Policy Policy

Policy statement

The Chapel Centre is committed to protecting personal data and respecting the rights of our data subjects: the people whose personal data we collect and use. We value the personal information entrusted to us and we respect that trust by complying with all relevant laws and adopting good practice.

We process personal data to help us:

a) maintain our list of church members and regular attenders;
b) provide pastoral support for members and others connected with our church;
c) provide services to the community including Sunny Days and Cuppa & Chat;
d) safeguard children, young people and adults at risk;
e) recruit, support and manage staff and volunteers;
f) maintain our accounts and records;
g) promote our events and other activities;
h) maintain the security of property and premises;
i) respond effectively to enquirers and handle any complaints.

This policy has been approved by the church’s Charity Trustees who are responsible for ensuring that we comply with all our legal obligations. It sets out the legal rules that apply whenever we obtain, store or use personal data.

Why this policy is important

We are committed to protecting personal data from being misused, getting into the wrong hands as a result of poor security or being shared carelessly, or being inaccurate, as we are aware that people can be upset or harmed if any of these things happen.

In particular, we will make sure that all personal data is:

a) processed lawfully, fairly and in a transparent manner;
b) processed for specified, explicit and legitimate purposes and not in a manner that is incompatible with those purposes;
c) adequate, relevant and limited to what is necessary for the purposes for which it is being processed;
d) accurate and, where necessary, up to date;
e) not kept longer than necessary for the purposes for which it is being processed;
f) processed in a secure manner, by using appropriate technical and organisational means;
g) processed in keeping with the rights of data subjects regarding their personal data.

How this policy applies to you & what you need to know

As an employee, trustee or volunteer processing personal information on behalf of the church, you are required to comply with this policy. If you think that you have accidentally breached the policy it is important that you contact our Data Protection Officer immediately so that we can take swift action to try and limit the impact of the breach. Anyone who breaches the Data Protection Policy may be subject to disciplinary action, and where that individual has breached the policy intentionally, recklessly, or for personal benefit they may also be liable to prosecution or to regulatory action.

As a leader: You are required to make sure that any procedures that involve personal data, that you are responsible for in your area, follow the rules set out in this Data Protection Policy.

As a data subject of The Chapel Centre: We will handle your personal information in line with this policy.

Our Data Protection Officer (Jayne Collins) is responsible for advising The Chapel Centre and its staff and members about their legal obligations under data protection law, monitoring compliance with data protection law, dealing with data security breaches and with the development of this policy. Any questions about this policy or any concerns that the policy has not been followed should be referred to her at jaynecollins13@gmail.com.

Before you collect or handle any personal data as part of your work (paid or otherwise) for The Chapel Centre, it is important that you take the time to read this policy carefully and understand what is required of you, as well as the organisation’s responsibilities when we process data.

Our procedures will be in line with the requirements of this policy, but if you are unsure about whether anything you plan to do, or are currently doing, might breach this policy you must first speak to the Data Protection Officer.

Training and guidance

We will provide any necessary training, with general training at least annually for all staff, leaders and volunteers, to raise awareness of their obligations and our responsibilities, as well as to outline the law.

We may also issue procedures, guidance or instructions from time to time.

What personal information do we process?

In the course of our work, we may collect and process information (personal data) about many different people (data subjects). This includes data we receive straight from the person it is about, for example, where they complete forms or contact us. We may also receive information about data subjects from other sources including, for example, previous employers and churches they have attended.

We process personal data in both electronic and paper form and all this data is protected under data protection law. The personal data we process can include information such as names and contact details, education or employment details, and visual images of people.

In some cases, we hold types of information that are called ‘special categories’ of data in the GDPR. This personal data can only be processed under strict conditions. ‘Special categories’ of data (as referred to in the GDPR) include information about a person’s: racial or ethnic origin; political opinions; religious or similar (e.g. philosophical) beliefs; trade union membership; health (including physical and mental health, and the provision of health care services); genetic data; biometric data; sexual life and sexual orientation.

We will not hold information relating to criminal proceedings or offences or allegations of offences unless there is a clear lawful basis to process this data such as where it fulfils one of the substantial public interest conditions in relation to the safeguarding of children and of individuals at risk or one of the additional conditions relating to criminal convictions set out in either Part 2 or Part 3 of Schedule 1 of the Data Protection Act 2018. This processing will only ever be carried out on the advice of the Ministries Team of the Baptist Union of Great Britain or our Regional Association Safeguarding contact person.

Other data may also be considered ‘sensitive’ such as bank details, but will not be subject to the same legal protection as the types of data listed above.

Making sure processing is fair and lawful

Processing of personal data will only be fair and lawful when the purpose for the processing meets a legal basis, as listed below, and when the processing is transparent. This means we will provide people with an explanation of how and why we process their personal data at the point we collect data from them, as well as when we collect data about them from other sources.

How can we legally use personal data?

Processing of personal data is only lawful if at least one of these legal conditions, as listed in Article 6 of the GDPR, is met:

a) the processing is necessary for a contract with the data subject;
b) the processing is necessary for us to comply with a legal obligation;
c) the processing is necessary to protect someone’s life (this is called “vital interests”);
d) the processing is necessary for us to perform a task in the public interest, and the task has a clear basis in law;
e) the processing is necessary for legitimate interests pursued by The Chapel Centre or another organisation, unless these are overridden by the interests, rights and freedoms of the data subject.
f) If none of the other legal conditions apply, the processing will only be lawful if the data subject has given their clear consent.

How can we legally use ‘special categories’ of data?

Processing of ‘special categories’ of personal data is only lawful when, in addition to the conditions above, one of the extra conditions, as listed in Article 9 of the GDPR, is met. These conditions include where:

a) the processing is necessary for carrying out our obligations under employment and social security and social protection law;
b) the processing is necessary for safeguarding the vital interests (in emergency, life or death situations) of an individual and the data subject is incapable of giving consent;
c) the processing is carried out in the course of our legitimate activities and only relates to our members or persons we are in regular contact with in connection with our purposes;
d) the processing is necessary for pursuing legal claims.
e) If none of the other legal conditions apply, the processing will only be lawful if the data subject has given their explicit consent.

Before deciding which condition should be relied upon, we may refer to the original text of the GDPR as well as any relevant guidance, and seek legal advice as required.

What must we tell individuals before we use their data?

If personal data is collected directly from the individual, we will inform them about: our contact details and those of the Data Protection Officer, the reasons for processing, and the legal bases, explaining our legitimate interests, and explaining, where relevant, the consequences of not providing data needed for a contract or statutory requirement; who we will share the data with; if we plan to send the data outside of the European Union; how long the data will be stored and the data subjects’ rights. This information is commonly referred to as a ‘Privacy Notice’. This information will be given at the time when the personal data is collected.

If data is collected from another source, rather than directly from the data subject, we will provide the data subject with the information described in section 6.5 as well as: the categories of the data concerned; and the source of the data. This information will be provided to the individual in writing and no later than within 1 month after we receive the data, unless a legal exemption under the GDPR applies. If we use the data to communicate with the data subject, we will at the latest give them this information at the time of the first communication. If we plan to pass the data onto someone else outside of The Chapel Centre, we will give the data subject this information before we pass on the data.