Data Management Policy
This policy outlines how St Mary’s Church, Whitkirk and its associated groups manage and process personal data, along with best practices to be followed whilst doing so.
St Mary’s Church by necessity collects, stores and processes personal data as part of its day-to-day operations. Our publicly available Privacy & Data Policy outlines the kinds of data we collect, what we do with it and how we store it.
The Church’s Data Protection Officer is responsible for making sure the various data controllers and data processors within the Church follow the relevant legislation and best practices.
The role of the Data Protection Officer is not to decide if any particular piece of data is worth collecting or how to process it – although they can certainly help with this.
The Church’s current Data Protection Officer is:
Data controllers are individuals within the Church who are responsible for maintaining a particular collection of data which includes personal data. In particular, they have responsibility for deciding what data is collected and how it is stored and used in line with this policy and the relevant legislation, as well as deciding who has access to it.
A list of data controllers and which data collections they have responsibility for is kept by the Data Protection Officer.
Data processors are individuals who have access to and who use personal data. They have the responsibility to only view and use personal data in line with this policy and the relevant legislation.
There is no central list of data processors for any given collection of data – it is the responsibility of the relevant data controller to make sure they are aware of who has access to and use of data, and for what purpose.
If you need any help or advice on how to collect, store, manage or use data you can contact the Data Protection Officer at email@example.com.
This policy covers the current best practice for collecting, storing, managing and using data within the Church. It must be read by all data controllers and data processors, and the Data Protection Officer keeps a record of who has done so.
If you have not yet signed to say you have read this policy, you can do so using this form.
The process for ensuring people re-sign their acceptance of this policy on a regular basis is managed via ChurchSuite.
According to the ICO:
Personal data means data which relate to a living individual who can be identified –
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
This definition includes a lot of the data which are collected during the regular operation of the Church, for example, names, addresses, dates of birth and contact details.
In some cases where the Church serves a statutory role (such as in the Parish Electoral Roll or in keeping a register of marriages) our responsibilities with regard to personal data vary. If you are responsible for keeping a statutory collection of data you should already be familiar with its requirements, but if you are unsure please contact the Data Protection Officer by emailing firstname.lastname@example.org.
It is important to keep data safe and only process or handle it in suitable ways.
The easiest way to keep a person’s data safe is to simply not have it – only collect the minimum amount of data needed to perform a task. It can be tempting to collect more, but unless you have plans to use it then you shouldn’t be keeping it.
It might seem safer to split data up, but it’s easier to keep track of and secure if it’s in one place.
All personal data should be kept somewhere secure, where you can control who has access. This might be electronically secured or keeping paper forms in a locked cupboard or filing cabinet.
You should review all your data on a regular basis, and destroy the information you no longer have a reason to keep (for example, if the person is no longer part of a group you manage).
The Data Protection Officer has no need to see the contents of any collection of data you hold but does need to know that you hold it.
You must never share personal data outside of the Church without the prior knowledge and approval of the relevant data controller.
If a person within the Church asks you for a copy of any personal data where they do not seem to need it, even for a reason which seems benign, you should not provide it and instead seek advice from the relevant data controller. If you’re not sure who this is, the Data Protection Officer will be able to help.
It might seem convenient to have everybody’s name and address printed for reference, but there is always a risk of it being mislaid. It will also quickly become out of date.
Printing data for a specific short-term use, such as printing address labels, is acceptable as long as the printed copies are then treated with the same care as any other personal data and are destroyed once the task is complete.
It’s very easy to export absolutely everything, but you should always export the bare minimum needed for a task.
It is always preferable to give a person access to an existing collection of data should they need it, rather than to copy data and send it to them. This both reduces the risk in the number of copies being available and ensures that there is only one place which must be kept protected and updated.
If you must copy data, you must only copy the bare minimum needed, and ensure that the copy is still suitably protected and handled.
People have a right to ask to see any and all information we hold about them. This is sometimes also called a Subject Access Request. In general, these requests will be directed via the Data Protection Officer who will then contact individual data controllers to request more information and collate responses.
Following a request under Right of Access, we must provide a complete copy of the data we hold on an individual within one month.
Also known as the Right to Be Forgotten, people we hold personal data about have the right to ask us to permanently remove that data. In general, these requests will be directed via the Data Protection Officer who will then contact individual data controllers to request removal.
Following a request under Right to Erasure, we must remove all personally identifiable information about that person within one month. This includes all electronic and paper records.
This does not necessarily apply to legally required collections such as the Parish Electoral Roll or the Register of Marriage, but the Data Protection Officer will be able to provide more information or assistance if needed.