Introduction
King’s Church recognises its responsibility to comply with the Data Protection Act 1998. The Act regulates the use of personal data. Definitions of terms used within this policy can be found in appendix A. Any queries regarding this policy and its application should be directed to the ALT.The Data Protection Act
The Data Protection Act sets out standards for the processing of personal data and protection of a person's right to privacy. The Data Protection Act covers personal data held both on paper and in electronic form. The leadership of King’s Church has responsibility for ensuring compliance with the Data Protection Act 1998, ensuring that the following Data Protection principles are met: Data Protection Principles:Personal data must be processed fairly and lawfully, and will not be processed unless:
a). Principle 2 is met. b). In the case of sensitive data, Principle 3 is met.Personal data shall be obtained only for specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes
Personal data processed must be adequate & relevant to the specified purposes, and not be excessive in relation to the purpose or purposes for which it is being processed.
Personal data must be kept accurate and, where necessary, up to date.
Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for those purposes.
Personal data must be processed in accordance with the rights of data subjects under this Act.
Personal data must be kept securely.
Personal data must not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of individuals in relation to the processing of personal data.
Processing Data
To ensure that the Data Protection principles listed in section 2 are met, the following actions should be taken: Collection Of DataUnless it is obvious, the purpose for processing personal data should be made clear at the point of collection.
When collecting personal data, those involved should ensure that they only gather that which is required to meet the purposes for processing the data.
Storage Of DataPersonal data should be stored in a secure manner. This means where the data is held electronically it should be protected by a password. Where personal data is held on paper it should not be easily accessible to those who do not need to process it for the specified purposes. Further to this personal data held on paper should, where possible, be locked away limiting further the access to it. Where sensitive personal data is held on paper it should be locked away in a lockable cabinet or room.
Those processing personal data should make efforts to keep it accurate and up to date. This should include where relevant updating personal data when they are made aware of a change.
Disposal Of DataWhen the decision is taken to start processing personal data, those involved should take a decision as to how long the data should be held for. This period will vary substantially between purposes.
When personal data is no longer required to fulfil the purpose of processing it should be disposed of. Personal data held electronically should be deleted. Personal data held on paper should be shredded.
Further ProcessingFurther processing of personal data should be compatible with the initial purpose for processing. For example personal data collected for the purpose of maintaining the church membership records should not be disclosed to a Christian Travel agency who is intending to use the data to sell holidays.
Notification
A further step that should be taken to comply with the data protection act is to notify the Information Commissioner that the Church will be processing personal data for the following purposes:Staff Administration
Administration of Membership Records
Fundraising
Realising the Objectives of a Charitable Organisation or Voluntary Body
Crime prevention and prosecution of offenders (CCTV)
Pastoral care
This notification needs to be renewed. Full details of the current Notification can be found in the Data Protection Register held at www.ico.gov.uk. *[If we have not registered then we are required to!]Disclosure
Disclosure To Data SubjectsData subjects should be able to access a copy of the personal data held on them. To do this they should submit a written request to the church’s Safeguarding officer who has 40 days to respond.
A copy of the subject’s data should only be disclosed to them once their identity has been confirmed.
Any personal data disclosed should relate to that person alone and not include anyone else.
Disclosure To OthersPersonal data should only be provided to a Police officer upon production of a warrant card in connection with a prosecution enquiry.
Other requests should be placed in writing to the Safeguarding officer who has 40 days to respond.
When handling other requests, checks should be made to ensure that the intended processing of the data is not incompatible with the initial purpose for processing.
Photography
Where photographs are taken for personal reasons (i.e. a parent taking pictures of their child in the Christmas nativity play) the data protection act does not apply, and therefore are not covered by this policy.
Photographs taken by the Church for reasons other than the above (e.g. photographs taken for publicity) may be covered by the data protection act. In this case those people in the photograph should be made aware of the purpose for it being taken. This can be either done verbally or in the form of a written notification either handed to them or displayed in a visible location.
Appendix A - Definitions (Definitions below have been taken from www.ico.gov.uk) Data subject means an individual who is the subject of personal data. Processing, in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including –organisation, adaptation or alteration of the information or data,
retrieval, consultation or use of the information or data,
disclosure of the information or data by transmission, dissemination or otherwise making available, or
alignment, combination, blocking, erasure or destruction of the information or data.
from those data, or
from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
Personal data includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual. Sensitive personal data means personal data consisting of information as to -The racial or ethnic origin of the data subject.
Their political opinions.
Their religious beliefs or other beliefs of a similar nature.
Whether they are a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992).
Their physical or mental health/condition.
Their sexual life.
The commission or alleged commission by the subject of any offence.
Any proceedings for any offence committed or alleged to have been committed by the subject, the disposal of such proceedings or the sentence of any court in such proceedings.
Church membership records
Address lists
Church attendance records
Staff records
Details of volunteers
Details of pastoral issues
Medical forms from children & young people (those under 18) taking part in certain Church activities
Appendix C - Examples Example 1: A list of contact details is kept for the purpose of maintaining the church membership. The list contains names, addresses, telephone numbers and email addresses and is held in an Excel spreadsheet. Collection Of Data: When someone's contact details are collected for this list, they should be made aware as to the reason we hold this data. However if it is considered that the purpose is obvious then this does not need to be done. Storage Of Data: As the data is held electronically on an Excel spreadsheet the file should be password protected. When those processing the data are made aware that someone's contact details are changed, they should update the list so that the accuracy of the data is maintained. Disposal Of Data As the Church membership is not static there will be some cases where a person has relinquished their membership of the Church. In this case their contact details should be removed from this list. Example 2: An attendance record for Sunday services is kept. This record consists of a list of people who are considered to regularly attend services, and the weeks they were present. This data is held on paper. Collection Of Data: It would be impractical to inform everyone individually that Sunday attendance is being recorded. However where possible people should be made aware Storage Of Data: As this data is held on paper it needs to be stored in a locked location. Disposal Of Data A decision should be made by those maintaining the attendance record as to how long the attendance record for a period should be kept. As the data is stored on paper it should, when no longer required be shredded. Example 3: Photos are taken at a Friday night youth event for the purpose of publicity. Those attending the event come from numerous other Churches. Collection Of Data: Due to the people involved being unfixed it would be impractical to inform everyone individually beforehand that photos would be taken to be used for publicity. Therefore so that people are made aware that photos will be taken notices should be placed in prominent locations (e.g. on entrances to the Church building) stating that photos will be taken that are intended to be used for photography.