The Parish of Chelmsford Ascension with All Saints
Data Protection Policy
Introduction
The protection of personal data is enshrined in UK law, but it is also a moral responsibility that the Parish of Chelmsford Ascension with All Saints takes seriously. Embedding data protection within the organisation benefits the Parish of Chelmsford Ascension with All Saints, the Church and all individuals who interact with us, by enabling uniform and consistent decision making, building a culture of awareness and responsibility, making personal data management and infrastructure more resilient; and, through transparency and accountability, instilling trust and confidence in individuals when they provide us with their data, and ensuring their rights and freedoms are upheld.
1.1 Purpose
The purpose of this policy is to describe the steps that the Parish of Chelmsford Ascension with All Saints are taking to comply with data protection legislation, to ensure that our compliance with the relevant legislation is clear and demonstrable.
This policy is also intended to provide us with measures for ensuring that risks to individuals through misuse of personal data are minimised, such as:
personal data being used by unauthorised individuals through poor security or inappropriate disclosure;
individuals being harmed by decisions made using inaccurate or insufficient data;
individuals being uninformed by lack of transparency leading to unlawful practice;
the invasion of privacy due to over-collection or over-retention of data.
1.2 Scope
This policy applies to the Parish of Chelmsford Ascension with All Saints, which includes the Parochial Church Council (PCC).
We expect all those processing personal data on behalf of the Parish of Chelmsford Ascension with All Saints to act in accordance with this policy when engaged in the business of the parish.
1.3 Definitions
· Personal Data - Any information that relates to an identifiable living individual.
· Special Categories of Personal Data (also known as sensitive personal data) - Specific types of data that require additional care being taken when processing. The categories are: race; ethnic origin; politics; religion; trade union membership; genetics; biometrics (where used for ID purposes); health; sex life; or sexual orientation.
· Data processing – Any activity relating to the collection, recording, organising, structuring, use, amendment, storage, access, retrieval, transfer, analysis, disclosure, dissemination, combination, restriction, erasure or disposal of personal data.
· Data Protection Impact Assessment (DPIA) - A process designed to help systematically analyse, identify and minimise the data protection risks of a project or activity.
· Data Subject - The individual to whom the data being processed relates.
· Data Controller - A body or organisation that makes decisions on how personal data is being processed. Data Controllers almost always also process data.
· Data breach - any occasion when personal data is: accidentally or unlawfully lost, destroyed, corrupted or disclosed; accessed or passed on without proper authorisation; or made unavailable (through being hacked or by accidental loss/destruction.
2 Policy Statement
Personal data that the Parish of Chelmsford Ascension with All Saints collects, uses, stores, transfers, shares and disposes of must be handled in line with the following policy.
2.1 Data Protection Lead
The Parish of Chelmsford Ascension with All Saints has a Data Protection Officer (DPO), Revd Simon Pearce.
Revd Simon Pearce will be responsible for assisting the Parish of Chelmsford Ascension with All Saints to monitor internal compliance and to inform and advise on data protection obligations.
He will monitor data sharing agreements, data breaches, information risk, subject access requests and compliance with data protection policies and procedures. He will report to the PCC.
2.2 Principles of data protection
Personal data is processed according to the following principles:
1. Data is processed lawfully, fairly and in a transparent manner in relation to the data subject, through the provision of clear and transparent privacy notices and responses to individual rights requests.
2. Data is collected for specified, explicit and legitimate reasons and not further processed for different reasons incompatible with these purposes. Data that is stored and used for archiving purposes in the public interest, scientific or historical research or statistical purposes will be managed by and stored at the Essex Records Office.
3. Data is adequate, relevant and not more than is necessary to complete the task for which it was collected and will be subject to regular review of data collection and processing needs.
4. Data is accurate and up-to-date and reasonable steps will be taken to ensure this through regular data quality checks.
5. Data is not kept for longer than is necessary to complete the task for which it was collected, by the implementation of a retention schedule as set out in the Church of England Record Management Guide “Keep or Bin...? The Care of Your Parish Records” https://www.churchofengland.org/sites/default/files/2017-11/care_of_parish_records_keep_or_bin_-_2009_edition.pdf
6. Data is kept secure, with appropriate technical and organisational measures to protect against unauthorised or illegal processing, accidental corruption, loss or disclosure of personal data. This will include:
· storing paper copies of personal data in locked cabinets;
· maintaining password protection of electronic data held on computers and online storage;
· ensuring access to paper and electronic media is restricted only to those individuals authorised to access the data;
· ensuring that extra precautions are taken when personal data is carried in public places, to keep the risk of data breaches to an acceptable level.
To maintain appropriate data security, we will undertake regular risk assessments of our practices and provide awareness and training to all those processing personal data on behalf of the parish.
7. Accountability. The Parish of Chelmsford Ascension with All Saints are responsible for, and will demonstrate, compliance with the principles by:
· Adopting and implementing this data protection policy;
· Publish privacy notices to explain our data protection practices to those whose personal data we process
· Implementing annual reviews, to update the measures we have put in place.
2.3 Collecting personal data
Data protection legislation requires that the collection and use of personal data is fair and transparent. If we acquire any personal data related to an individual (including employees, officer holders, volunteers, suppliers, supporters or other external contacts), either directly from the data subject or from a third party, we must do so in line with the above ‘Principles of Data Protection’.
If we acquire data in error (that is, data we should not have access to), by whatever means, we must inform the Data Protection Lead who will assess whether the data should be retained and if so, arrange for it to be given to the appropriate individual.
2.4 Privacy Notices
Individuals have the right to be informed about the collection and use of their personal data and the Parish of Chelmsford Ascension with All Saints will be open and transparent about our use of personal data in line with this Policy.
We shall create and maintain one or more privacy notices, covering our data processing activities relating to personal data. Privacy notice(s) will provide this to
individuals at the time we collect or significantly amend their personal data.
If our data processing practices change, causing a Privacy Notice to be updated, we will reissue the notice to the affected data subjects, by email.
2.5 Lawful bases
Personal data must only be processed once we have identified an appropriate lawful reason to do so. There are six available lawful bases for processing. These include:
1. Legitimate interest - The processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
Legitimate Interest Assessment. When can you rely on legitimate interests?
· When processing is not required by law but is of benefit to you
· When there is a limited privacy impact on the data subject
· When the data subject would reasonably expect your processing to take place
In order to use legitimate interests as your lawful basis for processing, your processing must therefore meet all of the following criteria:
· Have a specific purpose with a defined benefit
· Be necessary – if your defined benefit can be achieved without processing personal data then legitimate interests is not appropriate
· Be balanced against, and not override, the interests, rights and freedoms of data subjects
2. Contract - The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
3. Legal obligation - The processing is necessary for you to comply with the law (not including contractual obligations).
4. Consent - The individual has given clear consent for you to process their personal data for a specific purpose.
If Consent is used it must be valid (freely given, unambiguous, actively selected, can easily be withdrawn); both giving and withdrawing consent must be recorded.
For consent to be valid, i.e. the correct basis, it must be a choice - so if the data subject refuses to give consent, does that mean that the service can't be provided? If it is an essential service (e.g. pension, payroll etc) then the data controller cannot refuse the service, so there is effectively no choice, so
consent is not valid.
5. Vital interests - The processing is necessary to protect someone’s life.
6. Public Task - The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
No single basis is ’better’ or more important than the others, we must decide which basis is most appropriate depending on our purpose and relationship with the individual.
2.6 Individual rights
Data protection legislation gives individuals specific rights regarding their personal data:
1. The right to be informed
2. The right to access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability (unlikely to be relevant to parishes or deaneries)
7. The right to object
8. Rights in relation to automated decision making and profiling (unlikely to be relevant to parishes or deaneries)
2.7 Data Sharing
As a data controller, we recognise that when we share personal data with third parties, we are responsible for:
· ensuring the third party complies with GDPR, and
· stating any constraints or requirements about what the third party can or cannot do with our data.
When sharing or disclosing personal data we shall ensure that:
· We consider the benefits and risks, either to individuals or the Church, of sharing the data, along with the potential results of not sharing the data;
· We are clear about with whom we can share the data. If we are unsure, we check with the data owner, or our Data Protection Lead person.
· We do not disclose personal data about an individual to an external organisation without first checking that we have a legitimate reason to do so (see above ‘Lawful bases’ section).
· If we must transfer or share data, we do so using appropriate security measures;
· If we are sharing data outside of the UK, we take particular care to ensure that the destination country meets all the necessary requirements to protect the data.
Data Sharing statements - We may state any constraints or requirements on the use of data shared with third parties in the following ways, depending on the level of risk:
· Through the use of disclaimer-type statements in emails or on contractor job sheets
· By the inclusion of a ‘Data Protection’ section of a contract with a third party (such as a leasing agreement)
· By a standalone ‘Data Sharing Agreement’
2.8 Storing and disposing of data
We will ensure that we use the most appropriate and secure methods available for both storage and disposal of personal data. We will ensure that:
· In so far as we are able, all personal data in our possession is kept secure from unauthorised access;
· We lock physical files containing personal data in a secure document bag with code lock;
· We are vigilant of our surroundings, in particular when working outside of normal office locations, being careful not to place any personal data in a position where it can be viewed, stolen or lost;
· All devices used to handle personal data are password protected and we do not share passwords;
· Desks are kept clear of personal data when not occupied.
2.9 Fact versus Opinion
When using personal data, it is our policy not to write comments about any individual that are unfair, untrue or offensive and that you would not be able to defend if challenged. In general we:
· Express facts, not opinions
· Work on the basis that anything written about an individual might be seen by that individual.
This includes emails. Although a certain amount of informality attaches to email writing, it should not be overlooked that these can provide a written record of our comments and, in the event of a Subject Access Request, they are subject to disclosure if they contain personal data.
2.10 Data Breaches
A personal data breach means the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.
There will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.
Any data breach, as described above, is to be reported to the Data Protection Lead person.
Where a breach is known to have occurred which is likely to result in a high risk to the rights and freedoms of individuals, our Data Protection Lead person will report this to the Information Commissioner’s Office (ICO) within 72 hours and will co-operate with any subsequent investigation. We will contact the affected data subject(s) where it is necessary to do so.
2.11 Training
We will provide appropriate support and training to all those involved in the parish in the safe and lawful processing of personal data.
This policy was adopted by the PCC on 28th November 2023.
Annual Policy Review
This policy is due for annual review November 2024 by the PCC.