The law states that we can store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies we need your permission.
This site uses different types of cookies which show that our website is secure and that any communication you have with us via this website is kept safe.
Data Protection Privacy Notice
The Parochial Church Council (PCC) of St Paul’s Church, Scotforth
1. Your personal data – what is it?
Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. The processing of personal data is governed by the General Data Protection Regulation (the “GDPR”).
2. Who are we?
The PCC of St Paul’s Church, Scotforth is the data controller (contact details below). This means it decides how your personal data is processed and for what purposes.
3. How do we process your personal data?
The PCC of St Paul’s Church, Scotforth complies with its obligations under the “GDPR” by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.
We use your personal data for the following purposes: -
To enable us to provide a voluntary service for the benefit of the public in a particular
geographical area as specified in our constitution;
To administer membership records;
To fundraise and promote the interests of the charity;
To manage our employees and volunteers;
To maintain our own accounts and records (including the processing of gift aid
To inform you of news, events, activities and services running at St Paul’s;
To share your contact details with the Diocesan office so they can keep you informed
about news in the diocese and events, activities and services that will be occurring in the diocese and in which you may be interested.
4. What is the legal basis for processing your personal data?
Explicit consent of the data subject so that we can keep you informed about news, events, activities and services and process your gift aid donations and keep you informed about diocesan events.
Processing is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement;
Processing is carried out by a not-for-profit body with a political, philosophical, religious or trade union aim provided: -
o the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes); and
o there is no disclosure to a third party without consent.
5. Sharing your personal data
Your personal data will be treated as strictly confidential and will only be shared with other members of the church in order to carry out a service to other church members or for purposes
connected with the church. We will only share your data with third parties outside of the parish with your consent.
6. How long do we keep your personal data1?
We keep data in accordance with the guidance set out in the guide “Keep or Bin: Care of Your Parish Records” which is available from the Church of England website [see footnote for link].
Specifically, we retain electoral roll data while it is still current; gift aid declarations and associated paperwork for up to 6 years after the calendar year to which they relate; and parish registers (baptisms, marriages, funerals) permanently.
7. Your rights and your personal data
Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data: -
The right to request a copy of your personal data which the PCC of St Paul’s, Scotforth holds about you;
The right to request that the PCC of St Paul’s, Scotforth corrects any personal data if it is found to be inaccurate or out of date;
The right to request your personal data is erased where it is no longer necessary for the PCC of St Paul’s, Scotforth to retain such data;
The right to withdraw your consent to the processing at any time;
The right to request that the data controller provide the data subject with his/her
personal data and where possible, to transmit that data directly to another data
controller, (known as the right to data portability);
The right, where there is a dispute in relation to the accuracy or processing of your
personal data, to request a restriction is placed on further processing;
The right to object to the processing of personal data, (where applicable);
The right to lodge a complaint with the Information Commissioners Office.
8. Further processing
If we wish to use your personal data for a new purpose, not covered by this Data Protection Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.
9. Contact Details
To exercise all relevant rights, queries or complaints please in the first instance contact the PCC Data Protection Officer at firstname.lastname@example.org or telephone 01524 843135.
You can contact the Information Commissioners Office on 0303 123 1113 or via emailhttps://ico.org.uk/global/contact-us/email/ or at the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5AF.
Details about retention periods can currently be found in the Record Management Guides located on the Church of England website at: - https://www.churchofengland.org/more/libraries-and-archives/records-management-guides
Data Protection Policy
The Parochial Church Council (PCC) of St Paul’s Church, Scotforth collects and uses personal information about staff, clergy and individuals who come into contact with the Church and is known as the ‘Data Controller’ for data.
The Church of England is made up of a number of different organisations and office-holders who work together to deliver the Church’s mission in the community. The PCC works together with:
The incumbent of the parish;
The bishops of the Diocese of Blackburn;
The Church of England.
As the Church is made up of all of these persons and organisations working together, we may need to share personal data we hold with them so that they can carry out their responsibilities to the Church and our community. The organisations referred to above are joint data controllers. This means we are all responsible for how we process data.
Purpose and Principles
This policy is intended to ensure that personal information is dealt with correctly and securely and in accordance with the General Data Protection Regulations 2018 and other related legislation. The Data Controller will comply with their legal obligations to keep personal data up to date; to store and destroy it securely; to not collect or retain excessive amounts of data; to keep personal data secure, and to protect personal data from loss, misuse, unauthorised access and disclosure and to ensure that appropriate technical measures are in place to protect personal data.
All persons involved with the collection, processing and disclosure of personal data will be aware of their duties and responsibilities by adhering to these guidelines, they will be known as ‘Data Processors’.
We will use personal data for some or all of the following purposes:
To enable us to meet all legal and statutory obligations (which include maintaining and publishing
our electoral roll in accordance with the Church Representation Rules);
To carry out comprehensive safeguarding procedures (including due diligence and complaints
handling) in accordance with best safeguarding practice with the aim of ensuring that all children
and adults-at-risk are provided with safe environments;
To minister to parishioners and provide them with pastoral and spiritual care (such as visiting when
they are gravely ill or bereaved) and to organise and perform ecclesiastical services such as baptisms, confirmations, weddings and funerals;
To deliver the Church’s mission to our community, and to carry out any other voluntary or charitable activities for the benefit of the public as provided for in the constitution and statutory framework of the Data Controller;
To administer the parish, deanery, archdeaconry and diocesan membership records;
To fundraise and promote the interests of the Church and charity;
To maintain our own accounts and records;
To process a donation that has been made (including Gift Aid information);
To seek views or comments;
To notify changes to our services, events and role holders where applicable;
To send communications which individuals have requested and that may be of interest to them.
These may include information about campaigns, appeals, other fundraising activities;
To process a grant or application for a role;
To enable us to provide a voluntary service for the benefit of the public in a particular geographical
area as specified in our constitution.
Most of our data is processed because it is necessary for our legitimate interests, or the legitimate interests of a third party (such as another organisation in the Church of England), e.g. safeguarding work to protect children and adults at risk. We will always take into account the individuals interests, rights and freedoms.
Some of our processing is necessary for compliance with a legal obligation. For example, we are required by the Church Representation Rules to administer and publish the electoral roll, and under Canon Law to announce forthcoming weddings by means of the publication of banns.
We may also process data if it is necessary for the performance of a contract with an individual, or to take steps to enter into a contract, e.g. processing data in connection with the hire of church facilities.
Religious organisations are also permitted to process information about individual’s religious beliefs to administer membership or contact details.
Where information is used other than in accordance with one of these legal bases, we will first obtain consent to that use.
Sharing of personal data
Personal data will be treated as strictly confidential. It will only be shared with third parties where it is necessary for the performance of our tasks or where you first give us your prior consent. It is likely that we would need to share data with some or all of the following (but only where necessary):
The appropriate bodies of the Church of England including other Data Controllers;
HMRC for tax purposes;
Other clergy or lay persons nominated or licensed by the bishops of the Diocese of Blackburn to
support the mission of the Church in our parish;
On occasion, other churches with which we are carrying out joint events or activities.
How long do we keep personal data?
We will keep some records permanently if we are legally required to do so. We may keep some other records for an extended period of time, e.g. financial records – 6 years plus current year for HMRC audits. In general, we will endeavour to keep data only for as long as we need it. This means that we will delete it when it is no longer needed.
The Data Controller has produced a Privacy Notice which will be reviewed annually. This is available on our website – stpauls-scotforth.org or a printed copy is available from the Parish Office (tel: 01524 843135, email: email@example.com ).
Rights of access to information
The following rights to access with regards to personal data are listed below, in order to process any request we would need to verify the identity of the individual making the request for security purposes. In such cases we will need the individual to respond with proof of identity before any rights can be exercised, e.g. passport, driving licence, utility bills with the current address, birth/marriage certificates, P45/P60, credit card or mortgage statement (this is not an exhaustive list).
The right to access information we hold on an individual (Subject Access Requests):
At any point an individual can contact us to request the information we hold as well as why we have that information, asking who has access to the information and where we obtained the information from. Once we have received a request we have one month in which to
respond giving a full report;
There are no fees or charges for the first request but additional requests for the same data
may be subject to an administrative fee;
We will keep a log of all Subject Access Requests.
The right to correct and update the information held on the individual:
If the data held is out of date, incomplete or incorrect, the individual can inform us and the
data will be updated.
The right to have information erased:
If the individual feels that we should no longer be using their data or that we are illegally
using the data, they can request that we erase the data we hold;
On receipt of a request for data to be erased we will confirm whether the data has been
deleted or the reason why it cannot be deleted (for example because we need if for our legitimate interests or regulatory purposes(s)).
The right to object to processing of personal data:
An individual will have the right to request that we stop processing their data. Upon
receiving the request we will contact the individual and let them know if we are able to
comply or if we have legitimate grounds to continue to process their data. Even after the individual has exercised their right to object, we may continue to hold their data to comply with their other rights or to bring or defend legal claims.
5. The right to data portability:
An individual will have the right to request that we transfer some of their data to another
Data Controller. We will comply with their request, where it is feasible to do so, within one month of receiving their request.
6. The right to withdraw consent to the processing at any time for any processing of data to which consent was sought:
An individual can withdraw their consent easily by telephone, email, or by post via the Parish Administrator or Data Protection Officer (tel: 01524 843135, email: office@stpauls- scotforth.org or post: St Paul’s Parish Office, St Paul’s Parish Hall, 41 Scotforth Road, Lancaster, LA1 4TS).
An individual has the right to object to the processing of personal data where applicable.
An individual has the right to lodge a complaint with the Information Commissioner’s Office,
www.ico.gov.uk or telephone 0303 123 1113.
Transfer of Data Abroad
Our website is accessible from overseas so on occasion some personal data (for example in a notice sheet, parish magazine) may be accessed from overseas.
If we wish to use personal data for any additional purpose we will always contact the individual providing them with a new consent form explaining any new use prior to commencing the process and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek individual consent prior to the new processing.
Processing personal data about children
Under the General Data Protection Regulations 2018 parental consent will be required for the processing of personal data of children aged under 13 years of age. The UK Government has adopted the reduced age of 13 (as opposed to EU age of 16) for providing consent. Children aged over 13 years will be asked to sign their own consent forms in line with this ruling.
A personal data breach is one that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. We are required under the new regulations to
report any data breach to the Information Commission within 72 hours, also informing them of the scope and cause of the breach, mitigation actions we plan to take and how we plan to address the problem. In line with all accountability requirements, all data breaches must be recorded along with details of actions taken.
Response Plan: Any data breaches must be reported immediately to the Data Protection Officer via the Parish Office. The Data Protection Officer will assume responsibility for investigating the cause of the breach and produce a response plan in addition to reporting to the Information Commission. For example, if the data breach is electronic then further investigation may need to be undertaken by an Incident Response Company; if papers are lost or stolen then ensuring it is reported to the relevant authorities.
If you have any enquiries in relation to this policy then please contact the Data Protection Officer who will also act as the contact point for any subject access requests.
Telephone: 01524 843135
Address: Data Protection Officer, St Paul’s Parish Hall, Scotforth Road, Lancaster, LA1 4TS
This policy will be reviewed annually at the June PCC or the next nearest meeting.
Date of Adoption: 6th July 2021