Diocese of Chichester


Introduction

The law relating to data protection has changed. This affects all organisations in the UK, including businesses and charities, from 25 May 2018. On this date, a new EU regulation called the General Data Protection Regulation (GDPR) came into force.

As a registered charitable business, which holds data about clergy, licensed ministers and people holding positions within parishes – such as churchwardens and PCC secretaries – the Diocese of Chichester is legally required to review and refine how it collects, holds, processes, uses and publishes this data.

More information on GDPR can be found on the Information Commissioner’s Office (ICO) website.

Further advice, specifically for parishes, is also available in our toolkit – TOOLKIT or on the Parish Resources website.

The Diocese’s Data Privacy Notice is set out below. Amongst other things, this provides an overview on why and how the Diocesan Office processes information.

Please contact the Data Controller to request information about:

  • What personal data we hold about you
  • The purposes of the processing
  • The categories of personal data concerned
  • The recipients to whom the personal data has/will be disclosed
  • How long we intend to store your personal data for
  • If we did not collect the data directly from you, information about the source
  • The right to have incomplete or inaccurate data about you corrected or completed and the process for requesting this
  • The right to request erasure of personal data (where applicable) or to restrict processing in accordance with data protection laws, as well as to object to any direct marketing from us and to be informed about any automated decision-making that we use
  • The right to lodge a complaint or seek judicial remedy and who to contact in such instances


DATA PRIVACY NOTICE

THE DIOCESE OF CHICHESTER

1. Your personal data – what is it?

Personal data is any information relating to a living individual (the data subject) who can be identified from that data.Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into their possession. The processing of personal data is governed by the Data Protection Act 2018 and the General Data Protection Regulation 2016/679 (the “GDPR”) and other legislation relating to personal data and rights such as the Human Rights Act1998.

Personal data is about living people and could be; for example

  • their name
  • contact details
  • medical details or banking details

Sensitive personal data is also about living people, but it includes one or more details of a data subject’s:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • membership of a trade union
  • genetic data or biometric data where used for identification purposes
  • health
  • sex life or sexual orientation


2. Who are we?

This Privacy Notice is provided to you by the Chichester Diocesan Fund and Board of Finance (Incorporated) (the “diocese”) which is the data controller for your data.

The Church of England is made up of a number of different organisations and office holders who work together to deliver the Church’s mission in each community. The diocese works together with:

  • archdeacons and bishops of the Diocese;
  • the Dean and Chapter of the Cathedral;
  • the incumbents of the parishes within the Diocese (that is, the vicar or rector of each parish);
  • the Parochial Church Councils (PCC) of parishes within the Diocese;
  • the deanery synods and the diocesan synod ;
  • the National Church Institutions.

As the Church is made up of all these persons and organisations working together, we may need to share personal data we hold with them so that they can carry out their responsibilities to the Church and our community. The organisations referred to above are joint data controllers. This means we are all responsible to you for how we process your data.

Each of the data controllers has their own tasks within the Church and a description of what data is processed and for what purpose is set out in this Privacy Notice. This Privacy Notice is sent to you by the Diocese on our own behalf and on behalf of each of these data controllers. In the rest of this Privacy Notice, we use the word “we” to refer to each data controller, as appropriate.


3. How do we process your personal data?

The Diocese of Chichester and the data controllers comply with their obligations under the “GDPR” by: -

  • keeping personal data up to date;
  • storing and destroying it securely;
  • not collecting or retaining excessive amounts of data;
  • protecting personal data from loss, misuse, unauthorised access and disclosure; and
  • ensuring that appropriate technical measures are in place to protect personal data.

We use your personal data for some or all the following purposes: -

  • To enable us to provide a voluntary service for the benefit of the public within the Diocese of Chichester;
  • To deliver the Church’s mission to our community, and to carry out any other voluntary or charitable activities for the benefit of the public as provided for in the constitution and statutory framework of each data controller;
  • To enable those who undertake pastoral care duties as appropriate;
  • To administer records of:

- Ordained and lay holders of offices or other posts or roles within the Diocese and where appropriate their families;

- Those exploring a vocation to lay or ordained ministry and those training for ordination and their families

- Anglican partners

- Landlords, tenants and managing agents of properties owned or rented by the DBF

- Suppliers and contractors

- Applicants for church building permissions and inspecting architects and surveyors

  • To enable us to meet all legal and statutory obligations (which include maintaining and publishing electoral rolls in accordance with the Church Representation Rules and administering election processes);
  • To carry out comprehensive safeguarding procedures (including due diligence and complaints handling) in accordance with best safeguarding practice from time to time with the aim of ensuring that all children and adults-at-risk are provided with safe environments;
  • To seek your views or comments;
  • To fundraise and promote the interests of the Diocese and its constituent parts and partners;
  • To provide a support service for the benefit of Church of England Schools within the Diocese of Chichester
  • To manage our employees and volunteers;
  • To notify you of changes to our services, events and role holders;
  • To send you communications which you have requested and that may be of interest to you, which may include information about campaigns, appeals, other fundraising activities;
  • To process a grant or application for a role;
  • To maintain and update our own accounts and records (including the processing of gift aid applications);
  • To inform you of news, information, events, activities, diocesan process changes/updates, resources and services running either within the Diocese of Chichester or further afield through: -

- Mailings (by email &/or hard copy)

- News (a subscription email service from which you can unsubscribe at any time)


4. What is the legal basis for processing your personal data?

  • Processing may be carried out by a not-for-profit body with a political, philosophical, religious or trade union aim provided: -

- the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes); and

- there is no disclosure to a third party without consent except as set out in 5 below.

  • Unless you are a current employee or office holder we need your explicit consent to keep you informed about news, events, activities and services.
  • We also need your explicit consent to process your gift aid donations.
  • If data processing is necessary for carrying out obligations or enforcing rights under a contract of employment, social security or social protection law, or a collective agreement your consent is implicit.
  • If you are not an employee (i.e. you do not have a contract of employment), most of your data is processed because it is necessary for our legitimate interests, or the legitimate interests of a third party (such as another organisation in the Church of England). This may also be an additional reason if you are an employee. An example of this would be our safeguarding work to protect children and adults at risk. We will always take into account your interests, rights and freedoms.
  • Some of our processing is necessary for compliance with a legal obligation. For example, we are required by the Church Representation Rules to administer and publish electoral data.
  • We may also process data if it is necessary for the performance of a separate contract with you, or to take steps to enter into a contract. An example of this would be processing your data in connection with the hire of Church House facilities.
  • We will also process your data in order to assist you in fulfilling your role in the church including pastoral and administrative support or if processing is necessary for compliance with a legal obligation.
  • Religious organisations are also permitted to process information about your religious beliefs to administer membership or contact details.
  • Where your information is used other than in accordance with one of these legal bases, we will first obtain your consent.

We will process data about employees/role holders for legal, personnel, administrative and management purposes and to enable us to meet our legal obligations, for example to pay employees, monitor their performance and to confer benefits in connection with their employment. “Role Holders” includes office holders, volunteers, contractors, agents, staff, retirees, temporary employees, beneficiaries, workers, treasurers and other role holders.

Our processing may include the use of CCTV systems for the prevention and prosecution of crime.

We may also process sensitive personal data relating to Role Holders and employees including, as appropriate:

  • information about their physical or mental health or condition in order to monitor sick leave and take decisions as to fitness for work;
  • racial or ethnic origin or religious or similar information in order to monitor compliance with equal opportunities legislation;
  • in order to comply with legal requirements and obligations to third parties.


5. Sharing your personal data

Your personal data will be treated as strictly confidential and will only be shared within the Diocese of Chichester, in order to carry out a service to other church members or for purposes connected with the Diocese, with certain third parties outside of the Diocese as set out in Annex 1, and in compliance with any legal obligations.


