5. What personal information do we process?
5.1 In the course of our work, we may collect and process information (personal data) about many different people (data subjects). This includes data we receive straight from the person it is about, for example, where they complete forms or contact us. We may also receive information about data subjects from other sources including, for example, previous employers, other churches, families, etc.
5.2 We process personal data in both electronic and paper form and all this data is protected under data protection law. The personal data we process can include information such as names and contact details, education or employment details, and visual images of people.
5.3 In some cases, we hold types of information that are called “special categories” of data in the GDPR. This is sensitive personal data that can only be processed under strict conditions.
‘Special categories’ of data (as referred to in the GDPR) includes information about a person’s: racial or ethnic origin; political opinions; religious or similar (e.g. philosophical) beliefs; trade union membership; health (including physical and mental health, and the provision of health care services); genetic data; biometric data; sexual life and sexual orientation.
5.4 We will not hold information relating to criminal proceedings or offences or allegations of offences.
5.5 Other data may also be considered ‘sensitive’ such as bank details, but will not be subject to the same legal protection as the types of data listed above.
6. Making sure processing is fair and lawful
6.1 Processing of personal data will only be fair and lawful when the purpose for the processing meets a legal basis, as listed below, and when the processing is transparent. This means we will provide people with an explanation of how and why we process their personal data at the point we collect data from them, as well as when we collect data about them from other sources.
How can we legally use personal data?
6.2 Processing of personal data is only lawful if at least one of these legal conditions, as listed in Article 6 of the GDPR, is met:
a) the processing is necessary for a contract with the data subject;
b) the processing is necessary for us to comply with a legal obligation;
c) the processing is necessary to protect someone’s life (this is called “vital interests”);
d) the processing is necessary for us to perform a task in the public interest, and the task has a clear basis in law;
e) the processing is necessary for legitimate interests pursued by Spurgeon Baptist Church or another organisation, unless these are overridden by the interests, rights and freedoms of the data subject.
f) If none of the other legal conditions apply, the processing will only be lawful if the data subject has given their clear consent.
How can we legally use ‘special categories’ of data?
6.3 Processing of ‘special categories’ of personal data is only lawful when, in addition to the conditions above, one of the extra conditions, as listed in Article 9 of the GDPR, is met. These conditions include where:
a) the processing is necessary for carrying out our obligations under employment and social security and social protection law;
b) the processing is necessary for safeguarding the vital interests (in emergency, life or death situations) of an individual and the data subject is incapable of giving consent;
c) the processing is carried out in the course of our legitimate activities and only relates to our members or persons we are in regular contact with in connection with our purposes;
d) the processing is necessary for pursuing legal claims.
e) If none of the other legal conditions apply, the processing will only be lawful if the data subject has given their explicit consent.
6.4 Before deciding which condition should be relied upon, we may refer to the original text of the GDPR as well as any relevant guidance, and seek legal advice as required.
What must we tell individuals before we use their data?
6.5 If personal data is collected directly from the individual, we will inform them in writing about: our identity/contact details and those of the Church Secretary; the reasons for processing and the legal bases, [including explaining any automated decision making or profiling], explaining our legitimate interests, and explaining, where relevant, the consequences of not providing data needed for a contract or statutory requirement; who we will share the data with; whether we plan to send the data outside of the European Union; how long the data will be stored; and the data subjects’ rights.
This information is commonly referred to as a ‘Privacy Notice’.
This information will be given at the time when the personal data is collected.
6.6 If data is collected from another source, rather than directly from the data subject, we will provide the data subject with the information described in section 6.5 as well as: the categories of the data concerned; and the source of the data.
This information will be provided to the individual in writing no later than one month after we receive the data, unless a legal exemption under the GDPR applies. If we use the data to communicate with the data subject, we will give them this information at the latest at the time of the first communication.
If we plan to pass the data on to someone else outside of Spurgeon Baptist Church, we will give the data subject this information before we pass on the data.
7. When we need consent to process data
7.1 Where none of the other legal conditions apply to the processing, and we are required to get consent from the data subject, we will clearly set out what we are asking consent for, including why we are collecting the data and how we plan to use it. Consent will be specific to each process we are requesting consent for and we will only ask for consent when the data subject has a real choice whether or not to provide us with their data.
7.2 Consent can however be withdrawn at any time and if withdrawn, the processing will stop. Data subjects will be informed of their right to withdraw consent and it will be as easy to withdraw consent as it is to give consent.
8. Processing for specified purposes
8.1 We will only process personal data for the specific purposes explained in our privacy notices (as described above in section 6.5) or for other purposes specifically permitted by law. We will explain those other purposes to data subjects in the way described in section 6, unless there are lawful reasons for not doing so.
9. Data will be adequate, relevant and not excessive
9.1 We will only collect and use personal data that is needed for the specific purposes described above (which will normally be explained to the data subjects in privacy notices). We will not collect more than is needed to achieve those purposes. We will not collect any personal data “just in case” we want to process it later.
10. Accurate data
10.1 We will make sure that personal data held is accurate and, where appropriate, kept up to date. The accuracy of personal data will be checked at the point of collection and at appropriate points later on.
11. Keeping data and destroying it
11.1 We will not keep personal data longer than is necessary for the purposes that it was collected for. We will comply with official guidance issued to our sector about retention periods for specific records.
12. Security of personal data
12.1 We will use appropriate measures to keep personal data secure at all points of the processing. Keeping data secure includes protecting it from unauthorised or unlawful processing, or from accidental loss, destruction or damage.
12.2 We will implement security measures which provide a level of security which is appropriate to the risks involved in the processing.
Measures will include technical and organisational security measures. In assessing what measures are the most appropriate we will take into account the following, and anything else that is relevant:
a) the quality of the security measure;
b) the costs of implementation;
c) the nature, scope, context and purpose of processing;
d) the risk (of varying likelihood and severity) to the rights and freedoms of data subjects;
e) the risk which could result from a data breach.
12.3 Measures may include:
a) technical systems security;
b) measures to restrict or minimise access to data;
c) measures to ensure our systems and data remain available, or can be easily restored in the case of an incident;
d) physical security of information and of our premises;
e) organisational measures, including policies, procedures, training and audits;
f) regular testing and evaluating of the effectiveness of security measures.
13. Keeping records of our data processing
13.1 To show how we comply with the law we will keep clear records of our processing activities and of the decisions we make concerning personal data (setting out our reasons for those decisions).