Port Glasgow St Andrew s Data Protection Policy

Similar documents
Data Protection Policy

Mannofield Parish Church. Registered Scottish Charity No: SC (the Congregation ) Data Protection Policy

European College of Business and Management Data Protection Policy

Data Protection Act 1998 Policy

Data Protection Policy. Malta Gaming Authority

Charities & Not-for-Profits Overview of Data Protection Law

Data Protection Policy

Law Enforcement processing (Part 3 of the DPA 2018)

Access to Personal Information Procedure

A Legal Overview of the Data Protection Act By: Mrs D. Madhub Data Protection Commissioner

BJB Motor Company Limited (BJB) - Data Protection Act 1998 Policy & Procedures

Staff Data Protection Policy

Nestlé Canada Inc. Privacy Policies and Practices April 13, 2012

16 March Purpose & Introduction

Brussels, 16 May 2006 (Case ) 1. Procedure

The Freedom of Information (Jersey) Law, 2011

DATA PROTECTION POLICY STATUTORY

Canadian Anti-Doping Program Privacy and Personal Information Policy. processed by the CCES in the course of administrating and implementing the CADP.

DATA SHARING AND PROCESSING

PROTECTION OF PERSONAL INFORMATION ACT NO. 4 OF 2013

ARTICLE 29 DATA PROTECTION WORKING PARTY

BASECONE DATA PROCESSING AGREEMENT (BASECONE AS PROCESSOR)

Saturday, 7 November 15

- and - OPINION. Reasons

CSCU9Q5. Data Protection and Freedom of Information Acts

Annex - Summary of GDPR derogations in the Data Protection Bill

Data Processing Agreement. <<Health Service Provider>> The National Message Broker Service known as Healthlink

Data Protection Bill [HL]

COMP Article 1. Article 1 Subject matter and objectives

THE GDPR AND DFIR THE IMPACT OF THE EU GENERAL DATA PROTECTION REGULATION ON DIGITAL FORENSICS AND INCIDENT RESPONSE

PROJET DE LOI ENTITLED. The Data Protection (Bailiwick of Guernsey) Law, 2017 ARRANGEMENT OF SECTIONS PART I PRELIMINARY

CCTV CODE OF PRACTICE

DATA PROTECTION (JERSEY) LAW 2018

GUIDELINES FOR THE USE OF ELECTORAL PRODUCTS

DATA PROCESSING AGREEMENT. between [Customer] (the "Controller") and LINK Mobility (the "Processor")

OTrack Data Processing Terms

Decision Notice. Decision 083/2018: Ms L and Edinburgh College

Brussels, 3 May 2006 (Case ) 1. Procedure

BACKGROUND INFORMATION

CCTV Code of Practice

GENERAL PROTOCOL FOR SHARING INFORMATION BETWEEN AGENCIES IN KINGSTON UPON HULL AND THE EAST RIDING OF YORKSHIRE

General Data Protection Regulation

European Data Protection Supervisor Your personal information and the EU administration: What are your rights?

Privacy Guidelines. 1. Introduction

ELECTRONIC DATA PROTECTION ACT An Act to provide for protection to electronic data with regard to the processing of electronic data in Pakistan

Purpose specific Information Sharing Agreement. Community Safety Accreditation Scheme Part 2

PROCEDURE (Essex) / Linked SOP (Kent) Data Protection. Number: W 1011 Date Published: 24 November 2016

Interest Balancing Test Assessment regarding data processing for the purpose of the exercise of legal claims

General Rules on the Processing of Personal Data SCHEDULE 1 DATA TRANSFER AGREEMENT (Data Controller to Data Controller transfers)...

Policy To Protect Personal Information

CHAPTER [INSERT] DATA PROTECTION BILL Acts [insert] ARRANGEMENT OF SECTIONS PART I PART II

SIMON READHEAD Q.C. PRIVACY NOTICE

Security Video Surveillance Policy

PRIVACY POLICY. 1. OVERVIEW MEGT is committed to protecting privacy and will manage personal information in an open and transparent way.

