHURCH is committed to ensuring that the collection and processing of personal data is carried out in accordance with the UK GDPR and the DPA 2018.
• This is implemented through the provision of training for all staff, trustees and volunteers on data protection to ensure compliance with our policies and procedures.
• OVERFLOW CHURCH values openness and transparency, and we have committed to and published a number of policies and processes to assist data subjects and to explain how we handle personal data. These include the OVERFLOW CHURCH protection policy, our data retention schedule and the privacy notices on our website which describe what information we hold, why we hold it, the legal basis for holding it, who we share it with, and the period we will hold it for.
• OVERFLOW CHURCH has appointed a Data Protection Officer (DPO)/Trustee, who is Paul Stevens. The DPO/Data Protection Trustee has the day to day responsibility for ensuring that the information OVERFLOW CHURCH collects is necessary for the purposes required and is not kept in a manner that can identify the individual any longer than necessary. Data protection training is provided for all new staff and volunteers and an annual update on data protection is provided to staff, trustees and volunteers, to ensure that everyone is familiar with OVERFLOW CHURCH’s data protection policies and procedures and in particular the processing of any special category and criminal offence data. The DPO/Data Protection Trustee will review any Data Protection Impact Assessments for OVERFLOW CHURCH.
• Due to the nature of the activities performed by OVERFLOW CHURCH, the church may need to share information with other organisations e.g. thirtyone:eight including statutory bodies and professional advisers, details of which can be found in our Policy.
The data protection principles
In summary, Article 5 of the UK GDPR states that personal data shall be:
• processed lawfully, fairly and transparently
• collected for specific and legitimate purposes and processed in accordance with those purposes
• adequate, relevant and limited to what is necessary for the stated purposes
• accurate and, where necessary, kept up-to-date
• retained for no longer than necessary, and
• kept secure
Special category data and criminal convictions etc data
Special category data
Personal data refers to any information by which a living individual can be identified. Individual identification can be by information alone or in conjunction with other information. Certain categories of personal data have additional legal protections when being processed. These categories are referred to in the legislation as “special category data” and are data concerning:
• health
• racial or ethnic origin
• political opinions
• religious or philosophical beliefs
• trade union membership
• genetic data
• biometric data
• sex life or sexual orientation
Criminal convictions etc data
The processing of criminal convictions etc data also has additional legal safeguards. Criminal convictions etc data (“criminal offence data”) includes information about criminal allegations, criminal offences, criminal proceedings and criminal convictions.
Special category and criminal offence data we process about you
OVERFLOW CHURCH collects, processes and shares special category and criminal convictions data where it is necessary in order to carry out our functions. This processing is usually carried by the Designated Person for Safeguarding, the pastor or certain charity trustees for the purpose of safeguarding against any risks posed to others in our church or attending our church activities by those who are involved in our church, to mitigate the risk of individuals committing criminal offences (including of a sexual nature) and to assess individuals’ suitability for ministry or other work at OVERFLOW CHURCH, including by reference to risks they may pose to others. These functions and the requisite processing of personal data are matters of substantial public interest.
If we process personal information about you, you are a “data subject.” Below is a non-exhaustive list of categories of data subjects who we might process information about:
• Employees, volunteers, workers or charity trustees of OVERFLOW CHURCH;
• A child or individual in membership with or associated with OVERFLOW CHURCH;
OVERFLOW CHURCH will share this data with third parties only where strictly necessary (please see the section “Who we share your personal data with” below).
Special category data and criminal offence data may be collected from the following non-exhaustive list of sources:
· Data subjects
· Individuals in regular contact with the church – including the pastor, church elders/core, workers or volunteers, and the church’s Designated Person for Safeguarding
· Police, Social Services or the Local Authority Designated Officer for safeguarding.
·
OVERFLOW CHURCH may also obtain and process this data for other statutory and legal obligations for example, including, but not limited to:
· responding to data subject access requests under data protection legislation
· in connection with our duties under the Equality Act 2010.
The legal basis for processing your special category or criminal convictions data
A Privacy Notice is available on the OVERFLOW CHURCH website at https://overflowchurch.org.uk/ The Privacy Notice sets out the legal bases for our processing of your personal data.
