General Data Protection Regulation
Below you will find three documents that give details of our Data Protection Policy, Data Privacy Notice and our Data Retention Policy. They are lengthy but they are also important. They explain how we use your personal data.
DATA PROTECTION POLICY
THE CONGREGATION OF PORTREE & BRACADALE
OF THE FREE CHURCH OF SCOTLAND
IN THE PRESBYTERY OF SKYE & WESTER ROSS
- Purpose and scope
- We Portree & Bracadale Free Church, process personal information (also called personal data) about individuals. These include, but are not limited to, office holders, employees, volunteers, members, former members, adherents, contractors, suppliers, and others who are in contact with us for a variety of reasons.
- Personal data is any information from which a person can be identified, directly or indirectly. In addition to basic personal information such as names, contact details etc., it includes opinions expressed about a person and information regarding the intentions of the data controller and third parties about a person. It does not include information which has been appropriately anonymised.
- Processing means anything we do with personal information – for example, collecting, editing, storing, holding, disclosing, sharing, viewing, recording, listening, erasing, deleting etc. We are committed to processing personal information appropriately and lawfully, in terms of the Data Protection Act 2018 (the “2018 Act”) and the General Data Protection Regulation (“GDPR”).
- This document sets out our data protection policy. It provides some basic information about data protection, including the 7 data protection principles, information regarding special categories of personal data, how we process personal information (including our legal bases for processing), how we keep it secure and where appropriate share it, and how we would deal with any data security breach. It also provides information on the rights of “data subjects” (individuals about whom we hold personal information). It applies to all those involved in processing personal information on our behalf, who must comply with this policy in all respects.
- We have a separate Privacy Notice which outlines the way in which we process personal information provided to us, and a Data Retention Policy which outlines how long various categories of personal information are retained by us. In general terms, personal information should only be retained for as long as is necessary for the purposes for which it was obtained. Copies of our Privacy Notice and Data Retention Policy are available on the church noticeboard and website.
- This policy does not form part of any contract of employment or contract to provide services. It will be reviewed from time to time to ensure compliance with data protection laws and will be updated as required.
- We take compliance with this policy very seriously. Any deliberate or negligent breach of this policy by an employee may result in disciplinary action being taken and may result in dismissal for gross misconduct.
- Data Protection Principles
- Personal information will be processed by us in accordance with the 7 GDPR Data Protection Principles, which stipulate that personal information must be:
- processed lawfully, fairly and in a transparent manner;
- collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with these purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
- accurate and, where necessary, kept up to date;
- kept in a form which permits identification of individuals for no longer than is necessary for the purposes for which it is processed;
- processed securely, with protection against unauthorised or unlawful processing and against accidental loss or damage, using appropriate technical or organisational measures;
and, in accordance with the seventh principle, we are responsible for, and must be able to demonstrate compliance with, the first 6 principles as listed above.
- Special categories of personal data
- These are categories of personal information that are deemed to be more sensitive than others. Additional rules (see under paragraph 4 below) apply to the processing of personal information which falls under any of these categories, which are defined in the GDPR as being “Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.”
- A significant amount of personal information held by us will be classed as special category personal data, either specifically or by implication (the mere fact of us holding the information being potentially indicative of a person’s religious beliefs).
- Legal Bases for processing personal information and special categories of personal information
- We process personal information on one or more of the following legal bases, which are also set out in our Privacy Notice, where:
- you have given consent to the processing for one or more specific purpose;
- processing is necessary for the purposes of the congregation’s legitimate interests, and such interests are not overridden by your interests or fundamental rights and freedoms;
- processing is necessary for the performance of a contract with you; or
- processing is necessary for compliance with a legal obligation.
