Data Protection Policy
Hillview Community Church
1. Your Personal Data – What is it?
As part of the work of Hillview Community Church, we need to process personal data. “Personal data” is any information about a living individual which allows them to be identified from that data (for example name, phone number, email address or address). Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. The process of personal data is governed by the Data Protection Act 2018 (the “Act”) and the General Data Protection Regulations 2018 (the “GDPR”).
2. Who are we?
Hillview Community Church is the data controller of the information. This means we decide how your personal data is processed and for what purposes.
3. What personal information do we hold?
The data we process is likely to constitute sensitive personal data because, as a church, the fact that we process your data at all may be suggestive of your religious beliefs. The information we hold includes:
- Names and titles;
- contact details such as telephone numbers, address and email addresses;
- date of births;
- details of members and church family who are baptised;
- Where you make a donation or pay for activities involving the church; financial identifiers such as bank account numbers, payment card numbers, payment transaction identifiers;
- camera or video footage that identifies individuals (where prior consent has been obtained);
- Information contained in checks provided by Disclosure Scotland;
- Your participation in rotas for service in the church;
- Information relevant to your suitability for membership and participation in rotas for service in the church;
- Information contained in emails or other correspondences from you and record of telephone calls or meetings with you;
- Information shared for the purposes of pastoral care;
- Medical information where necessary to ensure that the care and hospitality that we provide for you is appropriate to your needs;
4. Who has access to your personal information?
The church leadership team, elders, small group leaders, ministry leaders, child protection officers and administrative staff will have access to your personal information. Members of the church and our church family will not have access to your without your prior consent. Sensitive information will only be accessed by those who require access to run specific ministries within the church, i.e. child protection.
5. Whose information do we hold and why?
Information is held in relation to friends of the church, members, former members and those who have regular contact in connection with the pursuit of our purposes as a church. Personal data is not disclosed outside the church processes without the consent of the data subject (i.e. those to whom the data belongs).
Hillview Community Church will comply with their legal obligations under the GDPR to keep personal data up to ; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.
We will collect and handle your personal information either with your consent or because it is necessary for us to do so for the purposes of our legitimate interests outlined above. Personal data collected could be used in a number of ways:
- To tell you about events that the church is running which we think may be of interest to you and to keep you updated about church services, activities and resources;
- To provide pastoral care, support, teaching and challenge for you in accordance with the teaching of the Bible;
- To enable and maintain appropriate safeguarding arrangements for our children, young people and vulnerable adults;
- To help our church family identify where they could serve in the life of the church;
- To administer membership records and maintain our own financial accounts and records (including the processing of donations and gift aid applications);
- For your personal information to be stored on the external email marketing platforms.
As a church, we use a third-party instant messaging service, WhatsApp, for our messenger app service. Hillview Community Church uses WhatsApp groups to organise events, small groups and our various ministries. These groups require you to opt in and you are free to leave the WhatsApp group at any time through the Group Info settings. The WhatsApp group will only be used in accordance with the objective of the church. Where you agree to be included within groups, your mobile number and personal information will be stored on the app and the other members of the group have access to your mobile number and other personal information saved within your profile.
8. Storage of Personal Data
Hillview Community Church shall take reasonable and appropriate security measures to protect the storage of personal data, such as:
- Storing hardcopies of documents with personal records in locked filing cabinet systems and locked rooms;
- Electronic files will be saved on locked computers.
Hillview Community Church will ensure that:
- that host personal data are secured and protected against unauthorised access.
- Hillview Community Church computers and other electronic devices that may access or store personal data are password protected and encrypted. Computers and electronic devices will not be used for personal matters.
- Where information is processed outside of the European Economic Area, we will ensure that the personal data is protected in accordance with Chapter V of the GDPR or to the equivalent standards. .
9. What is the legal basis for processing your personal data?
Data is processed by Hillview Community Church because it is necessary for our legitimate interests. An example of this would be our safeguarding work to protect children and adults at risk. We will always take into account your interests, rights and freedoms.
Religious organisations are permitted to process information about your religious beliefs to administer membership or contact details. Processing is carried out by a not-for-profit body with a religious aim provided: –
- the processing relates only to the church family and church members (or those who have regular contact with the church);
- there is no disclosure to a third party without consent.
Hillview Community Church will ensure that your explicit consent has been obtained so that we can keep you informed about news, events, activities and services and process your gift aid donations and keep you informed about church events and to further the objectives of the church. Where your information is used other than in accordance with one of these legal bases, we will first obtain your consent to that use.
10. Sharing your personal data
Your personal data will be treated as strictly confidential and will only be shared with other members and friends of the church in order to carry out a service to other church members or for purposes connected with the church. We will only share your data with third parties outside the church with your prior written consent.
11. Data Retention Policy
. It may also be archived as part of our historical record of membership of the church. You can withdraw consent for us to hold your data at any time and we will immediately take action to delete/destroy it. Past members and members of the church family will be kept on mailing lists until they ask to be removed.
In general, we will endeavour to keep data only for as long as we need it. This means that we may delete it when it is no longer needed without your prior consent.
We will keep some records permanently where we are legally required to do so. We may keep some other records for an extended period of time. For example, it is current best practice to keep financial records for a minimum period of 7 years to support HMRC audits.
Hillview Community Church shall ensure the disposal of personal data is performed appropriately with little possibility to recover the information from the disposal process. Such methods may include shredding paper records and deleting and wiping electronic records.
12. Your Rights and your personal data
Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data: –
When exercising any of the rights listed below, in order to process your request, we may need to verify your identity for your security. In such cases we will need you to respond with proof of your identity before you can exercise these rights.
- The right to request a copy of your personal data which Hillview Community Church holds about you;
- Information will be provided within 30 days.
- The right to request that Hillview Community Church corrects any personal data if it is found to be inaccurate or out of date;
- If the data we hold on you is out of date, incomplete or incorrect, you can inform us and your data will be updated.
- The right to request that your personal data is erased where it is no longer necessary for Hillview Community Church to retain such data;
- If you feel that we should no longer be using your data you can request that we erase the data that we hold
- The right to withdraw your consent to the processing at any time;
- The right to data portability
- You have the right to request that we transfer some of your data to another controller. We will comply with your request, where it is feasible to do so, within one month of receiving your request.
- The right to object to the processing of personal data (where applicable);
- The right to lodge a complaint with the Information Commissioners Office.
- The right to request a copy of your personal data which Hillview Community Church holds about you;
13. Further Processing
If we wish to use your personal data for a new purpose, not covered by this Data Protection Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. When and wherever necessary, we will seek your prior consent to the new processing.
14. Contact Details
Please contact us if you have any questions about this Privacy Notice or the information we hold about you or to exercise all relevant rights, queries or complaints:
The Data Controller is: Hillview Community Church
Points of contact: Andrew Wilson and Paul Thomson
Address: Hillview Community Church, Earlswells Road, Cults, Aberdeen, AB15 9NY
You can contact the Information Commissioners Office on 0303 123 1113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5AF.