DORKING METHODIST CHURCH AND CHRISTIAN CENTRE
DATA PROTECTION STATEMENT
The Dorking Methodist Church and Christian Centre are committed to protect your privacy and to process your personal information in accordance with the General Data Protection Regulations 2018
WHAT PERSONAL INFORMATION WE MIGHT NEED AND WHY
We may collect and process the following examples of personal information, although we may, at times, also need to collect other personal information that is not listed here:-
- Your name
- Contact information (for example address, telephone number, email address)
- Information about your education, qualifications, skills and expertise (employees only)
- Information about your age, ethnicity, gender, nationality, disability status (employees only)
- CCTV images in the Christian Centre
We may use/process this information to:-
- Contact you when necessary
- Maintain our Church membership records
- Manage the use of the Christian Centre by employees, volunteers, tenants and hirers.
- Share it with third parties only for the purpose of obtaining professional advice and in complying with our contractual obligations (almost exclusively for employees), or with the police in the case of CCTV images
We have appropriate measures in place to protect your information. We will handle and protect your information in line with our Data Protection Procedures and the following data protection principles are:-
- Personal data will be processed fairly and lawfully
- Personal data will be obtained only for one or more specified and lawful purpose(s) and will not be processed in a manner that is not compatible with that purpose(s)
- Personal data will be adequate, relevant and not excessive in relation to the purpose(s) for which they are processed
- Personal data will be accurate and where necessary, kept up to date
- Personal data will not be kept for longer than is necessary
- Personal data will be processed in accordance with the data subject’s rights under the GDPR
- Appropriate technical and organisational measures are in place to protect personal data from unauthorised or unlawful processing and from accidental loss, damage or destruction
ACCESSING YOUR INFORMATION (SUBJECT ACCESS REQUESTS)
Under the GDPR, you are entitled to ask for a copy of the personal information that we hold about you and to have any inaccuracies in your personal information corrected. When you submit a request for your personal information, you are entitled to:-
- Know what personal information we are processing or have processed
- Know why we have processed your personal data − the reason(s) and purpose(s) for the processing of your personal information
- Know if we have shared your personal information and if so, with whom and for what purpose(s)
- Requests for your personal information must be submitted to us in writing. Postal requests should be sent to either The Manager or the Church Council Secretary, as appropriate, at the following address:- Dorking Christian Centre, Church Street, Dorking RH4 1DW. Requests for CCTV images must be made within 4 weeks of the date when the images were taken as they are likely to be have been deleted after this time
- If at any time you feel that there is a problem with the way in which we are using your data you have a right to complain to the (Information Commissioner’s Office) ICO - helpline on 0303 123 1113
SHARING YOUR PERSONAL INFORMATION
- We may need to share your information with third parties, particularly for employees. This may be for a variety of reasons but will always be to enable us to undertake our statutory functions or to comply with our legal obligations
- When your personal information is shared it will be done so in line with the GDPR. You are entitled to know why and how we are sharing your personal information (as noted above) and the organisation or individual receiving your personal information will be required to protect your information in line with the GDPR. This is most likely to be in situations such as for employee’s pay and will never be to Third Parties for marketing purposes. CCTV images may at times be requested by the police
SHORT VERSION PRIVACY NOTICE
The Christian Centre is committed to protecting your privacy in line with GDPR 2018. Any personal data collected will be processed fairly and lawfully and only used for legitimate purposes. Please see a full GDPR Statement below.
Policy Concerning the General Data Protection Regulations
DATA PROTECTION STATEMENT
The Dorking Methodist Church and Christian Centre are committed to protecting the privacy of individuals and to process personal information in accordance with the General Data Protection Regulations (GDPR) 2018.
TO COMPLY WITH THESE REGULATIONS THE CHURCH AND CHRISTIAN CENTRE MUST:-
- Only collect data for the purpose for which it is required. e.g. for Gift Aid purposes and the reclaiming of tax from HMRC and only store that data for as long as it is needed for that purpose.
- Securely delete or destroy all records, preferably by shredding paper documents, once the purpose for which the Church or Christian Centre hold personal data has expired,.
- Never pass on personal data to a third party without consent.
- Complete an annual Data Audit of all the personal data held and verify that information has been updated, so that it is accurate. Any that is no longer required for the purpose for which it is stored, must be deleted. The lawful basis on which any data is stored, should be verified.
- Once an electronic device has come to the end of its shelf life, ensure that all data is erased and that the hard drive is wiped. The device should be disposed of using professional services. Employees should not use their own personal equipment so that data is not taken away once employment ceases.
- Remember that a person has the right to see the data the Church and Christian Centre are holding about them. Care is therefore needed as to what information is held and it must be possible to retrieve it quickly in the case of a data subject access request.
- Encrypt or password protect all communications sent electronically which contain sensitive personal data.
- Ensure that all computers, screensavers and documents are password protected. Passwords should be at least 8 characters long and include upper and lower characters as well as symbols and numbers.
- Ensure that the Privacy Notice is updated annually.
- Ensure that if anyone keeps personal data at home then it is stored in such a way that there is adequate protection from data breaches, that it is accurate, and limited to the purpose for which it is collected.
- Ensure that when a new person takes over a role, they should be given all the data held by the previous post holder or it must be deleted immediately as only the people who actually need the data should hold it.
THE USE OF THE CCTV SYSTEM
- The surveillance camera system (CCTV) is in operation solely for the purposes of monitoring the use of the building, particularly in ‘out of office’ hours, for the personal safety of staff members and to prevent crime. Disclosure of the images will only take place when it is necessary for these purposes or for law enforcement. Images will otherwise not be given to third parties.
- The images retained are the personal information of the people recorded and are therefore covered by the demands of the GDPR.
- The Centre Managers are responsible for monitoring the CCTV images. These will be stored on a computer in the Managers’ Office which is password protected. The images will normally be kept for no more than 2 months unless requested by the police or another responsible body, after which time all images will be deleted. No one else will monitor the images unless they are given express permission by the Managers.
- Notices warning people of the CCTV images will be displayed clearly at all entrances and inside the building.
- There will be regular checks on the quality of the images and also the accuracy of the date and time, particularly when the clocks change.
- If a Subject Access Request is made the Managers will consult the Handbook, The Data Protection Code of Practice, or contact the Information Commissioner’s Office (ICO) for advice. All data requests must be dealt with within 4 weeks, before any data is deleted.
- The legitimate aims and use of the system will be reviewed annually to ensure that data is not collected unnecessarily for the specific purposes identified.
- The CCTV system will be registered annually with the ICO.