DATA PROTECTION POLICY. Little Baddow Parochial Church Council


INTRODUCTION:

The Data Protection Act 1998 ("the Act") seeks to protect individuals against the unfair use of personal information. There are a number of fundamental principles which the Act establishes:

- The right of an individual to know what data is being held about him/her and to check its accuracy.
- That Personal Data should be used only for the specific purposes for which it is held and not disclosed to those not authorised to have it.
- A Government agency should regulate and enforce proper standards relating to personal data.

If a church holds Personal Data either on a computer or in a paper-based filing system, it must follow the rules set out in the Act. Failure to do so could result in a criminal conviction for those who are responsible for processing the data (usually the PCC members). This does not, of course, include acts that are required by law to be undertaken (e.g. publication of the Electoral Roll before the Annual Church Meeting).

The Chelmsford Diocesan Office has confirmed that, for the purposes of the Act, records held by organizations affiliated to the Church (e.g. bell ringers, Messy Church etc.) would all come under the umbrella of the PCC and would be treated in the same way. This does not apply to individuals who keep an address book for their own private benefit, nor would it apply to Data held separately by the Priest. He/she would be a separate Data Controller and would need to notify the ICO (see below).

The Act requires every Data Controller (the PCC in this case) who is processing personal information to notify the ICO, unless they are exempt. For as long as the PCC is only processing Personal Data for the purposes of establishing or maintaining membership of the Church or for support of the Church, or for administering activities for individuals who are either members of the Church or have regular contact with it, then notification is not required. If Personal Data is being processed outside the scope of this exemption (e.g. Sensitive Data is being held) then notification is required.

Those processing Data are required to follow and abide by the Data Protection Principles. The Policy sets out how the PCC will ensure that the provisions of the Act are complied with in respect of activities involving the Church.

DEFINITIONS

"The Church": St Mary's Parish Church, Little Baddow.

"Data": recorded information whether stored electronically on a computer, in paper-based filing systems or other media.

"Data Controller": the persons or organisation who determine the purposes for which, and the manner in which, any Personal Data is processed. They have a responsibility to establish practices and policies in line with the Act.

"The Data Processing Principles": these are set out in the Act and can be summarised as follows:

- Personal Data shall be processed fairly and lawfully.
- Personal Data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Personal Data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Personal Data shall be accurate and, where necessary, kept up to date.
- Personal Data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Personal Data shall be processed in accordance with the rights of Data Subjects under this Act.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data.
- Personal Data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of Personal Data.

"Data Protection Co-Ordinator": such person as shall from time to time be appointed by the PCC to fulfil the functions of this post.

"Data Subject": includes all living individuals about whom Personal Data is held. A Data Subject need not be a UK national or resident. All Data Subjects have legal rights in relation to their Personal Data.

"Data Users": such of the officers and authorised volunteers of the PCC who are from time to time authorised by the PCC to use the Personal Data. Data Users have a duty to protect the information they handle and to follow this Policy at all times.

"ICO": the Information Commissioner's Office.

"The PCC": the members for the time being of the Parochial Church Council of the Church of St Mary the Virgin, Little Baddow.

"Personal Data": Data relating to a living individual who can be identified from that Data (or from that Data and other information in the possession of the Data Controller). Personal Data can be factual (such as a name, address or date of birth) or it can be an opinion. It can even include a simple email address. It is important that the information has the Data Subject as its focus and affects the individual's privacy in some way. Mere mention of someone's name in a document does not necessarily constitute Personal Data, but personal details such as someone's contact details would fall within the scope of the Act. Details of the sources of Personal Data held by the PCC are set out in the Appendix to this document and are subject to annual review as hereinafter referred to.

"The Policy": this document and any subsequent document amending or replacing the same.

"Processing": any activity that involves use of the Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties. The definition of processing is very wide and it is difficult to think of anything an organisation might do with data that will not be processing.

"Sensitive Data": personal data which consists of information concerning the Data Subject's racial or ethnic origin, political opinions, religious beliefs or beliefs of a similar nature, membership of a Trade Union, physical or mental health condition, sexual life, commission or alleged commission of any offence, a record of any proceedings for any offence committed or alleged, or a record of any sentence or proceedings, for example if personal data is held in connection with pastoral counselling.

THE DATA PROCESSING PRINCIPLES IN PRACTICE

1 Fair and lawful Processing

The Act is not intended to prevent the processing of Personal Data, but to ensure that it is done fairly and without adversely affecting the rights of the data subject.

For Personal Data to be processed lawfully, certain specific conditions have to be complied with and it is only lawful if it meets at least one of the following criteria (as specified in Schedule 2 of the Act):

- With the consent of the Data Subject, or
- If there is a legal obligation (for example under prevention of terrorism legislation), or
- For the protection of the vital interests of the individual (for example to prevent injury or other damage to the health of the data subject), or
- In the legitimate interest of the Data Controller, unless it is prejudicial to the interests of the individual.

