Personal data is information which relates to a living individual who can be identified from that data alone or in conjunction with any other information in the data controller’s possession or likely to come into their possession. The processing of personal data is governed by the General Data Protection Regulation1 (the GDPR).
The data controller for the Church is the eldership, which comprises the serving elders2 of the Church.
There are different levels of privacy depending on the nature of the information held as explained below. However this policy covers all information that is held, relating to members, adherents, friends, employees and participants in activities controlled by the Church, including those for children and young people.
The Church may change this policy from time to time by resolution of the Elders Meeting. We will advise you using the contact details you have supplied of any change which affects our use of your data.
This policy is effective from 25 May 2018.
What we hold
We may hold and process the following information about you or your children if you or a member of your family provides it to us:
- Your name *
- Your home address *
- Your landline and mobile telephone numbers *
- Your email address
- Your relationship to the Church: member, adherent, friend, young person or other *
- Any role you have in the Church, such as Elder, Pastoral Visitor, Church Secretary *
- The name of the Pastoral Visitor in whose district you are, if any *
- Any rotas for which you have volunteered
- Details of your current or past subscription to the Church Magazine
- Records of your recent attendance at church events or membership of church groups
Other personal details
- The gender by which you identify yourself (male, female or other)
- The family connection between you and other people in our records
- Your dates of birth and of significant events relating to the Church (such as baptism, marriage and becoming a member)
Your financial gifts to the Church
- Commitments you make to regular giving to the Church
- Gift Aid declarations you make in favour of the Church
- The value and dates of your giving
What we do with the information we hold
With your agreement, the information marked with * above may be published in a printed directory of which copies are available at a small charge to all members and adherents. Upon request to the Church Administrator your landline or mobile phone numbers or your address will be suppressed from future copies of this directory.
Your email address may be used in communications from the Church office or office bearers.
If you have volunteered for any rotas, your contact details may be used to remind you of your scheduled duties, and you may elect to receive reminders of these duties by email, text message to your mobile phone or calls to your landline phone. Your name and duties for the upcoming fortnight will be visible on a public page of the church website, and more details of your future duties will be visible to the managers of the rotas.
If you are a member or adherent we will include you in our count of members and adherents submitted annually to URC headquarters. From time to time the URC also requests more detailed breakdowns of membership, for example by age. None of these reports identifies individuals by name.
The information listed above as Your financial gifts to the Church is held only by the Treasurer or an Assistant Treasurer and is released to others only for the purpose of managing and audit of the accounts and for reclaim of Gift Aid from HMRC.
We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and management procedures to safeguard and secure the information we collect.
The lawful basis under whch we hold your data
The GDPR stipulates a number of lawful reasons for the Church holding your personal information.
In the case of members and adherents and their children we assert that the Church has a legitimate interest (GDPR clause 6.1.f) in processing their data. In the case of employees, the Church has a contractual relationship with them (GDPR clause 6.1.c). In the case of friends, we have or will have obtained consent from the data subjects (GDPR clause 6.1.a).
The Church is aware that the personal information it holds may indicate the religious beliefs of the data subjects and thus constitute a special category of data under the GDPR. This use is permitted under the GDPR (clause 9.2.d) as the Church is a not-for-profit body with a religious aim.
The Church website
If you log on to the Church website, it records the most recent time you used a page. This is done so that long-unused accounts may be deleted. The Church’s website is hosted in the UK by a commercial supplier, which logs information which ultimately could be used to track all your activity on the site, but this is only accessed for the purposes of improving the site (for example, correcting any broken links).
Most interaction between your computer or device and the Church website is strongly encrypted in both directions. The only exceptions are some pages in the News area, where the inclusion of external links may prevent encryption being used. You can tell encrypted pages by the 'https' prefix to the web address. Your personal data which is held in a database is only accessible to Church staff and office bearers with a need to have such access, and that access is protected by individual passwords and commensurate security measures.
You can choose to decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This will prevent you from using some features of the website.
Links to other websites
Retention of records
Some of the information listed above is held in paper records, including the Roll of Members, the Cradle Roll (of children baptised in the church), archive copies of the Church Magazine and minutes of meetings. These historical records are retained indefinitely.
Statutory certificates of marriages carried out in the church are held in a fireproof safe for the period required by the registration authorities.
Your records in the computer-based database will be deleted 24 months after you cease to be a member, adherent, friend or employee of the Church. Employment records and records relating to safeguarding are kept for as long as is required by law or recommended by regulatory bodies.
Photographs and video recordings
From time to time we take photographs to illustrate the life of the church. We use these photographs on our website and in printed publications and other documents. We do not identify individuals by name in captions or accompanying text unless there is a specific reason to do so. We do not use pictures of children showing their faces at a recognisable size without asking permission from their parents or guardians.
We do display posters within the church premises showing pictures of office bearers and staff together with their names and responsibilities.
Security cameras operate in and around the Church premises. The equipment holds the recordings for around 30 days. They may be held for longer if needed for the investigation of suspected criminal or safeguarding issues.
Occasional video recordings are made of events within the church sanctuary, such as special services, weddings, funerals or concerts. Copies may be made available to participants. If the Church fixed equipment is used to make the recording, the master copy is retained for no longer than 24 months.
If you have any concern about our present or future use of your or your children’s photographs please let us know as soon as possible in writing to the Church Administrator.
Disclosing your personal information
The Church respects the privacy of its members and will not sell, distribute or lease your personal information to third parties unless we have your permission or are required by law to do so.
You may request details of personal information which we hold about you as required by the General Data Protection Regulation. If you would like a copy of the information held on you or your children please make a request to the Church Administrator.
You may request that the Church deletes all the personal data that the Church holds about you or your children. If you would like this done please make a request to the Church Administrator.
If you believe that any information we are holding about you or your children is incorrect or incomplete, please contact the Church Administrator or write to her at St Andrew’s URC, Northey Avenue, Cheam, Sutton SM2 7HF. We will promptly correct any information found to be incorrect.