- Where we process any special category data (and this will be most of the data we process) we will, in addition to meeting a minimum of one of the legal bases listed in paragraph 4.1 hereof, ensure that one or more of the following applies:
- processing is carried out in the course of our legitimate activities with appropriate safeguards by us as a not-for-profit body with a religious aim and on condition that the processing relates solely to our members, or to former members, or to people who have regular contact with us in connection with our purposes, and that the personal information is not disclosed outside the Free Church of Scotland without your consent; or
- you have given explicit consent to the processing of your personal information for one or more specified purpose; or
- processing is necessary for reasons of substantial public interest, and in particular for the purpose of (a) protecting an individual from neglect or physical, mental or emotional harm; or (b) protecting the physical, mental or emotional well-being of an individual, where that individual is either aged under 18 or is aged 18 or over and is “at risk” (has needs for care and support, experiencing or at risk of neglect or any type of harm, and is unable to protect themselves).
- Access to personal information and keeping it secure
- Everyone who processes personal information on our behalf (including, but not limited to, the minister, office-bearers, employees, volunteers and service providers) must ensure that they do so in line with this policy, our Data Retention Policy and our Privacy Notice, and all in accordance with data protection law.
- Personal information should only be accessed by those who need it in connection with the work they do for us.
- In relation to minutes of meetings of the Kirk Session and Deacons’ Court, only individuals specifically authorised by the Kirk Session and/or Deacons’ Court are permitted to receive copies of such minutes and other records.
- Personal information should be processed only for the purposes for which it was obtained.
- Personal information should be accurate and, where necessary, updated.
- Personal information should not be shared with those who are not authorised to receive it. Care should be taken when dealing with any request for personal information, whether by letter, email communication, over the telephone, or otherwise. Identity checks should be carried out if giving out information to ensure that the person requesting the information is either the individual concerned, or someone properly authorised to act on their behalf.
- Hard copy personal information should be stored securely (in lockable storage, where appropriate) and not visible when not in use. Filing cabinets and drawers and/or office doors should be locked when not in use. Keys should not be left in the lock of the filing cabinets/lockable storage.
- Confidential paper waste should be disposed of securely by shredding.
- Any computers being used in a shared area (including in the user’s home) should be shut down, or the user should log off, when leaving them unattended.
- Personal information being processed electronically should always be password protected. Passwords should be kept secure, should be strong, changed regularly and not written down or shared with others.
- Joint or shared email addresses should not be used for processing personal information.
- It is recommended that emails containing personal information should not be sent to or received at a work email address (other than an @freechurch.org address) as this might be accessed by third parties.
- If an @freechurch.org account is linked to a personal device, that account should not be accessed on a shared device for which someone else has the PIN code.
- Personal data should always be encrypted if being taken off premises.
- Back-ups of personal data stored electronically should be kept.
- Personal data should never be transferred outside the European Economic Area except in compliance with the law.
- Sharing personal data
- We will only share personal information where we have a legal basis to do so, including for our legitimate interests within the Free Church of Scotland (either within the Presbytery or to enable central databases held within the Church Offices at The Mound, Edinburgh to be maintained and kept up to date). This may require information relating to criminal proceedings or offences or allegations of offences to be processed for the protection of children or adults who may be at risk and to be shared with those within the Church who have designated roles in respect of Safeguarding, or with statutory agencies.
- We will not send any personal information outside the European Economic Area. If this changes all individuals affected will be notified and protections put in place to secure their personal information, in line with the requirements of the GDPR.
- If there is a data security breach
- A data breach is where there is accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This can happen in many different ways, for example:
- Loss or theft of data or equipment on which personal information is stored;
- Unauthorised access to or use of personal information by a member of staff, volunteer or third party;
- Loss of data resulting from an equipment or systems failure;
- Human error, such as accidental deletion, alteration or transfer of data;
- Unforeseen circumstances, such as fire or flooding;
- Deliberate attacks on IT systems, such as hacking, viruses or phishing scams.
- Should a data security breach occur, and if the breach is likely to result in a risk to the rights and freedoms of individuals, then we will notify the Information Commissioner’s Office without undue delay and, where possible, within 72 hours of the time we become aware of the breach. Notification will be made or coordinated by the Session Clerk.
- Subject access requests
- Individuals who are data subjects may ask us for copies of the personal information we hold about them. This request must be made in writing. Any such request received by the congregation should be forwarded immediately to the Session Clerk [insert contact details] who will coordinate a response within the necessary time limit (maximum 30 days).
