Carpenders Park Church Privacy Notice
Carpenders Park Church ‘CPC’ (registered charity number 294977) is committed to respecting your privacy and making sure that the personal data you give us is used correctly according to the General Data Protection Regulation (GDPR).
1. Who we are
We are Carpenders Park Church (CPC).
CPC has members and leaders and conducts meetings and holds weekly services of worship in accordance with a written constitution.
The leaders of CPC are the charity trustees made up of Elders (one of whom is the Church Secretary) and a Treasurer. The trustees can be contacted via the Church Secretary, Bryan Jukes, at 81 Carpenders Avenue WD19 5BP, tel 020 8386 2157.
Under GDPR, the Trustees, and any staff, CPC members and volunteers who carry out work on behalf of CPC are collectively the ‘Data Controller’. When we use the word ‘we’ in this notice, we mean any of these people.
2. About this Privacy Notice
This notice explains how, when and why we collect data from people, and what we use it for. It also explains how we securely store that data, and people’s rights in relation to the data. We will email this notice to church members (whose email addresses we have) and display a copy on our Notice Board during our Sunday services. We will make copies available to those who attend CPC events.
We may change this notice if we make changes to how we do things or there are changes to legislation. If we do make changes, we will email church members, and display the revised notice as above.
We will comply with the General Data Protection Regulation (GDPR) when dealing with your personal data. Further details on the GDPR can be found at the Information Commissioner’s website.
3. How we process personal data and on what basis
We process personal data from people in order to carry out the work of CPC. There are a number of lawful bases for processing people’s data. Depending on the activity being carried out, we will rely on one of the following conditions for processing:
• Processing is necessary for the pursuit of CPC’s legitimate interest. This is when processing personal data is necessary to carry out CPC’s ordinary business e.g. to maintain membership data or to administer Gift Aid.
• Processing is necessary to comply with a legal obligation e.g. safeguarding disclosures to a local authority or pursuant to statute or a court order
• Processing is necessary for a contract e.g. with a paid worker
• Vital interests – processing is necessary to protect someone’s health and/or life.
• Public task – the processing is necessary for CPC to perform a task in the public interest or for its official functions, and the task or function has a clear basis in law
• Consent provided by an individual to use their data. If we are not relying on any of the above grounds we need to get consent from the individual. When we ask for consent, we will clearly set out what we are asking consent for, including why we are collecting the data and how we plan to use it. Consent will be specific to each process we are requesting consent for and we will only ask for consent when a person has a real choice whether or not to provide us with their data. An individual can withdraw their consent at any time and if withdrawn, the processing will stop.
Listed below are the different situations when we process and retain personal data. In each case, we have identified on which lawful basis from GDPR we process that data (the lawful basis is highlighted in bold).
Our legal obligations regarding Safeguarding require us to process personal data. These include arranging DBS checks for relevant individuals, and keeping written records of safeguarding concerns.
b) Open Door toddlers group. We require attendees to write their names on a register each week, and to complete a registration form with emergency contact and children’s medical information and date of birth details on it. This is in the legitimate interest of CPC and it protects people’s vital interests (i.e. in an emergency). We will obtain specific consent to email attendees information about events connected to CPC. A specific Open Door privacy notice is given out and is displayed when Open Door is held at Carpenders Park Community Hall.
c) ‘Sparks’ Sunday School
It is in CPC’s legitimate interest to take a register of children’s names, and ages (so we can teach them in an age-appropriate way) when they come to Sparks. No other information about the children is recorded.
d) Church Directory
We distribute a Church directory containing names, addresses, their preferred phone number and email to members and regular attenders. It is in CPC’s legitimate interest to ensure members can contact each other, so explicit consent will not be sought from members. For non-CPC members who attend CPC regularly, we will obtain specific consent in order to include them.
e) Emails to members
We email church members news and information which is necessary to CPC’s ordinary business, so this is in CPC’s legitimate interest. These include prayer letters as well as documents relating to Church Business Meetings (e.g. agendas, minutes, documents for consideration). We ‘cc’ emails to members (not ‘bcc’) as it is in CPC’s legitimate interest to ensure members can contact each other.
f) CPC Prayer Chain Requests for distribution to CPC members only
It is a core activity of CPC as a church to pray for each other, therefore using members’ contact phone numbers to communicate requests via text messages or email as part of CPC’s “prayer chain” is in CPC’s legitimate interest. If we are able to, we will discuss with the individual what they want the prayer message to say. If not, we will ask a close relative to agree the message. Such prayer requests are likely to include what GDPR describes as “sensitive personal data” e.g. information relating to a person’s health. Therefore, in accordance with GDPR, such information is strictly not for forwarding on to anyone who is not a CPC member. For prayer requests for non-CPC members, specific consent will be obtained from the individual to share that request with the membership of CPC.
g) Information processed by the CPC Treasurer
We collect information on the amount of regular givers’ donations to the church to plan annual budgets. We will not disclose individuals’ specific information to the membership, but only as part of a combined amount of regular giving. We collect the personal data necessary for claiming gift aid. We use bank account details to reimburse employees’ or others’ expenses. All these are in CPC’s legitimate interest.
h) Ministry Reports for Annual General Meeting
It is in CPC’s legitimate interest to regularly communicate information to members about the activities of CPC, including the work of the Pastoral Worker. We will take particular care to consider whether it is necessary to include information which may identify an individual in those reports. If there is any sensitive personal data, we will process it in accordance with the legitimate grounds set out in GDPR for doing so.
i) Website & Publicity Material
We will not include people’s personal data, including their photograph, on our website or other publicity material, whether online or in print, unless we have obtained specific consent.
We will process the relevant personal data we need from those we employ, such as tax and NI details, bank account details, or legal right to work in the UK. Data is processed in this way in order to comply with CPC’s obligations under a contract.
4. How we store and protect personal data
Written personal data will be kept securely in the homes of CPC members responsible for the relevant CPC activity. Electronic personal data will be kept on the password protected laptop/phone of the CPC members responsible for the relevant CPC activity. However, when people are transmitting information via email this can never be guaranteed to be 100% secure. We will notify people promptly in the event of any breach of their personal data which might expose them to serious risk. We will not transfer people’s personal data outside the EU without their consent.
5. Who else has access to personal data
We will never sell people’s personal data. We will not share personal data with any third parties without people’s prior consent (which they are free to withhold) except where required to do so by law.
6. How long we keep personal data
We will hold people’s personal data on our systems for as long as they are a member of the CPC and/or are a regular attender of CPC’s activities and for as long afterwards as it is in the CPC’s legitimate interest to do so or for as long as is necessary to comply with our legal obligations. We will review people’s personal data every year to establish whether we are still entitled to process it. If we decide that we are not entitled to do so, we will stop processing people’s personal data except that we will retain personal data in an archived form in order to be able to comply with future legal obligations e.g. compliance with tax requirements and exemptions, and the establishment, exercise or defence of legal claims.
7. People’s rights
People have rights under the GDPR to:
• access their personal data
• be provided with information about how their personal data is processed
• have their personal data corrected
• have their personal data erased in certain circumstances
• object or restrict how their personal data is processed
• have their personal data transferred to themselves or another business in certain circumstances.
People also have the right to take any complaints about how we process their personal data to the Information Commissioner: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, tel 0303 123 1113.