1. SCOPE
Centrepoint Church is a Scottish Charity SC037055. Every Nation School of Ministry (ENSM) is a department of Centrepoint Church. This policy applies to all staff employed by Centrepoint Church, those subcontracted by Centrepoint Church and to all volunteers, interns and casual workers and associated companies.
2. CONTEXT
General Data Protection Regulations (GDPR) requires the protection of personal data and all organisations which process personal data must be registered to do so. Centrepoint Church is registered with the Data Protection Commissioner.
3. PURPOSE
This policy sets out an understanding of data protection and the requirements of every member of staff, subcontractor, volunteer, intern or casual worker in order that there may be full compliance with the General Data Protection Regulations (GDPR).
4. DEFINITIONS
4.1 Centrepoint Church is currently engaged in data collection and processing for seven purposes:
Accounts and Records
Advertising, Marketing and Public Relations
Staff, Contractor, and Vendor Administration
Administration of Student Records
Fundraising
Realising the Objectives of a Charitable Organisation or Voluntary Body
Local Church Ministry
4.2 Data is information which is recorded with the intention that it should be processed on computer or is recorded as part of a relevant filing system (i.e. manual system). There are two categories of data:
4.2.1 Personal data is information relating to a living individual who can be identified:
from the data
from the data which includes an expression of opinion about the individual
4.2.2 Sensitive personal data is information relating to:
racial or ethnic origins of the data subject
political opinions
religious beliefs or other beliefs of a similar nature
trade union membership
physical or mental health
sexual life
the commission or alleged commission of any offence
any proceedings for any offence committed or alleged to have been committed by the data subject.
In order to process these types of data consent from the data subject must be obtained by Centrepoint Church handling the data. Explicit consent must be given when it is sensitive personal data. Record of consent received will be retained where possible, and updated if consent is subsequently withdrawn by the data subject.
5. POLICY
This Centrepoint Church Data Protection Policy exists to ensure compliance with all aspects of data protection legislation by setting out clear policies, responsibilities and codes of practice:
5.1 Centrepoint Church intends to comply fully with all aspects of data protection legislation.
5.2 Centrepoint Church will make all reasonable efforts to maintain a comprehensive written notification with the Data Protection Commissioner.
5.3 Centrepoint Church will do its utmost to ensure that all its staff, consultants and trustees are conversant with data protection legislation and practice.
5.4 Centrepoint Church will only hold data for prescribed charitable purposes. These include student administration, personnel administration, membership administration, accounts and records, advertising marketing and public relations, fundraising, charity objectives and local church ministry.
5.5 Centrepoint Church will not pass personal data to third parties.
5.6 Centrepoint Church will use standard, approved statements about data protection in all Centrepoint Church’s literature in which personal data is collected. The statements for use are:
“Centrepoint Church will only use personal data in connection with its charitable purposes. It does not make personal data available to any other organisation or individual”.
“ENSM will only use personal data in connection with its educational purposes. It does not make personal data available to any other organisation or individual”.
5.7 Centrepoint Church will provide procedures for access to personal data for all those for whom personal data is held. No charge will be levied on anyone (staff, personal members or other contacts) requesting access to their personal data.
5.8 Data will not be held longer than is necessary.
5.9. Access to data by staff and volunteers will be allocated on a domain-relevant basis.
6. SCOPE
This policy pertains to all persons associated with Centrepoint church and its charitable purposes including but not limited to personnel, employee, interns, students and congregants.
6.1 Personal and sensitive personal data are held securely in online clouds, on computers and in manual files. This data may include the following:
Name, address and telephone
National Insurance number and date of birth
Nationality
Passport information
Health and health insurance information
Bank details and details of any previous pension scheme
Start date/salary at start date
Job title
Next of kin and contact details
Details of any regular medication
Church affiliation and Christian experience
Career history/previous employment
Qualifications obtained/membership of professional bodies
References
Appraisals
Student records
Attendance
Discipleship benchmarks
Giving records
Children’s details
PVG status
Privacy statements for databases we use can be found online:
· ChurchSuite: https://churchsuite.com/terms-of-service
· MailChimp: https://mailchimp.com/legal/privacy/?_ga=2.100453789.224609872.1526389084-1911980369.1516012689
· Pathwright: https://www.pathwright.com/privacy-policy
6.2 Staff will be asked to sign a form consenting to data being held and processed for the following purposes:
Recruitment and selection
Performance management and training
Absence recording
Monitoring
Statistical analysis
6.3 All staff may request sight of their personal details on computer provided reasonable notice (at least 14 days in writing) is given. NB: references are exempt from all Data Protection legislation.
6.4 Centrepoint Church’s employment application form has been amended to include the individual’s consent to sensitive personal data being used by Centrepoint Church for recruitment, selection and statistical purposes. Likewise when CV’s are received, the letter in acknowledgement will contain a clause: “The information contained in your letter and CV will only be used by Centrepoint Church for recruitment, selection and statistical purposes.”
6.5 Centrepoint Church’s student application form has been amended to include the individual’s consent to sensitive personal data being used for school-related purposes.
7. SECURITY
7.1 All personal and sensitive personal data held must be secure against unauthorised access and theft. Password protection is the most obvious means, but the server, filing cabinets and building in which the data is held must also be secure.
7.2 Centrepoint Church needs to ensure that:
Our IT network is as secure as possible from unauthorised access including access through the website.
Individual PC’s are password protected.
Individual PC’s are logged off when individuals are away from their desk for more than a few minutes at a time.
Personnel and other files holding sensitive or confidential personal data are secured and only made available to staff with authorised access.
7.3 Security on the Database.
The Database provides for different levels of security giving us the ability to ensure confidentiality of data by restricting access to different records and functions to only those users that need to use them. Persons should not disclose their password to other individuals. Passwords are required to have a minimum password strength and to be changed every 6 months.
CONTACTS: COLLECTION OF DATA
8.1 Centrepoint Church will make sure the Data Subject knows our identity and why and how data will be used and that the data is relevant to our charitable work.
8.2 If individuals are being added to Centrepoint Church’s database or Manual filing system they need to be informed how Centrepoint Church will store and use their data at the time the data is collected.
9. QUERIES
Data protection policy and practice is monitored, updated and continuously developed further by Centrepoint Church’s appointed Data Protection Person.