General Privacy Notice
1. Your personal data – what is it?
‘Personal Data’ is any information relating to an identified or identifiable natural living person, commonly referred to as the ‘data subject’. Identification can be by the information alone or in conjunction with any other information that the data controller may possess or be likely to obtain. The processing of personal data is governed by the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 & The Privacy and Electronic Communications Regulations (PECR).
2. Who are we?
This Privacy Notice is provided to you by the Diocese of Southwark which is the data controller. This means it decides how your personal data is processed and for what purposes. The Diocese of Southwark works with a number of different organisations and office-holders below to deliver the Church’s mission in the community:
- The Southwark Diocesan Board of Finance (DBF);
- The South London Church Fund;
- PCCs of the parishes within the Diocese and the incumbents of these parishes;
- Bishops and Archdeacons of the Diocese of Southwark;
- Together Southwark;
- Southwark Diocese Mothers’ Union; and
- The Church of England National Church Institutions (NCIs).
3. How do we process your personal data and what is the legal basis of processing your data?
Where your Diocesan role requires or where you have consented to receive communications:
- we send communications which you have requested and that may be of interest to you. These may include information about campaigns, appeals, other fundraising activities
- we send information related to fundraising and promotion of the interests of the Diocese.
Where you have taken part in one of our events or activities and where you have given consent:
- we may use photographs in which you are identifiable to promote the activities of the Diocese
- we may seek and process your views, feedback or comments.
Where you are working on behalf of the Diocese:
- we process contact details such as names, titles, aliases, telephone numbers, addresses, and e-mail addresses
- we make your contact details available to others working on behalf of the Diocese in the Diocesan Directory which is either printed or made available online
- where they are relevant to our mission, or where you consent to provide them to us, we may process demographic information such as gender, age, date of birth, marital status, nationality, education/work histories, academic/professional qualifications, hobbies, family composition, and dependants
- where required as part of our safeguarding procedures (including due diligence a Disclosure Barring Service (DBS) checks and complaints handling) in accordance with our safeguarding policy A Safe Church
- to manage our employees and volunteers.
Where you make donations or pay for activities such as use of Diocesan premises:
- financial identifiers such as bank account numbers, payment card numbers, payment/transaction identifiers, policy numbers, and claim numbers
- to maintain our own accounts and records including the processing of donations and Gift Aid applications as required.
Where you apply for a role or where you follow a Diocesan discernment process to assess your suitability to be put forward for a role we process application forms, interview notes and references.
As a member of licensed clergy, role holder or person working under contract for the Diocese (e.g. DBF employee) we may process additional data related to your employment and benefits including expenses, housing and pensions.
The data we process is likely to constitute special category (sensitive) personal data because, as a church, the fact that we process your data at all may be suggestive of your religious beliefs. Where you provide this information, we may also process other categories of special category personal data such as: racial or ethnic origin, mental and physical health, details of injuries, medication/treatment received, criminal records, fines and other similar judicial records.
4. Sharing your personal data
Your personal data will be treated as strictly confidential. It will only be shared with third parties where it is necessary for the performance of our tasks or where you give us your prior consent. It is likely that we will need to share your data with some or all of the following (but only where necessary):
- Crockford’s Clerical Directory to provide role and contact information for ordained ministers
- our agents servants and contractors. For example, we use third parties to administer repairs and maintenance to Diocesan managed property; we use a third party to process our DBS checks; we use commercial software to manage newsletter and e-mail lists; we use third party software to manage our staff employment records
- to the Charity Commission where you are a trustee of one of our associated PCCs or charities
- to other authorities in compliance with our legal responsibilities. For example to the relevant local authority in respect of council tax and utility companies in the case that the property you live in is managed by the Diocese.
5. How long do we keep your personal data?
We keep data in accordance with the guidance set out in Save or Delete: the Care of Diocesan Records which is available from the Church of England here. We will keep some records permanently if we are legally required to do so.
Where we no longer need to process your personal data for the purposes set out in the Privacy Notice, we will delete your personal data from our systems.
6. Your rights and your personal data
To exercise your rights, please send your request to us in writing (using the contact details below). When exercising your rights listed below, in order to process your request, we may need to verify your identity for your security. In such cases we will need you to respond with proof of your identity before you can exercise these rights:
- the right to access information we hold on you
- the right to correct and update the information we hold on you
- the right to have your information erased. In the case that you request that we erase the data we hold, we will confirm whether the data has been deleted or the reason why it cannot be deleted (e.g. because we need it for our legitimate interests or a regulatory purpose)
- the right to object to processing of your data
- the right to data portability
- the right to withdraw your consent to the processing at any time for any processing of data to which consent was sought
- the right to object to the processing of personal data where applicable
- the right to lodge a complaint with the Information Commissioner’s Office.
7. Transfer of data abroad
From 1 January 2021, the UK will become a third country outside the European Economic Area (EEA). Any electronic personal data transferred either to countries or territories inside the European Economic Area (EEA) or to other third countries, will only be placed on systems complying with measures giving equivalent protection of personal rights either through international agreements or contracts approved by the United Kingdom. Our website is also accessible from overseas so on occasion some personal data (for example in a newsletter) may be accessed from overseas. We take all reasonable steps to ensure that your personal data is processed securely and will only transfer your personal data outside the United Kingdom where it is compliant with applicable data protection legislation or is part of a contract with specific individuals or organisations and the means of transfer provides adequate safeguards in relation to your personal data.
8. Further processing
If we wish to use your personal data for a new purpose, not covered by this Privacy Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.
9. Contact details
Please contact us if you have any questions about this Privacy Notice or the information we hold about you or to exercise all relevant rights, queries or complaints to The Data Protection Lead E-mail: [email protected]
You can also contact the Information Commissioner’s Office on 0303 123 1113 or via e-mail https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.