Data Protection. Policy & Procedure. Greater Manchester Police

closer look at Rights & remedies

THE DATA PROTECTION BILL (No. XIX of 2017) Explanatory Memorandum

Schools Subject Access Request Procedures

SKILLSTAR 2018 NONPROFIT KFT. DATA PROTECTION POLICY

5418/16 AV/NT/vm DGD 2

Health Information Privacy Code 1994

Consolidated text PROJET DE LOI ENTITLED. The Data Protection (Bailiwick of Guernsey) Law, 2001 * [CONSOLIDATED TEXT] NOTE

AIA Australia Limited

Data Protection Bill [HL]

Data protection. Guide to the Law Enforcement Provisions

PERSONAL INFORMATION PROTECTION ACT

Memorandum of Understanding. between. HM Land Registry. and. Solicitors Regulation Authority (SRA)

Federal Act on Data Protection (FADP) Section 1: Aim, Scope and Definitions

University of Wollongong

How we use Personal Information

FOUR SEASONS HOTELS BOGOTÁ PERSONAL DATA TREATMENT POLICY HOTELES CHARLESTON BOGOTÁ S.A.S.

THE PROCESSING OF PERSONAL DATA (PROTECTION OF INDIVIDUALS) LAW 138 (I) 2001 PART I GENERAL PROVISIONS

DATA PROTECTION (JERSEY) LAW 2005

Data Protection Policy and Procedure

SCHEDULE 1 DATA TRANSFER AGREEMENT (Data Controller to Data Controller transfers)... 16

Principles and Rules for Processing Personal Data

COBIS Policy on Disclosure & Barring Service Checks for Member Schools COBIS Policy on the Recruitment of Ex-Offenders... 3

Privacy. Purpose. Scope. Policy. Appendix A

Data Protection Act 1998

DOCUMENT DETAILS DOCUMENT CONTROL. Version history. Issued by. update 1 First draft DOCUMENT APPROVAL. Date Approved. applicable)

DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL. of 24 October 1995

Data Protection Bill [HL]

STATOIL BINDING CORPORATE RULES - PUBLIC DOCUMENT

PERSONAL DATA PROCESSING AGREEMENT

Data Protection. Guidance for Schools

Act CXII of on the Right of Informational Self-Determination and on Freedom of Information 1 CHAPTER I GENERAL PROVISIONS. 1.

EDPS Opinion on the proposal for a recast of Brussels IIa Regulation

Data Protection Policy

the Commisslone Mazionale per le Sodeta e la Borsa in ItaJy and the Public Company Accounting Oversight Board In the United States

The Ministry of Technology, Communication and Innovation and The Data Protection Office. Workshop On DATA PROTECTION ACT 2017

Privacy International's comments on the Brazil draft law on processing of personal data to protect the personality and dignity of natural persons

Page1. Employment of Ex- Offenders. Issue Date 01/01/2017 Issue 1 Document No: 105 Uncontrolled when copied

Consolidated text PROJET DE LOI ENTITLED. The Data Protection (Bailiwick of Guernsey) Law, 2001 [CONSOLIDATED TEXT] NOTE

How we use Personal Information

Privacy Policy. This Privacy Policy sets out the Law Society's policies in relation to the management of Personal Information.

Official Gazette No. 55 issued on 8 May Data Protection Act. of 14 March 2002

Telecommunications Information Privacy Code 2003

Telekom Austria Group Standard Data Processing Agreement

DBS CHECKS AND EMPLOYING EX- OFFENDERS: GUIDE TO POLICY AND PROCEDURE

An Bille um Chosaint Sonraí, 2018 Data Protection Bill 2018

Transcription:

Port Glasgow St Andrew s Data Protection Policy CONTENTS 1. Overview 2. Data Protection Principles 3. Personal Data 4. Special Category Data 5. Processing 6. How personal data should be processed 7. Privacy Notice 8. Consent 9. Security 10. Sharing personal data 11. Data security breaches 12. Subject access requests 13. Data subject rights 14. Contracts 15. Review