Where we process special category and criminal offence data it will be by reference to Article 6(1)(f) UK GDPR and Conditions 10, 11, 12, 18, 19 and 31 of Schedule 1 Data Protection Act 2018, which are described below:
Article 6(1)(f) UK GDPR, where the processing is necessary for the purposes of the legitimate interests of OVERFLOW CHURCH, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Special category or criminal offence data may also be processed by OVERFLOW CHURCH where it fulfils one of the substantial public interest conditions under Schedule 1, Part 2 of the Data Protection Act 2018:
i.Condition 10:
Where the processing is necessary for the purposes of the prevention or detection of an unlawful act, it must be carried out without the consent of the data subject so as not to prejudice those purposes, and is necessary for reasons of substantial public interest.
In order to mitigate the risk of individuals committing criminal offences, including of a sexual nature, OVERFLOW CHURCH may undertake a risk assessment, receive, make a record of and share information about an individual who has been reported to us by another individual or a statutory authority, where there is a significant concern about their conduct and the risk they may pose to others.
ii.Condition 11:
Where the processing is necessary for the exercise of a protective function, it must be carried out without the consent of the data subject so as not to prejudice the exercise of that function, and is necessary for reasons of substantial public interest. In this paragraph, “protective function” means a function which is intended to protect members of the public against – dishonesty, malpractice or other seriously improper conduct, unfitness or incompetence, mismanagement in the administration of a body or association, or failures in services provided by a body or association.
These functions are discharged by custom, practice and with the consensus of the members of OVERFLOW CHURCH and the requisite processing of personal data is a matter of substantial public interest.
iii.Condition 12:
Where the processing is necessary for the purposes of complying with, or assisting other persons to comply with, a regulatory requirement which involves a person taking steps to establish whether another person has committed an unlawful act, or been involved in dishonesty, malpractice or other seriously improper conduct, and in the circumstances the controller cannot reasonably be expected to obtain the consent of the data subject to the processing, and the processing is necessary for reasons of substantial public interest.
OVERFLOW CHURCH may, investigate and risk assess an individual’s suitability for ministry or other work within or connected with OVERFLOW CHURCH, which is in the substantial public interest and forms an integral part of “generally accepted principles of good practice” as per the definition of “regulatory requirement” in Condition 12.
iv.Condition 18:
Where the processing is necessary for the purposes of protecting an individual from neglect or physical, mental or emotional harm, or protecting the physical, mental or emotional well-being of an individual, the individual is - aged under 18, or aged 18 and over and at risk, the processing is carried out without the consent of the data subject for one of the reasons listed in sub-paragraph (2), and (d) the processing is necessary for reasons of substantial public interest. (2) The reasons mentioned in sub-paragraph (1)(c) are – (a) in the circumstances, consent to the processing cannot be given by the data subject; (b) in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing; (c) the processing must be carried out without the consent of the data subject because obtaining the consent of the data subject would prejudice the provision of the protection mentioned in sub-paragraph (1)(a).
OVERFLOW CHURCH may process criminal and special category data for the purposes of safeguarding minors and vulnerable persons or adults at risk.
v.Condition 19:
Where the processing is necessary for the purposes of protecting the economic well-being of an individual at economic risk who is aged 18 and over and the processing is of data concerning health, is carried out without the consent of the data subject for one of the reasons listed in sub-paragraph (2), and is necessary for reasons of substantial public interest. An “individual at economic risk” means an individual who is less able to protect his or her economic well-being by reason of physical or mental injury, illness or disability. OVERFLOW CHURCH may seek to rely on this condition if it is required to investigate allegations of financial abuse by an individual in ministry or other work or who is involved in the life of OVERFLOW CHURCH, for the purpose of safeguarding vulnerable persons or adults at risk.
OVERFLOW CHURCH may also seek to obtain, use and retain criminal offence data in reliance upon the following additional condition relating to criminal convictions under Schedule 1, Part 3 of the Data Protection Act 2018:
vi.Condition 31:
Where the processing is carried out by a not-for-profit body with a religious aim in the course of its legitimate activities with appropriate safeguards where it relates solely to persons in regular contact with it in connection with its purposes, and the personal data is not disclosed outside that body without the consent of the data subjects.
