Privacy Notice and Retention Policy
Privacy Notice
GORBALS PARISH CHURCH Congregation No: 160943 and Charity No: SC002214
(the “Congregation”)
Purpose of this Notice
This Privacy Notice outlines the way in which the Congregation will use personal information provided to us. Personal information includes any information that identifies you personally, such as your name, address, email address or telephone number.
The Congregation recognises the importance of your privacy and personal information, and we have therefore outlined below how we use, disclose, and protect this information. The Congregation, jointly with the Presbytery of Glasgow is the data controller, because we decide how your data are processed and for what purpose. Contact details for us are provided below.
How we use information
We use the information you give to us:
to administer membership records, including a Communion Roll and Supplementary Roll.
for pastoral care purposes.
in relation to participation in Congregational activities.
to provide you with information about news, events, and activities within the Congregation or the wider Church of Scotland.
to provide the services of a parish church to the local community.
to fulfill contractual or other legal obligations.
to manage our employees.
to further our charitable aims, for example through fundraising activities.
to maintain our accounts and records (including the processing of Gift Aid applications).
if CCTV is in place, we have this for the prevention and detection of crime.
Disclosure of information
The Congregation will only share your personal information where this is necessary for the purposes set out above. Information will not be shared with any third party out with the Church of Scotland without your consent unless we are obliged or permitted to do so by law.
Basis for processing personal information
The Congregation processes your information in the course of its legitimate activities, with appropriate safeguards in place, as a not-for-profit body with a religious aim and on the basis that our processing relates solely to members, former members or people who have regular contact with us, and that this information is not disclosed to any third party without your consent.
We also process information where this is necessary for compliance with our legal obligations; where processing is necessary for the purposes of our legitimate interests and such interests are not overridden by your interests or fundamental rights and freedoms; and where you have given consent to the processing of your information for a particular purpose.
Storage and security of personal information
The Congregation will strive to ensure that personal information is accurate and held in a secure and confidential environment. We will keep your personal information for as long as you are a member or adherent or have regular contact with us or so long as we are obliged to keep it by law or may need it in order to respond to any questions or complaints or to show that we treated you fairly. We may also keep it for statistical purposes but if so we will only use it for that purpose. When the information is no longer needed it will be securely destroyed or permanently rendered anonymous. [Further information about our data retention policy is available at gorbalschurch.com. A copy of our data retention policy is attached to this Notice].
Getting a copy of your personal information
You can request details of the personal information which the Congregation holds about you by contacting us using the contact details given below.
Inaccuracies and Objections
If you believe that any information the Congregation holds about you is incorrect or incomplete or if you do not wish your personal information to be held or used by us, please let us know. Any information found to be incorrect will be corrected as quickly as possible.
You have the right to object to our use of your personal information, or to ask us to remove or stop using your personal information if there is no need for us to keep it. There may be legal or other reasons why we need to keep or use your data, but please tell us if you think that we should not be using it.
If we are processing your data on the basis of your explicit consent, you can withdraw your consent at any time. Please contact us if you want to do so.
Contact us
You can contact us by getting in touch with Fraser Ellis at onegpc@outlook.com.
How to complain
You have the right to complain to the Information Commissioner’s Office about anything relating to the processing of your personal information by the Congregation. You can contact the ICO via its website at www.ico.org.uk or at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
Privacy Notice
The Kirk Session of GORBALS PARISH CHURCH Congregation No: 160943 and Charity No: SC002214 (the “Employer”)
The Employer collects and processes personal data relating to its employees to manage the employment relationship. We are committed to being transparent about how we collect and use that data and to meeting our data protection obligations.
What information do we collect?
