This policy (inclusive of Schedules 1-7 annexed) is for the use of Committee, staff, and volunteers who serve in BCEC, and takes effect on May 25, 2018.
In this policy:
- “BCEC” is the Birmingham Chinese Evangelical Church of 14 Upper Gough St, Birmingham B1 1JG (Registered Charity Number 1048256).
- A data subject is a person whose personal data is held by/processed by BCEC in the course of its work as a registered charity.
- Personal Data is data relating to a living individual who can be identified from that data
- Sensitive Personal Data is as defined by the Data Protection Act
- The BCEC Data Manager is a member of the BCEC Committee whose duties include implementation of this policy and the management of Personal Data and Sensitive Personal Data under this policy.
- A Permitted Personal Data Holder is a person who is authorised to hold and process personal data as shown in the BCEC Data Protection Overview document.
Policy principles operational within BCEC
- BCEC will comply with the eight core GDPR principles in relation to Personal Data:
- Fair and lawful processing
- Obtaining data only for a specified and lawful purpose
- Adequate, relevant and not excessive
- Accurate and where necessary, kept up to date
- Not kept longer than necessary
- Processed in accordance with statutory rights
- Taking measures to ensure unauthorised or unlawful processing and against accidental loss of destruction of or damage to it
- Not transferring data outside the European Economic Area without adequate levels of protection for the rights of data subjects
- Accordingly, Personal Data collected by and used by BCEC will only be for the purpose stated when collected, or as agreed with a data subject at a later date. This will normally be stated in a privacy notice given when the data is collected (Schedule 4). BCEC may also rely on other bases such as legitimate purpose when processing data.
- No Personal Data is to be shared by BCEC with any outside party or agency unless required by statutory authority or under the performance of a contract, and it would be reasonable for the data subject to anticipate that the data would be shared (e.g. processing of Gift Aid records, audit or management of BCEC accounts and records by an accountant or auditor employed under contract by BCEC).
- No Sensitive Personal Data is to be collected, processed, or held by BCEC, unless it is appropriate for BCEC as a Christian church to do so, and only with the consent of the Data Subjects.
- In relation to children under 16, data will only be collected from and with the consent of the parent/guardian who represents that they have the right to give the information, and the collected data should be handed without delay to the leader of the group the child is joining who will retain it securely.
- BCEC will appoint a member of the committee as the BCEC Data Manager, who will also handle complaints, or requests for data access from a data subject.
- The Overview (Schedule 1) lists the persons authorised to hold, access, and process Personal Data in BCEC.
Policy adopted 2018
Review date 2020
Schedule 1: BCEC Data Protection Overview document
Schedule 2: Security of information
- Only a person listed in the Overview (Schedule 1) as a Permitted Personal Data holder is entitled to hold and process personal data. If the data is on paper, it is to be filed in a secure place, and if on an electronic device, it is to be password protected or encrypted. The only exceptions to this are items of data in the public domain.
- Additionally, BCEC staff and volunteers are permitted to hold and process Personal Data which has been provided to them by data subjects and processed under legitimate interest where it is clear that the data subject would reasonably expect that member of staff or volunteer to receive, process and retain their personal data. Such Personal Data is to be held securely in the same way as Personal Data processed by a Permitted Personal Data holder.
- Others may be permitted to access data, as shown in the Overview, but only as and when it is necessary to do so, and not as a general right.
- Where a member of the BCEC staff team or a volunteer travels (whether in the European Economic area or outside) with a laptop computer or other electronic device on which personal data is processed, they are required to ensure that the data is at all times security password protected or encrypted, and they are expected to take care not to lose or mislay the laptop or device. Loss of any such device and any loss of data is to be reported immediately to the BCEC Data Manager with a full report as to the circumstances in which this has occurred. The BCEC Data Manager will then consider what further steps are to be taken (See Schedule 7 – Breaches of Policy etc).
Schedule 3: Conditions for processing
3.1 Consent. Where possible, data subject consent will be requested before the collection of data that is not in the public domain. This will normally take the form of a privacy notice on a form, with provision where appropriate for a signature or other form of acknowledgement on the part of the data subject which will operate as an “opt in” consent.
3.2. Legitimate Interest. Some data subject contact with BCEC will be classified as legitimate interest. The classification cannot be retrospective: if legitimate interest is to be relied upon an assessment must have been made prior to collection of the data.
3.2.1 Data provided by people wishing to sign up for or be involved with events arranged by a staff worker or volunteer in their own locality will be treated as legitimate interest, on the basis that it would be reasonable for the data to be held and processed, and that the data subject would reasonably anticipate this. A short form privacy notice will be included (see Schedule 4 para 2 below).
3.2.3 All the rights of data subjects still apply in the case of data treated by BCEC as being processed by BCEC staff and volunteers under the category of legitimate interest, whether or not a privacy notice has been given to the data subjects concerned. Such data is not to be used for any other purpose without first issuing a privacy notice and obtaining the consent of data subjects (e.g. data from a staff members personal mailing list cannot be used for BCEC mailings without such consent being obtained).
3.3 Data processing for the performance of a contract (e.g. a staff employment contract) will not require the prior consent of the data subject.
3.4 Regardless of the condition under which BCEC processes personal data, BCEC will not in any event give, sell or part with personal data to another party, except as stated in the Overview, or under statutory authority.
Schedule 4: Privacy Notices
- The purpose of a privacy notice is to explain to data subjects the ways in which BCEC will process personal data and uphold the rights of data subjects.
- Specimen short form BCEC privacy notice:
The information given on this form will be used only for the purposes of [state purpose]. It will not be disclosed to any other party. To see the full BCEC Privacy Notice please visit https://www.thebcec.org.uk/Downloads/BCECPrivacyNotice.pdf
BCEC Data Privacy Notice
Your personal data – what is it?
Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. The processing of personal data is governed by the General Data Protection Regulation (the “GDPR”).
Who are we?
The Committee of BCEC is the data controller (contact details below). This means it decides how your personal data is processed and for what purposes.
How do we process your personal data?
The Committee of the BCEC complies with its obligations under the “GDPR” by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.
E-Mail and postal communications to you may be sent through a third party supplier for mail delivery, only using your data in accordance with this notice.
We use your personal data for the following purposes:
- To enable us to provide a voluntary service for the benefit of the public in a particular geographical area as specified in our constitution;
- To administer membership records;
- To fundraise and promote the interests of the church;
- To manage our employees and volunteers;
- To maintain our own accounts and records (including the processing of gift aid applications);
- To inform you of news, events, activities and services running at BCEC;
- To share your contact details with the Church office so they can keep you informed about news in the Church and events, activities and services that will be occurring in the Church and in which you may be interested.
Processing your personal data.
In the case of contact with the BCEC office, personal data you give to us is processed on the basis of your consent. With that consent we can keep you informed about our work, our news, activities, and process gifts and gift aided gifts. Data processed under legitimate interest will not be used for other purposes without your consent.
Sometimes personal data may be gathered by BCEC using third party websites and programmes, for example (but not limited to) Facebook, WhatsApp, Mailchimp or WeChat. BCEC can give no warranty as to the way in which personal data is processed by such third parties. You should check their websites for details of their privacy policies.
Will we share your personal data?
We will not share your data with any third party unless required to do so by law (e.g. Gift Aid claims to HMRC). Data may be used as mentioned above solely within BCEC and only for the purposes of our work. We will only share your personal data with third parties outside of the BCEC with your consent.
Is data kept forever?
No, we cannot retain it forever. Some, such as Gift Aid records and accounting records have to be kept for at least 6 years. Your personal data will be held in our records during the period of our active relationships. We will not keep your data for any longer than is necessary. Once it is no longer required we will take all reasonable steps to destroy it or erase it from our systems.
Your rights – your data
Subject to limited exemptions under GDPR you have the following rights:
- The right to request a copy of your personal data which the Committee of BCEC, holdsabout you;
- The right to request that the Committee of BCEC corrects any personal data if it is found tobe inaccurate or out of date;
- The right to request your personal data is erased where it is no longer necessary for theCommittee of BCEC to retain such data;
- The right to withdraw your consent to the processing at any time
- The right to request that the data controller provide the data subject with his/her personal data and where possible, to transmit that data directly to another data controller, (known as the right to data portability), (where applicable) [Only applies where the processing is based on consent or is necessary for the performance of a contract with the data subject and in either case the data controller processes the data by automated means].
- The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;
- The right to object to the processing of personal data, (where applicable) [Only applies where processing is based on legitimate interests (or the performance of a task in the public interest/exercise of official authority); direct marketing and processing for the purposes of scientific/historical research and statistics]
- To complain to the Information Commissioner’s Office (details below)
If you have any concern about our use of your personal data, please contact
BCEC Data Manager,
BCEC, 14 Upper Gough Street, Birmingham, B1 1JG
The Information Commissioner’s Office: Wycliffe House, Water Lane Wilmslow Cheshire SK9 5AF
Schedule 5: Retention of records
4.1 Records relating to staff and volunteers may be retained until:
4.1.1 the expiry of the limitation period for actions in contract or in tort
4.1.2 the expiry of the period required for Inland Revenue purposes, or for pension records.
4.2 Other records will only be retained insofar as necessary for the work and mission of BCEC.
4.3 All records are to be held securely by the permitted Personal Data holder for that category of data subject at BCEC. Out of date records are to be destroyed/deleted. Subject to any statutory exceptions, all requests from data subjects for amendment or deletion of personal data are to be dealt with promptly.
Schedule 6: Complaints and disclosure requests
5.1 The BCEC Data Manager will receive and deal with any complaints regarding the handling of data by BCEC. Replies to complaints are not to be given by staff.
5.2 If a data subject requests details of data on them held by BCEC, the BCEC Data Manager will contact the Permitted Personal Data holders for details of the data held by BCEC and will respond to the person making the request to provide the information within 30 days.
Schedule 7: Breaches of policy/legal requirements
If there is a breach or alleged breach of this policy, the BCEC Data Manager is to review the matter and consider what further steps (if any) are required. In the event that notification to the Information Commissioner’s Office is legally required, the Data Manager will seek clearance to do so from the Committee Chairman (or if not available another member of the Church Committee), and simultaneously with such notification to the Information Commissioner will inform any data subject affected that the notification is being given. Any notification given to the Information Commissioner is also to be advised promptly to the Chairman of the BCEC Committee.