Data Privacy Notice - General

Ely Diocesan Board of Finance (EDBF) Data Privacy Notice

Updated: 29 July 2024

Version 4.2

Introduction

We, Ely Diocesan Board of Finance (collectively “EDBF”, “we” or “us”), want you to be familiar with how we collect, use and disclose personal data.

This Data Privacy Notice sets out details of the personal data we may collect from and / or about you, as well as how we may use that information in relation to your role in undertaking diocesan duties.

Your privacy is very important to us, and we are committed to safeguarding your personal data. Please take your time to read this Data Privacy Notice carefully (This Data Privacy Notice can be found on the Diocesan website – www.elydiocese.org)

“personal data” is information that identifies you as an individual or which relates to an identifiable individual. 

This Data Privacy Notice describes our processing practices in relation to personal data and covers:

  • Our responsibilities and who we are
  • How we process your personal data
  • Where we collect the personal data we process from
  • Why we process your personal data
  • What personal data we process about you
  • The legal basis for processing your personal data
  • How long we keep your personal data for
  • Who we share your personal data with
  • Your rights under data protection law.

Data Controller

The Ely Diocesan Board of Finance (EDBF) will either be a Data Controller for the personal data we process, the Joint Data Controller, where this information is jointly controlled with that of, for example, the Bishop of Ely’s office, or a Data Processer, where the EDBF may process personal information in the discharge of its duties to the wider church.

You can contact us in a variety of ways, including by telephone, email and post. 

  • Our postal address is: Etheldreda House, 206 Wellington Road, Lancaster Way Business Park, Witchford, Ely. CB6 3NX
  • The Ely Diocesan Board of Finance Data Protection Team can be contacted by email on data.protection@elydiocese.org or by telephone via 01353 652703. 
  • If you have any questions about this Notice or how we handle your personal data, please contact our Data Protection Officer (DPO) at dpoaas@grcilaw.com.

How we collect personal data

We collect personal data in a variety of ways including through our interactions with you in relation to your undertaking of diocesan duties, and from other sources as set out below.

If you disclose any personal data relating to other people to us, you represent that you have the authority to do so and to permit us to use that personal data in accordance with this Data Privacy Notice.

Sources of personal data  

We collect some of the personal data we process through our direct interactions with you, through whichever means that might be, including telephone calls, emails, in-person contact, letter correspondence and online means. This might include, but is not limited to:

  • Where you have registered for and / or attended a course or event run or organised by us
  • Where you have requested advice or assistance from us in relation to the undertaking of your diocesan duties
  • Where you have provided your contact or other details to us.
  • Where you use our website

We also receive personal data indirectly, for example:

  • Where you hold a Bishop’s Licence and information is available to us via the Bishop’s office, generally through access to a joint central diocesan database, for the joint discharge of services to support functions such as training and personal development and information sharing.
  • From National Church Institutions in relation to matters of finance (such as clergy payroll and pensions), education and communications
  • Access to third party sources of information such as Crockford’s Clerical Directory, A Church Near You, Parish websites and other publicly accessible sources such as Google where contact information might be sought to contact you on essential matters of diocesan business relevant to your role or interest in the church.

Why we process your personal data

We collect certain personal data to support you in your undertaking of Parish, Benefice, Deanery and/or Diocesan duties and to discharge our legal responsibilities.

For example, we need to be able to get in touch with you and other key people in parishes and deaneries across the Diocese to help us provide you with certain services as may be required.  These services (the “Services”) include:

  • ministry and mission support (including the filling of vacancies)
  • financial advice and support
  • legal advice relating to trusts and other matters
  • provision of safeguarding training and advice
  • work relating to pastoral reorganisation and the Church Representation Rules
  • work relating to parsonages and other housing and property management
  • advice relating to church buildings, their development and maintenance
  • educational work both in our church schools, academies and beyond
  • event management
  • publication of the Diocesan newsletter and all the news and guidance on our website.

