site policy agreement
SHEFFIELD DIOCESAN BOARD OF FINANCE DATA PRIVACY NOTICE Data controller: Sheffield Diocesan Board of Finance, Church House, 95-99 Effingham Street, Rotherham S65 1BL Data Compliance Officer: Heidi Adcock, Diocesan Secretary, Telephone Number 01709 309100 This notice explains what personal data (also referred to as ‘information’) we hold about you, how we collect it, and how we use it. The notice also explains how we may share information about you during the course of your relationship with us and after it ends. Please ensure that you read this notice and any other similar notice we provide to you from time to time when we collect or process personal data about you. We are committed to being transparent about how we collect and use your data and to meeting our data protection obligations. What is personal data? Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with other information in the data controller’s possession or likely to come into such possession. The processing of personal data is governed by the General Data Protection Regulation (2016/679 EU). What information do we collect? We collect and process a range of information about you. The personal information we hold will vary, depending on the nature of the relationship we have with you. To help you understand what information we collect, how we process it and who we share it with we have provided a brief overview of the type of data we hold. Volunteers and Officers To help us manage our relationship with our officers and volunteers, including for example Diocesan Synod, Parish Parochial Councils or District Church Councils, Parish Safeguarding Officers, or Children and Youth Workers, we collect personal information to help us meet our legitimate and legal obligations. For example we may collect information relating to individual’s names, titles, addresses, email addresses, bank account details, office holding or voluntary position. We have collected your personal data in the process of you agreeing to take on voluntary roles and as a consequence of your involvement with us. Communications Your privacy is important to us. We will use your details to keep in touch about things that matter to you. If you choose to hear from us, we may send you information about what is going on in the Diocese and the wider Church of England; this may include information about events, news updates, book reviews and information about personnel changes in the Diocese. The personal data we will use includes name, title, email address, church attended and photographs. We will only communicate with you if you agree to this and we will never share your information with third party marketing organisations. If you agree to receive information from us, you can change your mind at a later date. We may sometimes use third parties to help us manage our communications and understand the information we have, for example Google Analytics, Mailchimp and Typeform. Using anonymised data like this helps us to understand the numbers, geographical location and actions of people visiting our website. We will only use third parties where we are confident they will treat your data securely and in accordance with the General Data Protection Regulations. We may also hold personal data on our Diocesan Contact Management database. The types of data we may hold includes name, title, date of birth, gender, contact details (including address, email address and telephone numbers), details about any volunteer or ecclesiastical offices you hold and which church you belong to. We may also hold information relating to any training you have attended. Safeguarding We take the safeguarding of children and vulnerable adults very seriously and to enable us to fulfil our legal obligations, we may hold personal data that helps us to do this. We may hold personal data on individuals raising safeguarding concerns either themselves or on behalf of others, alleged perpetrators or witnesses. The kinds of personal data we hold may include name, title, contact details (address, telephone number, and email address), marital status, gender of those involved and details of the safeguarding concern. We may hold notes of telephone conversations or meetings that take place. We keep information relating to those holding volunteer posts in safeguarding (for example, parish safeguarding officer), in a particular parish and the training the postholder has completed. We may also hold information relating to your disclosure and barring check and as a result of this, any blemishes, including criminal offences, which are recorded as part of a risk assessment. Business Administration To help us manage our business effectively we collect personal information to help us meet our legitimate objectives and legal obligations. For example we may collect names, titles, addresses, email addresses, bank account details, office holding or voluntary position. We use this information to manage our finance processes effectively and ensure that we meet our obligations, for example, in relation to creditor and debtor processes, for gift aid purposes and to help us prepare our accounts. We have a number of boards, committees and task/project groups and we may collect personal data on those involved in these boards, committees and task/project groups in order to communicate and organise this process. We manage a number of time-limited projects, which through your involvement with us results in us collecting personal data about you. For security and health and safety purposes, we record who is in our building, this includes visitors and staff. We collect information relating to name and vehicle registration number. We also record, through CCTV, the images of those individuals entering our building. Discernment of Ordination For those individuals who are contemplating undertaking ordination training, we hold personal information to enable us to support them moving