Version 9.0 – June 2014

1. Introduction

1.1 CityCoast Church is required by law to comply with the Data Protection Act, 1998 [the Act] which came into force on 1 March 2000.

1.2 Compliance with the Act is the responsibility of all employees and volunteers. A breach of the Data Protection Policy, whether deliberate or through negligence, could lead to disciplinary action being taken, or access to church facilities being withdrawn, while a breach of the Act could lead to criminal prosecution. Any questions or concerns about the interpretation or operation of this policy should be taken up with the Data Protection Officer.

1.3 The commitment of the church is to ensure that all employees and volunteers comply with the Act to ensure the confidentiality of any personal data held by the organisation, in whatever medium (electronic/paper).

1.4 The church needs to keep certain information about its employees, volunteers, members and other users of church facilities to allow it to function effectively and comply with legal requirements. To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. To do this, the organisation must comply with the Data Protection Principles that are set out in the Act. In summary these state that personal data shall be:

a) Processed fairly and lawfully and must not be processed unless certain conditions are met in relation to personal data and additional conditions are met in relation to sensitive personal data. The conditions are either that the individual has given consent to the processing, or the processing is necessary for the various purposes set out in the Act. Sensitive personal data may only be processed with the explicit consent of the individual and consists of information relating to:

• Race or ethnic origin.
• Political opinions and trade union membership.
• Religious or other beliefs.
• Physical or mental health or condition.
• Sexual life.
• Criminal offences, both committed and alleged.

b) Obtained only for one or more specified and lawful purposes, and not processed
in a manner incompatible with those purposes.
c) Adequate, relevant and not excessive.
d) Accurate and kept up to date.
e) Not kept for longer than is necessary.
f) Processed in accordance with the rights of employees under the Act.
g) Appropriate technical and organisational measures will be taken against
unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

h) Not transferred to a country or territory outside the European Economic Area
unless that country ensures an adequate level of protection for the processing of
personal data.

2. Registration

2.1 To comply with the Act, the church has applied to the Data Protection Registrar and has an entry in the Data Protection Register [the Register]. Entries in the Register show:

• The class(es) of personal data held.
• The purpose(s) for which data are held.
• The source(s) from which data are obtained.
• People or organisations to whom the user may wish to disclose the data.
• Any countries overseas to which the user may wish to transfer the data.

2.2 The church is required to ensure that its entry in the Register is correct and up to date, and the Data Protection Officer must be informed immediately of new applications or purposes for which data are held that may affect the organisation’s registration.

3. The Data Protection Officer

3.1 CityCoast Church is the Data Controller under the Act and the Trustees are ultimately responsible for implementation. However, the Data Protection Office has day-to-day responsibility for ensuring compliance with the Act.

3.2 The Data Protection Officer, who is the named contact with the Data Protection Registrar, is Simon Lewis. The Data Protection Officer attempts to ensure that the Data Protection Registration is kept up to date. Managers and leaders are responsible for ensuring that the personal data held by their departments is kept securely and used properly, within the terms of the Act. They are also responsible for informing the Data Protection Officer of the types of personal data held in their department, and any changes or new holdings. The Data Protection Officer can advise on the implementation of the policy.

4. Notification of data held and processed

4.1 All employees, volunteers and members and other users are entitled to:

• Know what personal information the church holds and processes about them and why.
• Know how to gain access to it.
• Know how to keep it up to date.
• Know what the church is doing to comply with its obligations under the Act.

5. Employee guidelines

5.1 All employees are responsible for:

• Checking that any information that they provide in connection with their employment is accurate and up to date.
• Informing the Data Protection Officer of any changes to information that they have provided, e.g. changes of address.
• Informing the Data Protection Officer of any errors or changes.

5.2 All employees and volunteers should ensure that any personal data that they control is compliant with the Data Protection Registration. This includes personal data for such purposes as research, personnel records etc. The Data Protection Officer should be consulted if an employee has any doubts about personal data that the employee controls.

6. Data security

6.1 All employees and volunteers are responsible for ensuring that:

• Any personal data that they hold, whether in electronic or paper format, is kept securely.
• Personal information is not disclosed either orally or in writing or accidentally or otherwise to any unauthorised third party.