Who we share your personal data with
We are required to share your data with third parties where we have a legal obligation to do so. We may also share information with our partner organisations with which we have a Data Sharing Agreement or as set out in our Privacy Notice available here: https://overflowchurch.org.uk.The persons/organisations we may share your special category and criminal offence data with are:
· Our charity trustees, employees, contractors and volunteers on a need-to-know basis;
· Thirtyone:eight
· Churches and other appointing or employing bodies as appropriate
· Counsellors, professional supervisors and risk assessment consultants
· The Police and Social Services, Local Authority Designated Officers and other statutory agencies
· The Disclosure and Barring Service and our DBS Checking Company
· Before sharing information with any of the above persons or organisations, careful consideration is given to the rights and freedoms of the data subject against what is needed to be shared to achieve our overarching goal of safeguarding children, young people and adults at risk from harm within OVERFLOW CHURCH and to support and promote exemplary ministry. Special category and criminal offence data is only disclosed where it is reasonably necessary to do so and a record and full details of any disclosure to third parties is kept in a password protected file on the Church Mircosoft One Drive Account (which only the Data Protection Officer/Trustee can access) any physical documents will be stored in a locked filling cabinet, in Hoole Light Centre, where only Data Protection Office/Trustee and one other Staff member has a key.
Automated decision making
Currently OVERFLOW CHURCH undertakes no automated decision making in relation to your personal data.
How we keep your data secure and how long we keep it for
OVERFLOW CHURCH deploys a range of technical and organisational measures to protect the personal data it holds and processes. Controls include but are not limited to:
• Data protection training for all staff and part of the induction for new staff
• Strong defences of the OVERFLOW CHURCH core IT system (e.g. Firewalls, Malware Detection & Defence)
• Encryption of data both at rest and in transit across OVERFLOW CHURCH networks where appropriate and the use of password protected documents when sharing data.
• Where needed, appropriate redaction takes place before witness statements, case notes or investigation reports are shared.
• Deployment of Information Security Tools (e.g. Data Loss Prevention, Mobile Device Management, Secure External Email)
• Robust procedures for the reporting of any data or potential data breaches
• Only store information online with companies with strong security and privacy measure in place (For example Microsoft One Drive, Hubb.church).
These measures are under constant review by OVERFLOW CHURCH.
OVERFLOW CHURCH has a Data Retention Schedule which lists the data we hold and how long we hold it for. To find out how long we keep your data for please see our Data Retention Schedule.
Your rights in relation to the data we hold
Data protection legislation provides you with a number of rights relating to your personal data, including your special category and criminal conviction etc data. These rights are subject to some specific exemptions. Your rights may include:
• the right to access your data
• the right to have your data corrected if it is wrong or incomplete
• the right to request restrictions to the processing of your data
• the right to object to your data being processed
• the right to have your data erased
• the right to be informed about how your data is processed
• rights relating to automated decision making and data portability
You should keep us informed of any changes to your information so that we can be confident that the data we hold about you is accurate. To understand more about these rights and how to exercise them please see our Privacy Notice at: https://overflowchurch.org.uk and the Information Commissioner’s Office website: https://ico.org.uk/.
Data Protection Officer/Contact
Paul Stevens is our Data Protection Officer/Data Protection Trustee and is the person responsible for matters relating to the protection of personal data. She can be contacted as set out below.
Your right to complain to the Information Commissioner
If you are unhappy with any aspect of the way in which we have processed your personal data, you have the right to make a complaint to the Information Commissioner’s Office:
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
www.ico.org.uk
Tel: 0303 123 1113
casework@ico.org.uk
Feedback or complaints about Overflow Church, staff or volunteers
If you want to give us feedback or make a complaint about OVERFLOW CHURCH, its staff or volunteers in relation to the handling of your personal data, please contact:
Paul Stevens - DPO/Data Protection Trustee
HBC Chester, Westminster Road, Hoole, Chester, CH2 3AU
Tel: 01244 312037
Email: paul.stevens@overflowchurch.org.uk
Review of this policy
This policy will be regularly reviewed and may be subject to revision. Please visit our website to check for the current version.
