General Data Protection Regulations
1.1 Bournemouth Community Church (BCC) needs to collect certain types of information about members and other individuals who come into contact with the organisation. BCC is committed to complying not just with the letter of the law but also to ensuring that the organisation and those involved with the organisation treat each individual they come into contact with, with respect and dignity.
1.2 General Data Protection Regulation (GDPR) requires all those who gather data about individuals to comply with the following 7 Data Protection Principles:
Personal data shall be:
Processed lawfully, fairly and in a transparent manner in relation to individuals.
Collected for specified, explicit and legitimate purposes and not further processed in a manner that’s incompatible with those purposes (further processing for archiving purposes in the public interest or historical research or statistical purposes shall not be considered to be incompatible with the initial purposes).
Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that’s inaccurate, having regard for the purposes for which they are processed, is erased or rectified without delay.
Not kept longer than necessary in regards to the purposes it was processed; personal data may be stored for longer periods of time if it concerns historical, statistical purposes, or is in place to fulfil the safeguarding of individuals.
Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The subject of accountability – the designated controller shall be responsible for, and be able to demonstrate compliance with these principles.
BCC applies this to its work in the following ways:
Information about living individuals, whether service users, staff, volunteers or supporters of BCC, will only be gathered when and to the extent necessary in order to provide either the service in question or the management and support of those working for BCC in a paid or voluntary capacity. Transparent communication in regards to the purposes of storing information should be given at the point of receiving it; this includes information derived from other sources, for example, tracking attendance data.
Personal information gathered by BCC will not be processed to a greater degree than the original purpose it was taken. To do so BCC would require further consent. For example, by signing up for an Alpha Course, that individual’s information should only be used in reasonable connection to the purposes it was gathered for, i.e. to attend the Alpha Course.
BCC will only process information that is necessary to the purpose of taking it. Information that is stored will only be retained for the length of time that it is reasonable to do so. The controller regularly reviews information that is stored and seeks to only retain information that is relevant to the original purpose it was taken.
The accuracy of the personal information held by BCC will be primarily the responsibility of the authorised member of staff or volunteer lead who initially collected it; however, the individual can access their information upon request and make changes to ensure that data is kept up to date and relevant. In doing so the individual can also change their privacy preferences. In accordance with GDPR, BCC will take every reasonable step to ensure that data is accurate and up to date.
Any personal information gathered by BCC will only be held for the duration of the relationship between the individual and the organisation; cases will be regularly reviewed and, in the case of there being no purpose in retaining an individual’s data, any information that is not relevant to historical, statistical or safeguarding purposes will be deleted from our system.
Any personal information gathered by BCC will be protected from unauthorised access by being stored in a secure, encrypted online server or secure filing cabinet. Access is restricted to trained and authorised staff or volunteers who will have limited access in accordance with the purpose of the personal information and the relationship of BCC to that individual’s information. It will not be shared with any other person or organisation without the consent of the person to whom it relates (unless legally obliged to do so), and then only when absolutely necessary.
BCC has sufficient governance and delegation structures to ensure that it is complying with the principles of GDPR. This includes an annual data audit on all personal data that BCC holds; this will include a review of the way BCC processes and stores data to ensure that security measures are sufficient. Regular training opportunities for authorised members of staff or volunteers will be given. BCC maintains up to date privacy notices and consent for processing data as required.
Requesting Data Procedure
Individuals will also be made aware of their rights under the GDPR to see the information held by BCC. Any individual who believes that BCC is storing personal information about them is entitled to request a copy of the information. Such requests should be put in writing to email@example.com or Receptionist, Life Centre, 711-715 Wimborne Road, Moordown, BH92AU.
If you believe that the Church needs to notify the Data Protection Registrar because personal data is being processed beyond the parameters set out in these Guidelines or beyond the parameters of the GDPR, telephone the Office of the Information Commissioner to obtain a form to complete; alternatively, the form can be obtained via the Internet at https://ico.org.uk/.
Last updated: April 2018