1. Your personal data – what is it?
Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. The processing of personal data is governed by the UK General Data Protection Regulation (the “UK GDPR”).
2. Who are we?
The Charity Trustees of St Philip’s Church are the data controller (contact details in section 10). This means it decides how your personal data is processed and for what purposes.
3. Who do we collect personal data from?
Our Data Subjects typically fall into one of the following categories:
- church members/ regular attenders
- individuals we support
- trustees
- employees (and former employees)
- team members
- volunteers/ interns
- parents of children/young people participating in or enquiring about our youth and children’s activities
- donors
- Gift Aiders
- enquirers
- website/ social media visitors
- in person visitors
- course attendees
- complainants
- supporters
- advisers and representatives of other organisations, including those who provide services to us
Most of the personal data we collect relates to church members, who may fall into other data subject categories. Therefore, this is the primary lens through which this privacy notice focuses. Where data collected relates specifically to other data subjects for a different purpose, this will be clarified.
4. How do we process your personal data?
The Charity Trustees of St Philip’s Church complies with its obligations under the “UK GDPR” by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.
We may collect, use, store and transfer different kinds of personal data about you for the following purposes: –
Identity data (full name, username (or similar identifier), title, marital status, date of birth, gender, ethnicity details of CAF Bank signatories and Trustees* and any other biographical information you may provide us, media identity data: photographs, video footage, audio recordings, written material):
- To communicate with you.
- To identify you for accounting, governance, employment/volunteering, administration, or safeguarding purposes where necessary.
- Your media identity data may be used for:
- Inclusion in communication given to members, whether in print or electronic format.
- For display purposes within the church premises e.g., notice boards or PowerPoint presentations.
- For use on the St Philip’s website.
- For use in public livestreams.
- For use in Zoom meetings.
- For inclusion in any of St Philip’s publicity, presentations, banners, or marketing material.
- To display the life of the church on social media sites.
We will not publish media identity data that relates to you without your consent. We will only publish this data for the purposes that you consent to.
- Children’s date of birth and full names are recorded for safeguarding reasons.
- Date of birth and ethnicity details of trustees and CAF bank signatories are collected to share with CAF Bank for financial governance purposes. Date of birth details of trustees are also shared with the Charity Commission for governance purposes.
- Date of birth, name and gender information collected from employees for payroll purposes.
- Audio recordings as Ansa phone messages or WhatsApp voice note messages from any data subject are collected for administration purposes. They are noted and responded to, then deleted.
Contact data (postal address, email address, telephone number)
- To keep in touch with you and inform you of news, events, activities, and services at St Philip’s Church in our Mailchimp update emails.
- To contact you regarding rotas, roles, or responsibilities you have within church and to inform planning of gatherings or activities.
- To provide pastoral support.
- Address details used for accounting purposes (including the processing of Gift Aid applications and payroll).
- Medical and emergency contact data of children/young people participating in youth/children’s activities collected in case of medical or other emergency/ concerns.
- Contact data used for maintaining contact with all data subjects, when provided by them, for the purposes expressed in the initial contact. We will only make further contact for legitimate purposes.
- Emergency contact data of Employees held in case of an emergency.
- Contact details of Trustees shared with Charity Commission and CAF Bank for governing purposes.
See appendix 1 for further details relating to the processing and use of contact details relating to members/regular attenders.
Membership/denominational data* (denominational affiliation, record of membership, mission initiative roll)
- To administer membership records (including informing religious ceremonies e.g.- dedications or baptisms).
- To ensure voting rights at whole church meeting.
- To report to denominations where required.
Financial data (bank account and payment card details, declaration and record of regular giving amount and Gift Aid declaration, expense claim forms, invoices, payment schedules & contracts which identify you, annual accounts and reports, legacy information, employee payroll set up details (including national insurance numbers, previous employment and student loans information), adjustments made to pay based on parental leave, furlough, staff sickness* and redundancy pay information and pension details)
- To maintain our own accounts and records (including the processing of Gift Aid applications) and for financial transparency.
- To pay members back for expense claims.
- For reviewing annual commitment and budgets.
- To pay employees, those that provide services to us or for refund purposes.
- To give financial gifts to individuals and organisations we support.
Transaction data (details about payments to and from you and other details of events, products or services you have purchased from us or gifts you have donated to us):
- To maintain our own accounts and records (including the processing of Gift Aid applications) and for financial transparency.
- To contribute to aggregated data for informing reports made to analyse financial performance.
- For reviewing budgets.
Administrative data (rota information, running order/gatherings plans, record of whose contact details need updating, administrative notes and communication trails related to all data subjects where communication has taken place, either verbally or digitally)
- For maintaining and administering the life of the church.
- Notes taken, so information is accurate and can be acted upon effectively.
Attendance data: (registers for children’s/ youth work, count of attendance (at gatherings, Alpha courses, outreach activities, whole church meetings and council meetings):
- Count of attendance at gatherings, on Alpha courses and other outreach activities taken to inform aggregate data for church statistics, reported to denominations annually.