Data Protection Policy 1 Overview 1.1 The congregation takes the security and privacy of personal information seriously. As part of our activities we need to gather and use personal information about a variety of people including members, former members, adherents, employees, office-holders and generally people who are in contact with us. The Data Protection Act 2018 (the 2018 Act ) and the EU General Data Protection Regulation ( GDPR ) regulate the way in which personal information about living individuals is collected, processed, stored or transferred. 1.2 This policy explains the provisions that we will adhere to when any personal data belonging to or provided by data subjects, is collected, processed, stored or transferred on behalf of the congregation. We expect everyone processing personal data on behalf of the congregation (see paragraph 5 for a definition of processing ) to comply with this policy in all respects. 1.3 The congregation has a separate Privacy Notice which outlines the way in which we use personal information provided to us. A copy can be obtained from Ms Lorna Stein Congregational Data protection co-ordinator. 1.4 All personal data must be held in accordance with the congregation s Data Retention Policy, which must be read alongside this policy. A copy of the Data Retention Policy can be obtained from [insert as per 1.3 above]. Data should only be held for as long as necessary for the purposes for which it is collected. 1.5 This policy does not form part of any contract of employment (or contract for services if relevant) and can be amended by the congregation at any time. It is intended that this policy is fully compliant with the 2018 Act and the GDPR. If any conflict arises between those laws and this policy, the congregation intends to comply with the 2018 Act and the GDPR. 1.6 Any deliberate or negligent breach of this policy by an employee of the congregation may result in disciplinary action being taken in accordance with our disciplinary procedure. It is a criminal offence to conceal or destroy personal data which is part of a subject access request (see Paragraph 12 below) and such conduct by an employee would amount to gross misconduct which could result in dismissal. 2 Data Protection Principles 2.1 Personal data will be processed in accordance with the six Data Protection Principles. It must: be processed fairly, lawfully and transparently; be collected and processed only for specified, explicit and legitimate purposes; be adequate, relevant and limited to what is necessary for the purposes for which it is processed; be accurate and kept up to date. Any inaccurate data must be deleted or rectified without delay; not be kept for longer than is necessary for the purposes for which it is processed; and be processed securely. 2

We are accountable for these principles and must be able to demonstrate compliance. 3 Definition of personal data 3.1 Personal data means information which relates to a living person (a data subject ) who can be identified from that data on its own, or when taken together with other information which is likely to come into the possession of the data controller. It includes any expression of opinion about the person and an indication of the intentions of the data controller or others, in respect of that person. It does not include anonymised data. 3.2 This policy applies to all personal data whether it is stored electronically, on paper or on other materials. 4 Definition of special categories of personal data 4.1 Special categories of personal data are types of personal data consisting of information revealing: racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic or biometric data; health; sex life and sexual orientation; and any criminal convictions and offences. 4.2 A significant amount of personal data held by the congregation will be classed as special category personal data, either specifically or by implication, as it could be indicative of a person s religious beliefs. 5 Definition of processing 5.1 Processing means any operation which is performed on personal data, such as collection, recording, organisation, structuring or storage; adaption or alteration; retrieval, consultation or use; disclosure by transmission, dissemination or otherwise making available; and restriction, destruction or erasure. 6 How personal data should be processed 6.1 Everyone who processes data on behalf of the congregation has responsibility for ensuring that the data they collect and store is handled appropriately, in line with this policy, our Data Retention policy and our Privacy Notice. 6.2 Personal data should only be accessed by those who need it for the work they do for or on behalf of the congregation. Data should be used only for the specified lawful purpose for which it was obtained. 6.3 The legal bases for processing personal data (other than special category data, which is referred to in Paragraph 8 below) are that the processing is necessary for the purposes of the congregation s legitimate interests; or that (so far as relating to any staff whom we employ) it is necessary to exercise the rights and obligations of the congregation under employment law. 3

6.4 Personal data held in all ordered manual files and databases should be kept up to date. It should be shredded or disposed of securely when it is no longer needed. Unnecessary copies of personal data should not be made. 7. Privacy Notice 7.1 If someone would not reasonably expect the way in which we use their personal data, we will issue information about this using a Privacy Notice which will be given to them at the point when the data is provided. 7.2 If our use of personal data is what someone would reasonably expect, we will provide information about this using a Privacy Notice which will be available on the congregation s website [and/or will be printed in the congregational newsletter from time to time AND/OR and can be found on the noticeboard 8. When is consent needed for the processing of personal data? 8.1 A significant amount of personal data held by the congregation will be classed as special category personal data, as it could be indicative of someone s religious beliefs. 8.2 Processing of such special category data is prohibited under the GDPR unless one of the listed exemptions applies. Two of these exemptions are especially relevant (although others may also apply): the individual has given explicit consent to the processing of the personal data for one or more specified purposes; OR processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data is not disclosed outside that body without the consent of the data subjects. 8.3 Most of the processing carried out by the congregation will fall within the latter exemption, and will be carried out by the congregation with appropriate safeguards to keep information safe and secure. This information will not be disclosed outside the Church without consent. Such processing will not require the explicit consent of the data subject. 8.4 Where personal data is to be shared with a third party, the congregation will only do so with the explicit consent of the data subject. For example, personal data will only be included in a directory for circulation or included on a website where consent has been obtained. 8.5 If consent is required to process the information this should be recorded using the style consent form. If consent is given orally rather than in writing, this fact should be recorded in writing. 9. Keeping personal data secure 9.1 Personal data should not be shared with those who are not authorised to receive it. Care should be taken when dealing with any request for personal information over the telephone or otherwise. 4