6. How long do we keep your personal data?

We will keep some records permanently if we are legally required to do so. We may keep some other records for an extended period of time. In general, we will endeavour to keep data only for as long as we need it and in accordance with the guidance set out in the guide “Save or Delete: the Care of Diocesan Records” which is available from the Church of England website at https://www.churchofengland.org/more/libraries-and-archives/records-management-guides.


7. Your rights and your personal data

Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data: -

  • The right to request a copy of your personal data which the Diocese of Chichester holds about you;

- At any point you can contact us to request the information we hold on you as well as why we have that information, who has access to the information and where we obtained the information from. Once we have received your request we will respond within one month.

  • The right to correct or update any personal data if it is found to be inaccurate or out of date;

- If the data we hold on you is out of date, incomplete or incorrect, you can inform us and your data will be updated.

  • The right to request your personal data is erased where it is no longer necessary for the Diocese of Chichester to retain such data;

- If you feel that we should no longer be using your data or that we are illegally using your data, you can request that we erase the data we hold. When we receive your request we will confirm whether the data has been deleted or the reason why it cannot be deleted (for example because we need it for our legitimate interests or regulatory purpose(s)).

  • The right to withdraw your consent to the processing at any time;

- You can withdraw your consent easily by telephone, email, or by post (see Contact Details at the end of this document).

  • The right to request that the data controller provide the data subject with his/her personal data and where possible, to transmit that data directly to another data controller, (known as the right to data portability).

- You have the right to request that we transfer some of your data to another controller. We will comply with your request, where it is feasible to do so, within one month of receiving your request.

  • The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing.

- Upon receiving the request to stop processing your data we will contact you and let you know if we are able to comply or if we have legitimate grounds to continue to process your data. Even after you exercise your right to object, we may continue to hold your data to comply with your other rights or to bring or defend legal claims.

  • The right to object to the processing of personal data, (where applicable). Upon receiving the request we will contact you and let you know if we are able to comply or if we have legitimate grounds to continue to process your data. Even after you exercise your right to object, we may continue to hold your data to comply with your other rights or to bring or defend legal claims.
  • The right to lodge a complaint with the Information Commissioner’s Office. Contact details for the ICO can be found at the end of this document.

When exercising any of the rights listed above, in order to process your request, we may need to verify your identity for your security. In such cases we will need you to respond with proof of your identity before you can exercise these rights.


8. Further processing

If we wish to use your personal data for a new purpose, not covered by this Data Protection Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.


Annex A

Your personal data will be treated as strictly confidential. It will only be shared with third parties including other data controllers where it is necessary for the performance of the data controllers’ tasks or where you first give us your prior consent. It is likely that we will need to share your data with:

  • The appropriate bodies of the Church of England including the other data controllers;
  • Our agents, servants and contractors and in particular:

- MailChimp for subscription e-newsletters

- SurveyMonkey for questionnaires

- Worthers for database software

- Sussex HR and Warner Goodman solicitors for payroll and HR purposes

- Trident for IT support

- XLedger for accounting records

- CPOMS for safeguarding records

  • Members of the clergy or lay persons nominated or licensed by the bishops of the Diocese of Chichester to support the mission of the Church in the parishes. For example, the Diocese works alongside our rural deans and archdeacons, who may provide confidential mentoring and pastoral support. Assistant or temporary ministers, including curates, deacons, licensed lay ministers, authorised lay ministers or persons with Bishop’s Permissions may participate in our mission in support of our regular clergy;
  • Other persons or organisations operating within the Diocese of Chichester, including, where relevant,the Chichester Diocesan Board of Education.
  • The Diocesan Database (contact management system) is a shared resource between the following individuals and bodies and their staff: -

