General Privacy Notice
1. Your personal data – what is it?
“Personal Data” is any information relating to an identified or identifiable natural living person, commonly referred to as the “data subject”. Identification can be by the information alone or in conjunction with any other information that the data controller may possess or be likely to obtain. The processing of personal data is governed by the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and The Privacy and Electronic Communications Regulations (PECR).
2. Who are we?
This Privacy Notice is provided to you by the South London Church Fund & Diocesan Board of Finance, hereafter referred to as “The Diocese of Southwark”, which is the data controller. This means it decides how your personal data is processed and for what purposes. The Diocese of Southwark works with a number of different organisations and office-holders, listed below, to deliver the Church’s mission in the community:
- PCCs of the parishes within the Diocese and the incumbents of these parishes
- Bishops and Archdeacons of the Diocese of Southwark
- Diocesan Registry
- Together Southwark
- Southwark Diocese Mothers’ Union
- The Church of England National Church Institutions (NCIs).
As the Church of England is made up of all these persons and organisations working together, we may need to share personal data we hold with them so that they can carry out their responsibilities to the Church of England and our community. The organisations referred to above are joint data controllers. This means they are equally responsible to you for how your data is processed.
Each of the data controllers has its own tasks within the Church of England, and a description of what data is processed and for what purpose is set out in this Privacy Notice. This Privacy Notice is sent to you by the Diocese of Southwark on our own behalf and on behalf of each of these other data controllers. In the rest of this Privacy Notice, we use the word “we” to refer to each data controller, as appropriate.
3. How do we process your personal data and what is the legal basis of processing your data?
Where your Diocesan role requires, or where you have consented to receive, communications, the Diocese will process your personal data on the basis of legitimate interest (Art 6(1)(f) of the UK GDPR) for the following purposes:
- sending communications which you have requested and that may be of interest to you. These may include information about campaigns, appeals and other fundraising activities
- sending information related to fundraising and promotion of the interests of the Diocese.
Where you have taken part in one of our events or activities, we may:
- use photographs in which you are identifiable to promote the activities of the Diocese
- seek and process your views, feedback or comments.
Where you are working on behalf of the Diocese:
- we process contact details such as names, titles, aliases, telephone numbers, addresses and email addresses
- we make your contact details available to others working on behalf of the Diocese in the Diocesan Directory which is either printed or made available online
- where they are relevant to our mission, or where you consent to provide them, we may process demographic information such as gender, age, date of birth, marital status, nationality, education/work histories, academic/professional qualifications, hobbies, family composition and dependants
- where required as part of our safeguarding procedures (including due diligence, Disclosure and Barring Service (DBS) checks and complaints handling), we will process data in accordance with our safeguarding policy as laid out in A Safe Church
- we process data as required to manage our employees and volunteers.
Where you make donations or pay for activities such as use of Diocesan premises:
- we process financial identifiers such as bank account numbers, payment card numbers, payment/transaction identifiers, policy numbers and claim numbers
- we process your data in order to maintain our own accounts and records, including the processing of donations and Gift Aid applications as required.
Where you apply for a role or where you follow a Diocesan discernment process to assess your suitability to be put forward for a role, we process application forms, interview notes and references.
Where you are a member of licensed clergy, a role holder or a person working under contract for the Diocese (for example, a DBF employee), we may process additional data related to your employment and benefits including expenses, housing and pensions.
The data we process is likely to constitute special category (sensitive) personal data because, as a church, the fact that we process your data at all may be suggestive of your religious beliefs. Where you provide this information, we may also process other categories of special category personal data such as racial or ethnic origin, mental and physical health, details of injuries, medication/treatment received, criminal records, fines and other similar judicial records.
4. Sharing your personal data
Your personal data will be treated as strictly confidential. It will only be shared with third parties where it is necessary for the performance of our tasks or where you give us your prior consent. It is likely that we will need to share your data with some or all of the following (but only where necessary):
- Crockford’s Clerical Directory to provide role and contact information for ordained ministers
- our agents, servants and contractors. For example, we use third parties to administer repairs and maintain Diocesan-managed property; we use a third party to process our DBS checks; we use commercial software to manage newsletter and email lists; and we use third-party software to manage our staff employment records
- the Charity Commission, where you are a trustee of one of our associated PCCs or charities
- other authorities in compliance with our legal responsibilities, for example, the relevant local authority in respect of council tax and utility companies in the case that the property you live in is managed by the Diocese.
5. How long do we keep your personal data?
We keep data in accordance with the guidance set out in Save or Delete: the Care of Diocesan Records, which is available from the Church of England at www.churchofengland.org/about/libraries-and-archives/records-management-guides. We will keep some records permanently if we are legally required to do so.
Where we no longer need to process your personal data for the purposes set out in the Privacy Notice, we will delete your personal data from our systems.
6. Your rights and your personal data
To exercise your rights, please send your request to us in writing (using the contact details below). When exercising your rights listed below, in order to process your request we may need to verify your identity for your security. In such cases we will need you to respond with proof of your identity before you can exercise these rights:
- the right to access information we hold on you
- the right to correct and update the information we hold on you
- the right to have your information erased. In the case that you request that we erase the data we hold, we will confirm whether the data has been deleted or the reason why it cannot be deleted (for example, because we need it for our legitimate interests or a regulatory purpose).
- the right to object to processing of your data
- the right to data portability
- the right to withdraw your consent to the processing at any time for any processing of data to which consent was sought
- the right to object to the processing of personal data where applicable
- the right to lodge a complaint with the Information Commissioner’s Office.
7. Transfer of data abroad
The UK is a third country outside the European Economic Area (EEA). Any electronic personal data transferred either to countries or territories inside the European Economic Area (EEA) or to other third countries, will be subject to safeguards. The two safeguards employed by the Diocese are (a) sending data to countries deemed under UK law as offering an adequate level of data protection or (b) ensuring that recipients of your data are contractually obliged to protect your data using contracts approved under UK law. Our website is also accessible from overseas so on occasion some personal data (for example in a newsletter) may be accessed from overseas. We take all reasonable steps to ensure that your personal data is processed securely and will only transfer your personal data outside the United Kingdom where it is compliant with applicable data protection legislation or is part of a contract with specific individuals or organisations and the means of transfer provides adequate safeguards in relation to your personal data.
8. Further processing
If we wish to use your personal data for a new purpose, not covered by this Privacy Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.
9. Contact details
Please contact us if you have any questions about this Privacy Notice or the information we hold about you or to exercise all relevant rights, queries or complaints by emailing the Data Protection Lead at: [email protected]
You can also contact the Information Commissioner’s Office on 0303 123 1113 or via email https://ico.org.uk/global/contact-us/email/ or by writing to the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.