First Presbyterian Church Greenville is committed to protecting personal data and respecting the rights of our data
subjects (people whose personal data we collect and use). First Presbyterian Church Greenville values the personal
information entrusted to us and we respect that trust, by complying with all relevant laws, and adopting
We process personal data to help us:
- Maintain a list of our church members
- Provide pastoral support for members and others connected with our church
- Provide services to the community including Childcare, etc.
- Safeguard children, young people and adults at risk
- Recruit, support and manage staff and volunteers
- Maintain our church accounts and records
- Promote our services
- Maintain the security of property and premises
- Respond effectively to enquirers and handle any complaints
- And for any fundraising events that might require this information.
This policy has been approved by the [Insert Church Name] Trustees who are responsible for ensuring
that we comply with all our legal obligations. It sets out the legal rules that apply whenever we obtain,
store or use personal data.
Why this policy is important
- We’re committed to protecting personal data from being misused, getting into the wrong hands
as a result of poor security or being shared carelessly, or being inaccurate, as we’re aware that
people can be upset or harmed if any of these things was to happen.
- This policy sets out the measures we’re committed to taking as an organization and, what each
of us will do to ensure we comply with the relevant legislation.
- We’ll make sure that all personal data is:
- Processed lawfully, fairly and done transparently
- Processed for specific, explicit and legitimate purposes and not in a manner that’s
incompatible with those purposes
- Adequate, relevant and limited to what is necessary for the purposes for which it’s being
- Accurate and, where necessary, up-to-date
- Not kept longer than necessary for the purposes for which it’s being processed
- Processed in a secure manner, by using appropriate technical and organizational means
- Processed in keeping with the rights of data subjects regarding their personal data.
How this policy applies to you and what you need to know:
- As an employee, volunteer or trustee processing personal information on behalf of the church, you’re require to comply with this policy. If you think that you’ve accidentally breached the policy it’s important that you contact our Data Protection Trustee immediately so that we can take swift action to try and limit the impact of the breach.
- Anyone who breaches the Data Protection Policy may be subject to disciplinary action, andwhere that individual has breached the policy intentionally, recklessly or for personal benefit they may also be liable to prosecution or to regulatory action.
- As a leader and/or manager you’re required to make sure that any procedures that involve personal data, that you’re responsible for in your area, follow the rules set out in this Data Protection Policy.
- As a data subject of First Presbyterian Church Greenville: We will handle your personal information in line with this policy.
- As an appointed data processor/contractor: Companies who are appointed by us as a data processor are require to comply with this policy under the contract with us. Any breach of this policy will be taken seriously and could lead to us taking contract enforcement action against the company, or terminating the contract.
- Our Data Protection Trustee is responsible for advising First Presbyterian Church Greenville and its staff and members about their legal obligations under data protection law, monitoring compliance with data protection law, dealing with data security breaches and with the development of this policy.
- Before you collect or handle any personal data as part of your work (paid or otherwise) for First Presbyterian Church Greenville, it’s important that you take the time to read this policy carefully and understand exactly what is required of you, as well as the organization’s responsibilities when we process data.
- Our procedures will be in line with the requirements of this policy, but if you’re unsure about whether anything you plan to do, or are currently doing, might breach this policy you must first speak to the Data Protection Trustee.
OUR DATA PROTECTION RESPONSIBILITIES
What personal information do we process?
- In the course of our work, we may collect and process information (personal data) about many different people (data subjects). This includes data we receive straight from the person it’s about, for example, where they complete forms or contact us. We may also receive information about data subjects from other sources including, for example, previous employers.
- We process personal data in both electronic and paper form and all this data is protected under data protection law. The personal data we process can include information such as names and contact details, education or employment details, and visual images of people.
Making sure processing is fair and lawful:
- Processing of personal data will only be fair and lawful when the purpose of the processing meets a legal basis, as listed below, and when the processing is transparent. This means we will provide people with an explanation of how and why we process their personal data at the point we collect data from them, as well as when we collect data about them from other sources.
How can we legally use personal data?
