ENSM Data Protection Policy

1. Introduction

Centrepoint Church (Scottish Charity SC037055) is committed to safeguarding personal data in compliance with UK GDPR and the Data Protection Act 2018. This policy applies to all staff, trustees, subcontractors, volunteers, interns, and casual workers associated with Centrepoint Church and its department, Every Nation School of Ministry (ENSM).

2. Purpose

The policy aims to:

  • Provide clear guidelines for data protection compliance.

  • Clarify responsibilities for handling personal data.

  • Ensure data is processed lawfully, fairly, and transparently.

  • Protect individuals' data rights.

3. Definitions

Personal Data: Information identifying or related to an identifiable individual.

Special Category Data: Sensitive information requiring additional protection (e.g., ethnicity, religion, health data).

Processing: Operations involving personal data (collection, storage, use, disclosure).

Data Controller: Centrepoint Church, determining how personal data is processed.

Categories of Personal Data Processed:

  • Church Ministry & Membership

  • Staff & Volunteer Administration

  • Educational Activities (ENSM)

  • Financial & Fundraising Activities

  • Health & Safety

  • Marketing & Communications

  • Legal & Regulatory Compliance

4. Data Protection Principles

Centrepoint Church adheres to UK GDPR principles:

  • Lawfulness, Fairness, and Transparency

  • Purpose Limitation

  • Data Minimisation

  • Accuracy

  • Storage Limitation

  • Integrity and Confidentiality (Security)

  • Accountability

5. Legal Basis for Processing Personal Data

Data is processed based on:

  • Consent

  • Contractual Obligations

  • Legal Obligations

  • Vital Interests

  • Legitimate Interests

Processing special category data requires explicit consent or a legal obligation (e.g., safeguarding).

6. Individual Rights

Individuals have the right to:

  • Access personal data

  • Correct inaccuracies

  • Request erasure

  • Restrict processing

  • Data portability

  • Object to processing

  • Challenge automated decision-making

Requests must be submitted in writing to scott.headley@everynationeurope.org and will be addressed within one month.

7. Data Security & Confidentiality

Security measures include:

  • Password protection and encryption

  • Role-based access controls

  • Secure physical record storage

  • Regular audits and staff training

8. Data Retention & Disposal

Data retention periods:

  • Membership & Pastoral Records: Reviewed every 5 years

  • Employment & HR Data: 6 years post-employment

  • Safeguarding Records: Minimum 50 years

  • Financial & Gift Aid Records: 7 years

Secure disposal methods are used upon expiration of retention periods.

9. Data Sharing & Third Parties

  • Personal data is not sold or shared for marketing.

  • Data may be shared with trusted service providers under GDPR-compliant agreements.

  • Data may be shared with authorities for safeguarding or legal reasons.

External platforms used (with available privacy policies):

  • ChurchSuite

  • MailChimp

  • Google Drive

  • Pathwright

10. Data Breach Procedure

In case of a data breach, Centrepoint Church will:

  • Assess and mitigate risks

  • Notify the ICO if required

  • Inform affected individuals when legally necessary

  • Record all breaches in the Data Breach Log

11. Responsibilities & Governance

  • Trustees: Accountable for compliance

  • Data Protection Lead: Oversees policy implementation and training

  • Staff & Volunteers: Responsible for adhering to policies and attending training

12. Policy Review & Updates

The policy is reviewed annually or as legislation requires. Updates will be communicated clearly.

13. Contact Information

For queries, concerns, or requests, contact scott.headley@everynationeurope.org.