- Attendance at whole church or council meetings taken for governance purposes.
- To help team leaders with pastoral oversight.
- Registers of volunteers and children/young people attending children’s/ youth work for safeguarding reasons.
Pastoral/prayer data* (pastoral notes, prayer ministry notes, prophetic words, personal or prayer information shared by a member with staff, team, or community leaders)
- To help inform prayer and the prayer/pastoral process.
- For personal encouragement and support.
- Notes are taken in a pastoral meeting, so an accurate record of a conversation can be recorded, to safeguard minister and member.
- Member may request personal or prayer information to be shared with the wider church.
See appendix 2 for further details on the processing of pastoral data.
Medical data* (medical information about children provided on parental consent forms, information given by members for pastoral concern or re COVID-19, information about staff sickness, accident reporting):
- To care for children/young people appropriately and prevent/respond to a medical emergency.
- To protect medically vulnerable members.
- Reporting of accidents ensures good standards of Health and Safety.
- For pastoral care and to inform prayer.
- Information about staff sickness kept for legal purposes, accountability, and transparency.
Consent data (parental consent for child/ young person to attend children/youth activities, media consent data)
- For children/young people to be able to attend children’s/ youthwork activities. If parental consent forms are not completed, children/ young people will be unable to attend children’s work activities.
- For UK GDPR compliance, keeping an effective record of media identity consent so that staff know what data can be shared and for what purposes.
Employment data (application form, equal opportunities form*, references, interview feedback, performance appraisals, contract, timesheet, information about staff sickness*, parental leave records, staff redundancy and furlough records)
- To aid fair interview recruitment process.
- Feedback and appraisals support professional development.
- For accountability and transparency.
- To ensure staff are paid correctly.
- To ensure that holidays and overtime are worked out transparently.
See appendix 3 for further details on the processing of employment data.
Intern & volunteer enrolment data (references, application forms, notes taken at enrolment meeting, internship review notes)
- To aid intern and volunteer enrolment process.
- For safeguarding reasons, ensuring that interns and volunteers can appropriately and safely carry out their roles. If a potential intern/ volunteer is unable to provide required information, they will not be allowed to carry out the role.
- Review notes taken to support intern development.
Team & Vision data (strategy meeting notes from team, community leaders or members taking part)
- To shape vision and actions taken.
Governance data (council minutes and agenda, documents for council viewing, AGM minutes, TAR and financial statements)
- Legal documentation.
- Data is required to be shared with the Charity Commission or CAF Bank where appropriate.
Technical data (internet protocol (IP) address, browser type and version time zone setting and location, browser plug-in types and versions, browser ID, operating system and platform and other technology on the devices you use to access the website, Mailchimp campaigns, social media sites or audio sharing sites):
- For website, email campaign, social media or audio sharing site performance.
This data is not collected directly by us and we do not store it. However, our website providers, Mailchimp, social media and audio sharing sites may collect some of this information to aid performance. Please refer to their individual privacy policies to find out more, in Appendix 4 and Appendix 6.
Usage data (information on how you interact with update emails sent through Mailchimp, cookies and other tracking technologies on Mailchimp, our website, social media pages -Facebook Page Insights, Twitter, Instagram, YouTube, Google page, WhatsApp and audio sharing sites- Apple, Spotify and Google page)
- To inform and monitor effectiveness of our social reach.
This information is not collected directly by us, although it is often available for us to view. With regards to our website, please see the cookies policy for more information on what cookies are collected. See appendix 4 for more details regarding sharing your information or consenting to us sharing it on social media or audio sharing sites and links to their privacy policies. There are also links to the privacy policies of other third-party platforms that we make use of in Appendix 6, including Mailchimp, where you would need to view the ‘privacy for contacts’ section.
Profile data (username/profile on social media sites or groups, your interests, preferences, feedback and survey responses*):
- To inform our events, activities and services at St Philip’s Church.
- To connect with you and facilitate communication/ connection between members.
- For ease and speed of survey/ feedback response- forms can be completed easily online rather than in person.
Safeguarding data (risk assessments, children’s work attendance records, details of children’s work activities and concerns raised in children’s/ young people’s groups. Records of child/adult protection allegations/ concerns such as referral information, advice and guidance offered from Sheffield Diocese, case files and records. Information relating to recruitment, support and training of staff, trustees, interns and volunteers in line with Safer Recruitment Practice Guidance including records of DBS checks records and self-declarations. Information relating to disciplinary action in relation to staff/trustees. Information relating to safeguarding leadership and governance and development of practices and policy).
- To ensure highest standards of safeguarding and accountability.
- To report to denominations and authorities on a need-to-know basis where necessary.
- To ensure children’s work activities are planned and run safely, following correct procedure. To be able to give an account of this to parents, denominations, and authorities.
We have a separate privacy notice for information collected on self-declaration forms, written on the form itself. This is included in Appendix 7.
