Your personal data – what is it?
Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. The processing of personal data is governed by the General Data Protection Regulation (the “GDPR”).
Who are we?
The PCC of St James and All Saints and Christ Church, Gloucester is the data controller (contact details below). This means it decides how your personal data is processed and for what purposes.
How do we process your personal data?
The PCC of St James and All Saints and Christ Church, Gloucester complies with its obligations under the “GDPR” by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.
We use your personal data for some or all of the following purposes: -
- To enable us to meet all legal and statutory obligations (which include maintaining and publishing our electoral roll in accordance with the Church Representation Rules);
- To carry out comprehensive safeguarding procedures (including due diligence and complaints handling) in accordance with best safeguarding practice from time to time with the aim of ensuring that all children and adults-at-risk are provided with safe environments;
- To minister to you and provide you with pastoral and spiritual care (such as visiting you when you are gravely ill or bereaved) and to organise and perform ecclesiastical services for you, such as baptisms, confirmations, weddings and funerals.
- To enable us to provide a church body voluntary service for the benefit of the public in a particular geographical area.
- To administer membership records;
- To fundraise and promote the interests of the charity;
- To manage our employees and volunteers;
- To maintain our own accounts and records (including the processing of gift aid
- To inform you of news, events, activities and services running at St James and All Saints
and Christ Church, Gloucester
- To process a donation that you have made (including Gift Aid information);
- To seek your views or comments;
- To notify you of changes to our services, events and role holders;
- To send you communications which you have requested and that may be of interest to
you. These may include information about campaigns, appeals and other fundraising
- To process a grant or application for a role;
- Using CCTV systems for the prevention and prosecution of crime.
We collect personal data in some or all of the following ways;
- Names, titles, and aliases, photographs;
- Contact details such as telephone numbers, addresses, and email addresses;
- Where they are relevant to our mission, or where you provide them to us, we may
process demographic information such as gender, age, date of birth, marital status, nationality, education/work histories, academic/professional qualifications, hobbies, family composition, and dependants;
- Where you make donations or pay for activities such as use of a church hall/other premises financial identifiers such as bank account numbers, payment card numbers, payment/transaction identifiers, policy numbers, and claim numbers.
The data we process is likely to constitute sensitive personal data because, as a church, the fact that we process your data at all may be suggestive of your religious beliefs. Where you provide this information, we may also process other categories of sensitive personal data: racial or ethnic origin. And, where this is relevant, mental and physical health, details of injuries, medication/treatment received, and criminal records, fines and other similar judicial records.
What is the legal basis for processing your personal data?
- Most of our data is processed because it is necessary for our legitimate interests, or the legitimate interests of a third party (such as another organisation in the Church of England). An example of this would be our safeguarding work to protect children and adults at risk. We will always take into account your interests, rights and freedoms.
- Some of our processing is necessary for compliance with a legal obligation. For example, we are required by the Church Representation Rules to administer and publish the electoral roll, and under Canon Law to announce forthcoming weddings by means of the publication of banns.
- We will seek explicit consent to keep you informed about news, events, activities and services and keep you informed about local church and other diocesan events.
- We may also process data if it is necessary for the performance of a contract with you, or to take steps to enter into a contract. An example of this would be processing your data in connection with the hire of church facilities.
- Processing is necessary for carrying out legal obligations in relation to Gift Aid or under employment, social security or social protection law, HMRC and other statutory requirements.
- Where we have PCC employees we may process information in line with payroll and pension, HMRC, safer recruitment including DBS checks, and other statutory requirements.
- Religious organisations are also permitted to process information about your religious beliefs to administer membership or contact details.
- Where your information is used other than in accordance with one of these legal bases, we will first obtain your consent to that use.
Sharing your personal data
Your personal data will be treated as strictly confidential. It will only be shared with third parties where it is necessary for the performance of our tasks, where you first give me your prior consent, or in respect of a legal/statutory obligation. It is likely that I will need to share your data with some or all of the following (but only where necessary):
- The appropriate bodies of the Church of England including the other data controllers.
