Privacy statement
The privacy and protection of your data is important to us.
1. Your personal data – what is it?
Personal data is any information (either electronic or on paper) relating to a living individual who can be identified from that data. The way we deal with personal data is governed by the General Data Protection Regulation (GDPR).
2. Who Are We?
We are St Paul’s Church, Salisbury. Our legal governing body is the Parochial Church Council of the Ecclesiastical Parish of Fisherton Anger (St Paul), Salisbury, which is a registered charity number 1132168 and they are the data controller (make decisions on how your personal data is processed and for what purposes). The rector of St Paul’s, Salisbury when acting as a data controller also works under this policy.
Details of how to contact us are at the end of this statement.
3. How do we process your personal data?
We comply with our obligations under the GDPR by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.
We use personal data for the following purposes: -
To enable us to provide a voluntary service for the benefit of the public in Salisbury and the surrounding area;
To co-ordinate our pastoral work;
To administer membership and electoral roll records;
To fundraise and promote the interests of the charity;
To manage our employees and volunteers;
To maintain our own accounts and records (including the processing of gift aid applications);
To inform you of news, events, activities and services running at St Paul’s, Salisbury;
To fulfil our legal and professional obligations in relation to Health and Safety, Safeguarding, counselling, registration of marriage and other activities, for the prevention of crime and to defend civil claims.
To allow people to watch gatherings they are unable to attend in person via livestream or video recording.
4. What is the legal basis for processing your personal data?
The data we hold can be divided into four types.
Church Operational Data. This is the information we need for the day-to-day running of the church. Examples of this includes information such as names and contact detail of church members and records relating to involvement in church activities.
We hold this data as part of our legitimate interests. This means that processing is carried out by a not-for-profit body with a political, philosophical, religious or trade union aim provided: -the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes); and
there is no disclosure to a third party without consent.
Contact Details enabling us to keep people up to date with news and events at St Paul’s (marketing data). An example of this is the rector’s weekly update. After May 25th 2018 we will only contact people in this way if they have consented for us to do so by opting explicitly opting-in. The legal basis for holding this data is the consent of the data subject.
Contractual Data Examples of this include data we need to carry out the contracts of employment with our staff and venue hire contracts with those hiring our premises. The legal basis for holding this information is that processing is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement;
CCTV Recordings. We operate CCTV cameras in the outside areas of the Church and Church Centre and within the SP2 Hope Centre. We hold this data for a limited period (usually 15 days) as part of our legitimate interest to prevent and detect crime and to ensure the safety of our staff and volunteers.
Video Recordings of Gatherings. We operate on the basis of consent. This is obtained via our online booking system and posters on display in the building.
5. Sharing your personal data
Your personal data will be treated as strictly confidential and will only be shared with other members of the church in order to carry out a service to other church members or for purposes connected with the church. If you ask us to, we will include your name and contact details in the church directory.
We work with a number of organisations to help us process your data (for example the companies who supply our church database and accounting software). We carefully check that they have adequate procedures in place to keep your data safe, and when it is processed outside the European Economic Area (for example in the USA and New Zealand) that it is covered by agreements which ensure that the standards of data protection in the GDPR are delivered. These processors will never use your data in any way not connected with St Paul’s, Salisbury and described above. Apart from this we will only share your data with other organisations if you specifically ask us to or where we have a legal obligation to do so.
6. How long do we keep your personal data?
We have a policy to ensure that we only keep your data for as long as we need to, and after that it is securely disposed of. This policy is in accordance with the guidance set out in the guide “Keep or Bin: Care of Your Parish Records” which is available from the Church of England website.
Specifically, we retain electoral roll data while it is still current; CCTV recordings for 15 days (unless a download is made of a specific incident), gift aid declarations and accounting paperwork for up to 6 years after the calendar year to which they relate; and parish registers (baptisms, marriages, funerals) permanently. Video Recordings of gatherings may be kept indefinitely and remain publicly available via our website and social media such as Youtube and Facebook. Data to support NHS Track and Trace is destroyed within 30 days of collection. Eventbrite booking data may be retained for up to one year.
7. Your rights and your personal data
Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data: -
The right to request a copy of personal data which we holds about you;
The right to request that we correct any personal data if it is found to be inaccurate or out of date;
The right to request your personal data is erased where it is no longer necessary for us to retain such data;
The right to withdraw your consent to the processing at any time
When we are processing data because you have given your consent, or to perform a contract with you, you have the right to request that we provide you with your personal data and where possible, to transmit that data directly to another data controller, (this is known as the right to data portability).
The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;
When we process data to provide you with information about St Paul’s (marketing), in order to carry out our work (legitimate interests) or to produce research statistics, you have the right to object to the processing of personal data, (where applicable)
The right to lodge a complaint with the Information Commissioners Office.
8. Further processing
If we wish to use your personal data for a new purpose, not covered by this Data Protection Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.
9. Contact Details
If you have any queries or concerns you can contact Dawn Evans by phone on 01722 334005, by email at dawn@wearestpauls.church, or by writing to her at our office: St Paul’s Church, Fisherton Street, Salisbury SP2 7QW.
You can contact the Information Commissioners Office using the details on https://ico.org.uk/global/contact-us/.