The scope of this procedure encompasses all information processing of data subjects by Unity Church Orpington
Note: a data subject is a person whose data is processed by Unity Church Orpington. For ease of reading this document and others within the GDPR regulations we will refer to a data subject as a person or anyone or everyone.
2. Fair Processing Notice
Responsibility for the Fair Processing Notice rests with the Unity Church Orpington trustees and directors, who must ensure that it is factually correct and that appropriate mechanisms are in place to ensure that everyone has access to this document so they can become aware of its contents prior to the commencement of Unity Church Orpington’s data collection.
Personal data may only be processed upon receipt of authorisation from the Unity Church Orpington trustees and directors. The following information must be provided to data subjects prior to data collection, in plain and clear language:
- Organisation Name, including contact details;
- Objective behind the processing of personal information;
- Duration of time the personal data will be stored for and the storage criteria;
- Statement regarding the disclosure of personal information to third parties;
- Information regarding the rights of people in respect of their personal data, including but not limited to:
- The right to access personal information.
- The right to withdraw consent;
- The right to amend personal data;
- The right to request that personal data be permanently deleted;
- The right to strict processing; and
- The right to raise an official complaint with the relevant authority;
- Whether personal data must be provided for the purposes of fulfilling or entering into a contract and the outcome should the data subject refuse to provide personal data;
- Details regarding the destination of the personal data:
- Whether personal data will be transferred outside of the European Union; and
- Whether an adequacy decision has been made regarding the destination of the data; and/or
- Whether any safeguards are in place to ensure the adequacy of the destination; and
- Any other material that would ensure that the data processing is always fair. All data subjects must be notified prior to the processing of their personal data by Unity Church Orpington in a FAIR PROCESSING NOTICE (within the Privacy Notice), containing the following statements:
To provide information on our ministries, activities, events, fundraising purposes and pastoral care, whether currently or in the future:
“Please note that you have provided explicit (firm) consent for the use of your personal information by Unity Church Orpington to provide information on our ministries, activities, events and fundraising purposes. You may withdraw your consent by emailing: firstname.lastname@example.org at any time and you will be immediately withdrawn from all of our contact lists.”
4. GDPR responsibilities of the Unity Church Orpington trustees and directors
- Consent procedures: To incorporate procedures in relation to personal data processing based on consent, ensuring that processing ceases when consent is withdrawn;
- Consent withdrawal: To monitor all requests withdrawing consent by keeping a register of all relevant requests and ensuring that all requests are actioned as soon as possible following receipt;
- Sensitive personal data: To ensure that the Fair Processing Notice sets out explicitly the purpose or purposes for which sensitive personal data will, or may, be used, when sensitive personal information is collected for a specific purpose or purposes;
- Parental consent: To ensure that parental consent has been provided in relation to everyone of 16 years of age, or younger;
- Data protection law: To ensure that all new data collection methods comply with data protection laws and good practice, by reviewing and signing off all new such methods;
- Specified purpose: To approve all written requests for changes to the purpose of processing of personal data and determine if additional consent is required from the person:
In the event that additional consent is required, to determine the form of the consent and the protocol to be followed by Unity Church Orpington to ensure that the person is informed of the new purpose and has provided the necessary consent;
- To identify a relevant exemption, when applicable, in the Authorisation to Process; and
- To update the Data Inventory Schedule by setting out details of the new purpose, referring directly to the Authorisation to Process; and
- Data protection: To ensure that personal data that is shared with a third party complies with Unity Church Orpington’s notification to the Information Commissioner’s Office and with the terms of the Fair Processing Notice previously provided to the person and any relevant consents provided by the them:
To ensure that an agreement drafted by Unity Church Orpington’s legal advisors is entered into with the third party, setting out the purpose or purposes for which the information will, or may be, used and listing any restrictions or limitations on the use of the personal information for other purposes;
- To ensure that the agreement contains an undertaking, or other applicable evidence, by the third party that it is committed to processing its data in such a way that it adheres to the requirements of the Data Protection Authority at all times;
- To ensure the agreement contains appropriate controls and safeguards to ensure the protection of personal information pursuant to the GDPR, when such information may be legally shared without the consent of the person; and
- To ensure that any data profiles created by matching data collected by Unity Church Orpington with other data are not used outside of the context of the ICO notification and the consents of that person.
- Personal Data Usage: A Data Usage Log of any personal data of data subjects used by the leaders, trustees and officers of Unity Church Orpington has been compiled. This shows what data is kept and by whom and how it is used. In addition, the Log states where data is held, (computer, paper file etc.) and what the backup regime is. The church has imposed a requirement for a computer back up to be done of each user’s device at least once every two weeks or that a cloud back up system is used. An annual review of personal data usage will be carried out every January and the log updated. Any data kept on paper should be stored securely.
5. Document owner
The Unity Church Orpington trustees/directors are the owners of this policy document and must ensure that it is periodically reviewed according to the review requirements contained herein.
The latest version of this policy document dated 01/07/2020 is available to all employees and volunteers of Unity Church Orpington.
This policy document was approved by Unity Church Orpington’s Board of trustees and directors and is issued by the Chair on a version-controlled basis.
Name of Chair: Peter Bell.
Date: 1st July 2020