Data Protection Policy
Duffield Baptist Church is committed to a policy of protecting the rights and privacy of individuals, Duffield Baptist Church needs to collect and use certain types of Data in order to carry on our work. This personal information must be collected and dealt with appropriately.
The Data Protection Act 1998 (DPA) governs the use of information about people (personal data). Personal data can be held on computer or in a manual file, and includes email, minutes of meetings, and photographs. Duffield Baptist Church will remain the data controller for the information held. Duffield Baptist Church and it’s volunteers will be personally responsible for processing and using personal information in accordance with the Data Protection Act.
The leadership team, Diaconate and Pastor and volunteers running Duffield Baptist Church activities who have access to personal information, will be expected to read and comply with this policy.
The purpose of this policy is to set out Duffield Baptist Church’s commitment and procedures for protecting personal data. Duffield Baptist Church regards the lawful and correct treatment of personal information as very important to successful working, and to maintaining the confidence of those with whom we deal with.
The Data Protection Act Legislation
This contains 8 principles for processing personal data with which Duffield Baptist Church will comply. Personal data:
- Shall be processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met,
- Shall be obtained only for one or more of the purposes specified in the Act, and shall not be processed in any manner incompatible with that purpose or those purposes,
- Shall be adequate, relevant and not excessive in relation to those purpose(s)
- Shall be accurate and, where necessary, kept up to date,
- Shall not be kept for longer than is necessary
- Shall be processed in accordance with the rights of data subjects under the Act,
- Shall be kept secure by the Data Controller who takes appropriate technical and other measures to prevent unauthorised or unlawful processing or accidental loss or destruction of, or damage to, personal information,
- Shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal information.
The following list contains definitions of the technical terms we have used and is intended to aid understanding of this policy:
Data Controller – The person who (either alone or with others) decides what personal information Duffield Baptist Church will hold and how it will be held or used.
Data Protection Act 1998 – The UK legislation that provides a framework for responsible behaviour by those using personal information.
Data Protection Officer – The person on the management committee who is responsible for ensuring that it follows its data protection policy and complies with the Data Protection Act 1998
Data Subject/Service User – The individual whose personal information is being held or processed by Duffield Baptist Church (for example: a service provider or member)
‘Explicit’ consent – is a freely given, specific and informed agreement by a Data Subject (see definition) to the processing of personal information about her/him.
Explicit consent is needed for processing sensitive data this includes the following:
(a) racial or ethnic origin of the data subject
(b) political opinions
(c ) religious beliefs or other beliefs of a similar nature
(d) trade union membership
(e) physical or mental health or condition
(f) sexual orientation
(g) criminal record
(h) proceedings for any offence committed or alleged to have been committed
Notification – Notifying the Information Commissioners Office (ICO) about the data processing activities of Duffield Baptist Church. Note: Not-for-profit organisations are exempt from notification.
Information Commissioner – The UK Information Commissioner responsible for implementing and overseeing the Data Protection Act 1998.
Processing – means collecting, amending, handling, storing or disclosing personal information
Personal Information – Information about living individuals that enables them to be identified – e.g. names, addresses, telephone numbers and email addresses. It does not apply to information about organisations, companies and agencies but applies to named persons, such as individual volunteers of the Group.
Applying the Data Protection Act within Duffield Baptist Church
Whilst access to personal information is limited to the staff and volunteers., Volunteers may undertake additional tasks which involve the collection of personal details from members of the public.
Members of the congregation who are in receipt of the church directory have the responsibility of NOT sharing that information with others without the explicit permission of the person the data concerns.
In such circumstances we will let people know why we are collecting their data and it is our responsibility to ensure the data is only used for this purpose.
Individuals have a right to have data corrected if it is wrong, to prevent use which is causing them damage or distress or to stop marketing information being sent to them.
Duffield Baptist Church is the Data Controller under the Act, and is legally responsible for complying with Act, which means that it determines what purposes personal information held will be used for.
The Leadership team will take into account legal requirements and ensure that it is properly implemented, and will through appropriate management, strict application of criteria and controls:
- Observe fully conditions regarding the fair collection and use of information,
- Meet its legal obligations to specify the purposes for which information is used,
- Collect and process appropriate information, and only to the extent that it is needed to fulfil its operational needs or to comply with any legal requirements,
- Ensure the quality of information used,
- Ensure that the rights of people about whom information is held, can be fully exercised under the Act. These include:
- The right to be informed that processing is being undertaken
- The right of access to one’s personal information
- The right to prevent processing in certain circumstances and
- The right to correct, rectify, block or erase information which is regarded as wrong information
- Take appropriate technical and organisational security measures to safeguard personal information,
- Ensure that personal information is not transferred abroad without suitable safeguards,
- Treat people justly and fairly whatever their age, religion, disability, gender, sexual orientation or ethnicity when dealing with requests for information,
- Set out clear procedures for responding to requests for information
The Data Protection Officer on the management committee is: