Issued By Executive Pastor
1.1 Organisations that process Personal Data must comply with the Data Protection Legislation (as defined below), which includes a set of data protection principles that create standards for fair and lawful processing of Personal Data.
"Kingdom Faith Church Trust Charity no 278746" (or “we” or “our” or “us”) processes Personal Data relating to Church members, visitors, partners, attendees of Conferences and events, and our own employees and contractors.
Definition of data protection terms:
“Controller” means the people or organisations which, alone or jointly with others, determine the purposes for which, and the means by which, Personal Data is processed. They are responsible for establishing practices and policies in line with Data Protection Legislation. We are the data controller of all Personal Data used in our Organisation for our own purposes.
“Data” means information which is stored electronically, on a computer, or in certain paper-based filing systems.
“Data Protection Legislation” means the Data Protection Act 1998 (the “DPA”) and, from the 25th of May 2018, the General Data Protection Regulation 2016/679 (the “GDPR”) until any UK data protection legislation replaces or adopts the GDPR in the UK.
“Data Users” means those of our employees whose work involves processing Personal Data. Data Users must protect the data they handle in accordance with this data protection policy and any applicable data security procedures at all times.
“Data Protection Officer” or “DPO” means the Data Protection Officer appointed pursuant to the Data Protection Legislation.
“Personal Data” means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (“Data Subject”). A Data Subject need not be a UK national or resident. All Data Subjects have legal rights in relation to their Personal Data.
“Human Resources” means the team administering Human Resources, policies and procedures.
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means any person or organisation that is not a data user that processes Personal Data on our behalf and on our instructions. Employees of data controllers (i.e. our employees) are excluded from this definition but it could include suppliers which handle Personal Data on behalf of Kingdom Faith Church Trust.
“Special categories of Personal Data” means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
Sensitive Personal Data can only be processed under strict conditions, including a condition requiring the explicit permission of the person concerned.
2. Policy & Purpose
2.1 Everyone has rights with regard to the way in which their Personal Data is handled. During the course of our activities we will collect and process Personal Data about our Church members and visitors, suppliers, our employees, Teaching College and event attendees, customers and other third parties, and we recognise that the correct and lawful treatment of this data will maintain confidence in the organisation.
2.2 All Data Users are obliged to comply with this Policy when processing Personal Data on our behalf. Any breach of this Policy may result in disciplinary action.
2.3 This policy does not form part of any employee's contract of employment and may be amended at any time.
2.4 This policy has been approved by Kingdom Faith Church Leadership. It sets out rules on data protection and the legal conditions that must be satisfied when we obtain, handle, process, transfer and store Personal Data.
2.5 The Executive Pastor is responsible for the general administration of this policy throughout Kingdom Faith Church and will be the first point of contact for anyone who has a question or concern about this policy or its application, on 01293 851543 or firstname.lastname@example.org
2.6 The Data Protection Officer is responsible for ensuring compliance with Data Protection Legislation and with this Policy. That post is held by Shelley Hellyer. Any concerns about a breach of Data Protection Legislation, or a concern that the policy has not been followed, should be referred in the first instance to the Data Protection Officer.
2.7 Your information may be used in the following ways:
- To keep you informed by email as to Church services, activities, resources and conferences.
- To establish and maintain your involvement with the Church, including events you have attended and what areas and activities of the Church you have supported, to record and acknowledge any donation, and to provide the products you have requested.
- To answer an inquiry or request for further information or complaint about the Church, its services, activities and events.
- To register you for events, conferences or partnership.
- For promotion of products or services and to keep you informed of new developments we believe may be of interest to you. If we contact you in this way without obtaining your prior consent, we will provide you with the opportunity to decline any further promotional communications.
3.1 We handle information including the following. Your activities and involvement with us will result in personal data being created. We collect personal data in connection with specific activities such as, but not limited to, being a visitor or attendee at one of our Church congregations, attending a conference or event, applying to attend or being a student at Kingdom Faith Training College, ordering items from our online shop, or registering to become a Kingdom Faith Partner. If you decide to donate to us then we’ll keep records of when and how much you give to a particular cause.
3.2 We have decided that it is appropriate to treat all information in our care and control with the same degree of security and confidentiality.
- To coordinate the information security and data handling procedures we have in force
- To promote confidence in our Information security and data handling procedures
- To provide assurances for third parties dealing with us
- To comply with the Data Protection Legislation
- To provide a benchmark for employees on information security, confidentiality and data protection issues
3.4 Everyone should be able to feel reassured that the information (or Personal Data) held on them by us or by our appointed Processors is relevant, accurate and secure. We are entitled to use Personal Data for administrative and management purposes and to meet legal obligations. We will ensure that it is not misused or passed on to others without permission, unless the law requires it, or it is for administrative and management purposes, or for our duty of care to you.
3.5 Where we seek Personal Data from you in connection with your work or application to work for Kingdom Faith Church Trust, you will be informed as to why this information is being collected and how it will be used.
3.6 We will aim to ensure that all Personal Data is processed in accordance with Data Protection Legislation. Anyone processing Personal Data must comply with the principles of good practice under Data Protection Legislation. These provide that Personal Data must be:
- Obtained and processed fairly, lawfully and in a transparent manner in relation to the Data Subject
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that Personal Data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay (‘accuracy’)
- Kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data is processed
- Processed in line with the rights of the individual under Data Protection Legislation including the right of the individuals to access Personal Data that relates to them when they reasonably request it
- Processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)
- Not transferred to a country or territory outside the European Economic Area (the “EEA”) in respect of which the European Commission has not made a positive finding of adequacy, without adequate protection
3.7 This site uses Google Analytics to track user interaction. This data is used to better understand how our users interact with our site. We may automatically collect the following information about you via Google Analytics:
- Technical information, including your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform, and, if you access our website via your mobile device, your unique phone identifier
- Information about your visit, including, but not limited to, the full Uniform Resource Locators (URLs) and query string, clickstream to, through and from our website (including date and time), products you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as, but not limited to, scrolling, clicks and mouse-overs) and methods used to browse away from the page
3.8 We collect personal information each time you are in contact with us. For example, when you:
- Visit our website
- Register your or your family details
- Make a donation, by completion of Gift envelopes, via our website or electronic means
- Register for a conference or other event
- Provide your contact details, in writing or orally, to Church staff or volunteers
- Purchase goods or services, including when you provide credit or debit card details
- Attend Church services or participate in other Church activities
- Communicate with the Church by means such as email, letter or telephone
- Meet face to face with staff and volunteers
The Church does not hold any debit or credit card details for donations/payments made via our websites. All card payments are handled by service providers who encrypt card information.
4. Fair and lawful Processing
4.1 The Data Protection Legislation is not intended to prevent the processing of Personal Data, but to ensure that it is done fairly and without adversely affecting the rights of the Data Subject.
4.2 We will process the Personal Data of the individuals lawfully, fairly and in a transparent manner in relation to the individuals.
4.3 Before any Personal Data may be processed, a legal ground for processing must be met and, when Special Categories of Data are being processed, additional conditions must be met.
5. Processing for limited purposes (Purpose Limitation)
5.1 Data must be obtained only for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those specified lawful purposes.
5.2 In the course of our operations, we may collect and process Personal Data. This may include Personal Data we receive directly from a Data Subject (for example, by correspondence with us by mail, phone, email, in person or otherwise) and Personal Data we receive from other sources (including, for example, Training College applications, event attendees, Church visitors and members).
5.3 We will only process Personal Data for the specific purposes for which it was obtained, or for any other purposes specifically permitted by Data Protection Legislation.
6. Notifying Data Subjects
6.1 If we collect Personal Data directly from Data Subjects, we will inform them about:
- The purpose or purposes for which we intend to process that Personal Data
- The types of third parties, if any, with whom we will share or to whom we will disclose that Personal Data
- The means, if any, by which Data Subjects can limit our use and disclosure of their Personal Data
7. Adequate, relevant and non-excessive processing
7.1 We will only collect Personal Data to the extent that it is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
8. Accurate data
8.1 We will keep the Personal Data we process accurate and, where necessary, up to date. We will take every reasonable step to ensure that Personal Data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay.
9. Data retention
9.1 Personal Data must not be kept in a form which permits identification of Data Subjects for longer than is necessary for the purposes for which the Personal Data is processed.
9.2 We will take all reasonable steps to destroy, or erase from our systems, all Personal Data which is no longer required.
10. Processing in line with Data Subjects’ rights. Data Subjects have the following rights:
10.1 Data Subjects access requests: The relevant Data Subject has the right to obtain from us confirmation as to whether or not Personal Data concerning him or her is being Processed, and, where that is the case, access to the Personal Data and the following information:
- The purposes of the Processing
- The categories of Personal Data concerned
- Where possible, the envisaged period for which the Personal Data will be stored, or, if not possible, the criteria used to determine that period
- The existence of the right to request from the controller rectification or erasure of Personal Data or restriction of processing of Personal Data concerning the Data Subject or to object to such processing
- The right to lodge a complaint with the ICO
10.2 Rights to object to processing: a relevant Data Subject may have his or her Personal Data erased, rectified, amended or completed as specified below:
- Deletion: right to ask us to delete Personal Data we hold about the Data Subject, though we may need to keep all or part of such data in accordance with applicable Data Protection Legislation (e.g. if we need to keep all or part of this Personal Data to comply with our legal obligations, for record keeping or to keep providing you with any of our services)
- Rectification: entitled to have any inaccuracies in the information we hold about him or her corrected
- Withdraw consent: right to withdraw consent to any particular use of his or her Personal Data
- Information: right to be informed of the use to which the Personal Data is put
- Restriction: under certain circumstances specified by Data Protection Legislation, a Data Subject has the right to request us to restrict the processing of his or her Personal Data, or we may restrict the processing of such data (e.g. if a Data Subject claims his or her Personal Data is inaccurate or objects to the processing of such Personal Data and we are considering the request, or if processing is unlawful and the Data Subject opposes erasure and requests restriction instead, etc.)
11. Data security
11.1 We will process the Personal Data in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
11.2 We will put in place procedures and technologies to maintain the security of all Personal Data from the point of collection to the point of destruction. Personal Data will only be transferred to a Processor if the Processor agrees to comply with those procedures and policies, or puts in place adequate measures of its own, in line with GDPR.
11.3 We will maintain Personal Data security by protecting the confidentiality, integrity and availability of the Personal Data, defined as follows:
- Confidentiality means that only people who are authorised to use the Personal Data can access it
- Integrity means that Personal Data should be accurate and suitable for the purpose for which it is processed
- Availability means that the Data Users should be able to access the Personal Data if they need it for authorised purposes
11.4 Security procedures include:
- Entry controls. Any stranger seen in entry-controlled areas should be reported
- Secure lockable desks and cupboards. Desks and cupboards should be kept locked if they hold confidential information of any kind (Personal Data is always considered confidential)
- Methods of disposal. Paper documents should be disposed of via an approved shredder. Digital storage devices should be physically destroyed when they are no longer required
- Equipment. Data Users must ensure that individual monitors do not show confidential information to passers-by and that they log off from their PC when it is left unattended
11.5 Storage of information. Kingdom Faith Church Trust is based in the UK and we store our data within the European Union (EU). All traffic between this website and your browser is encrypted and delivered over HTTPS.
12. Dealing with subject access requests
12.1 Data Subjects must submit a formal request to access the information we hold about them. This must be made in writing. Employees who receive a written request should forward it to the Data Protection Officer. We have 30 days to respond to a Data Subject access request.
12.2 Data Subject requests from Employees must be made in writing to the HR Department.
13. Changes to this policy
13.1 We reserve the right to change this Policy at any time.
14. Responsibilities: Managers
14.1 Line Managers at all levels have responsibility for the type of Personal Data collected, how they use it and for communicating this to anyone in their team.
14.2 Everyone is required to be mindful of their personal responsibility for data protection, for example by ensuring that all paperwork containing Personal Data relating to a named individual is locked away in a secure cabinet. There is a risk in sending confidential information by email or fax. Where the communication of such information by email is essential, it must be protected by a password agreed with the intended recipient and not included in the email.
14.3 Examples of paperwork which may contain Personal Data:
- Personnel Record Sheet
- Pension Choices Opt In form
- Accident report forms
- Recruitment forms
- Student Applications
- Required to keep the Human Resources Team informed of any changes to personal details which are relevant to the employment relationship
- Required to follow the IT Policy including security of data
- Responsible for ensuring any Personal Data they Process in the course of their work is in accordance with Data Protection Legislation and with this Policy
15. Statutory Role
15.1 The Executive Pastor has overall responsibility for ensuring that Kingdom Faith Church Trust complies with the Data Protection Legislation and will ensure that guidance, policies and procedures around Personal Data processing are kept up to date. The Data Protection Officer is responsible for monitoring and auditing Kingdom Faith Church Trust’s application of the Data Protection Legislation and this policy, and will also liaise with the Information Commissioner’s Office as necessary.
16. Breach Reporting Procedures
16.1 If you become aware of, or suspect, a breach of the Data Protection Legislation or this policy, please report it immediately to the Data Protection Officer at email@example.com
16.2 If you become aware of, or suspect, a Personal Data breach (including any data loss), please report it immediately to the Data Protection Officer. Data breach report procedures must be followed.
16.3 Examples of data breaches/loss:
- Loss or theft of data or IT equipment (memory stick, laptop or mobile device) on which Personal Data is stored
- Unauthorised access to Personal Data Processed by us
- Credentials (user names and passwords) compromised
- Ransomware attacks
- Inappropriate access controls allowing unauthorised use
- Unforeseen circumstances such as fire or flood
- Hacking attack
- Blagging - where information is obtained by deceiving the organisation who holds it
Version 1: 18/5/2018 SRC