Processing of personal data is only lawful if at least one of these legal conditions is met:
- The processing is necessary for a contract with the data subject
- The processing is necessary for us to comply with a legal obligation
- The processing is necessary to protect someone’s life (this is called “vital interests”)
- The processing is necessary for us to preform a task in the public interest, and the task has a clear basis in law
- The processing is necessary for legitimate interests pursued by First Presbyterian Church Greenville or another organization, unless these are overridden by the interests, rights and freedoms of the data subject.
- If none of the other legal conditions apply, the processing will only be lawful if the data subject has given their clear consent.
Keeping data and destroying it
We’ll not keep personal data longer than is necessary for the purposes that it was collected for. We’ll comply with the First Presbyterian Church Greenville Data Retention policies about retention periods for specific records.
Security of personal data
- We’ll use appropriate measures to keep personal data secure at all points of the processing.
- Keeping data secure includes protecting it from unauthorized or unlawful processing or from accidental loss, destruction or damage.
- Security measures will include technical and organizational security measures. In assessing what measures are the most appropriate we will take into account the following, and anything else that is relevant:
- The quality of the security measure
- The costs of implementation
- The nature, scope, context and purpose of processing
- The risk to the rights and freedoms of data subjects
- The risk which could result from a data breach.
- Measure may include:
- Technical systems security
- Measures to restrict or minimize access to data
- Measures to ensure our systems and data remain available, or can be easily restored in the case of an incident
- Physical security of information and of our premises
- Organizational measures such as policies, procedures, training and audits
- Regular testing and evaluating of the effectiveness of security measures.
Keeping records of our data processing
- To show we comply with the law we’ll keep clear records of our processing activities and of the decisions we make concerning personal data.
WORKING WITH PEOPLE WE PROCESS DATA ABOUT (DATA SUBJECTS)
Data subjects’ rights
- We’ll process personal data in line with data subjects’ rights, including their right to:
- Request access to any of their personal data held by us (known as a Subject Access Request)
- Ask to have inaccurate personal data changed
- Restrict processing, in certain circumstances
- Object to processing, in certain circumstances, including preventing the use of their data for direct marketing
- Data portability, which means to receive their data, or some of their data, in a format that can be easily used by another person (including the data subject themselves) or organization
- Withdraw consent when we are relying on consent to process their data
- If a colleague receives any request from a data subject that relates or could relate to their data protection rights, this will be forwarded to our Data Protection Trustee immediately.
- We’ll act on all valid requests as soon as possible, and at the latest within one calendar month, unless we have reason to, and can lawfully extend the timescale. This can be extended by up to two months in some circumstances.
- All data subjects’ rights are provided free to charge.
- Any information provided to data subjects will be concise and transparent, using clear and plain language.
Direct marketing means the communication (by any means) of any advertising or marketing material which is directed, or addressed, to individuals. “Marketing” does not need to be selling anything, or be advertising a commercial product. It includes contact made by organizations to individuals for the purposes of promoting the organization’s aims.
Any direct marketing material that we send will identify First Presbyterian Church Greenville as the sender and will describe how people can object to receiving similar communications in the future. If a data subject exercises their right to object to direct marketing we will stop the direct marketing as soon as possible.
WORKING WITH OTHER ORGANIZATIONS AND TRANSFERRING DATA
Sharing information with other organizations
- We will only share personal data with other organizations or people when we have a legal basis to do so and if we have informed the data subject about the possibility of the data being shared (in a privacy notice), unless legal exemptions apply to informing data subjects about the sharing. Only authorized and properly instructed staff/Trustees are allowed to share personal data.
- We will keep records of information shared with a third party, which will include recording any exemptions which have been applied, and why they have been applied.
- Before appointing a contractor who will process personal data on our behalf (a data processor) we will carry out due diligence checks. The checks are to make sure the processor will use appropriate technical and organizational measures to ensure the processing will comply with data protection law, including keeping the data secure, and upholding the rights of data subjects. We will only appoint data processors who can provide us with sufficient guarantees that they will do this.