- Other clergy or lay persons nominated or licensed by the bishops of the diocese to support the mission of the Church in our parish. For example, our clergy are supported by our area dean and archdeacon, who may provide confidential mentoring and pastoral support. Assistant or temporary ministers, including curates, deacons, licensed lay ministers, commissioned lay ministers or persons with Bishop’s Permissions may participate in our mission in support of our regular clergy;
- Other persons or organisations operating within the diocese as appropriate.
- On occasion, other churches with which we are carrying out joint events or activities.
- External statutory bodies (police, social care etc) where this is legally required.
- In the event of employee related tasks including payroll and pension provisions.
How long do we keep your personal data?
We keep data in accordance with the guidance set out in the guide “Keep or Bin: Care of Your Parish Records” which is available from the Church of England website.1
Specifically, we retain electoral roll data; gift aid declarations and associated paperwork for six years after the calendar year to which they relate; and parish registers (baptisms, marriages, funerals) permanently.
Details about retention periods can currently be found in the Record Management Guides located on the Church ofEnglandwebsiteat: www.churchofengland.org/more/libraries-and-archives/records-management-guides
Your rights and your personal data
Unless subject to an exemption, or overruled by other obligations, under the GDPR, you have the following rights with respect to your personal data: -
- The right to request a copy of any personal data which the PCC of St James and All Saints and Christ Church, Gloucester holds about you;
- The right to request that the PCC of St James and All Saints and Christ Church, Gloucester corrects any personal data if it is found to be inaccurate or out of date;
- The right to request your personal data is erased where it is no longer necessary for the PCC of St James and All Saints and Christ Church, Gloucester to retain such data;
- The right to withdraw your consent to the processing at any time
- The right to request that the data controller (the PCC) provides the data subject (you)
with your personal data and where possible, to transmit that data directly to another data controller, (known as the right to data portability), (where applicable). [Only applies where the processing is based on consent or is necessary for the performance of a contract with the data subject and in either case the data controller processes the data by automated means].
- The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;
- The right to object to the processing of personal data, (where applicable)
- This right only applies where processing is based on legitimate interests (or the performance of a task in the public interest/exercise of official authority); direct
marketing and processing for the purposes of scientific/historical research and
- The right to lodge a complaint with the Information Commissioners Office.
If we wish to use your personal data for a new purpose, not covered by this Data Protection Privacy Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.
Marketing permissions and seeking consent
Whilst there may be an expectation that people involved in the life of the diocese in many ways would expect to receive information from the PCC through email, post, social media etc; the PCC is required through data regulations to ensure that it asks for your permission to do so in certain circumstances; and to ensure that it makes you aware of your rights in doing so.
- Email and text
- We will ask for your permission to contact you in this way.
- Postal marketing
- From time to time we may send you information about the diocese and its work unless you have told us you would prefer not to receive this information by post.
- Bulletins and newsletters
- The PCC will, in the main, require individuals to personally opt in and out of electronically sent information such as church newsletters. This ensures that individuals are able to manage the information they wish to receive.
Changes to this Privacy Notice
The PCC will review this Privacy Notice regularly and may update it at any time - for example in the event of legal changes, to improve how we manage data, where an issue or concern has come to light that needs appropriate response. If there are any significant changes in the way the PCC processes your personal information we will provide a prominent notice on our website or send you a notification.
Transfer of Data Abroad
Any electronic personal data transferred to countries or territories outside the EU will only be placed on systems complying with measures giving equivalent protection of personal rights either through international agreements or contracts approved by the European Union. Our website is also accessible from overseas so on occasion some personal data (for example in a newsletter) may be accessed from overseas.
To exercise all relevant rights, queries of complaints please in the first instance contact firstname.lastname@example.org .
This page has the Diocesan Safeguarding Advisor’s contact details and details of how anyone can report a concern.