King's Church Hastings & Bexhill and Hastings Centre - Privacy Notice
King's Church Hastings & Bexhill (the Church) is the data controller both for King's Church and Hastings Centre. This means it decides how your personal data is processed and for what purposes. The Data Protection Officer is the Operations Director of King’s Church/Hastings Centre.
Your privacy is really important to us, and we understand how important it is to you. Our aim is to be as clear and open as possible about what we do with your personal information and why we do it. The Church is committed to the privacy of all its members, former members and those who have regular contact with us including those who attend the Church’s services, events and access our ministries. The Hastings Centre is similarly committed to the privacy of data relating to all its clients and contacts.
How do we process your personal information?
The Church and the Hastings Centre comply with their obligations under the General Data Protection Regulation (GDPR) by keeping personal information up-to-date; by storing and destroying it securely; by not collecting or retaining excessive amounts of information; by protecting personal information from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal information.
In the interests of transparency and to be as clear as possible, you can read in this notice about the specific information we collect about you, how we keep your information confidential and secure, and how you can access your information. This notice explains what we will use information for…
- If we collect information about you or your children
- If you make a financial donation to the church
- If you are a client who makes a booking at the Hastings Centre
- If you are an authorised user of the church’s database
- If you sign up for one of our events
- If you sign up for one of our small groups
- If you check your visiting child in to one of our children's groups
In summary, in each case we will only use your personal information for the following purposes:
- To administer membership records;
- To comply with safeguarding regulations;
- To manage our employees and volunteers;
- To maintain our own accounts and records (including the processing of Gift Aid);
- To inform you of news, events, activities and services run by the Church;
- In the case of the Hastings Centre, to administer our contractual and legal requirements and to advise you of changes in the services we offer.
What is the legal basis for processing your data?
We have various scenarios under which we may use your information, and for each have identified a lawful basis, as described below:
- Legitimate interest applies:
  - Where we maintain and process information about our church members, former members and those who are in regular contact with us.
  - Where you sign up for an event or group run by the Church or the Hastings Centre and we communicate with you about that event or group.
  - Where you have contacted us independently for information about the Church or Hastings Centre. In this context we will only use your contact details to respond to your enquiry unless you explicitly consent for us to use your information for another purpose.
  - Where we need to communicate with you about:
    - Church news, events, courses, services and ministries;
    - A public-interest matter, for example to let you know if an event is cancelled due to bad weather;
    - A ministry or group that you are involved in as part of a serving team;
  - For good governance and accounting, for planning, analysis and developing new ministries.
- Legal obligation applies:
  - Where the Hastings Centre has contracted with you for the hire of facilities or the provision of services.
  - When you exercise your rights under data protection law and related disclosures.
  - Where we are required to maintain and report financial/accounting information for up to six years from the end of the tax year in which a financial transaction was processed. This would typically be in respect of donations you may make to the church, or ticket payments for certain events or courses run by the church or for hirings and related services provided by the Hastings Centre.
  - Where we are required to maintain attendance records at groups or events for safeguarding purposes.
- Consent applies:
  - Where you have voluntarily subscribed to the church or Hastings Centre mailing lists. You can unsubscribe from these at any time using the unsubscribe link in the footer of those periodic emails.
  - Where you have provided your details directly to a church group or project leader in order for them to administer the group, knowing that in these cases the data will not be stored on a secure server.
Sharing your personal information
The information we hold about you will be treated as strictly confidential and we will only share your data with third parties with your prior consent, or when required to do so by law.
King’s Church Hastings & Bexhill and Hastings Centre employ an external payroll provider. Employees’ personal data will be made available to this provider for this explicit purpose and will be subject to the provider confirming their own compliance with the requirements of GDPR.
How secure is your information?
All personal data held by King’s Church Hastings & Bexhill and the Hastings Centre in electronic form is stored on our secure Exchange server.
All paper documents with personal information will be kept in robust, locked filing cabinets at the Hastings Centre, clearly labelled with documented key holders.
Access to any personal data, in either electronic or hard copy form, will only be permitted to employees of King’s Church or one of its operating companies or to authorised volunteers, all of whom must have signed a copy of our data protection policies. These data will only be used for the purposes and processes for which they are needed and records will be deleted as soon as they are no longer required for these purposes.
The church is moving to the use of a secure church management system (ChurchSuite) that is only accessible by authorised church leaders, staff and ministry leaders. This system is compliant with the requirements of GDPR and will store all data in secure cloud (remote, web-accessed) storage. By late 2018 that system will allow you to directly view the data the church holds for you and will allow you to specify how we communicate with you and manage your data. We have taken all practical and reasonable technical measures to ensure our administrative and processing activities are secure.
How long do we keep your personal information?
We keep data in accordance with the guidance set out by the GDPR. We endeavour to maintain only data that is relevant, accurate and up-to-date. We have internal processes to periodically review the data we hold and delete data that is no longer relevant to our purpose for processing. Specifically, we retain member and former member information while it is still current and for 7 years after a person ceases to be a member of the church; Gift Aid declarations and financial data for up to 6 years after the calendar year to which they relate; and legal registers (baptisms, marriages, funerals) and safeguarding records permanently.
Your rights and your personal information
Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal information:
- Access to your information: You have the right to request a copy of the personal information that we hold about you.
- Correcting your information: We want to make sure that your personal information is accurate, complete and up-to-date and you may ask us to correct any personal information about you that you believe does not meet these standards.
- Deletion of your information: You have the right to ask us to delete personal information about you where:
  - You consider that we no longer require the information for the purposes for which it was obtained or that we no longer need to retain it in accordance with our statutory obligations;
  - You have validly objected to our use of your personal information – see ‘Objecting to how we may use your information’ below;
  - Our use of your personal information is contrary to law or our other legal obligations.
- Objecting to how we may use your information: Where we use your personal information to perform tasks carried out in the public interest then, if you ask us to, we will stop using that personal information unless there are overriding legitimate grounds to continue.
- Restricting how we may use your information: In some cases, you may ask us to restrict how we use your personal information. This right might apply, for example, where we are checking the accuracy of personal information about you that we hold or assessing the validity of any objection you have made to our use of your information. The right might also apply where there is no longer a basis for using your personal information but you do not want us to delete the data. Where this right is validly exercised, we may only use the relevant personal information with your consent, for legal claims or where there are other public interest grounds to do so.
- Withdrawing consent to the use of your information: Where we use your personal information with your consent you may withdraw that consent at any time and we will stop using your personal information for the purpose(s) for which consent was given. Please contact us directly in writing if you wish to exercise any of these rights.
- Lodging a complaint: If you feel we have used your information incorrectly or without lawful basis, or you dispute our lawful basis, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO).
If we wish to use your personal data for a new purpose, not covered by this Data Protection Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Wherever and whenever necessary, we will seek your prior consent to the new processing.
Our contact details
We can provide you with access to your personal data at any time. We ask that requests are made in writing to: The Data Protection Officer, King’s Church, Hastings Centre, The Ridge, Hastings, East Sussex, TN34 2SA.