In addition, we are legally required to consult with key office holders such as clergy, PCC Secretaries, PCC Treasurers and Churchwardens on certain matters affecting the Diocese.

The types of personal data we may process

We collect the following categories of personal data:

Name and Contact Details

Such as first and last name, title, postal address, email address, telephone number

Personal Details

Such as age, gender, data of birth, marital status, nationality

Identification Details

Such as passport details and visa information (if applicable) and via CCTV capture at Etheldreda House (Diocesan Offices) for the purposes of site security

Next of Kin

Such as first and last name, title, postal address, email address, telephone number, date of birth (where relevant for pastoral care) and relationship to data subject]

Disclosure and Barring Service (DBS) and Confidential Declarations

DBS check information will be processed where, for example, you have a role that requires it. Confidential Checks are also undertaken where they are required as part of your role.

Qualification and Training Records

Such as clergy Ministrerial development review Data, training requirements required as part of the church role, including safeguarding training requirements. Job applicant CVs may also be processed for the duration required to determine suitability of a role and outcome of the recruitment process.

Financial Details

Financial information including your bank account and payment details (such as salary, pension payments, tax information and / or expense information)

Preferences

Such as dietary requirements and/or allergies where required

Religious beliefs and associated information

Such as proof of baptism and confirmation

Health Information

Such as information about your physical and mental health as may be relevant to your relationship with us. This might include for example accessibility information and notes such as eyesight or hearing impairment. 

 

Please note, health data may reveal certain other categories of sensitive personal information. Where this information is revealed, we will not process it any further except with your consent]

Technical information

Such as IP addresses and analytics data collected via the website.

 

Lawful basis for processing your personal data

We use your personal data for legitimate purposes relevant to the diocesan business and our provision of the Services, all as described in the overview below:

Purpose of Processing

Examples of Processing Activity

Categories of Personal data involved

Lawful basis of Processing

Legitimate Interests (if applicable)

Ministry And Mission Support

Support and engagement (inclusive of vocational support) of lay members and other officers, including chaplaincy, curacies,  ordinands, advisors and specialist support workers such as youth workers, and children and family support workers.  Admin and organisation in relation to overseas mission trips and operation of the ministry experience scheme

Name and Contact details;

 

Identification Details;

 

Preferences;

 

Religious Beliefs and Associated Information;

 

Financial Information;

 

Qualification and Training Records

Consent, for example in connection with the issue of engagement newsletters

 

Legitimate interest, such as to determine the suitability of candidates for relevant positions as well as appropriate vocational supports for personnel.

Conduct of normal business

Event Management

Administration and Management of diocesan events, including social events and conferences

Name and Contact Details;

 

Photographs and recordings taken for potential online and print promotion. (notices issued at the event and exemption processes in place at the time of event)

 

Dietary preferences and allergy information

 

Health Information to ensure access to the premises can be assured.

Contractual Performance,

 

Legitimate Interest, for example to enable social events to be organised to support community engagement activities.

Conduct of normal business

Financial Operations and Financial Advice and Support

Payroll operations, payment of expenses and invoicing, provision of financial advice to help manage operational funding and financial administration, and to provide finance-related training

Name and Contact Details

 

Financial Information

 

Qualification and Training Records

Contractual Performance, for example to enable the payment of invoices and expenses

 

Legal Obligation, for example to ensure payment of payroll

 

Legitimate Interest, for example to ensure personnel with financial responsibilities are suitably trained to complete their duties effectively

 

Management of Operational Funding

 

 

 

 

 

Maintaining informed local treasurers

Provision of legal advice in relation to trusts and other matters (such as legacy giving)

Advice on regular giving, legacies and legal issues

Name and Contact Details

Legitimate interest, for example to ensure that parishes can conduct business appropriately

Normal conduct of business

Pastoral reorganisation and the Church Representation Rules

Advice, guidance and the management of pastoral reorganisation process

Name and Contact Details

Legal Obligation, for example to discharge the requirements of Church Representation Rules.