- The bishops and archdeacons of the Diocese

- The Diocesan Synod and Board of Finance and its sub-committees

- The Diocesan Board of Education

- The Diocese of Chichester Academy Trust

- Chichester Cathedral

- The clergy and PCC / DCC /Deanery Synod officers within the Diocese

- The Chancellor and Deputy Chancellor for the Diocese of Chichester

- The Diocesan Registrar

- Sussex HR

- Christian Publishing and Outreach

- MailChimp

- Trident IT support

- Letting Agents for our properties

- Limited third parties with legitimate interests such as funeral directors and chaplains

The contact details of Petitioners and/or applicants on individual applications will be shared, through the Online Faculty System (OFS) with the following individuals and bodies and their staff: -

-The bishops and archdeacons of the Diocese

-The Chancellor and Deputy Chancellor or the Diocese of Chichester

-The Diocesan Registrar

-Statutory Consultees (The Church Buildings Council, Historic England, national Amenity Societies and local authorities) to facilitate the consideration of applications for either a Faculty or a Matter not requiring a Faculty under the Faculty Jurisdiction Rules

  • Clergy details will be provided: -

- To Crockford’s Clerical Directory

- To the Church Commissioners

- When necessary, by the Diocesan Property Team to its representatives for the purpose of undertaking works of repair / maintenance of Diocesan clergy housing and the letting of Diocesan properties

- To the relevant local authority (in respect of Council Tax) and utility companies (in respect of supplies of energy to the property)


What data do the data controllers listed above process?

  • Names, titles, aliases and photographs.
  • Contact details such as telephone numbers, addresses, and email addresses.
  • Where they are relevant to our mission, or where you provide them to us, we may process demographic information such as gender, age, date of birth, marital status, nationality, education/work histories, academic/professional qualifications, employment details,hobbies,family composition, and dependents.
  • Non-financial identifiers such as passport numbers, driving licence numbers, vehicle registration numbers, taxpayer identification numbers, employee identification numbers, tax reference codes, and national insurance numbers.
  • Financial identifiers such as bank account numbers, payment card numbers, payment/transaction identifiers, policy numbers, and claim numbers.
  • Financial information such as salary or stipend, bonus, record of earnings, tax code, tax and benefits contributions, expenses claimed,creditworthiness,amounts insured, and amounts claimed.
  • Other operational personal data created, obtained, or otherwise processed in the course of carrying out our activities, including but not limited to, CCTV footage, recordings of meetings, telephone conversations and video conferences, IP addresses and website visit histories, logs of visitors, and logs of accidents, injuries and insurance claims.
  • Other data (not covered above) relating to Role Holders and employees including emergency contact information; gender, birth date, referral source (e.g. agency, employee referral); level, performance management information, languages and proficiency; licenses/certificates, citizenship, immigration status; employment status, retirement date; billing rates, office location, practice and specialty; publication and awards for articles, books etc.; prior job history, employment references and personal biographies.
  • The data we process is likely to constitute sensitive personal data because, as a church, the fact that we process your data at all may be suggestive of your religious beliefs. Where you provide this information, we may also process other categories of sensitive personal data: racial or ethnic origin, sex life, mental and physical health, details of injuries, medication/treatment received, political beliefs, labour union affiliation, genetic data, biometric data, data concerning sexual orientation.


Transfer of Data Abroad

Any electronic personal data transferred to countries or territories outside the EU will only be placed on systems complying with measures giving equivalent protection of personal rights either through international agreements or contracts approved by the European Union. Our website is accessible from overseas so on occasion some personal data (for example in a newsletter) may be accessed from overseas.


Further processing

If we wish to use your personal data for a new purpose, not covered by this Data Protection Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.


Contact Details

Please contact us if you have any questions about this Privacy Notice or the information, we hold about you or to exercise all relevant rights, queries or complaints at:

The Data Controller, Chichester Diocesan Fund and Board of Finance (Incorporated),Diocesan Church House, 211 New Church Road, Hove BN3 4ED, Email: data.protection@chichester.anglican.org

You can contact the Information Commissioners Office on 0303 123 1113 or via email https://ico.org.uk/global/contact-us/or at the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire. SK95AF.

03 August 2020


Related Resources