- It is a criminal offence to conceal or destroy personal data which is part of a subject access request.
- Rights of Data subjects
- Data subjects have certain other rights under the GDPR and the 2018 Act. These include the right to know what personal data we are processing, the purposes of such processing, and the legal basis or bases for the processing.
- Data subjects also have the right to request that we have any inaccurate or incomplete personal information rectified, and to have their personal data erased if we are not entitled by law to process it or it is no longer necessary for us to process it for the purpose for which it was collected. In situations where consent is the only legal basis which we have for processing then personal information should be erased if and when the individual revokes that consent.
- All requests to have personal data corrected or erased should be passed to the Session Clerk [insert contact details] who will be responsible for responding to them.
- We will ensure that all those engaged in processing personal information for the congregation receive adequate training in their data protection responsibilities.
- If any processing of personal information is outsourced to an external data processor we will enter into a contract with them to ensure compliance with data protection law.
- Data Protection Policy Review
- This policy will be reviewed and updated from time to time.
This Data Protection Policy was adopted by the Charity Trustees of Portree & Bracadale Free Church. The charity trustees will be responsible for the implementation of this Policy in the Congregation.
DATA PRIVACY NOTICE – HOW WE USE YOUR PERSONAL INFORMATION
THE CONGREGATION OF PORTREE & BRACADALE
OF THE FREE CHURCH OF SCOTLAND
IN THE PRESBYTERY OF SKYE & WESTER ROSS
This privacy notice explains the way in which the Portree & Bracadale Free Church of Scotland Congregation uses, or “processes” personal information. Personal information is any information, held either in paper records or electronically, from which you can be identified. Examples of personal information are your name, address, email address, telephone number, IP address, photograph or video image. The processing of personal information is governed by data protection law. “Processing” is anything that is done with personal information, from collection onwards.
The Congregation, jointly with the Presbytery, is the “data controller” in terms of data protection regulations as we decide on the purposes and means of how your personal information is processed. Our contact details are provided below.
We use personal information for the following purposes:
- To maintain membership records.
- To maintain baptismal records.
- To manage employees and volunteers.
- For payroll administration.
- To maintain accounts and records, including Gift Aid administration.
- In relation to the provision of counselling and pastoral care.
- In relation to individuals participating in church events and activities, including children and young people.
- To provide information about church news, events, and activities.
- To fulfil contractual and other legal obligations.
- For fundraising.
- Generally, to further the charitable aims of the church.
Sharing of information
Only individuals appointed to specific roles within the Free Church of Scotland can access your data. We will not share your data outside the Free Church of Scotland without your consent, properly obtained, unless we are permitted or obliged to do so by law.
Lawful bases for processing personal information
We are required by law to identify an appropriate legal basis, or appropriate legal bases, for processing personal information. We process personal information on one or more of the following legal bases:
- Where you have given your consent to the processing for one or more specific purpose. You are entitled to withdraw such consent at any time, using the contact details provided below.
- Where the processing is necessary for the purposes of our legitimate interests, and such interests are not overridden by your interests or fundamental rights and freedoms.
- Where the processing is necessary for the performance of a contract with you.
- Where the processing is necessary for compliance with a legal obligation.
Further, where we process personal information which is more sensitive than other types and is classed by law as “special category data” we will, in addition to meeting a minimum of one of the above legal bases, ensure that one or more of the following applies:
- Processing is carried out in the course of our legitimate activities with appropriate safeguards by us as a not-for-profit body with a religious aim and on condition that the processing relates solely to our members, or to former members, or to people who have regular contact with us in connection with our purposes and that the personal information is not disclosed outside the Free Church of Scotland without your consent.
- You have given explicit consent to the processing of your personal information for one or more specified purpose. You are entitled to withdraw such consent at any time, using the contact details provided below.
Security and retention of personal information
We are committed to ensuring that personal information is held and retained securely and in accordance with data protection principles. More specifically, we keep data in accordance with the guidance set out in our Data Retention Policy, a copy of which is available online and with the Session Clerk.