through the discernment process. This information may include name, title, date of birth, gender, religious belief, contact details, education and employment history, references, information regarding family circumstances, information relating to criminal check (disclosure and barring service) and health information. We may also hold notes of meetings, which include personal reflections, beliefs and opinions. Housing Personal information and data is collected to enable us to manage our portfolio of housing stock, commercial stock and glebe land, including housing maintenance and dilapidations. Personal information, such as name, business email address, contact telephone numbers, profession and job title, is collected to enable the preparation and management of contracts with trades’ people and professional bodies such as property management organisations. Personal information and data is also collected to enable us to manage housing for clergy and private tenants, including name, title, address, contact details, date of birth, age, gender, partner and/or other dependant information, tenancy references and bank details. Your activities and involvement with us will result in personal data being created. We will however only collect the data we need and will only share it with third parties for genuine business reasons or where we are required to do so by the law. We may collect this information in a variety of ways. For example, data might be collected through consent forms, contracts for services, tenancy agreements, and face to face meetings. In some cases, we may collect personal data about you from third parties, such as tenancy references. We also hold personal data in relation to other areas of work which are covered by separate data privacy notices. These are available on the diocesan website at www.sheffield.anglican.org/privacy. How do we process your personal data? We comply with our obligations under the General Data Protection Regulation (GDPR) by: keeping personal data up to date; storing and destroying it securely; not collecting or retaining excessive amounts of data; protecting personal data from loss, misuse, unauthorised access and disclosure; ensuring that appropriate technical measures are in place to protect personal data. Why do we process personal data? We typically collect your personal data to ensure that we are complying with our legal obligations or for the purposes of our legitimate interests or those of a third party but only if these are not overridden by your interests, rights or freedoms. Who has access to your data? Your information may be shared internally within the organisation with employees and office holders of the SDBF and with the senior leadership team. We may share your data with third parties where we are required by law, where it is necessary to administer our relationship with you or where we have another legitimate interest in doing so. We will only share your information where we are permitted or required to do so by law, or where you have told us we can do so. We will not transfer your data to countries outside the European Economic Area without your permission. How do we protect your data? We take the security of your data seriously. We have internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the performance of their duties. We limit access to your personal data to those who have a genuine business need to know or use it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality. Physical personal data is stored securely in locked filing cabinets or drawers. Data stored on HR, Finance and IT systems is password protected and information held on drives with restricted access. Where we engage third parties to process personal data on our behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data. We have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected breach where we are legally required to do so. For how long do we keep data? We will hold your personal data in accordance with our retention policy. We will not retain your data for any longer than is necessary for the purpose we obtained it. Your rights As a data subject, you have a number of rights. You can: access and obtain a copy of your data on request; require us to change incorrect or incomplete data; require us to delete or stop processing your data, for example where it is no longer necessary for the purposes of processing; object to the processing of your data where we are relying on its legitimate interests as the legal ground for processing; request that we transmit your data directly to another data controller where this is possible; withdraw your consent to processing at any time if we are relying on consent as the legal ground for processing. In circumstances where you have provided your consent to the collection, processing and transfer of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact firstname.lastname@example.org. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law. If you would like to exercise any of these rights, please email Heidi Adcock, Diocesan Secretary at email@example.com or telephone 01709 309100. If you believe that we have not complied with your data protection rights, you can complain to the Information Commissioner, Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, telephone number 0303 123 1113. What if you do not provide personal data? If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you or we may be prevented from complying with our legal obligations. Automated decision-making Decisions are not based on automated decision-making. Further processing Where we wish to process existing personal data for a new purpose not covered by this Data Privacy Notice, then we will provide you with a new notice explaining this new use prior to commencing processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.
My Learning Plan
As a member I could add this to my learning plan, sign up here