 

Advice and legal obligations relating to church buildings, their development and maintenance

Advice, guidance and delivery of legal obligations relating to the management and care of church buildings

Name and Contact Details

Legal Obligation, for example to discharge the requirements of Church Representation Rules.

 

Legitimate interest, for example to ensure that parishes are supported in their own legal obligations relating to the care of church buildings

 

 

 

 

 

Supporting local church leaders when asked for support

Work relating to parsonages and other housing and property management

Oversight and management of clergy housing standards and maintenance

Name and Contact Details

Legal Obligation, for example to discharge the requirements of property maintenance and access requirements.

 

Legitimate interest, for example to ensure that clergy are supported in their own homes.

 

Contractual Performance, for example to enable the payment of invoices and expenses relating to property maintenance.

Conduct of normal business

Provision of safeguarding training and advice

Training and advice where needed in relation to safeguarding issues or other matters involving minors or vulnerable persons

Name and Contact Details

 

DBS Check Information

Legal Obligation, for example to ensure that all applicable legal obligations related to safeguarding responsibilities are complied with as required on a recurring basis and to maintain accurate records.

 

Legitimate Interest, for example, to maintain capacity to provide suitably qualified safeguarders to meet requirements.

As per the obligations and to keep an accurate record of safeguarding training undertaken and to send certificates; to inform safeguarding officers of upcoming courses to keep their training up to date.

Monitoring of IT and telecommunications systems to maintain the integrity of the systems and prevent misuse

Provide technical support to staff, and users of IT systems, email, mobile devices and telephones

Identification Data

 

Contact Data

 

Technical Data

Legitimate Interest, for example to maintain the security and safety of company data.

Conduct of normal business

Monitoring website

Use of minimum website cookies required to facilitate core website function and Google analytics service.

Core data in relation to basic website traffic monitoring through Google analytics, including IP address and any other such personal information that might be submitted manually by the user via the website.

Legitimate Interest, for example to improve technical performance and website visitors’ browsing experience

Conduct of normal business to maintain service

Educational work in our church schools, academies and beyond

Oversee the operations and management of Diocesan schools.

 

Name and Contact Details

 

Sensitive school information including: school performance data, staffing, welfare, safeguarding etc. Although anonymised, it may be possible to identify individuals within smaller schools from the information recorded.

Legal Obligation, for example to process complaints

 

Legitimate interest, for example to assess performance records

 

Contractual Performance, for example to enable recruitment and people management.

 

Consent, for example to manage information for Ely Diocesan Regional Adviser roles.

Conduct of normal business

Publication of the Diocesan newsletter and all the news and guidance on our website

Publication and distribution of newsletter and guidance

Contact and Identification Details

Consent, for example to receive the e-newsletter (opt-out available)

 

Consultation with key office holders (such as clergy, PCC Secretaries, PCC Treasurers and Churchwardens)

Communication and consultation with key personnel on matters affecting the diocese such updates on key dates for the submission of Church finance and statistics for mission data or procedural changes for example where national Synod passes a motion that dioceses must consider and/or adopt.

 .

Contact and Identification Details

Legal Obligation, such as notification of a rule or guidance change to church business.

 

Legitimate Interest, such as a notification on deadlines for the submission of parish statistics data.

Normal conduct of business

Visitor management

Manage staff and visitor sign in to Etheldreda House to maintain the using the Sign-in App software and hardware.

Name, contact information and car registration

Legal Obligation, such as knowing who is onsite for fire safety requirements.

 

Legitimate interest, to ensure visitors are known to the diocese and where required a record is available

Normal conduct of business

Using CCTV monitoring at the EDBF office

CCTV recordings

Vehicle  registration numbers

Static and moving video images of individuals

Legitimate Interest, for example to ensure the security of our premises and protect staff and visitors from possible criminal behaviour

Create a safer environment

 

Consent

We want you to be able to make informed decisions.  This means that in cases where we need your consent to use your personal data, we will always explain to you upfront why we are asking for that consent and will provide you with details of how and why your personal data will be used, should you give us that consent. Where we rely on your consent to process your personal data, we will only do so where such consent has been explicitly provided by you. 

In circumstances where you have provided your consent to our processing of your personal data for a specific purpose, you also have the right to withdraw that consent at any time. To withdraw your consent, please contact the Data Protection Officer via data.protection@elydiocese.org.

Once we have received notification that you have withdrawn your consent, we will no longer process your personal data for the purpose or purposes you originally agreed to, unless we have another lawful basis for doing so.

What if I do not want to provide the information asked for? 

Where we ask you to provide us with your personal data, you do not have to provide us with that personal data if you do not want to. However, failure to provide any personal data that we need from you to carry out our duties will mean that we may not be able to provide you with the Services and may also limit (or preclude) your ability to carry out your diocesan duties.

How long will we keep your information?

We will only keep your personal data for as long as necessary to fulfil the purposes outlined in this Data Privacy Notice, unless a longer retention period is required or permitted by law, for example to comply with any legal, regulatory, tax, accounting or reporting requirements.  This is in line with our retention schedule, a copy of which can be obtained from the Data Protection Officer via data.protection@elydiocese.org.

Our retention schedule has been devised in line with Church of England guidance and has appropriate regard to such factors as (i) the length of time we have an ongoing relationship with you for the purposes of your provision of diocesan duties and our provision of Services to you; and (ii) any relevant legal obligations with which we must comply.

Where a legal obligation arises, or retention is advisable in light of our legal position, in some circumstances we will retain certain personal data about you, even if we no longer have a relationship with, or provide Services to, you.

For example:

To cooperate with law enforcement or public, regulatory and government authorities:

  • If we receive a preservation order or search warrant related to our relationship with you, we will preserve personal data subject to such order or warrant (to the extent that we hold it) even after our relationship with you has come to an end such that you no longer undertake diocesan duties and/or we no longer provide Services to you.

To purse or defend a legal action:

  • We may retain relevant personal data in the even of a legal claim or complaint, or if we reasonably believe there is a prospect of litigation (whether in respect of our relationship with you or otherwise.

Sharing information

For some of our activities we use data processors, who are third parties, to provide certain services / elements of service for us.

We share information with such third parties as set out in the table below. In all cases, the data processors we use are instructed by us which means that they cannot do anything with your personal data unless we have specifically asked them to do so, and they are not permitted to share your personal data with anyone other than us.

In some circumstances we may also be legally obliged to share information with third parties, for example if we receive a court order requiring our cooperation in a civil, commercial, criminal, regulatory or taxation matter, or where we are involved in the resolution of a legal dispute or the handling of an internal investigation.  We will only ever share such information where we have satisfied ourselves that we have a lawful basis for so doing, and we will only ever share the minimum amount of information necessary to comply with any such disclosure requirement.

 

Recipient (Type)

Purpose

Church Bodies

To support the broader operation of the church by sharing information to the relevant national church organisations for the discharge of, for example, the Church Representation Rules, Pastoral Changes, Clergy pay and the national register of those that hold public office such as a bishops licence.

 

Information Technology and related Infrastructure Service providers

Providing information technology services and support;

Fraud prevention and security;

Operations and general business.

Website hosting platform to support the website

Database hosting third party to maintain and hold the diocesan database

Training Providers

Exchange of information with the National church in relation to the completion of safeguarding and other training required as part of a role

Exchange of information with clergy and church role holder learning institutions for the delivery of the training service

 

Where do we keep this information

We store the personal data that we process within the UK. It is encrypted and securely held on password protected servers with no permitted access to anyone unless they have an operational/Diocesan business need to do so.

However, if you permit us to do so, your contact information will be made available through the Diocesan website or within the online and printed Diocesan directory.  It should be noted that this information will then be visible in countries outside of the UK / EEA and which may have data protection rules in place that are different to those which apply in the UK / EEA.

In addition, your personal data may also be stored and processed by third-party service providers we engage in countries outside of the UK / EEA.  For example, we make use of certain third-party services for subscription e-newsletters and or questionnaires.  These third parties (and others) may process data outside of the UK / EEA.  This means that your personal data will be transferred to countries outside of the UK / EEA, including the United States, to enable such third-party service providers to provide their services to us.  These other locations may have different data protection rules in place to those which apply in the UK / EEA.

Where engagement with such third-party service providers will involve transferring your personal data outside of the UK / EEA we ensure that a similar degree of protection is afforded to it by ensuring that at least one of the following safeguards is implemented:

Adequacy Decisions: Some non-EEA countries are recognised under UK GDPR and by the European Commission, as providing an adequate level of data protection according to EEA standards https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en

Standard Contractual Clauses: For transfers of personal data from the UK [and / or the EEA] to specific relevant third countries where personal data is transferred but which are not considered adequate under UK GDPR and / or by the European Commission, we will put in place standard contractual clauses adopted under UK GDPR and by the European Commission to protect your personal data.  Where applicable, you will be able to obtain a copy of these measures by contacting us via email at data.protection@elydiocese.org.

(Note: “UK GDPR” has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.)

Security

We have put in place appropriate security measures to prevent the personal data in our care from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.  However, no data or storage system or transmission can be guaranteed to be 100% secure.  If you have reason to believe that your interaction with us is no longer secure, please notify us by contacting the Data Protection Manager using the contact details set out in this Data Privacy Notice.

Your rights 

Under certain circumstances, by law you have the right to:

  • Request access to your personal data (commonly known as a data subject access request). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of your personal data (sometimes also referred as “the right to be forgotten”). This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
  • Object to processing of your personal data where we are relying on a legitimate interest to do so (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.
  • Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of your personal data to another party.
  • Object to automated processing, including profiling, of your personal data. We currently do not carry out any automated decision-making or profiling: if this changes we will update this privacy notice accordingly.

If you want to exercise any of your above listed rights to review, please contact the Data Protection Manager at data.protection@elydiocese.org.

Please note, before we can progress your request, we may need to seek specific information from you to help us confirm your identity and ensure your right to access the personal data (or to exercise any of your other rights). This is an appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in these circumstances.

Please note, we may need to retain certain information for record-keeping purposes and / or our own purposes to comply with legal or regulatory requirements, in which case we may be unable to delete your personal data in the case of a deletion request.  In some circumstances, exercising some of these rights (including the right of erasure, the right restriction of processing and exercising your right to withdraw consent) may mean that we are unable to continue providing you with some or all of the Services and your ability to carry out your diocesan duties may also be limited or precluded.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

Complaints

In the event that you wish to make a complaint about how your personal data is being processed by us (or third parties we engage with as described above) please contact the Data Protection Manager at data.protection@elydiocese.org. in the first instance. 

In the event that you are not happy with the outcome of a complaint, you also have the right to complain to the data protection regulator. In the UK this is the Information Commissioner’s Office (ICO).

You can lodge a complaint or report a concern with the ICO here, or by contacting them as follows: Tel: 0303 123 1113

Changes to this Data Privacy Notice

We reserve the right to update this Data Privacy Notice at any time, and we will provide you with a new Data Privacy Notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal data.

Cookies

Our website uses cookies. Some of these cookies are essential, while others help us to improve your experience by providing insights into how the site is being used. You may choose to accept or reject our recommended usage of cookies or turn individual cookies on and off using the checkboxes. Please visit https://www.civicuk.com/cookie-control/ to see what cookies manager we use.

Page last updated: Thursday 21st November 2024 1:12 AM
Powered by Church Edit