Personal data about criminal allegations, proceedings or convictions
We will not hold information relating to criminal proceedings or offences or allegations of offences unless there is a clear lawful basis for doing so, such as where it fulfils one of the substantial public interest conditions in relation to the safeguarding of children and adults at risk or one of the additional conditions relating to criminal convictions set out in either Part 2 or Part 3 of Schedule 1 of the Data Protection Act 2018. You can request to see Schedule 3 of our Data Protection policy for more information.
Special categories of personal data
Some of the information we hold comes within the definition of special categories of data* in the UK GDPR. Where this has been listed within the other categories of data above, this has been marked by a *. This personal data can only be processed under strict conditions and will be treated as highly confidential.
Examples of data containing special categories of data that we may hold are:
Equal opportunities forms, staff health and sickness records, accident reports, children’s allergy/ records of medical conditions, ethnicity details of trustees and CAF Bank signatories, pastoral/ prayer ministry notes or information passed on verbally or in written form and denominational affiliation/membership data.
*(Special categories of personal data includes details about your race or ethnicity, religious or philosophical beliefs, sexual life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data).
Aggregated data
We collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated data may be derived from your personal data but is not considered personal data by law as the data does not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific website feature or to inform fundraising and grant applications and promote the interests of the charity. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.
5. What is the legal basis for processing your personal data?
- Most of your data is processed because it is in the church’s legitimate interest to do so, which means that we use it in ways that you would reasonably expect. Where this is not the legal basis for processing your data, this has been outlined below.
- Media identity data is processed because of explicit consent of you, the data subject.
- Processing some of your data is necessary for carrying out legal obligations in relation to Gift Aid or under employment, social security or social protection law, for safeguarding reasons, accountability and transparency or a collective Agreement. For example, some financial, transaction, medical, employment, intern & enrolment, contact, identity, consent, governance and safeguarding data.
- Some data is processed because of contractual obligations. This includes employment, financial, contact and identity data.
- Some data is processed to perform a public task, such as to report to denominations or the Charity Commission where required. This includes aggregated data, membership/denominational data, some attendance, financial and governance data.
- Very rarely, data might be processed and shared because it is in a person’s vital interests, necessary for protecting their life. For example, a child protection allegation for protecting the vital interests of a child.
- To process special categories of data and criminal offence data, there are extra conditions which need to be met, alongside these legal bases. For a full outline of these, you can request to view our data protection policy.
6. Sharing your personal data
Your personal data will be treated as strictly confidential and will not be shared with other church members, authorised personnel or third parties without your consent, unless there is a legal basis for doing so.
See appendix 5 for more information on the legal bases we use for sharing your information and who it is shared with, both internally and externally, including storing information on third party systems. Also see appendix 5 for more information on what personal data may be shared with us.
7. How long do we keep your personal data?
We do not keep your data longer than necessary. If we do keep your information after the period of our relationship with you, there is usually a legal reason for doing so and a set period of time for this, as set out in our data retention schedule, which follows Baptist Union guidance or where it relates to Safeguarding, guidance from the Church of England. Any data that is not required to be kept will be shredded or deleted if electronic.
Specifically, we retain contact and membership data while it is still current; most financial records for 6 years from the end of the financial year the records relate to (if related to gift aid, this will be 6 years from the date of the last donation) and parish registers (baptisms, marriages, funerals) permanently. For Safeguarding reasons, we keep parent/carer consent forms, registers and first Aid/ accident forms for 50 years, to align with guidance from the Church of England. To view our full data retention schedule, you can request this from us at any point.
8. Your rights and your personal data
Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data: –
- The right to request a copy of your personal data which the Charity Trustees of St Philip’s Church holds about you;
- The right to request that the Charity Trustees of St Philip’s Church corrects any personal data if it is found to be inaccurate or out of date;
- The right to request your personal data is erased where it is no longer necessary for the Charity Trustees of St Philip’s Church to retain such data;
- The right to withdraw your consent to the processing at any time
- The right to request that the data controller provide the data subject with his/her personal data and where possible, to transmit that data directly to another data controller, (known as the right to data portability), (where applicable) [Only applies where the processing is based on consent or is necessary for the performance of a contract with the data subject and in either case the data controller processes the data by automated means].
- The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;
- The right to object to the processing of personal data, (where applicable) [Only applies where processing is based on legitimate interests (or the performance of a task in the public interest/exercise of official authority); direct marketing and processing for the purposes of scientific/historical research and statistics]
- The right to lodge a complaint with the Information Commissioners Office.
9. Changes to this policy
We may amend this policy from time to time to take account of changes to our processes including new information being processed or changes to data protection or other legislation, so please check it periodically. We will notify members and regular attenders of these changes by email. Where and whenever necessary, we will seek your prior consent to new processing.
10. Contact Details
To exercise all relevant rights, queries or complaints please in the first instance contact the administrator at St Philip’s Church, The Stamp House, 52 Bank Street, Sheffield, S1 2DS or admin@stphilipssheffield.org).
You can contact the Information Commissioners Office on 0303 123 1113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5AF.