Identity checks should be carried out if giving out information to ensure that the person requesting the information is either the individual concerned or someone properly authorised to act on their behalf. 9.2 Hard copy personal information should be stored securely (in lockable storage, where appropriate) and not visible when not in use. Filing cabinets and drawers and/or office doors should be locked when not in use. Keys should not be left in the lock of the filing cabinets/lockable storage. 9.3 Passwords should be kept secure, should be strong, changed regularly and not written down or shared with others. 9.4 Emails containing personal information should not be sent to or received at a work email address (other than an @churchofscotland.org address) as this might be accessed by third parties. 9.5 The bcc rather than the cc or to fields should be used when emailing a large number of people, unless everyone has agreed for their details to be shared amongst the group. 9.6 If personal devices have an @churchofscotland.org account linked to them these should not be accessed on a shared device for which someone else has the pin code. 9.7 Personal data should be encrypted or password-protected before being transferred electronically. 9.8 Personal data should never be transferred outside the European Economic Area except in compliance with the law. 10. Sharing personal data 10.1 We will only share someone s personal data where we have a legal basis to do so, including for our legitimate interests within the Church of Scotland (either within the Presbytery or to enable central databases held within the Church Office at 121 George Street, Edinburgh to be maintained and kept up to date). This may require information relating to criminal proceedings or offences or allegations of offences to be processed for the protection of children or adults who may be at risk and to be shared with the Church s Safeguarding Service or with statutory agencies. 10.2 We will not send any personal data outside the European Economic Area. If this changes all individuals affected will be notified and the protections put in place to secure your personal data, in line with the requirements of the GDPR, will be explained. 11. How to deal with data security breaches 11.1 Should a data security breach occur, the congregation will notify the Presbytery Clerk immediately. If the breach is likely to result in a risk to the rights and freedoms of individuals then the Information Commissioner s Office must be notified within 72 hours. 9.2 Breaches will be handled by the Presbytery Clerk in accordance with the Presbytery s data security breach management procedure. 12. Subject access requests 12.1 Data subjects can make a subject access request to find out what information is held about them. This request must be made in writing. Any such request received by the congregation should be 5

forwarded immediately to the Presbytery Clerk who will coordinate a response within the necessary time limit (30 days). 12.2 It is a criminal offence to conceal or destroy personal data which is part of a subject access request. 13. Data subject rights 13.1 Data subjects have certain other rights under the GDPR. This includes the right to know what personal data the congregation processes, how it does so and what is the legal basis for doing so. 13.2 Data subjects also have the right to request that the congregation corrects any inaccuracies in their personal data, and erase their personal data where we are not entitled by law to process it or it is no longer necessary to process it for the purpose for which it was collected. Data should be erased when an individual revokes their consent (and consent is the basis for processing); when the purpose for which the data was collected is complete; or when compelled by law. 13.3 All requests to have personal data corrected or erased should be passed to Ms Lorna Stein Congregation Data Protection co-ordinator who will be responsible for responding to them in liaison with the Presbytery Clerk. 14. Contracts 14.1 If any processing of personal data is to be outsourced from the congregation, we will ensure that the mandatory processing provisions imposed by the GDPR will be included in the agreement or contract. 15. Policy review The Kirk Session will be responsible for reviewing this policy from time to time and updating the congregation in relation to its data protection responsibilities and any risks in relation to the processing of data. 6

2024 © lawsdocbox.com Privacy Policy | Terms of Service | Feedback