Data Protection Policy

Grace Church Beckenham

1. Introduction

Grace Church Beckenham uses personal data about living individuals for the purposes of general church administration, legal compliance and communication.

Grace Church Beckenham recognises the importance of the correct and lawful treatment of personal data. All personal data, whether it is held on paper, on computer or other media, will be subject to the appropriate legal safeguards as specified in the Data Protection Act (DPA) and the General Data Protection Regulation (GDPR) 2018.

Grace Church Beckenham fully endorses and adheres to the key principles set out in the DPA/GDPR specifying the legal conditions that must be satisfied in relation to obtaining, handling, processing, transportation and storage of personal data.

Employees and any others who obtain, handle, process, transport and store personal data for Grace Church Beckenham must adhere to these principles.

The Trustees have appointed Stephen Lock (email: info@gracechurchbeckenhm.org) as the Grace Church Beckenham Data Protection Lead.


2. The Principles

In summary, these key principles are:

  1. Lawfulness, fairness and transparency. Data must be processed lawfully, fairly and in a transparent manner.

  2. Purpose Limitation. Data must be collected for specified, explicit and legitimate purposes and shall not be processed in any manner incompatible with those purposes.

  3. Data minimisation. The data collected shall be adequate for, and relevant and limited to those purposes.

  4. Accuracy. Data must be accurate and, where necessary, kept up to date.

  5. Storage limitation. Data shall be kept for no longer than is necessary to achieve the purposes for which it was collected.

  6. Integrity and confidentiality. Data shall be kept secure from unauthorised or unlawful processing and protected against accidental loss, destruction or damage, using appropriate technical or organisational measures.


3. Use of Personal Information

Grace Church Beckenham will use personal data for the following main purposes:

  1. Church Administration. Primarily through a secure database of Church members to enable the day-to-day administration of the Church including pastoral oversight, preparation and operation of ministry rotas and (with an individual’s specific permission) the internal sharing of a church contact list with other members of Grace Church Beckenham; also names, emergency contact details and relevant health information (e.g. about allergies), and records of attendance/any incidents in respect of children who take part in Grace Church Beckenham activities for their health and safety and Safeguarding purposes.

  2. Legal Compliance. Financial / giving records so that we can meet legal obligations in relation to the reclaiming of Gift Aid on financial donations. Application forms, records of DBS checks and Safeguarding training, plus any notes on Safeguarding issues to meet legal Safeguarding requirements.

  3. Communication. Mailing Lists so that updates can be sent to anyone interested in keeping in touch and informed of church news, activities and events.

  4. Personnel Records. To assist the Trustees in the proper management of employees.


4. Security

4.1 Maintaining Confidentiality

Grace Church Beckenham will treat all personal information as private and confidential and (except where legally compelled to do so) will not disclose any data about individuals to anyone other than the employed staff and authorised leaders/ministry coordinators of the church in order to facilitate the administration and day-to-day ministry of the church.

Information and data stored by the Church will not be distributed in any form such as digital, hard copy or any other form which might breach the DPA/GDPR.

Personal information will not be given or sold to any other person, company or church.

All employed staff are required to sign a confidentiality clause written into their contract of employment.

All employed staff and authorised leadership/ministry coordinators who have access to personal data obtained under this policy will be required to agree to and adhere to this Data Protection Policy.


4.2 Membership Database

Membership Information is held on secure servers at the ChurchSuite data centre. Access is password protected, is restricted to users who have been given permission, and is made through SSL encryption.

Information collected by the Church will be stored on the Database and will not be used for any other purposes than set out in this policy.

1. Access to the Database is strictly controlled through the use of name-specific passwords, which are set up and authorised by the Data Controller.

2. Only authorised administrators have access to the full database.

3. Personal information will not be passed on to any third parties outside of the church environment.

4. Personal information may be made available to others within the church environment via the password protected members area of ChurchSuite with the express permission of the data subject who will be given the opportunity to ‘opt in’ to this. This information may also be published in a church contact list which will be made available verbally or in paper form to church members without website access.

5. All data subjects are required to read, understand and accept the Grace Church Beckenham Privacy Notice before their data is entered onto the database. Data subjects can review and amend their own data at any time through their password protected login.

Data will be held whilst individuals are members of the church and destroyed 18 months after they leave the church or we receive a written request. The exception to this will be where there is a need to keep statutory records for a longer period.


4.3 Storage of Data on Other Electronic Media

All employed staff and authorised leadership and ministry overseers/coordinators who store personal information obtained under this policy on any electronic system not connected to the Grace Church Beckenham ChurchSuite account are required to do so in accordance with the principles of this policy and to take due care to ensure that the information remains secure through the use of passwords and encryption where appropriate. This includes:

Email / telephone / address books held on personal computers, mobile phones, PDAs etc.

Data stored on memory sticks and/or portable hard drives


4.4 Processing of Disclosure and Barring Service (DBS) Information

As an organisation using Disclosure and Barring Service (DBS) checking to help assess the suitability of applicants for positions of trust, Grace Church Beckenham seeks to comply fully with the code of practice regarding the correct handling, use, storage, retention and disposal of certificates and certificate information.

We will not keep any photocopy or other image of certificates or any copy or representation of the contents of a certificate. However, notwithstanding the above, we may keep a record of the date of issue of a certificate, the name of the subject, the type of certificate requested, the position for which the certificate was requested, the unique reference number of the certificates and the details of the recruitment decision taken.

Any digital data, e.g. spreadsheets, which contain safeguarding information must be password protected and should be stored on a secure area (with limited access) within the Church information system. Any related physical data should be kept to a minimum, kept securely in a lockable, non-portable storage container with access strictly controlled and limited to those who are entitled to see it as part of their duties, and destroyed as soon as no longer required.

In accordance with section 124 of the Police Act 1997, certificate information must only be passed to those who are authorised to receive it in the course of their duties (and we will keep a record of all those to whom certificates or certificate information has been revealed whilst recognising that it is a criminal offence to pass this information to anyone who is not entitled to receive it).

5. Individual Right of Access to Information

Employees and other subjects of personal data held by Grace Church Beckenham have the right (with some legal exceptions) to access any personal data that is being kept about them either electronically or in paper-based filing systems. This right may be withheld if the personal information also relates to another individual.

Any person who wishes to exercise this right should make the request in writing to the Grace Church Beckenham Data Protection Lead.

Grace Church Beckenham aims to comply with requests for access to personal information in accordance with the ICO's guidance as quickly as possible, but will ensure that it is provided within one month of receipt of a completed form unless there is good reason for delay. In such cases, the reason for delay will be explained in writing to the individual making the request.

Photographs taken at Grace Church Beckenham purely for personal use are exempt from the Data Protection Act. This means that parents, friends and family members can take photographs for the family album of their children and friends participating in church events.


6. Data Breaches

Where employees or volunteers think that this policy has not been followed, or data might have been breached or lost, this should be reported immediately to the Data Protection Lead (or if unavailable the Trustees) who will follow the personal data breaches process outlined on the Information Commissioner's Office (ICO) website.

We will report to the ICO all data breaches which are likely to result in a risk to any person. Reports will be made to the ICO within 72 hours from when someone in the church becomes aware of the breach.

We will keep records of personal data breaches, even where we are not required to report them to the ICO.


7. Website Privacy Notice

A Privacy Notice is provided for users of the Church Website and ChurchSuite and can be viewed here:

https://www.gracechurchbeckenham.org/privacy-notice