Data Protection Policy

Introduction

Christ Church Cambridge recognises the importance of the correct and lawful treatment of personal data. All personal data, whether it is held on paper, on computer or other media, will be subject to the appropriate legal safeguards as specified in the Data Protection Act 1998 (implementing the Data Protection Directive 95/46/EC). The data is registered under the provisions of the Data Protection Act. The registration number is ZA197717 and full details of the registration can be viewed on the Information Commissioner's website, www.ico.gov.uk.

Christ Church Cambridge uses personal data about individuals for the purpose of general church administration, pastoral care and communication. 

Any personal details that we hold will not be passed to any third party without the permission of the data subject. Data held by and on behalf of Christ Church Cambridge will not be used for any purposes other than those set out in this policy.

Christ Church Cambridge fully endorses and adheres to the eight principles of the Data Protection Act. These principles specify the legal conditions that must be satisfied in relation to obtaining, handling, processing, transportation and storage of personal data. Employees and any others who obtain, handle, process, transport and store personal data for Christ Church Cambridge must adhere to these principles. The eight principles state that personal data must be:

  • Processed fairly and lawfully
  • Processed for limited purposes and in an appropriate way
  • Adequate, relevant and not excessive for the purpose
  • Accurate
  • Not kept longer than necessary for the purpose
  • Processed in line with data subjects' rights
  • Secure
  • Not transferred to people or organisations situated in other countries without adequate protection

This policy applies to all employees and volunteers of Christ Church Cambridge.

 

  1. Definitions in the Act

The Act defines personal data and its processing in the following terms:

Data is recorded information whether stored electronically on a computer, in paper based filing systems or other media. 

Data subjects include all living individuals about whom we hold personal data.  A data subject need not be a UK national or resident.  All data subjects have legal rights in relation to their personal data.

Personal data means data relating to a living individual who can be identified from that data (or from that data and other information in our possession).  Personal data can be factual (such as a name, address or date of birth) or it can be an opinion (such as a performance appraisal).  It can even include a simple email address.  It is important that the information has the data subject as its focus and affects the individual's privacy in some way.  Mere mention of someone's name in a document does not necessarily constitute personal data, but personal details such as someone's contact details or salary would fall within the scope of the Act.

The types of personal data that Christ Church Cambridge may be required to handle include information about current, past and prospective parishioners, employees, volunteers, customers, suppliers, conference and course attendees, those running or leading courses and others with whom we communicate.  

Data controllers are the people or organisations who determine the purposes for which, and the manner in which, any personal data is processed.  They have a responsibility to establish practices and policies in line with the Act. Christ Church Cambridge (represented by the Parochial Church Council of St Andrew the Less) is the data controller under the terms of the Act. 

Data users include employees and volunteers of Christ Church Cambridge whose work involves using personal data held by the church.  Data users have a duty to protect the information they handle by following our data protection and security policies at all times.

Data processors include any person who processes personal data on behalf of a data controller.  This excludes volunteers or employees of Christ Church Cambridge (who are data users) but does include, for example, outside suppliers who are contracted to handle personal data on our behalf.

Processing is any activity that involves use of the data.  It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it.  Processing also includes transferring personal data to third parties.  

Sensitive personal data includes information about a person's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life, or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings.  Sensitive personal data can only be processed under strict conditions, including a condition requiring the express permission of the person concerned.  

  1. Maintaining Confidentiality

Christ Church Cambridge will treat all personal information as private and confidential and will not disclose such information to anyone other than those within Christ Church Cambridge who need access to the personal data in order to facilitate church administration, pastoral care, communication and day-to-day ministry of the church. Personal information will not be passed on to any third parties outside of the church environment. There are four exceptional circumstances to the above permitted by law:

  • Where we are legally compelled to do so 
  • Where there is a duty to the public to disclose 
  • Where disclosure is required to protect our interest 
  • Where disclosure is made at your request or with your consent 

 

  1. Use of Personal Information

Christ Church Cambridge will use your data for two main purposes: 

  1. The day-to-day administration of the church: including pastoral care, oversight, calls and visits, preparation of ministry rotas, maintaining financial records of giving (for audit and tax purposes), electoral roll, membership of groups and committees. 
  2. Contacting you to keep you informed of church events and activities. 

 

  1. The Data

Data may be held in paper and/or electronic format. 

A record of where data is located, what the data is, what it is to be used for and who maintains, processes or uses the data is to be maintained by the parish office. Due to the distributed nature of the data there is no obvious master data set.

When data is no longer required, both electronic and paper records are to be destroyed. 

3.1 Paper Records 

Paper records are stored by those who have a need (as set out in this policy) to either maintain, process or use the data. 

3.2 Electronic Records

Electronic records may be stored on a number of computers (both church and privately owned), on a secure server and in ‘cloud-based’ systems such as Dropbox or Microsoft OneDrive. They are stored by those who have a need (as set out in this policy) to maintain, process or use the data. Electronic data is to be password protected and stored on a machine which is adequately protected physically and electronically with the latest updates to the operating system, antivirus and any other technical measures which are necessary.

3.3 CCTV

CCTV is used for maintaining the security of property and premises and for preventing and investigating crime. For these reasons the information processed may include visual images, personal appearance and behaviours. This information may be about anyone including offenders and suspected offenders, members of the public and those inside, entering or in the immediate vicinity of the area under surveillance. Where necessary or required this information is shared with the data subjects themselves, service providers, police forces, security organisations and persons making an enquiry.

 

  1. Consent

The intention to process data will be communicated to all data subjects. 

  1. Rights to Access Information

All subjects of personal data held by Christ Church Cambridge have the right to access the data record that is kept about them, subject to statutory exemptions. Any person who wishes to exercise this right should make the request in writing to the Church Office, using the standard letter which is available from the Information Commissioner, www.ico.gov.uk. Christ Church Cambridge reserves the right to charge a fee in line with the recommendations of the ICO.