Personal Data must meet all of the following criteria in order to be processed fairly:

- Data will only be collected from persons who have the authority to disclose it.
- If personal information is collected from a third party, the data subject will be informed of the use of the information.
- Data Subjects will not be deceived or misled in any matter related to the use of Personal Data.

When Sensitive Personal Data is being processed, it may only be processed if it meets at least one of the following criteria (as specified in Schedule 3 of the Act):

- The Data Subject has given explicit consent.
- It is necessary to meet requirements of employment law.
- It is necessary to protect the vital interests (i.e. if the situation is a matter of life or death) of the subject or another person.
- The data subject has already manifestly made the information public.
- It is necessary for legal proceedings, obtaining legal advice or defending legal rights.
- It is necessary for the carrying out of official or statutory functions.
- It is necessary for medical purposes.
- It is necessary for equal opportunities.
- It is necessary in order to comply with legislation from the Secretary of State.

The PCC will ensure that, when Personal Data is collected, it will be held in accordance with the requirements of the Act and in compliance with this Policy, a copy of which can be obtained from the Data Protection Co-ordinator. All instances involving Sensitive Personal Data will be referred to the Data Protection Co-ordinator, who will ensure that the requirements of the Act are followed. This may include a requirement for the registration of the Church with the ICO.

2 Processing for Limited Purposes

The PCC will ensure that Personal Data is only collected for the legitimate purposes of the PCC or other purposes for which it was obtained and that it is not subsequently used for any other purpose. If it becomes necessary to change the purpose for which the Data is processed, the Data Subject will be informed of the new purpose before any processing occurs.

3 Adequate, Relevant and Non-excessive processing

Personal Data should only be collected to the extent that it is required for the specific purpose notified to the Data Subject. The PCC will ensure that only necessary Data is collected and that any Data which later becomes irrelevant will be destroyed.

4 Accurate Data

Personal Data must be accurate and kept up to date. The PCC will take steps to check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards. Inaccurate or out-of-date data will be destroyed.

5 Timely Processing

Personal Data should not be kept longer than is necessary for the purpose for which it was collected. The PCC will, at its first meeting following the Annual Church Meeting in each year, review Personal Data held in order to assess whether the information is still required and will ensure that data is destroyed or erased from its systems when it is no longer required.

6 Processing in line with Data subject's rights

Data must be processed in line with the rights of the Data Subject. The PCC will ensure that Data Subjects have a right to the following:

- To request access to any data held about him/her.
- To prevent the processing of their Data for direct-marketing purposes.
- To ask to have inaccurate Data amended.
- To prevent processing that is likely to cause damage or distress to themselves or anyone else.

7 Security and Disclosure of Personal Data

The Act requires the PCC to put in place procedures and technologies to maintain the security of all Personal Data from the point of collection to the point of destruction. The PCC will ensure that appropriate security measures are taken to prevent unlawful or unauthorised processing of Personal Data and against the accidental loss of, or damage to, Personal Data. In particular, the PCC will ensure that Personal Data is only disclosed in accordance with the Policy.

The PCC will also take the following steps to secure Personal Data:

- Only those people who are authorised by the PCC to use the Data will be able to access and process it.
- Personal data will be:
  o Kept in a locked filing cabinet, or
  o In a locked drawer; or
  o (If it is computerised) password protected, or
  o Kept only on disk which itself is kept securely.
- When destroying Personal Data, paper documents will be shredded and CD-ROMs will be physically destroyed.
- When receiving telephone or email enquiries, Data Users will be required to be careful about disclosing any Personal Data held by the PCC. In particular, they will:
  o Check the caller's identity to make sure that Data is only given to a person who is entitled to it.
  o Suggest that the caller put their request in writing where the Data User is not sure about the caller's identity and where their identity cannot be checked.
  o Refer to the Data Protection Co-ordinator for assistance in difficult situations.

Personal Data will only be transferred to a third-party Data Processor, such as a supplier under contract to the PCC, if he or she agrees to comply with the Policy and the provisions of the Act.

8 Transfer outside the Country

No Data will be allowed out of the country under any circumstances.

GENERAL APPLICATION

All Data Users will be required to adhere to the Policy. Any breach of this Policy will be taken seriously.

DEALING WITH A DATA SUBJECT'S ACCESS REQUESTS

A formal request from a Data Subject for information held about him/her, or who considers that the Policy has not been followed in respect of Personal Data about him/her or others, must in each case be made in writing in the first instance to one or other of the Churchwardens.

APPENDIX (Personal Data held by the PCC)

- Electoral Roll
- Gift Aid details (envelopes, register and records)
- Stewardship campaign and freewill offering information.
- Email information to facilitate distribution of service details etc.
- PCC accounts
- Those who have been DBS checked.
- Sidesmen and PCC member details.

Approved by the PCC at its meeting held at St Andrews Room, North Hill, Little Baddow.

The following were authorised by the PCC at the same meeting to use the Data: The Priest; Treasurer, Secretary and Churchwardens from time to time.

On the 8th day of March 2016

John Wheeldon (Chairman)