You have the right to make certain requests in relation to your personal data, as follows:
- You can request copies of the personal data which we hold about you, using the contact details provided below.
- If you believe that any information we hold about you is inaccurate or incomplete, please let us know so that we can have this rectified.
- You can request that we erase your data if there is no longer any need for us to keep it, although we may still need to retain it if the reasons why it was obtained still exist. If the only legal basis on which we hold the data is your consent, and you withdraw that consent, then we will erase your data on request.
Our contact details
You can contact us by email email@example.com.
The Information Commissioner’s Office
You have the right to contact the Information Commissioner’s Office on 0303 123 1113 or its website at www.ico.org.uk or at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
DATA RETENTION POLICY
THE CONGREGATION OF PORTREE & BRACADALE
OF THE FREE CHURCH OF SCOTLAND
IN THE PRESBYTERY OF SKYE & WESTER ROSS
This Data Retention Policy outlines how long various categories of personal data are retained by the congregation. It should be read in conjunction with our Data Protection Policy and our Privacy Notice, copies of both of which are available on the church noticeboard [and website where applicable] [and/or by asking for a copy from the appropriate person in the congregation – complete details as appropriate].
Congregations process various types of personal information, also called personal data. Personal data is any information, whether held in hard copy or electronic form, relating to an individual who can be identified, directly or indirectly, from that data. Processing is anything that is done with that information – it includes the collecting, editing, storing/holding/retaining, disclosing/sharing, viewing, recording, listening, erasing/deleting etc. of personal information.
Examples of the types of personal information processed by congregations are set out in the Schedule to this policy and include, but are not limited to, membership lists; baptismal records; information relating to employees and volunteers; financial records, including in relation to payroll and Gift Aid administration; information relating to counselling and pastoral care; information regarding individuals attending churches and participating in church events and activities, including children and young people; and information relating to the management of properties, including sales, purchases and leases.
Personal information may be retained by congregations in various ways and places – these include, but are not limited to, minutes of meetings of the Kirk Session or Deacons’ Court/Finance Committee; employment contracts; congregational register of individuals working with children and/or protected adults; registration and/or consent forms for church activities; congregational newsletters; and letters and email correspondence.
In certain circumstances it will be necessary and appropriate to retain personal information, either in hard copy or electronic form, depending on the purposes for holding the information. However, it is not appropriate or practical for congregations to retain all records indefinitely. Records should only be retained in accordance with data protection principles, which require that personal information is limited to what is relevant and necessary, is accurate, and is kept in a form which permits identification of individuals for no longer than is necessary for the purposes for which it was obtained. Ensuring that personal information is erased or anonymised when no longer required will reduce the risk of it becoming irrelevant, excessive, inaccurate or out of date, and the risk of it being processed in error. It is therefore important that congregations have in place systems for the timely and secure disposal of documents that are no longer required or that they are no longer entitled to retain.
It is permissible to retain personal information beyond when it is required for the original purposes, if such further retention is only for public interest archiving, scientific or historical research, or statistical purposes. Any personal data that congregations need to keep for public interest archiving etc. should be clearly identified by them.
Retention of records
Data protection law does not set specific time limits for the retention of different types of personal information. It is up to data controllers to set their own retention periods, which will depend on how long the information is required in relation to the specified purposes for which it is held.
Suggested retention periods are set out in the Schedule to this policy, and decisions relating to the retention (and disposal/erasure) of personal information should be taken with reference to the Schedule. However, congregations should also bear in mind the general rule that they must always be able to justify why they keep personal information in a form that permits the identification of individuals.
In all cases where the retention period recommended in the Schedule for specific types or items of personal information has expired, a review should be carried out prior to disposal, and consideration should be given as to the most appropriate method of secure erasure or disposal.
Disposal/erasure of records
Documents containing personal information should be disposed of confidentially and securely either by shredding or by using confidential waste bins or sacks. Such documents may include, but are not limited to, those containing names and contact details, health-related information, information relating to pastoral matters and financial information.