We collect and process a range of information about you. This includes:
your name, address and contact details, including email address and telephone number, date of birth and gender;
the terms and conditions of your employment;
details of your qualifications, skills, experience and employment history, including start and end dates, with previous employers and with the organisation;
information about your remuneration, including entitlement to benefits such as pensions, childcare vouchers or insurance cover;
details of your bank account and national insurance number;
information about your marital status, next of kin, dependants and emergency contacts;
information about your nationality and entitlement to work in the UK;
information about your criminal record;
details of your schedule (days of work and working hours) and attendance at work;
details of periods of leave taken by you, including holiday, sickness absence, family leave and sabbaticals, and the reasons for the leave;
details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence;
assessments of your performance, including appraisals, performance reviews and ratings, training you have participated in, performance improvement plans and related correspondence;
information about medical or health conditions, including whether or not you have a disability for which the organisation needs to make reasonable adjustments;
details of trade union membership; and
equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health and religion or belief.
We collect this information in a variety of ways. For example, data is collected through application forms, CVs or resumes; obtained from your passport or other identity documents such as your driving licence; from forms completed by you at the start of, or during employment; from correspondence with you; or through interviews, meetings or other assessments.
We also collect personal data about you from third parties, such as references supplied by former employers and, where applicable, information from criminal records checks permitted by law.
Data is stored in a range of different places, including in your personnel file and on our IT systems (including the email system).
Basis for processing personal data
We need to process data to enter into an employment contract with you and to meet our obligations under your employment contract. For example, we need to process your data to provide you with an employment contract, to pay you in accordance with your employment contract and to administer pension and benefit entitlements.
In some cases, we need to process data to ensure that we are complying with our legal obligations. For example, we are required to check an employee's entitlement to work in the UK, to deduct tax, to comply with health and safety laws and to enable employees to take periods of leave to which they are entitled. For certain positions, it is necessary to carry out criminal records checks to ensure that individuals are permitted to undertake the role in question.
In other cases, we have a legitimate interest in processing personal data before, during and after the end of the employment relationship. Processing employee data allows us to:
run recruitment and promotion processes;
maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency), and records of employee contractual and statutory rights;
operate and keep a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplace;
operate and keep a record of employee performance and related processes, to plan for career development, and for succession planning and workforce management purposes;
operate and keep a record of absence and absence management procedures, to allow effective workforce management and ensure that employees are receiving the pay or other benefits to which they are entitled;
obtain occupational health advice, to ensure that we comply with duties in relation to individuals with disabilities, meet our obligations under health and safety law, and ensure that employees are receiving the pay or other benefits to which they are entitled;
operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave), to allow effective workforce management, to ensure that we comply with duties in relation to leave entitlement, and to ensure that employees are receiving the pay or other benefits to which they are entitled;
ensure effective business administration;
provide references on request for current or former employees;
respond to and defend against legal claims; and
maintain and promote equality in the workplace.
Where we rely on legitimate interests as a reason for processing data, we have considered whether or not those interests are overridden by the rights and freedoms of employees or workers and have concluded that they are not.
Some special categories of personal data, such as information about health or medical conditions, is processed to carry out employment law obligations (such as those in relation to employees with disabilities and for health and safety purposes). Information about trade union membership is processed to allow us to operate check-off for union subscriptions.
We process other special categories of personal data, such as information about ethnic origin, sexual orientation, health or religion or belief. This is done for the purposes of equal opportunities monitoring. Data that we use for these purposes is anonymised or is collected with the express consent of employees, which can be withdrawn at any time. Employees are entirely free to decide whether or not to provide such data and there are no consequences of failing to do so.
Who has access to data?
Your information will be shared internally, including with members of the Kirk Session, your line manager, and, if in post, the local Community Development Worker.
We share your data with third parties in order to obtain pre-employment references from other employers and obtain necessary criminal records checks from Disclosure Scotland.
We also share your data with third parties that process data on our behalf in connection with payroll and the potential provision of occupational health services.
How do we protect data?
We take the security of your data seriously. We have internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused, or disclosed, and is not accessed except by those in the performance of their duties.
Where we engage third parties to process personal data on our behalf, we do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
For how long do we keep data?
We will hold your personal data for the duration of your employment. The periods for which your data is held after the end of employment are set out in the Data Retention Policy.
Your rights
As a data subject, you have a number of rights. You can:
access and obtain a copy of your data on request;
require us to change incorrect or incomplete data;
require us to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing;
object to the processing of your data where we are relying on our legitimate interests as the legal ground for processing; and
ask us to stop processing data for a period if data is inaccurate or there is a dispute about whether or not your interests override our legitimate grounds for processing data.
If you would like to exercise any of these rights, please contact [insert name and contact details].
If you believe that we have not complied with your data protection rights, you can complain to the Information Commissioner. You can contact the ICO on its website at www.ico.org.uk or at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
What if you do not provide personal data?
You have some obligations under your employment contract to provide us with data. In particular, you are required to report absences from work and may be required to provide information about disciplinary or other matters under the implied duty of good faith. You may also have to provide us with data in order to exercise your statutory rights, such as in relation to statutory leave entitlements. Failing to provide the data may mean that you are unable to exercise your statutory rights.
Certain information, such as contact details, your right to work in the UK and payment details, have to be provided to enable us to enter a contract of employment with you. If you do not provide other information, this will hinder our ability to administer the rights and obligations arising as a result of the employment relationship efficiently.
WHAT TO KEEP
GORBALS PARISH CHURCH Charity No: SC002214 (the “Congregation”)
DATA RETENTION POLICY
Introduction
Church of Scotland congregations gather personal information from individuals and external organisations as well as generating a wide range of personal data, all of which is recorded in documents and records, both in hard copy and electronic form.
Examples of the types of information accumulated and generated are set out in Appendix 1 of this policy and include but are not limited to minutes of Kirk Session meetings; membership rolls; baptismal information; employment records; newsletters and other communications such as letters and emails.
In certain circumstances it will be necessary to retain documents to meet legal requirements and for operational needs. Document retention is also required to evidence agreements or events and to preserve information.
It is however not practical or appropriate for congregations to retain all records. Additionally, data protection principles require information to be as up to date and accurate as possible. It is therefore important that congregations have in place systems for the timely and secure disposal of documents that are no longer required.
This Data Retention Policy was adopted by the Congregation on 28 Oct 2021 and will be implemented on a day-to-day basis.
Roles and Responsibilities
Congregational office bearers and those involved with safeguarding will adopt the retention and disposal guidance at Appendix 1 of this policy and strive to keep records up to date.
Advice will be obtained from the Law Department or Safeguarding Department of the Church Office at 121 George Street if there is uncertainty about retention periods.
Retention and Disposal Policy
Decisions relating to the retention and disposal of data should be guided by:
Appendix 1 – Document Retention Schedule – Guidance on the recommended and statutory minimum retention periods for specific types of documents and records.
Appendix 2 – Quick Guide to document retention.
In circumstances where the retention period for a specific document or category of documents has expired, a review should be carried out prior to disposal and consideration should be given to the method of disposal.
Disposal
Documents containing confidential or personal information should be disposed of either by shredding or by using confidential waste bins or sacks. Such documentation is likely to include financial details, contact lists with names and addresses and pastoral information.
Documents other than those containing confidential or personal information may be disposed of by recycling or binning.
Electronic communications including email, Facebook pages, twitter accounts etc and all information stored digitally should also be reviewed and if no longer required, closed and/or deleted so as to be put beyond use. This should not be done simply by archiving, which is not the same as deletion. It will often be sufficient simply to delete the information, with no intention of ever using or accessing it again, despite the fact that it may still exist in the electronic ether. Information will be deemed to be put beyond use if the Congregation is not able, or will not attempt, to use it to inform any decision in respect of any individual or in a manner that affects the individual in any way and does not give any other organisation access to it.
Deletion can also be affected by using one of the following methods of disposal:
Using secure deletion software which can overwrite data.
Using the function of “restore to factory settings” (where information is not stored in a removeable format).
Sending the device to a specialist who will securely delete the data.