Our privacy and data protection policies are those provided to, and required of, us by our ultimate governing body, The Methodist Church of Great Britain, and can be viewed here:
Managing Trustees’ Privacy Notice
INTRODUCTION
Welcome to the privacy notice for Local Churches, Circuits and Districts within the Methodist Church in Great Britain.
The Local Churches, Circuits and Districts within the Methodist Church in Great Britain respect your privacy and are committed to protecting your personal information (personal data). This privacy notice lets you know how we look after your personal data which either you provide to us or we obtain and hold about you and it tells you about your privacy rights and how the law protects you.
This privacy notice is available online in a layered format so you can click through to the specific areas that you may be interested in. These are set out below. Alternatively, you can download a PDF version or you may have been provided with a hardcopy (printed) version of the notice. Please also use the Glossary to understand the meaning of some of the terms used in this privacy notice.
1. IMPORTANT INFORMATION AND WHO WE ARE
2. THE DATA WE COLLECT ABOUT YOU
3. HOW YOUR PERSONAL DATA IS COLLECTED
4. HOW WE USE YOUR PERSONAL DATA
5. DISCLOSURES OF YOUR PERSONAL DATA
6. INTERNATIONAL TRANSFERS
7. DATA SECURITY
8. DATA RETENTION
9. YOUR LEGAL RIGHTS
10. GLOSSARY
11. ANNEX
Trustees for Methodist Church Purposes
1. IMPORTANT INFORMATION AND WHO WE ARE
PURPOSE OF THIS PRIVACY NOTICE
This privacy notice aims to give you information on how Local Churches, Circuits and Districts within the Methodist Church in Great Britain collect and process your personal data which either you provide to us or we obtain and hold about you including any data you may provide when you become a member, volunteer to help at your Local Church or provide your details to be included in the Circuit or District directories.
It is important that you read this privacy notice together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or dealing with personal data about you (e.g. website privacy notices and employment privacy notices) so that you are fully aware of how and why we are using your data. This privacy notice supplements the other notices and is not intended to override them.
CONTROLLER
The Methodist Church in Great Britain is a membership church made up of different bodies of Managing Trustees; Local Church Councils, Circuit Meetings and District Synods. These individual charities form part of the wider connexion of the Methodist Church in Great Britain details of which can be found here. This privacy notice is issued on behalf of Local Churches, Circuits and Districts within the Methodist Church in Great Britain and when we mention, “we”, “us” or “our” in this privacy notice, we are referring to the relevant charity within the wider Connexion of the Methodist Church in Great Britain that is responsible for processing your data.
Trustees for Methodist Church Purposes (TMCP) is the controller and responsible for general data protection issues arising in respect of day to day matters such as lists of members, third party users of church premises and lay employees employed by local Churches, Circuits and Districts. The Connexional Team (registered under the name of the Methodist Church in Great Britain) is the controller and responsible for data protection matters concerning safeguarding and complaints and discipline issues. When we mention the controller we mean the relevant controller.
We have appointed a data protection working party (Working Party) comprised of representatives from both controllers which is responsible for overseeing questions in relation to this privacy notice.
If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the relevant contact for the Working Party using the details set out below.
CONTACT DETAILS
Our full details are:
The Local Contact is the individual at the Local Church, Circuit or District who is responsible for day to day administration of data protection matters, and their details will be set out in the fair processing notice issued by that charity. In the absence of specific information, the Local Contact is the minister (in the case of a Local Church), the superintendent minister (in the case of Circuits) or the appointed data champion or District Chair (in the case of the District).
The controller for routine, day to day data protection matters for Methodist Local Churches, Circuits and Districts is:
Trustees for Methodist Church Purposes
Central Buildings
Oldham Street
Manchester
M1 1JQ
Name or title of Working Party contact: Laura Carnall, Legal Manager
Tel: 0161 235 6770
Email: dataprotection@tmcp.methodist.org.uk
Web: www.tmcp.org.uk
The controller for matters relating to safeguarding matters or complaints and discipline for Methodist Local Churches, Circuits and Districts is:
The Methodist Church in Great Britain
The Conference Office
Methodist Church House
25 Marylebone Road
London
NW1 5JR
Name or title of Working Party contact: Georgina Crowhurst, Legal Counsel (Governance) & Data Protection Officer
Tel: 0207 467 3779
Email: dataprotection@methodistchurch.org.uk
Web: www.methodist.org.uk
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
CHANGES TO THE PRIVACY NOTICE AND YOUR DUTY TO INFORM US OF CHANGES
This version was last updated on 21st May 2018.
We have the right to update and amend the provisions of this notice to ensure continual compliance with data protection legislation. We will provide you with copies of the new notice wherever it is practically possible to do so but please check the online or locally displayed hardcopy notice regularly to see if any updates have been made.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with the Methodist Church in Great Britain.
2. THE DATA WE COLLECT ABOUT YOU
Personal data, or personal information, means any information about a living individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, use, store and transfer different kinds of personal data about our members, ministers, volunteers, employees, adherents, church attendees, users of our premises, those who are interested in and supportive of the work of the Methodist Church, individuals who provide services to us and individuals who contact us.
We have grouped the different kinds of personal data together as follows:
• Administrative Data includes details about you included in orders of service; Circuit plans; Church Council, Circuit Meeting and District Synod Minutes; Local Church notices; lists of room bookings; invoices; supplier and contractor details; catering records and back-up files e.g. something that you said in the Circuit Meeting that could identify you.
• Image Data includes photographs taken of you where it is possible to identify you and images of you caught by any CCTV or similar devices at Local Church, Circuit or District premises.
• Contact Data includes home address, email address and telephone numbers e.g. information used to contact you.
• Employment Data includes employment history, training records, pension information, details about next of kin and other details relating to your employment by Local Churches, Circuits or Districts.
• Financial Data includes bank account and payment card details.
• Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.
• Marketing and Communications Data includes your preferences in receiving information from us about church events and fundraising and our third parties and your communication preferences.
• Member and Group Data includes details of membership of the Methodist Church in Great Britain, offices held, membership of Local Church groups, rotas, registration for Local Church groups and events, attendance information (e.g. Sunday School attendance).
• Official Records includes lists of those who have been baptized, confirmation records, marriage records, funeral records and lists of visitors to Local Churches.
• Parental Contact Data includes details of parents (e.g. on parent contact forms).
• Pastoral Data includes details and records of pastoral support and prayer requests.
• Special Categories of Data includes your race or ethnicity, your religious beliefs, sex life, sexual orientation, information about your health, also information about criminal convictions and offences in keeping with the Safeguarding Policy of the Methodist Church in Great Britain.
• Tax Data includes national insurance numbers and other information that may be required by HMRC relating to gift aid donations and other tax related payments and receipts.
• Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access any websites or social media operated by Local Churches, Circuits or Districts.
• Transaction Data includes details about payments to and from you and other details of your room hire, licence agreement or rental agreements that you enter into with us relating to our premises.
IF YOU FAIL TO PROVIDE PERSONAL DATA
Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with accommodation under a tenancy agreement or process gift aid payments). We will notify you if this is the case at the time.
3. HOW YOUR PERSONAL DATA IS COLLECTED
We use different methods to collect data from and about you including through:
• Direct exchanges. You may choose to provide personal information to us direct e.g. by speaking to us at Local Church, Circuit and District events, by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:
o join and take part in Local Church, Circuit or District groups;
o become a member of the Methodist Church in Great Britain;
o apply for paid or voluntary roles within the Methodist Church in Great Britain; or
o enter into property contracts with us including leases, licence agreements, tenancy agreements and booking forms;
• Automated technologies or interactions. As you interact with any websites run by Local Churches, Circuits or Districts (Local Websites), we may automatically collect Technical Data about your equipment, browsing actions and patterns. We may collect this personal data by using cookies, server logs and other similar technologies. Please see website privacy notices and cookie policies available from such Local Websites for further details.
• Third parties or publicly available sources. We may receive personal data about you from various third parties and public sources as set out below:
• Your family members;
• Our ecumenical partners in the case of shared churches and Local Ecumenical Partnerships;
• Identity and Contact Data from publicly available sources such as Companies House, the Charity Commission and the Electoral Register based inside the EU.
4. HOW WE USE YOUR PERSONAL DATA
FAIR PROCESSING
The Methodist Church in Great Britain takes its obligations under data protection law (including the General Data Protection Regulation (GDPR)) seriously. Local Churches, Circuits and Districts keep personal data as up to date as possible and take active steps to rectify any personal data we find to be incorrect. Local Churches, Circuits and Districts store and destroy personal data securely and do not collect or retain personal data which is in excess of our processing activities. Local Churches, Circuits and Districts take steps to protect all personal data (including Special Category Data) from loss, misuse, unauthorised access and disclosure by ensuring that appropriate measures are in place to protect personal data. Local Churches, Circuits and Districts ensure that personal data is processed in accordance with the principles of the GDPR and is processed:
Lawfully, fairly and in a transparent manner;
For specified, explicit and legitimate purposes and not processed in a manner which is incompatible with those purposes;
Accurately, relevantly and limited to what is necessary in relation to the purposes for which it is processed;
Kept accurate and where necessary kept up to date, with all reasonable steps being taken to ensure that all inaccurate data is erased or rectified without delay;
Is not kept longer than is necessary for the purposes for which the personal data is processed; and
In a manner that ensures appropriate security of the Personal Data including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage by using appropriate technical and organisational measures.
HOW WE USE YOUR DATA
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
• Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
Legitimate interests means the interests of Local Churches, Circuits and Districts in operating as a membership Church, supporting our members and the communities we work in and conducting and managing our missional activities to enable us to fulfil the calling of the Methodist Church in Great Britain. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting your Local Contact.
• Where we need to perform the contract we are about to enter into or have entered into with you.
Performance of Contract means processing your personal data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract including employment contracts and property contracts, such as licences and tenancy agreements.
• Where we need to comply with a legal or regulatory obligation.
Comply with a legal or regulatory obligation means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.
In rare cases we may need to use your personal data in the following circumstances:
Where we need to protect your vital interests e.g. in an emergency life or death situation where the emergency services are called to treat you when you are with us.
Vital interests means where it is necessary to use your personal data to protect your “vital interests” or those of another person (such as a child) in a life-or-death situation.
Where we need to perform a task carried out in the public interest e.g. in certain safeguarding situations.
Refer to the Lawful bases Guidance Notice (click here if you are reading this privacy notice online) to find out more about the types of lawful basis that we will rely on to process your personal data.
Generally we do not rely on consent as a legal basis for processing your personal data other than in relation to sharing your personal data with third parties (including where Contact Details are made publicly available through Circuit and District Directories, Circuit Plans and noticeboards), sending marketing communications to you via email or to legitimise dealing with Special Category Data. You have the right to withdraw consent at any time by contacting the appropriate Local Contact, although this will not prevent processing where the law allows us to process for a different reason in addition to consent.
SPECIAL CATEGORY DATA
Where data processing relates to Special Categories of Data (e.g. health information included in pastoral records or prayer requests) the following processing conditions apply in addition to the legal basis identified in the table in the Annex to this privacy notice:
Explicit Consent has been given by the data subject;
Processing is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement;
Processing is carried out by a not for profit body with a religious aim provided:
o the processing relates to members or former members (or those who have regular contact with it in connection with those purposes); and there is no disclosure to a third party without consent;
Processing relates to personal data manifestly made public by the data subject;
Processing is necessary for the establishment, exercise, defence of legal claims or where the courts are acting in their judicial capacity; or
Processing is necessary for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes.
PURPOSES FOR WHICH WE WILL USE YOUR PERSONAL DATA
We have set out in detail in the Annex to this privacy notice, in a table format, a description of the main ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact the Local Contact if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table in the Annex.
NOTIFYING YOU ABOUT EVENTS AND FUNDRAISING
We like to notify our members, those in regular contact with the Methodist Church and third parties who support the Methodist Church about upcoming church events and fundraising opportunities so that you can play as much of a role in the life of the Church as you choose from time to time. Most of the time we will let you know about such opportunities on the basis that we have a legitimate interest in doing so.
If we decide to contact you by email or telephone where you are registered with the telephone preference service we will provide you with choices as required to do so under data protection legislation and the Privacy and Electronic Communications Regulations 2003 (PECR).
THIRD-PARTY MARKETING
As a Church we will not share your personal data with any third parties for marketing purposes but if a Local Church, Circuit or District thought you might be interested in hearing from another Christian denomination or a community group or charity about certain events or fundraising we will get your express opt-in consent to us sharing your information with them before we do so.
OPTING OUT
You can ask us or third parties to stop sending you marketing messages (e.g. messages about church events or fundraising) at any time by contacting your Local Contact.
COOKIES
If you are using a Local Website (defined in Section 3) you can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of a Local Website may become inaccessible or not function properly. For more information about the cookies we use on a Local Website please see the Local Website privacy notice.
CHANGE OF PURPOSE
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact the Local Contact.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
5. DISCLOSURES OF YOUR PERSONAL DATA
SHARING PERSONAL DATA
We treat all personal data as strictly confidential, except where consent has been provided for it to appear in publications available to general members of the public.
Personal data will not be shared with third parties, other than those listed below unless we are legally obliged to do so or:
with your explicit consent;
it is necessary for law enforcement purposes; or
it is necessary to protect our rights, property or safety of our members, ministers, volunteers or staff.
We may have to share your personal data with the parties set out below for the purposes set out in the table in the Annex.
• Internal third parties such as other Methodist organisations which form part of the Methodist Connexion and family, such as TMCP or the Connexional Team.
• External third parties such as:
• Any third party groups who provide support for Local Churches, Circuits and Districts in providing services to their members and the local communities in which they serve.
• Professional advisers including lawyers, surveyors, bankers, auditors and insurers based in the UK who provide legal, surveying, consultancy, banking, insurance and accounting services.
• Estate agents who provide advice and administrative support in relation to transactional matters and ongoing residential tenancy matters.
• HM Revenue & Customs, regulators and other authorities based in the United Kingdom who require reporting of processing activities in certain circumstances.
• Our ecumenical partners in the case of shared churches and Local Ecumenical Partnerships.
We will ask all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow third-parties to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
6. TRANSFER OF PERSONAL DATA OUTSIDE OF THE EUROPEAN ECONOMIC AREA (‘EEA’)
We may at times transfer and process personal data outside of the EEA. This is particularly relevant where members of Local Churches, Circuits or Districts are engaged in providing missionary and support services abroad.
Storing, publishing or transmitting personal data via the internet, (this includes by email), is not completely secure and therefore whilst Local Churches, Circuits or Districts take all reasonable and necessary precautions to protect personal data from unauthorised access, you acknowledge that there is a risk that your personal data may be transferred and accessed outside of the EEA.
7. DATA SECURITY
We implement reasonable and appropriate security measures against unlawful or unauthorised Processing of personal data and against the accidental loss of, or damage to, personal data in accordance with our internal data security policy. In addition, we limit access to your personal data to those members, volunteers, ministers and employees who have a need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place reasonable and appropriate procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
8. DATA RETENTION
HOW LONG WILL YOU USE MY PERSONAL DATA FOR?
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Full details of retention periods for data processed by the Methodist Church in Great Britain can be found on the Methodist Church website at: http://www.methodist.org.uk/for-ministers-and-office-holders/office-holders/archivists/
In some circumstances you can ask us to delete your data: see Section 9 and details about Request erasure below for further information.
In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
9. YOUR LEGAL RIGHTS
Unless personal data is subject to an exemption under GDPR, such as it is subject to the prevention, investigation, detection or prosecution of a criminal offence, you have the following rights with regards to your personal data:
Where consent is used as the legal basis for processing personal data, you have the right to withdraw consent to the data processing at any time. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent or processing carried out using an alternative legal basis such as performance of a contract or legal obligation;
The right to request a copy of the personal data which the Local Church, Circuit, District or any other Methodist body, such as TMCP or the Connexional Safeguarding Team hold about you (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it. If you would like to exercise this right then please complete the relevant Data Subject Access Form and forward to the relevant controller as described in section 1 of this privacy notice.
The right to request that the Local Church, Circuit or District corrects any Personal Data which is found to be inaccurate. Note that we may need to verify the accuracy of the new data you provide to us;
The right to request that the Local Church, Circuit or District erases any Personal Data where there is no good reason for us continuing to process it. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request;
Where consent or the performance of a contract is used as the legal basis for processing Personal Data, you have the right to request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you and this right is unlikely to apply to personal data held by us.
The right to request a restriction on data processing. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it;
Where legitimate interest is used as the legal basis for processing Personal Data, you have the right to object to the processing of personal data where there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. Note that in some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms;
The right to lodge a complaint with the Information Commissioner’s Office (ICO).
Contacting the ICO
Further information, guidance and advice is available from the ICO at:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 0303 123 1113
Web: https://ico.org.uk/global/contact-us/
If you wish to exercise any of the rights set out above, please contact your Local Contact.
NO FEE USUALLY REQUIRED
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
WHAT WE MAY NEED FROM YOU
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
TIME LIMIT TO RESPOND
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
10. GLOSSARY
“controller” is the controller described in Section 1 of this privacy notice.
“data subject” is a living, identified or identifiable individual about whom personal data is held, e.g. our members, volunteers, lay employees, those who join us in worship and/or those who are interested in and supportive of the work of the Methodist Church, and third parties such as community groups who use our buildings and other third parties.
“explicit consent” is a very clear and specific statement of consent.
GDPR means the General Data Protection Regulation ((EU) 2016/679). Personal data is subject to the safeguards specified in the GDPR.
“lawful bases” are the five lawful grounds on which we can lawfully process personal data set out under Article 6 of GDPR. The lawful basis or bases on which we rely are set out under Section 4 of this privacy notice.
“Local Contact” is the individual at the Local Church, Circuit or District who is responsible for day to day administration of data protection matters whose details will be set out in the fair processing notice or in the absence of specific information, the minister (in the case of a Local Church), the superintendent minister (in the case of Circuits) or the appointed data champion or District Chair (in the case of the District).
“Methodist Church in Great Britain”, “Methodist Church” or “Church” refers to the united church or denomination known as the Methodist Church formed under the provisions of the Methodist Church Union Act 1929 and a deed of union on 20 September 1932.
“personal data” is any information identifying a living individual or information relating to an individual that can be identified from that information/data (alone or in combination with other information in your hands or that can reasonably be accessed). Personal Data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour. Personal information includes an individual’s name, address, date of birth, telephone number, email address, a photograph or disability, health or ethnicity data.
“processing”, “processed” or “process” means any activity that involves the use of personal data. It includes obtaining, recording or holding the data, or carrying out any activity or set of activities on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring personal data to third parties, e.g. sharing member information by email, and shredding when information is no longer required.
Annex
Purposes for which we will use your personal data
Each entry below sets out the purpose/activity, the type of data used (please refer to Section 2 for confirmation of what details these categories of data include) and the lawful basis for processing, including the basis of any legitimate interest.

Contact
Purpose/Activity: To publicise details of ministers, officeholders, relevant employees and other volunteers.
Type of data: (a) Contact; (b) Identity; (c) Member and Group.
Lawful basis: (a) Necessary for our legitimate interests (to operate as a Church, further Mission and enable third parties to contact relevant office holders); (b) Consent (where information about you is made public to third parties and you are not a minister, probationer or office holder, when we will rely on legitimate interests).

Contact
Purpose/Activity: To notify you (and make suggestions and recommendations to you) about Church services, activities and events that may be of interest to you or which you have signed up to, and to provide news on Church events. Also see “Targeted marketing/fundraising” below.
Type of data: (a) Contact; (b) Identity; (c) Image; (d) Marketing and Communications; (e) Member and Group; (f) Parental Contact; (g) Technical.
Lawful basis: (a) Necessary for our legitimate interests (to fulfil the calling of the Methodist Church in Great Britain, grow our Church (further Mission) by engaging with current and prospective supporters of the Church, developing the worship, activities and events available, and general fundraising (in all cases in respect of individuals who have a continuing relationship with the Church)); (b) Consent (where there is no continuing relationship with the Church and, in the case of direct marketing, where we cannot rely on legitimate interests as described above and contact you by any electronic form of communication and/or by telephone where you are registered with the Telephone Preference Service).

Lists
Purpose/Activity: To keep and maintain records of:
(a) members, adherents, participants in and attendees to Church groups and events, and parental contact information;
(b) office holders, employees, volunteers and ministers;
(c) individuals within the pastoral care of a Local Church, e.g. those on the community roll maintained under SO 054.
Type of data: (a) Contact; (b) Identity; (c) Member and Group; (d) Parental Contact.
Lawful basis: (a) Necessary for our legitimate interests (to operate as a membership organisation, keep our records updated, study how our membership changes over time, identify the needs of the communities in which we operate and support our members); (b) Performance of a contract with you.

Pastoral
Purpose/Activity: To keep and maintain pastoral records, and to keep and maintain contact information and administrative records for you where there is no continuing relationship with the Church, e.g. contact details to allow pastoral visitors to see you or send you greetings cards.
Type of data: (a) Contact; (b) Identity; (c) Member and Group; (d) Pastoral Data; (e) Special Category.
Lawful basis: (a) Necessary for our legitimate interests (for supporting our members and the communities we work in to enable us to fulfil the calling of the Methodist Church in Great Britain, where there is a continuing relationship with the Church); (b) Consent (where there is no continuing relationship with the Church).

Pastoral
Purpose/Activity: To include your details in prayer requests and notify you about prayer requests and other news that church members, volunteers and those in regular contact with the Church wish to share with you.
Type of data: (a) Contact; (b) Identity; (c) Member and Group; (d) Pastoral Data; (e) Special Category, e.g. health information.
Lawful basis: (a) Necessary for our legitimate interests (for supporting our members and the communities we work in to enable us to fulfil the calling of the Methodist Church in Great Britain), where there is a continuing relationship with the Church; (b) Consent (where there is no continuing relationship with the Church).

Record keeping
Purpose/Activity: To keep and maintain baptism, confirmation, marriage and funeral records.
Type of data: (a) Contact; (b) Identity; (c) Official Records.
Lawful basis: (a) Necessary for our legitimate interests (for keeping official records of those who have been baptized, confirmed, received into membership, wish to be married or whose funerals take place, and of visitors to church premises; running our charity; and providing support to members and the communities in which we operate at different times of their relationship with the Church, where there is a continuing relationship with the Church); (b) Necessary to comply with a legal obligation; (c) Consent (where there is no continuing relationship with the Church).

Administration
Purpose/Activity: To administer our charity, including planning services, deciding where ministers and lay preachers will preach, managing and maintaining church premises, keeping accounts and tax records including Gift Aid, taking audits and recording decisions reached at meetings.
Type of data: (a) Administrative; (b) Contact; (c) Identity; (d) Financial; (e) Member and Group; (f) Tax; (g) Technical.
Lawful basis: (a) Necessary for our legitimate interests (for running our charity, fulfilling our obligations under charity law, complying with the Constitutional Practice and Discipline of the Methodist Church and providing support to members and the communities in which we operate); (b) Performance of a contract with you; (c) Necessary to comply with a legal obligation.

Administration
Purpose/Activity: To administer, run and protect our Local Websites (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data).
Type of data: (a) Administrative; (b) Contact; (c) Identity; (d) Member and Group; (e) Technical.
Lawful basis: Details provided in the relevant Local Website privacy notices.

Administration
Purpose/Activity: To manage and administer third party use of our premises, including room bookings, licences, leases and residential tenancy agreements.
Type of data: (a) Administrative; (b) Contact; (c) Identity; (d) Financial; (e) Member and Group; (f) Special Category (e.g. right to rent under the Immigration Act); (g) Tax; (h) Transaction.
Lawful basis: (a) Necessary for our legitimate interests (for running our premises and fulfilling our obligations as charity trustees); (b) Performance of a contract with you; (c) Necessary to comply with a legal obligation.

Employment
Purpose/Activity: To administer applications for job vacancies and to administer and manage our relationship with our employees.
Type of data: (a) Contact; (b) Identity; (c) Employment; (d) Financial; (e) Special Category (e.g. right to rent under the Immigration Act); (f) Tax.
Lawful basis: (a) Necessary for our legitimate interests (for running our charity, fulfilling employer responsibilities and looking after our employees); (b) Performance of a contract with you; (c) Necessary to comply with a legal obligation.

Safeguarding
Purpose/Activity: To record and maintain safeguarding records, self-declarations and incident reports, and to carry out volunteer checks and Disclosure and Barring Service (DBS) checks.
Type of data: (a) Contact; (b) Identity; (c) Employment; (d) Special Category.
Lawful basis: (a) Necessary for our legitimate interests (for ensuring and demonstrating compliance with Safeguarding Policy and Practice to protect children, young people and vulnerable adults within our Local Churches, Circuits and Districts); (b) Performance of a contract with you; (c) Necessary to comply with a legal obligation; (d) Needed in the public interest.

Security
Purpose/Activity: To record and use images.
Type of data: (a) Image; (b) Identity.
Lawful basis: (a) Necessary for our legitimate interests (to keep church premises and our members, ministers, volunteers, employees and third parties secure).

Targeted marketing/fundraising
Purpose/Activity: To contact you personally about specific fundraising activities/initiatives and/or with targeted marketing material, e.g. where we contact you personally/target you with a request for a donation to Local Church, Circuit or District funds.
Type of data: (a) Contact; (b) Identity; (c) Marketing and Communications; (d) Member and Group.
Lawful basis: Consent.
END OF DOCUMENT
Version 1.3 – 3rd August 2020
Data Protection Policy
Data Protection Policy for the Methodist Church (GDPR)
Last updated 24.05.2018
The Methodist Connexion uses personal information all the time to fulfil its calling and is committed to protecting the privacy of its members, ministers, volunteers, lay workers, supporters and all those whose personal information it holds.
As a Connexional Church we work together to ensure that all personal information is handled safely and in accordance with the General Data Protection Regulation and UK data protection legislation.
Part I – This Data Protection Policy
1. Definitions
This section sets out definitions of key terms referred to in this Policy. Definitions used in particular sections are included at the head of such sections for ease of reference:
“you” and “your” are all those volunteers, ministers and staff within the Methodist Church who handle personal data.
“we” are the Connexional Team (registered under the name of the Methodist Church in Great Britain) and Trustees for Methodist Church Purposes (TMCP) as controllers.
“controller”: the person or organisation that determines when, why and how to process personal data. It is responsible for establishing practices and policies in line with the GDPR and UK data protection legislation.
Trustees for Methodist Church Purposes are controller for personal data used by staff and volunteers at Local Church, Circuit and District level. This is for routine, day to day data protection matters.
The Methodist Church in Great Britain is the controller responsible for all data protection matters concerning safeguarding, complaints and discipline issues for the whole Methodist Church, and for other data protection matters for which the Connexional Team are solely responsible.
The “appropriate controller” is the controller for the matter in hand.
Criminal Offence Data: personal data relating to criminal offences and convictions.
GDPR Toolkit – Data Protection Policy for the Methodist Church (GDPR)
“data subject”: a living, identified or identifiable individual about whom personal data is held. e.g. our members, volunteers, lay employees, those who join us in worship and/or those who are interested in and supportive of the work of the Methodist Church, third parties such as community groups who use our buildings and other third parties.
GDPR: the General Data Protection Regulation ((EU) 2016/679). Personal data is subject to the safeguards specified in the GDPR.
Methodist Church in Great Britain, Methodist Church or Church refers to the united church or denomination known as the Methodist Church formed under the provisions of the Methodist Church Union Act 1929 and a deed of union on 20 September 1932.
“personal data”: any information identifying a living individual or information relating to an individual that can be identified from that information/data (alone or in combination with other information in your hands or that can reasonably be accessed). Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour. Personal information includes an individual’s name, address, date of birth, telephone number, email address, a photograph or disability, health or ethnicity data.
Privacy Notices (also referred to as “fair processing notices” or “privacy policies”): separate notices setting out information that may be provided to data subjects when you collect information about them. These notices may take the form of general privacy statements applicable to a specific group of individuals (for example, employee privacy notices or the website privacy policy) or they may be stand-alone, one time privacy statements covering processing related to a specific purpose. A general Managing Trustee Privacy Notice will be included in the Data Protection Toolkit for your use together with more specific template notices and wording for fair processing notices.
“processing, processed or process”: any activity that involves the use of personal data. It includes obtaining, recording or holding the data, or carrying out any activity or set of activities on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring personal data to third parties. E.g. sharing member information by email and shredding when information is no longer required.
Special Category Data: information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data.
Working Party: the data protection working party comprising members of the Connexional Team and Trustees for Methodist Church Purposes (TMCP).
2. INTRODUCTION
Protecting the confidentiality and integrity of personal data (personal information) is a critical responsibility that we take seriously at all times. This policy sets out how we all work together to protect the privacy of all those who are part of the Methodist Church or are associated with it by handling personal data in accordance with applicable law and respecting the principles set out in Part II of this policy.
This policy sets out what is expected from you. Amongst other things it outlines the other policies and guidelines that have been put in place to help you keep information safe, maintain proper records and uphold the rights of individuals.
This policy must be followed by all volunteers, ministers and staff who handle personal data relating to the Methodist Church. In order to protect people’s privacy you will:
read, understand and comply with this policy when handling personal data;
take part in available training that is appropriate to your role; and
keep up-to-date with the guidance produced or signposted by the controllers.
The controllers have produced a number of related policies and privacy guidelines available to help you interpret and act in accordance with this policy. You shall adopt and comply with all such related policies and privacy guidelines that may be introduced and notified to you from time to time.
3. SCOPE
Why does the Methodist Church need to handle personal data?
The Methodist Church holds personal information about its members, volunteers, ministers, staff, supporters, third party users and others in order to:
Fulfil the Methodist Church’s calling and more specifically to:
o Respond to the gospel of God’s love in Christ through Worship, Learning and Caring, Service and Evangelism as expressed in Our Calling
o Provide pastoral support and care to its members
o Further the purposes of the Methodist Church as defined in s.4 of the Methodist Church Act 1976
o Provide activities and support for its members and the wider community
Fulfil the Church’s responsibilities to safeguard young people and vulnerable adults including safely recruiting and training volunteers and employees
Fulfil its obligations and due diligence as an employer
Enable the Church to fulfil the obligations placed on it under statute such as taxation and gift aid requirements and landlord and tenant obligations.
Who is accountable for this policy in the Methodist Church, and responsible for it being followed across the Connexion?
TMCP acts as the controller for all Local Churches, Circuits and Districts (who are deemed to be the “Data Processors”, i.e. the people who deal with data/information on behalf of the Methodist Church). This is for routine, day to day data protection matters. The Methodist Church in Great Britain (whose responsibility is delegated by Conference to the Methodist Council, with the work being carried out by the Connexional Team) now acts as controller to cover those processing activities concerning safeguarding, complaints and discipline issues for the whole Methodist Church, and other data protection matters for which the Connexional Team are solely responsible.
The Board of TMCP and the Methodist Council are responsible for overseeing this policy. These bodies will be the point of contact with the Information Commissioner’s Office (ICO) and for any queries arising in respect of their corresponding registrations and about the policy for staff, members, volunteers and the public. As applicable, the controllers will develop related policies and privacy guidelines.
Pursuant to Standing Order 019 the District Synod, Circuit Meeting and Local Church Council are ultimately accountable for compliance with the Data Protection Acts, regulations and orders in force from time to time.
This means that all District Synods, Circuit Meetings, Local Church Councils or other responsible authorities of each body registered under TMCP’s and the Methodist Church in Great Britain’s notifications are responsible for ensuring those within their District, Circuit or Local Church who handle Personal Data comply with this policy and need to implement appropriate practices, processes, controls and training to ensure such compliance. Appropriate guidance and support to help them do this will be provided by the controllers.
District Synods are strongly encouraged to nominate an individual or individuals to act as “Data Champion”. Such Data Champions will be responsible for encouraging good practice, promoting the merits of protecting privacy and assisting the controllers with compliance. Circuits and Local Churches will consider whether they need to nominate individuals at a local level to help volunteers and staff to comply.
Where to go for help?
Please contact the controllers with any questions about the operation of this policy, the GDPR or if you have any concerns that this policy is not being or has not been adhered to.
You must always contact the appropriate controller (the Connexional Team – Data Protection for issues relating to safeguarding, complaints and discipline and TMCP Data Protection for all other data protection matters) in the following circumstances:
if there has been a personal data Breach (Section 4.6.2 below);
if you receive any requests from individuals relating to their personal data rights such as a subject access request (SAR) (see Section 4.8); and
whenever you are engaging in a significant new, or change in, processing activity which is likely to require a data protection impact assessment (DPIA) (see Section 7 below) or plan to use personal data for purposes other than what it was collected for.
You should also contact the appropriate controller if you are unsure what to do so that further guidance can be provided including but not limited to:
(a) if you are unsure of the lawful basis which you are relying on to process personal data (including the legitimate interests used by the Church) (see Section 4.1 below);
(b) if you need to rely on Consent and/or need to capture Explicit Consent (see Section 6 below);
(c) if you need to draft Fair Processing Notices (see Section 4.1.1 below);
(d) if you are unsure about the retention period for the personal data being processed (see Section 4.5 below);
(e) if you are unsure about what security or other measures you need to implement to protect personal data (see Section 4.6.1 below);
(f) if there has been a personal data Breach (Section 4.6.2 below);
(g) if you are unsure on what basis to transfer personal data outside the EEA (see Section 4.7 below);
(h) if you need any assistance dealing with any rights invoked by a data subject (see Section 4.8);
(i) whenever you are engaging in a significant new, or change in, processing activity which is likely to require a Data Protection Impact Assessment (DPIA) (see Section 7 below) or plan to use personal data for purposes others than what it was collected for;
(j) if you need help complying with applicable law when carrying out direct marketing activities (see Section 8 below); or
(k) if you need help with any contracts or other areas in relation to sharing personal data with third parties (including our vendors) (see Section 9 below).
Part II – Data Protection Principles
4. PERSONAL DATA PROTECTION PRINCIPLES
The Methodist Church is committed to ensuring that personal data is used and managed appropriately. Together we adhere to the principles relating to processing of personal data set out in the GDPR which require personal data to be:
Processed lawfully, fairly and in a transparent manner (Lawfulness, Fairness and Transparency). See 4.1.
Collected only for specified, explicit and legitimate purposes (Purpose Limitation). See 4.2.
Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (Data Minimisation). See 4.3.
Accurate and where necessary kept up to date (Accuracy). See 4.4.
Not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data is processed (Storage Limitation). See 4.5.
Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage (Security, Integrity and Confidentiality). See 4.6.
Not transferred to another country without appropriate safeguards being in place (Transfer Limitation). See 4.7.
Made available to data subjects and data subjects allowed to exercise certain rights in relation to their personal data (Data Subject’s Rights and Requests). See 4.8.
You must be able to demonstrate compliance with the data protection principles listed above (this is known as “Accountability”).
4.1. LAWFULNESS, FAIRNESS, TRANSPARENCY
4.1.1 LAWFULNESS AND FAIRNESS
The Methodist Church is committed to ensuring that personal data is processed lawfully, fairly and in a transparent manner in relation to the data subject.
The Methodist Church makes use of the most appropriate legal basis when processing different categories of personal data for different purposes. The [Methodist Privacy Policy] states which of the six lawful bases should be used in different circumstances to ensure that personal data is processed fairly and without adversely affecting the data subject.
This means that you may only collect, process and share personal data fairly and lawfully and for specified purposes. The six lawful bases or specific purposes that you are most likely to use in the context of the Methodist Church are set out below:
the processing is necessary for the performance of a contract with the data subject e.g. pay employees and make pension contributions under an employment contract – refer to Lawful Basis Fact Sheet 1 – Contractual;
to meet legal compliance obligations e.g. keeping records of marriages – refer to Lawful Basis Fact Sheet 2 – Legal Obligation;
to pursue legitimate interests, provided they are not overridden because the interests or fundamental rights and freedoms of data subjects are prejudiced. The purposes for which personal data is processed on the basis of legitimate interests need to be set out in the applicable Privacy Notices or Fair Processing Notices, e.g. collecting and sharing membership information amongst members – refer to Lawful Basis Fact Sheet 3 – Legitimate Interests; or
the data subject has given his or her Consent e.g. sharing details about members with third parties – refer to Lawful Basis Fact Sheet 4 – Consent;
and in rare cases:
to perform a task in the public interest e.g. a safeguarding situation where information needs to be shared outside of the Methodist Church; or
to protect the data subject’s vital interests e.g. where information is shared with the emergency services in a life or death situation.
You must identify and document the legal ground being relied on for each processing activity in accordance with the guidelines on Lawful Bases for Processing Personal Data.
4.1.2 TRANSPARENCY (NOTIFYING DATA SUBJECTS)
The Methodist Church is committed to ensuring that data subjects are provided with the detailed, specific information required under GDPR.
You must provide the specific information required under GDPR using appropriate Privacy Notices to ensure that the required information is provided in a form that is concise, transparent, intelligible, easily accessible, and in clear and plain language so that a data subject can easily understand.
You must use the Methodist Church’s Template Privacy Notice (or similar comparable templates) and comply with the controllers’ guidelines on drafting and use of Privacy Notices.
4.2. PURPOSE LIMITATION
You must only collect personal data for explicit and legitimate purposes explained to the data subject in an appropriate Privacy Notice (see 3.1.2).
You must not use personal data for new, different or incompatible purposes unless you first inform the data subject of the new purposes and if necessary obtain their consent.
This means that if a member gives you their photograph for one purpose (to put in the Local Church newsletter, for example), you would not be able to use this photograph for another purpose without informing the individual and explaining what you now intend to do with it. If the new purpose included sharing the information with a third party, e.g. an article in the local paper, then consent may be required.
4.3. DATA MINIMISATION
The Methodist Church is committed to ensuring that personal data is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. You will only collect personal data that you require for a specific task (relevant and necessary data). You will not collect more information than you actually need (not collect excessive data).
You must ensure that when personal data is no longer needed for specified purposes, it is deleted or anonymised in accordance with the Methodist Church’s guidelines on data retention.
This means that if you are arranging a pastoral visit, you only need to collect sufficient personal information to enable the pastoral visitor to provide pastoral support. You are meeting the spiritual needs of the church member rather than providing medical care requiring detailed medical information.
4.4. ACCURACY
You will ensure that the personal data you use and hold is accurate, complete, kept up to date and relevant to the purpose for which it was collected. You must check the accuracy of any personal data when you first collect it and at regular intervals afterwards e.g. annually in the case of Circuit and District Directories or quarterly in the case of Circuit plans. You must take all reasonable steps to destroy or amend inaccurate or out-of-date personal data.
You will notify those responsible for central databases and directories of any changes without delay so that these can be updated promptly. This would include databases held by the Connexional Team and TMCP including the Connexional Database and the Trust Information System (TIS) respectively.
4.5. STORAGE LIMITATION
You will not keep personal data, in a form which would permit the data subject to be identified, for longer than is necessary for the purposes you originally collected it for.
The Methodist Church will maintain guidelines and procedures on data retention to ensure personal data is deleted after a reasonable time for the purposes for which it was being held, unless a law requires such data to be kept for a minimum time. Different categories of data will be kept for different periods of time and you must comply with the Methodist Church’s guidelines on data retention.
You will take all reasonable steps to destroy or erase from your computer systems all personal data that you no longer require in accordance with all the Methodist Church’s guidelines, retention schedules and policies from time to time.
4.6. SECURITY INTEGRITY AND CONFIDENTIALITY
4.6.1 PROTECTING PERSONAL DATA
You are responsible for protecting the personal data you hold and making sure that data security is maintained, in line with the [Methodist Data Security Policy] and any associated guidelines or procedures that may be issued by the controller from time to time.
You must implement reasonable and appropriate security measures against unlawful or unauthorised processing of personal data and against the accidental loss of, or damage to, personal data in accordance with the Data Security Policy. You must exercise particular care in protecting Special Category Data and Criminal Offence Data from loss and unauthorised access, use or disclosure.
You must maintain data security by protecting the confidentiality, integrity and availability of the personal data. This means that:
(a) only people who have a need to know and are authorised to use the personal data can access it (Confidentiality);
(b) personal data is accurate and suitable for the purpose for which it is processed (Integrity); and
(c) authorised users are able to access the personal data when they need it for authorised purposes (Availability).
You will need to take practical steps to protect personal data in accordance with the Data Security Policy. Examples of best practice include:
Regularly backing-up computer files;
Ensuring live and back-up files are secure e.g. password protected;
Operating a “clean desk” policy;
Keeping paper records and USB sticks (particularly those containing Special Category Data and Criminal Offence Data) in locked filing cabinets or cupboards or in other secure locations;
Not leaving paper records or electronic devices such as laptops, USB sticks and work phones on public transport;
Disposing of personal data safely e.g. by shredding documents and emptying email recycling folders.
4.6.2 REPORTING A PERSONAL DATA BREACH
A “personal data breach” is: any act or omission that compromises the security, confidentiality, integrity or availability of personal data or the physical, technical, administrative or organisational safeguards that we as a Church have put in place to protect it. The loss, or unauthorised access, disclosure (sharing) or acquisition, of personal data is a personal data breach e.g. emailing personal data to the wrong person; or leaving personal data in a public place where others can access it.
If you know or suspect that a personal data breach has occurred, immediately contact the appropriate controller (when directed by the Data Breach Policy) so that they can help you to investigate the matter and take appropriate steps in line with the Data Breach Policy and any accompanying guidelines and procedures. You will record all personal data breaches on your local Data Breach Record. The appropriate controller will notify data subjects or any applicable regulator where there is a legal requirement to do so. You should preserve all evidence relating to the potential personal data breach.
4.7. TRANSFER LIMITATION
EEA: the 28 countries in the EU, and Iceland, Liechtenstein and Norway.
Safe List: the list of countries outside the EEA from time to time that the European Commission has decided possess an adequate level of protection for personal data. Refer to the European Commission’s data protection website [https://ec.europa.eu/info/law/law-topic/data-protection_en] for an up-to-date list. Note that Guernsey, the Isle of Man and Jersey appear on the Safe List.
If you intend to transfer personal data outside the EEA, and unless the country appears on the Safe List, additional safeguards will need to be followed in order to ensure that the level of data protection afforded to individuals by the GDPR is not undermined. You will transfer personal data originating in one country across borders when you transmit, send, view or access that data in or to a different country e.g. if a presbyter or volunteer is to go on an exchange programme.
You must comply with any guidelines that the Methodist Church issues from time to time on cross border data transfers.
4.8. DATA SUBJECT’S RIGHTS AND REQUESTS
The Methodist Church respects the rights of individuals (data subjects) under GDPR including to:
(a) withdraw Consent to processing at any time where consent is relied upon as the sole lawful basis;
(b) receive certain information about the controller’s processing activities;
(c) request access to their personal data held by a District, Circuit or Local Church (known as a subject access request or SAR);
(d) prevent use of their personal data for direct marketing purposes;
GDPR Toolkit – Data Protection Policy for the Methodist Church (GDPR)
11
(e) ask for their personal data to be erased (right to be forgotten) if it is no longer necessary in relation to the purposes for which it was collected or processed or to rectify inaccurate data or to complete incomplete data;
This means the individual has the right to ask for their personal data to be erased. However, this is not an “absolute” right and you need to ensure that such requests are considered carefully. You do not need to erase personal data in circumstances including where the processing is necessary to:
comply with a legal obligation;
perform a task carried out in the public interest;
establish, exercise or defend legal claims; or
where an individual objects to the processing of their personal data on the basis of legitimate interests but you can show that there is an overriding legitimate interest to continue this processing.
(f) restrict processing in specific circumstances e.g. pending the outcome of a dispute about the accuracy of personal data or a challenge to processing on the basis of legitimate interests;
(g) challenge processing which has been justified on the basis of our legitimate interests;
(h) prevent processing that is likely to cause damage or distress to the data subject or anyone else;
(i) be notified of a personal data breach which is likely to result in high risk to their rights and freedoms; and
(j) make a complaint to the supervisory authority (at the date of this policy this is the Information Commissioner’s Office (ICO)).
You must verify the identity of an individual requesting data under any of the rights listed above (do not allow third parties to persuade you into disclosing personal data without proper authorisation). If in doubt you must contact the appropriate controller.
You must immediately forward any data subject access request (SAR) you receive to the appropriate controller and comply with the SAR Policy and any other guidelines and procedures that are in place from time to time.
Part III
Accountability – Your responsibilities and those of TMCP and the Connexional Team
5. ACCOUNTABILITY
The Methodist Church has established a framework for data protection compliance comprising the provision of guidance, policies and procedures, template documents, integrating data protection into internal documents, data championing, training volunteers, ministers and staff, monitoring the privacy measures and conducting periodic review to assess compliance.
5.1 What are TMCP and the Connexional Team’s responsibilities as controller?
The controllers commit to:
Compliance
Implement this policy and make sure it complies with data protection legislation.
Co-operate with the relevant regulatory bodies and be a point of contact.
Ensure this policy is up to date.
Regularly test systems and processes to assess compliance.
Training
Ensure volunteers and staff have access to appropriate training and guidance to enable them to comply with data privacy laws and help you to comply with this policy.
Record keeping
Facilitate the keeping of full and accurate records of all your data processing activities by providing you with the template registers and guidelines to keep records.
Security and retention
Keep the Methodist Church’s Data Retention Schedule up-to-date.
Breach
Provide guidance and support to you in the event of a suspected personal data breach to enable you to deal with the suspected personal data breach in accordance with the Breach Policy and contact the data subject or ICO as required.
Rights
Provide guidance and support to you in the event of you notifying us about any data protection requests or complaints which may arise.
Risk-based approach to processing
Use a risk-based approach to processing activities where you notify us about them including the use of data protection impact assessments (DPIAs) for high-risk processing activities where necessary e.g. the transfer of personal data onto a new computer system.
5.2 What are your responsibilities?
As a volunteer, minister or member of staff within a Local Church, Circuit or District, if you handle personal data as part of your role you must:
Compliance
Follow this policy and relevant procedures whenever personal data is being used for planning and delivering Church activities.
Follow the procedures, guidance and codes of practice introduced by the controllers about the collection and use of personal data.
Think about why you need to handle personal data and make sure you use as little data as you need to carry out your task.
Training
You must undergo the data privacy related training that is made available to you and ensure those within your Local Church, Circuit or District who handle personal data undergo similar training.
You must regularly review all the systems and processes under your control to ensure they comply with this policy and check that adequate governance controls and resources are in place to ensure proper use and protection of personal data.
Record keeping
You must keep and maintain accurate records reflecting your processing in accordance with the Methodist Church’s record keeping guidelines. These include:
o Name and contact details of the controller (in the Privacy Notice)
o Purposes of the processing (in the Privacy Notice)
o Description of the categories of individuals and categories of personal data being processed (in the Privacy Notice or Data Mapping Form)
o Categories of recipients of personal data when disclosed (in the Privacy Notice or Data Mapping Form)
o Records of the lawful bases being relied upon for processing (through the Lawful Bases Register)
o Records of data subjects’ Consents and procedures for obtaining Consents (through the Consent Record)
o Details of transfers to parties outside the EEA including documentation of the transfer mechanism safeguards in place
o Description of security measures put in place (in the Data Mapping Form)
o Retention periods (in the Privacy Notice, Retention Schedules and Data Mapping Form)
Security and retention
reduce as much as possible the likelihood of a personal data breach by maintaining good data handling practices with adequate control measures in place, i.e. following the Data Security Policy, guidelines and procedures
make sure that personal data is destroyed safely (in line with the Methodist Church’s Data Retention Schedule)
Breach
report personal data breaches (in accordance with Section 4.6.2 of this policy) to the appropriate controller immediately on discovery
establish, maintain and follow guidance on effective systems for reporting, monitoring and responding to any emergencies that could arise in relation to personal data
Rights
inform the appropriate controller immediately if you receive a request from a data subject for information held or used about them
inform the appropriate controller immediately if you receive complaints from data subjects relating to the use of their personal data and follow the controller’s directions.
Part IV – Specific Issues
6. CONSENT
“Consent” is an agreement which must be freely given, specific, informed and an unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear positive action, signify agreement to the processing of personal data relating to them.
“Explicit Consent” is consent which requires a very clear and specific statement (that is, not just action).
Consent is just one of the lawful bases set out in the GDPR on which personal data can be processed.
You will only rely on Consent if there are no other lawful bases on which you can rely following the guidelines on Lawful Bases for processing personal data.
If you need to rely on Consent you will ensure that you obtain the data subject’s clear agreement either by a statement or positive action to the processing of their personal data. You recognise that Consent requires affirmative action so silence, pre-ticked boxes or inactivity are insufficient. Consent must be kept separate from any other matters set out in an agreement with the data subject.
Data subjects must be easily able to withdraw their Consent at any time and withdrawal must be promptly honoured. You should ask the data subject to reconfirm their Consent if you intend to process their personal data for a different and incompatible purpose which was not disclosed when the data subject first consented.
Unless you can rely on another lawful basis for processing, Explicit Consent is usually required for processing Special Category Data and for transferring personal information overseas e.g. if a volunteer is to work overseas and information about them is sent beforehand. Where Explicit Consent is required, you must issue a Privacy Notice to the data subject to capture Explicit Consent.
You will need to evidence Consent captured and keep records of all Consents to demonstrate compliance with Consent requirements.
7. PRIVACY BY DESIGN AND DATA PROTECTION IMPACT ASSESSMENT (DPIA)
Data Protection Impact Assessment (DPIA): tools and assessments used to identify and reduce the risks of a data processing activity. A DPIA can be carried out as part of “Privacy by Design” and should be conducted for all major system or business change programmes involving the processing of personal data.
Privacy by Design: implementing appropriate technical and organisational measures in an effective manner to ensure compliance with the GDPR.
Pseudonymisation or Pseudonymised: replacing information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms so that the person, to whom the data relates, cannot be identified without the use of additional information which is meant to be kept separately and secure.
The Methodist Church is committed to implementing Privacy by Design measures in cases where the Church handles (processes) personal data by ensuring that appropriate measures (like Pseudonymisation) are implemented in an effective manner, to ensure compliance with the data privacy principles set out in Part II of this policy.
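The definition of pseudonymisation above has two parts that matter in practice: the identifiers are replaced by artificial ones, and the information needed to reverse that replacement is held separately. The following is an added illustration, not part of the policy or any Methodist Church system, using constructed fictional directory rows. It assumes a keyed HMAC over the e-mail address as the pseudonym (the policy does not prescribe a method) and contrasts it with an unkeyed hash, which a recipient who can guess the inputs can reverse by recomputation:

```python
import hashlib
import hmac
import secrets

# Constructed sample directory rows (fictional people, for illustration only).
DIRECTORY = [
    {"name": "A. Example", "email": "a.example@example.org", "role": "treasurer"},
    {"name": "B. Sample", "email": "b.sample@example.org", "role": "steward"},
    {"name": "A. Example", "email": "a.example@example.org", "role": "bookings"},
]


def pseudonymise(records, key):
    """Replace the direct identifiers (name, email) in each record with a
    keyed pseudonym. Returns (pseudonymised rows, lookup table).

    The lookup table and the key are the 'additional information' that must be
    kept separately and securely from the working copy of the rows. The same
    person always gets the same pseudonym, so rows stay linkable for legitimate
    analysis without revealing who they are.
    """
    lookup = {}
    rows = []
    for rec in records:
        digest = hmac.new(key, rec["email"].lower().encode(), hashlib.sha256)
        pid = digest.hexdigest()[:16]
        lookup[pid] = {"name": rec["name"], "email": rec["email"]}
        rows.append({"id": pid, "role": rec["role"]})
    return rows, lookup


def re_identify(row, lookup):
    """Only a holder of the separately stored lookup table can reverse a pseudonym."""
    return lookup.get(row["id"])


def unkeyed_pseudonym(email):
    """A common but weak approach: a plain hash of the identifier, no secret key."""
    return hashlib.sha256(email.lower().encode()).hexdigest()[:16]


def guess_identities(pseudonyms, candidate_emails, pseudonym_fn):
    """Dictionary attack: anyone who can guess the inputs (e.g. from a published
    directory) recomputes the pseudonym function over the candidates and matches.
    Returns {pseudonym: email} for every pseudonym that was recovered."""
    table = {pseudonym_fn(e): e for e in candidate_emails}
    return {p: table[p] for p in pseudonyms if p in table}


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # store with the lookup table, not with the rows
    rows, lookup = pseudonymise(DIRECTORY, key)
    print("pseudonymised rows:", rows)
    print("re-identified first row:", re_identify(rows[0], lookup))
    emails = [r["email"] for r in DIRECTORY]
    weak = [unkeyed_pseudonym(e) for e in emails]
    # Every unkeyed pseudonym is recovered by guessing the addresses ...
    print("recovered from unkeyed hashes:", guess_identities(weak, emails, unkeyed_pseudonym))
    # ... while none of the keyed ones are, because the attacker lacks the key.
    print("recovered from keyed pseudonyms:",
          guess_identities([r["id"] for r in rows], emails, unkeyed_pseudonym))
```

The point for a Local Church, Circuit or District is that the working copy (the rows) and the means of reversal (the key and lookup table) must never travel together; if both are on the same shared drive or in the same e-mail, the data is not pseudonymised in the sense the policy uses.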
You must assess what Privacy by Design measures can be implemented on all programmes/systems/processes that process personal data by taking into account matters including the cost of implementation, the nature, scope, context and purposes of processing and the risks of varying likelihood and severity for the rights and freedoms of data subjects posed by the processing.
You should conduct a DPIA and discuss your findings with the controller before implementing major changes in systems involving the processing of personal data e.g. use of new IT systems or large scale processing of Special Category Data and/or Criminal Offence Data.
A DPIA must include:
a description of the processing, its purposes and the legitimate interests if appropriate;
an assessment of the necessity and proportionality of the processing in relation to its purpose;
an assessment of the risk to individuals; and
the measures in place to mitigate risk and demonstrate compliance.
You must comply with the controllers’ guidelines on DPIA and Privacy by Design.
8. FUNDRAISING
The Methodist Church commits to ensuring that any fundraising activities are carried out in accordance with the Methodist Church’s guidelines on fundraising.
You must comply with the Church’s guidelines on fundraising [http://www.methodist.org.uk/our-work/support-our-work/fundraise/].
Note that a data subject’s prior Consent is required for electronic direct marketing (for example, by email, text or calls to telephone preference numbers). The rules catch any fundraising that a Local Church, Circuit or District may decide to undertake. Refer to the Lawful Bases Fact Sheet 8 – Privacy and Electronic Communications Regulations (PECR) 2003.
You must explicitly offer the data subject the right to object to receiving such fundraising or other “direct marketing”. You must make this offer in an intelligible manner so that it is clearly distinguishable from other information.
A data subject’s objection to direct marketing must be promptly honoured. If anybody “opts out” at any time, their details should be suppressed as soon as possible. Suppression involves retaining just enough information to ensure that marketing preferences e.g. their objection, are respected in the future.
9. SHARING PERSONAL DATA
The Methodist Church acknowledges that sharing personal data with third parties is not permitted unless certain safeguards and contractual arrangements have been put in place.
You may only share the personal data in your possession with another volunteer, minister or staff member if the recipient has a “need to know” the information in order to carry out their role (confidentiality).
You may only share the personal data you hold with third parties, such as other organisations or individuals who use Methodist premises, the local community or service providers if:
they need to know the information e.g. to provide services to church members or allow the Church to further Mission by publicising events to the local community;
sharing the personal data complies with the Privacy Notice provided to the data subject and, if required, the data subject’s Consent has been obtained;
in the case of a third party organisation (not the general public), the third party has agreed to comply with the required data security standards, policies and procedures and has put adequate security measures in place; and
if the third party is a contracted service provider, there is a fully executed written contract that contains the Template GDPR Third Party Clauses (to be provided from time to time).
Common examples of this within the Methodist Church are where Directories or Circuit Plans containing contact details i.e. personal data for Managing Trustees and other volunteers are left in the foyer or published on the Local Church’s website. To do this you need to ensure that consent is in place. However, there is no need for consent to be obtained from Ministers in Full Connexion, probationers or office holders whose contact details would need to be in the public domain to fulfil specific Church functions e.g. the treasurer or bookings secretary.
You must comply with the controller’s guidelines on sharing data with third parties.
Part V – Changes to and acceptance of this policy
10. CHANGES TO THIS PRIVACY STANDARD
This policy will be updated from time to time. We will try to give notice via TMCP’s News Hub and other means of communication deemed appropriate by the controllers from time to time. The onus is on you to check back regularly to obtain the latest copy of this policy. This policy was first published on 24 May 2018 and was last revised on the date stated on the front page.
11. ACKNOWLEDGEMENT OF RECEIPT AND REVIEW
I, [NAME], acknowledge that on [DATE], I received and read a copy of the [Methodist Church’s policy] and understand that I am responsible for knowing and abiding by its terms and ensuring compliance by the members of my [Local Church] OR [Circuit] OR [District]. I understand that the information in this policy is intended to help volunteers and staff work together effectively and assist in the use and protection of personal data.
Signed ……………………………………………………….
Printed Name ……………………………………………….
For and on behalf of the [Church Council] OR [Circuit Meeting] or [District Synod]
of ……………………………………………………… (name of managing trustee body)
Date ………………………………………………………….