Electronic communications including email, Facebook pages, Twitter accounts etc. and all information stored digitally should also be reviewed regularly and if no longer required should be closed and/or permanently deleted. It is understood that the word “deletion” can mean different things in relation to electronic data, and that it is not always possible to erase all traces of it. The key issue is to put the data beyond use. Therefore, it will normally be sufficient simply to delete the information, with no intention of it ever being used or accessed again by anyone. In addition to deleting personal information from a live system, it should also be deleted from any back-up of the information on that system.
Retention of records for archiving, research or statistical purposes
Personal information can be kept indefinitely if held only for archiving purposes in the public interest; scientific or historical research purposes; or statistical purposes. There must be appropriate safeguards in place to protect individuals – for example, in some cases pseudonymisation may be appropriate. If retaining personal information for archiving purposes, it must not be used for any other purposes. In cases where archiving is considered appropriate the Assembly Clerks’ Office should be consulted for advice.
This Data Retention Policy was adopted by the Charity Trustees of Portree & Bracadale Free Church. The charity trustees will be responsible for the implementation of this Policy in the Congregation.
Data Retention Schedule
| Record | Retention period |
|---|---|
| Minutes of Kirk Session, Deacons’ Court and Finance Committee meetings | Permanent (per 2018 General Assembly) |
| Minutes of other meetings | 6 years |
| Papers for meetings, including agendas and reports | Delete once there is no longer a need to retain these |
| EMPLOYMENT, MEMBERS & VOLUNTEERS | |
| Pre-employment (of volunteers and paid workers) enquiries/applications/notes/letters/references | 6 months after completion of recruitment (unless data to be retained for a future similar opportunity, in which case 1 year) |
| Advice (emails, letters) from Church solicitor or PVG Lead Signatory | 100 years |
| Confidentiality Agreements | 100 years |
| Covenants of Responsibilities | 100 years |
| Safeguarding Risk Assessments | 100 years |
| Complaints concerning people | 100 years |
| Congregational Register | 100 years |
| Safeguarding Audit for Congregations and Presbyteries | 100 years |
| Transfer Forms | 100 years |
| Employee records including: contracts, time records etc. | Duration of employment + 6 years |
| Volunteer records | Duration of placement + 6 years |
| Databases for mailing lists/distribution | Reviewed annually – delete or correct out of date information |
| Miscellaneous contact information | Delete once there is no longer a need to retain such information |
| Miscellaneous letters and emails | Delete the email/confidentially destroy the letter once no longer required |
| Payroll and pension payment records | Minimum 6 years, no maximum |
| Pension and retirement records | Minimum 6 years beyond final pension payment, no maximum |
| PROPERTY & LEGAL | |
| Insurance claims/applications | Permanent |
| Insurance disbursements and denials | Permanent |
| Insurance contracts and policies (Directors and Officers, General Liability, Property, Workers’ Compensation) | Permanent |
| Leases | 6 years after expiration |
| Property & land documents (including loan and mortgage contracts, title deeds) | Permanent |
| Warranties | Duration of warranty + 6 years |
| Documents relating to legal proceedings, potential or actual | Final settlement of matter or conclusion of any formal proceedings + 6 years |
| Hazardous material exposures | 30 years |
| Injury and Illness Incident Reports (RIDDOR) | 5 years |
| Fixed Asset Records | Permanent |
| Application for charitable and/or tax-exempt status | Permanent |
| Sales and purchase records | 10 years |
| OSCR filings | 5 years from date of filing |
| Contracts | 6 years following expiration |
| Audit and review workpapers | 6 years from the end of the period in which the audit or review was concluded |
| Financial records, including invoices and expenses payable, income records, bank statements and all supporting documentation | 6 years from end of year in which transaction made |
| Annual audit reports and financial statements | Permanent |
| Annual plans and budgets | 2 years |
| Tax records | Minimum 6 years |
| Gift Aid Declarations | 6 years from end of year in which final claim made or until any current enquiries completed |
| Gift Aid Records | 6 years from end of year in which transaction made or until any current enquiries completed |
| Gift Aid Envelopes | One full month per year for 6 years |
| Legacies (general) | 6 years after estate has been wound up |
| Legacies which create permanent endowment | Permanent |