[Schedule 4 – ICO Registration
Data Controller: The Overflow Church Trustees
Data Protection Officer: Paul Stevens
Data Processor:
Registration Number: Z1669442
Date Registered: 10th June 2009
Registration Expires: 9th June 2024
Schedule 5 – form of data processing agreement for completion by all those handling personal data
[see standard form attached]
Schedule 6 – form of Privacy Notice
[see standard form attached]
Signed: Paul Stevens Date: 3/11/2023
for and on behalf of Overflow Church
DATA PROTECTION POLICY
(The General Data Protection Regulation, 2016)
(GDPR)
[Confidentiality agreement for signature by employees and volunteers handling personal data]
For the purposes of the General Data Protection Regulation 2016, the Church’s Leadership Team (the Trustees) is the Data Controller and …....................... is the Data Protection Officer.
………………………………………. has been appointed by the Trustees as a Data Processor to process the following personal data on their behalf:
………….[nature of data being processed e.g. contact details (parents’ and children), sensitive pastoral information etc.]………………………………..…..
For the sole purpose of:
……………[e.g. keeping in touch with families whose child(ren) attend(s) activity, facilitating prayer ministry etc.]……………………………………….
By signing this document:
1. The Data Processor agrees to ensure that the data:
-
will be held securely at all times and not made available to anyone else without the express permission of the Trustees;
-
will be destroyed once it is no longer needed [or on a specific date];
-
will be handed over to the Trustees on request or, if the Data Processor is an employee and ceases to be employed by the Trustees as a Data Processor on their behalf or, if the Data Processor ceases to be a Member of the Church.
2. The Data Processor acknowledges that they will process the data only
according to the instructions provided by the Trustees and that they must
not process this data for their own purposes.
3. The Data Processor understands that any electronic device used to store or
process the personal data must be password or pin-protected or content
encrypted and that appropriate firewall measures are in place.
I agree to the above.
Signed:…………………………..(Data Processor) Date:……………………
OVERFLOW CHURCH PRIVACY NOTICE (Generic)
Our contact details:
Name: OVERFLOW CHURCH
Address: Hoole Lighthouse Centre, Westminster Road, Hoole, Chester, CH2 3AU
Phone Number: 01244 312037
E-mail: office@overflowchurch.org.uk
The type of personal information we collect
We currently collect and process the following information:
Personal identifiers, contacts and characteristics (for example, name and contact details) in order to:
§ maintain our list of church regular attenders;
§ provide pastoral support for regular church attenders and others connected with our church;
§ provide services to the community including for Children and Family activities;
§ safeguard children, young people and adults at risk;
§ recruit, support and manage staff and volunteers;
§ maintain our accounts and records;
§ promote our gatherings, events, activities and facilities;
§ maintain the security of property and premises;
§ respond effectively to enquirers and handle any complaints.
How we get the personal information and why we have it
Most of the personal information we process is provided to us directly by people for example, where they complete forms or contact us. We may also receive information about data subjects from other sources including, for example, previous employers.
We use the information that you have given us in order to carry out the above.
We may share this information with someone else outside Overflow Church but only after we have given you this information.
Under the UK General Data Protection Regulation (GDPR), the lawful bases we rely on for processing this information are:
(a) Your consent. You are able to remove your consent at any time. You can do this by contacting the Data Protection Officer;
(b) We have a contractual obligation;
(c) We have a legal obligation;
(d) We have a vital interest;
(e) We need it to perform a public task;
(f) We have a legitimate interest.
How we store your personal information
Your information is securely stored at Overflow Church‘s address in locked filling cabinets and also on Microsoft One Drive and securely on our web server (managed by Hubb.church) and on computers and mobile phones. All Computers and mobile phones used are password protected and have software to help secure and easrse data if device is lost or stolen.
We keep your personal information generally for six months after your connection with Overflow Church ceases. We will then dispose your information by permanently deleting from any IT system and destroying any paper records by securely shredding and disposal. For details of specific types of information see the Data Retention Schedule.
Your data protection rights
Under data protection law, you have rights including:
Your right of access - You have the right to ask us for copies of your personal information;
Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete;
Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances;
Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances;
Your right to object to processing - You have the the right to object to the processing of your personal information in certain circumstances;
Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances;
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you;
Please contact us at the above address if you wish to make a request.
How to complain
If you have any concerns about our use of your personal information, you can make a complaint to us at the above address.
You can also complain to the ICO if you are unhappy with how we have used your data.
The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk