Glenavy Parish Data Protection Policy
Glenavy Parish (‘the Parish’) has a duty to respect and protect personal identifiable data, complying with the regulations set out in the EU General Data Protection Regulations (GDPR) and as enshrined in the UK Data Protection Act 2018.
Glenavy Parish holds a range of personal data relating to its members, attendees at parish run organisations and activities, voluntary helpers, employees and contractors. This policy, which applies to all personal data held by the Parish (including manual, electronic, photographic, audio, and whether held centrally in the Parish office, or by a Parish employee or a Parish Volunteer Leader’s records in their home). It sets out the data protection principles, how the Parish manages its records (including retention and disposal), the procedure for responding to a subject access request (SAR) and the procedure to be followed in the event of a data breach.
All Parish employees and volunteers are required to comply with this policy.
General Data Protection Principles
The GDPR sets out seven key principles:
Lawfulness, fairness and transparency in the use of personal data;
Purpose limitation (limiting the processing of personal data to specified, explicit and legitimate purposes);
Data minimisation (only collect the minimum amount of data that is necessary);
Integrity and confidentiality (security);
These principles lie at the heart of the Parish’s approach to processing personal data.
The GDPR provides the following rights for individuals:
The right to be informed;
The right of access;
The right to rectification;
The right to erasure (note this right is not absolute, and depends on the lawful basis for holding the data);
The right to restrict processing;
The right to data portability;
The right to object;
Rights in relation to automated decision making and profiling.
Glenavy Parish is committed to the following:
Using and collecting personal data in line with the appropriate lawful basis. Much of the personal data held by the Parish is held under the lawful basis of ‘legitimate interest’ (i.e. necessary for the legitimate interest of running the Parish), while other data is held by consent. Appendix 1 lists the types of data held and the lawful basis for holding the data.
Storing personal data safely and securely, whether electronic or manual, held in the Parish office or off-site. (Appendix 2 - Data Security)
Restricting access to data to only those who need to have access to it.
Only keeping data for as long as it is necessary to keep the data (See Retention and Disposal Schedule in Appendix 3).
Informing individuals of the personal data we hold and the reason for holding it, both at the point of collecting the data and through the Parish Privacy Notice on our web site (www.glenavyparish.co.uk). The Parish notice sheet and posters in Parish facilities are also used to inform people.
Responding to requests to view, update, delete (where appropriate) an individual’s personal data. (See Appendix 4 - Responding to Subject Access Requests)
Responding quickly and appropriately in the event of any data breach. (See Appendix 5 - Responding to a Data Breach)
Parish Data Protection Officer
Name: Derek Gilmore
Contact Details: Admin@Glenavyparish.org
Address: St Aidan’s Parish Church, 2 Belfast Road, Glenavy, Crumlin, BT29 4LL
For further information on data protection, please see the Information Commissioner Office website -
Appendix 1: Lawful Basis for holding data
The Parish undertook an audit of all data held in March/April 2018, using the Church of Ireland data audit template. The template was issued to all employees and volunteers who may have been holding personal data. Following the return of the completed audit templates a meeting was held to review the data. The meeting was chaired by the Rev Rutter and was attended by the majority of those holding data (Parish Children’s Worker, Honorary Treasurer, Honorary Secretary, Parish Administrator, Parish Commissioned Lay Minister (CLM?) and Mothers Union Branch Leader. A smaller sub-group was established, comprising Rev Rutter, Parish Administrator, Children’s Worker and Honorary Secretary. The sub-group reviewed all the data and agreed on the lawful basis for holding the data (based on Church of Ireland guidance). The sub-group also agreed procedures to maintain a secure and single data base for Parish membership records (using the Omega system), as well as a procedure for seeking consent for the use of data for ‘marketing’ purposes.
The Parish Database includes data on all parishioners - names, address, telephone number, email address, baptism date (note all fields will not be held for all parishioners). This data is held under legitimate interest, that is to enable the legitimate purpose of running the Parish (including provision of pastoral care, funerals, baptisms, weddings of parishioners, as well as to identify ‘members’ who are eligible to be included in the Parish Register and therefore vote at the annual Easter Vestry meeting and be elected to the Select Vestry).
However, it is recognised that this legitimate interest does not include a right to communicate directly with Parishioners to inform them about, for example, news, events, activities or services. The Parish therefore undertook an exercise to seek the explicit consent of Parishioners to communicate with them for these purposes. Parishioners were asked to complete a consent form (either confirming agreement or not) at Sunday Services during late May/ early June 2018. Those not present at any of these services were written to.
This data is stored on the Parish Omega (electronic) system, ensuring that a single master copy can be kept accurate (and can ensure that records are deleted if requested by an individual). The data is password protected, and access is restricted to the Vicar, Honorary Treasurer and Parish Administrator.
Data is held relating to gift aid declarations, staff account details, staff tax/national insurance details, lay staff account details and freewill offerings.
Parishioners who have made gift aid declarations, have consented to the Parish holding this data through the completion of the necessary gift aid declarations.
Data on freewill offerings is held under legitimate interest for the legitimate purpose of running the Parish (as above).
Data on employed staff and lay staff accounts is held under legitimate interest for the legitimate purpose of paying direct Parish employees or the Parish Diocesan Readers for services provided.
Data is held on children who attend the various Parish organisations/activities (including GB, Spark, Jigsaw, YF, Holiday Bible Club, Rocky’s Plaice, Blaze, Magic Monday), for the legitimate interest of running the organisation/activity. This includes data necessary under Child Protection (Safeguarding) requirements, health related data and parent/guardian contact details, for the safety of children attending.
It should be noted that parent/guardians also provide signed parental forms when providing information.
Information is also held in respect of staff and volunteers helping with children’s activities, as required for the statutory duty of Safeguarding Trust (legitimate interest). Information held includes; Worker Application Forms, Interview Notes, Referee Forms, Declaration of Acceptance of Safeguarding Trust and a “duty of care”, Forms for verification of Access NI checks, Annual Prosecutions Pending Forms, Accident and Incident forms, Form for reporting child protection concerns.
The Open Door
Data is held in respect of older people attending ‘The Open Door’, including data relating to health and emergency contacts. This data is held under legitimate interest, for the purpose of running the ‘Open Door’ and ensuring the safety of those attending.
Select Vestry/Charity Trustees
Data is held on members of the Select Vestry, under legitimate interest for the purpose of contacting members to ensure the running of the Parish (as per the purposes of the select vestry). Personal details as required by the Charities Commission are recorded on the secure Charities Commission website.
Various essential tasks and duties for the purpose of running the Parish are carried out by a number of rotas. Only the contact details are retained, as provided by the rota members, and this data is only shared with the members of that particular rota (i.e. for the purpose of enabling the ‘swapping’ or rotas and for those who need the information for the purposes of managing the service.) Names (and not contact details) may only be included on rota lists on church notice boards.
Appendix 2 - Data Security
All data relating to Glenavy Parish, and personal data in particular, should be held securely and safely. The following guidelines should be adhered to:
Always only hold and retain the minimum amount of personal data you require (for the specified legitimate purpose) for the minimum amount of time you need it (also see appendix 3).
Personal data should never be shared with anyone who is not authorised to receive it. (NB data can be shared if there is a legitimate purpose for doing so, i.e. a small amount of personal data can be shared with another leader if there is a legitimate and demonstrable need to do so.) Also personal data can be shared with the relevant regulatory authority, eg PSNI, or Health and Social Services, where this is necessary to ensure the safety of an individual, and where it is lawful to do so.
Personal data, whether electronic or hard copy, should be stored securely and safely.
Electronic data should always be password protected.
Where a specific electronic software, eg Omega, is used, data access controls should be set up to ensure that legitimate multiple users can only access the data that they need to see.
Computers should not be left switched on and unattended where non-authorised individuals can access them.
It is recognised that authorised Parish users may access data from personal computers/laptops in their own homes. It is essential that the same security measures are applied to these.
Where laptops are used, these must be kept in a safe and secure place. Laptops should never be left unattended, should never be left in a visible place in a vehicle, public wi-fi should never be used to access personal data, and personal data should never be viewed in a public space.
Hard copy data, where kept in the Parish Hall, must always be kept in a locked filing cabinet. The key should be kept in a secure place, which should only be known to those who have authority to have access to the data.
Hard copy data may legitimately be kept in the home of an authorised church volunteer. It is the responsibility fo the volunteer to ensure that any personal data, relating to Glenavy Parish, that they hold, is kept in a secure place (locked in a secure cupboard, desk or safe), and is not accessible to anyone else (including family members) in their home.
ALWAYS REMEMBER PERSONAL DATA IS PERSONAL TO THE INDIVIDUAL TO WHOM IT BELONGS. WE NOT ONLY HAVE A LEGAL RESPONSIBILITY, BUT ALSO A CHRISTIAN RESPONSIBILITY, TO ENSURE THAT WE TREAT IT WITH APPROPRIATE RESPECT.
APPENDIX 3 - Retention and Disposal Schedule
When a volunteer (or Parish employee) stands down from their role (which necessitates them to hold personal data), they must ensure that they return all personal data to the Parish. It may not be necessary for all the personal data to be forwarded to the new volunteer or employee, rather it may need to be dealt with in line with this retention and disposal schedule. It is the responsibility of the retiring volunteer to make contact with the Parish Data Protection Officer to discuss the personal data they continue to hold and what should be done with it.
The Vicar should always be aware of who is standing down/taking up a volunteer (or employed) leadership role, and he should have oversight of this process, reminding the individual that they need to ‘pass on’ any records they hold (electronic and hard copy), and ensuring that the Parish Data Protection Officer is involved.
The need to retain data varies depending on the type of data. Some data can be immediately deleted, and some must be retained until reasonable potential for future need no longer exists. This schedule sets out the principles of retention and disposal for Glenavy Parish, as a guide to when and for how long data should be retained and when it should be disposed of.
Retention and Disposal should be in line with the EU General Data Protection Regulations, UK Data Protection Act 2018, legislation relating to the retention of public records in Northern Ireland and other relevant legislation and regulations pertaining to the wider Church of Ireland, as stipulated by the RCB.
Good practice suggests that any data held should only be kept for a long as it is necessary and useful. Personal data should not be held indefinitely unless there is a valid reason for doing so. Data should always be deleted if an individual has withdrawn consent (unless there is a legal reason that requires it to be kept), if a contract has completely completed (and there is no legal reason to retain the data), or if the data is no longer up to date. Certain elements of data can be held indefinitely if these are anonymised (removing personally identifiable data).
This Retention and Disposal schedule applies to both electronic and hard copy data.
Once the retention disposal timeframe expires, the data must be securely destroyed. Hard copy data should be shredded, ensuring that no recognisable personal data remains. Electronic data must be securely and completely destroyed (deleting the data from hard-drives and any cloud based software without the option for recovery). Any computers, tablets, laptops that have held personal data must also be securely disposed of at the end of their life, to ensure that no residual personal data can be transferred to a third party. Please note that failure to dispose of personal data/equipment holding personal data securely may result in a data breach, with resultant distress to the individual, reputiational damage to the Church and severe financial penalties for the church.
It should also be noted that data must not be destroyed in violation of this policy.
APPENDIX 4 - Responding to Data Subject Access Requests
Subject access requests can be made verbally or in writing, addressed to the Vicar or the ParishData Protection Officer.
Requests must be made by the data subject (i.e. the individual who’s data is requested), his/her authorised representative or if a child (18 years or under), by their parent or legal guardian (with evidence of authority to act).
An individual is only entitled to their own personal data and not to information about anyone else.
The Parish data protection officer will deal with all requests, liaising with the relevant Parish data holder, as appropriate, to obtain the data.
Data subject access requests will be responded to promptly and no later than one month from receipt of request.
Data subject access requests will be responded to in writing.
A request may be refused if it is manifestly unfounded or excessive. The requester should be informed of the decision to refuse the request without undue delay. The response should include the reasons for refusing the request, and their right to make a complaint to the ICO.
The Parish data protection officer should maintain a record of all data subject access requests and the response given.
APPENDIX 5 - Data Breach Procedure
A data breach may relate to electronic or manual records. It includes the physical loss of data, loss of computer equipment holding personal data, cyber security (‘hack’) attack, sharing of personal data with anyone who should not receive it, theft etc. (This is not an exhaustive list)
Any suspected data breach must be reported immediately to the Parish Data Protection Officer.
It is the Parish Data Protection Officer’s responsibility to ensure that the Vicar is kept fully informed.
Immediate steps should be taken to contain the breach.
The Parish Data Protection Officer will carry out an investigation to ascertain the nature of the breach, including how it happened, the type of data and the scope.
A decision will be taken regarding the need to inform the data subjects (i.e. the individuals whose data has been lost or compromised), taking full account of the need for transparency, but also recognising where the breach has been contained and informing may cause unnecessary distress.
Consideration should be given to the need to inform the Diocesan Office, the PSNI or the ICO, depending on the nature of the breach. (Nb if the incident needs to be reported to the ICO, this must take place within 72 hours of becoming aware of the breach, where feasible.)
A report should be prepared, including learning from the incident. Immediate steps should be taken to ensure (where appropriate) that a similar breach does not happen in future.
The report of the incident should be presented to the vestry, and steps taken to share learning as appropriate with other data holders in the parish.