Bethel Community Church Data Protection Policy Bethel Community Church holds and uses the personal data of the individuals who have given us their permission to do so for the purpose of general church administration and communication.
As a church, Bethel Community is committed to the correct and lawful treatment of personal data. In whatever medium a person’s data is held, whether paper or electronic, all data will be subject to the appropriate legal safeguards as specified in the General Data Protection Regulation 2018.
Bethel Community Church adheres to the principles of the GDPR that detail the legal conditions that must be met in relation to the obtaining, handling, processing, storage and transportation of personal data. All employees of Bethel Community Church and volunteers who are involved in any of the above activities must adhere to these principles.
The GDPR Principles
- Be processed fairly and lawfully
- Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose.
- Be adequate, relevant and not excessive for those purposes.
- Be accurate and where necessary, kept up to date.
- Not be kept for longer than is necessary for that purpose.
- Be processed in accordance with the data subject’s rights.
- Be kept secure from unauthorised or unlawful processing and protected against accidental loss, destruction or damage by using the appropriate technical and organisational measures.
- Not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
- Lawfulness and Confidentiality
The purpose of Bethel Community Church, as a registered charity, is to extend the knowledge of the message of Jesus throughout our city, our nation, and the world; to fundraise, to employ people, and to support those with the same purpose as our own. In order to achieve our registered purpose, the collection, storage, and processing of personal data is lawful and necessary. Every individual’s personal data will be treated as private and confidential. Therefore no data regarding an individual will be disclosed other than to the leadership and administrative team in order to facilitate the administration, communication and day-to-day ministry of the church.
All church staff and volunteers who have access to personal data are required to sign the Data Protection Policy.
There are four exceptional circumstance to the above permitted by law:
- Where we are legally compelled to do so.
- Where there is a duty to the public to disclose.
- Where disclosure is required to protect your interest.
- Where disclosure is made at your request or with your consent.
- Data Protection Officer
In adherence to the GDPR, Bethel Community Church has assigned a Data Protection Officer (DPO), as stated in Appendix 1. The DPO will ensure that all data is obtained, stored, and processed in compliance with the General Data Protection Regulation 2018.
- Use of Personal Data
- Bethel Community Church will use your information for three main purposes:
- The day-to-day administration of the church. Including: the practicalities of pastoral care, such as calls, visits, and gifts; preparation of ministry rotas; maintaining financial records of giving for audit and tax purposes.
- Contacting you to keep you informed on upcoming activities and events.
- Statistical analysis: e.g. birthdays, small group sizes, and gaining a better understanding of the church’s geographic locations and demographics. Any subject who has handed us their personal data has the right to opt out of any of these activities at any time. This can be achieved by a written request to the Data Protection Officer via the church office or the following email address firstname.lastname@example.org.
- Children’s Data
All personal information regarding children is held by Bethel Community Church with the direct consent of parents/guardians. Their personal data enables us to tailor our children’s ministry content to different age groups with differing numbers of children, and ensure we maintain a high standard of safety, including: a registration system for all groups; and child-to-adult ratios that are in line with our Child Safeguarding Policy. Any sensitive information, such as medical details, is held in order to help us implement our Safeguarding Policy. Only those who require access to this data have authorisation.
- The Database
The majority of personal information held by Bethel Community Church is done so via our database, the server for which is hosted securely in the UK . The database is password protected and can be accessed remotely through the Internet. Bethel Community Church will take appropriate technical and organisation steps to ensure the security of all personal data:
- Access to the database is strictly controlled through the use of name-specific passwords, which are chosen by the individual.
- Those authorised to use the database only have access to their specific area of use within the database. This is controlled by the DPO and other specified administrators. Only these people can access and set the security parameters.
- Those with secure and authorised access include: Bethel Community Church Staff, voluntary data inputters, Ministry Team Leaders, Small Group Leaders, and Bethel Community Church Trustees.
- All those with authorised access to the database will be made aware of their duties under the GDPR and be required to sign this policy.
- No personal data will be shared with any third party outside of the EU, and therefore beyond the remit of the GDPR, unless prior consent has been obtained from the individual.
- All access and activity on the database is logged and can be viewed by the database controller.
- Personal information will not be passed onto any third parties outside of the church environment, unless it falls under one of the exceptions in Section 1, or express permission is given by the data subject.
- Subject Consent – the need to process data for normal purposes has been communicated to all data subjects.
- Some of the data collection methods used by Bethel Community Church are paper-based. Any form containing personal information (baptism, membership, children’s work application, child consent) is kept in a locked and secure location for the purposes of proving initial consent to hold information.
- Rights to Access information
Under the GDPR 2018, all data subjects have the following rights regarding the personal data held by Bethel Community Church:
- Ask what information the church holds about them and why, and view that information.
- Ask how to gain access to it.
- Be informed how to keep it up to date.
- Request to opt out of receiving communication (this applies to section 9 – Retention of Data)
- Make certain elements of their information available to be shared with other church members. E.g. telephone number. OR restrict the availability of their personal information to church members.
- Be forgotten and removed from the database.
- Be informed what Bethel Community Church is doing to comply with its obligations under GDPR. Any data subject wishing to exercise any of these rights should make their request in writing to the Data Protection Officer. Bethel Community Church aims to comply with requests to personal information as quickly as possible, but will ensure that it is provided within 30 days of receipt of a written request.
- Rights to Access information
Accuracy Bethel Community Church endeavours to ensure the accuracy of all personal data we hold. Any inaccuracies can be amended upon the request of the individual.
- Retention of Data
In adherence to the principles of the GDPR, Bethel Community Church will NOT hold personal data for longer than its purpose requires.
- Members – The personal information of church members will be held as long as they remain members of Bethel Community Church. Upon leaving, any personal information held will remain active in the database for a maximum of 3 months for the purpose of statistical analysis. During this month period, the data will be archived for the purpose of a mailing list. See below for the archive data retention policy.
- Visitors – Bethel Community Church holds visitors’ personal information on a 6 month probationary period. If visitors do not return within those 6 months, their information is archived for the purposes of a mailing list which they can opt out of at any time.
- Archive – The personal information of visitors and members who are no longer coming or a member here will be archived for the following purposes: to keep them updated with events and activities; to hold a record that data subjects might require in the future – e.g. length of service in children’s ministry for a job application. The archive will be regularly reviewed, and data held for a maximum of 7 years before it is erased along with any paper copy documents.
- Secure Destruction
When data held in accordance with this policy is destroyed, whether in electronic or hardcopy form, it must be destroyed securely in accordance with best practice at the time of destruction.