6.2 Items which are marked “Personal” or “Private and Confidential”, or which appear to be of a personal nature, should be opened by the addressee only or by a person (such as a secretary) acting on the specific instruction of the addressee. Unless post items are marked in this way they will be considered not to contain confidential information. Employees are discouraged from using their church address for non-church matters.

6.3 Each church leader is responsible for ensuring that appropriate technical and organisational measures are taken within their department to ensure against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, such data. Each church leader is responsible for keeping the church Data Protection Officer informed of changes in the collection, use and security of personal data within their department.

6.4 All employees and volunteers dealing with data should ensure that casual access to data is not possible (for example seeing computer screens or printouts). Computer screens should be cleared after use and should not be left unattended without being logged off. Printouts should be kept securely and shredded, e.g. at CityCoast Centre, when no longer required. Particular care must be taken when laptop computers are used in public places, on public transport and when working at home.

6.5 All employees dealing with data should ensure that back-up or duplicate copies of data are held in case of unauthorised destruction or loss of data.

6.6 It should not be assumed that documents sent by electronic mail (email) are secure, and confidential information should not be sent by email (or where it must be, it should be encrypted before transmission). It is not advisable to send sensitive data like credit card numbers by email. While the organisation will normally endeavour to honour the privacy of personal electronic mail, the church will normally be the legal owner and may inspect it (for example to ensure the security of systems by virus checking) and may be required to disclose it as part of a disclosure or other civil or criminal legal process.

6.7 Be aware that those seeking information sometimes use deception in order to gain access to it. Always verify the identity of the data subject and the legitimacy of the request, particularly before releasing personal information by telephone.

6.8 Where the church provides you with code words or passwords to be used before releasing personal information, for example by telephone, you must strictly follow the organisation’s requirements in this regard.

7. Subject consent to processing sensitive information

7.1 In many cases the church can only process personal data with the consent of the individual. In some cases, if the data are sensitive, express consent must be obtained. Agreement to the church processing some specified classes of personal data is a condition of acceptance of a member onto any programme and a condition of employment for employees.

7.2 Some jobs or courses will bring the applicants into contact with children, including young people between the ages of 16 and 18. The church has a duty under the Children’s Act and other enactments to ensure that employees are suitable for the job the courses offered. The church also has a duty of care to all employees and church members and must therefore make sure that employees and those who use church facilities do not pose a threat or danger to other users.

7.3 The church may ask for information about a person’s health, particular health needs, such as allergies to particular forms of medication, or any conditions such as asthma or diabetes, for use in the event of a medical emergency. The church may also ask for information about a person’s criminal convictions, race and gender and family details. This is to ensure that the church is a safe place for everyone, or may be to operate other church policies.

7.4 Because this information is considered sensitive, all prospective employees and volunteers may be asked to give signed Consent to Process regarding particular types of information when an offer of employment is made.

7.5 Do not disclose confidential personal information to anyone except the data subject. In particular, it should not be:

• Given to someone from the same family.
• Passed to any other unauthorised third party.
• Placed on the CityCoast Church website.
• Posted on the Internet in any form.
8. Publication of church information

8.1 Information that is already in the public domain is exempt from the 1998 Act. It is the organisation’s policy to make public as much information about the church as possible. In particular the following information will be available to the public for inspection:

• The Church Elders.
• The Trustees.
• The church leadership list.
• A list of employees.

8.2 Any employee, volunteer or member having good reason for wanting details in these lists or categories to remain confidential should contact the Data Protection Officer.

8.3 The church database is not a public document.

9. Special cases

9.1 Video recordings: the Act applies to data held on video recorders that are obtained from closed circuit television surveillance systems. Guidance about this is available from the office of the Data Protection Registrar.

10. Rights to access information

10.1 Employees, volunteers, members and other users of the church facilities have the right to access any personal data that are being kept about them. Any person who wants to exercise this right should make their request in writing to the church Data Protection Officer with a fee of £10, which is the statutory charge.

10.2 The Data Protection Officer will require the following information from the individual:

• Evidence of their identity, e.g. birth certificate, driving licence, utility bill (one with a photograph).
• An indication of the type of information sought and/or where they believe this information is held, to speed administration.

10.3 The organisation aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within forty days unless there is a good reason for delay. In such cases, the reason for delay will be explained in writing to the individual making the request.

11. Retention of data

11.1 CityCoast Church retains certain information in line with financial, legal and archival requirements. Personal data will not normally be retained on employees or church members for longer than a period of ten years after their leaving.