The Parochial Church Council (PCC) of St Augustine of Hippo (“St Augustine’s”) takes its obligations with regard to data protection seriously. As such, we are providing this notice (“Privacy Notice”) to you so that you are provided with information about how St Augustine’s collects and processes your personal data in accordance with the General Data Protection Regulation (“GDPR”).
- Your personal data – what is it?
Personal data is information that relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. The processing of personal data is governed by the GDPR.
Where you choose to provide personal data to us, the personal data which we may process may include your name and contact information, such as your address, telephone number and email address, your date of birth, gender and marital status. Where you contact us for specific purposes (such as to arrange a baptism, confirmation, wedding or funeral) then we may need to collect and process additional information that is relevant to that purpose.
- Who are we?
St Augustine’s is a “data controller”. This means that we are responsible for deciding how we hold and use personal data about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.
- How do we process your personal data?
St Augustine’s complies with its obligations under GDPR and relevant data protection law. This provides that the personal information we hold about you must be:
- Used lawfully, fairly and in a transparent way.
- Collected only for valid purposes that we have clearly explained to you and not used in a way that is incompatible with those purposes.
- Relevant to the purposes that we have told you about and limited to those purposes.
- Accurate and kept up to date.
- Kept only as long as necessary for the purposes we have told you about.
- Kept securely.
St Augustine’s complies with these obligations by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure; and by ensuring that appropriate technical measures are in place to protect personal data.
We use your personal data for various purposes that are relevant to the operation and life of St Augustine’s Church. These may include the following purposes:
- To enable us to provide a voluntary service for the benefit of the public in our parish and outside our parish.
- To administer membership records.
- To fundraise and promote the interests of St Augustine’s and the Church of England.
- To manage and train our employees and volunteers.
- To maintain our own accounts and records (including the processing of Gift Aid applications).
- To manage and monitor the services we provide and check that they are being delivered in the most efficient and effective way.
- To comply with laws that require us to provide personal information to other organisations, e.g. Registration service, bodies involved in the administration of justice.
- To inform you of news, events, activities and services running at St Augustine’s.
- To share your contact details with the Diocese of St Edmundsbury and Ipswich so they can keep you informed about news in the diocese and events, activities and services that will be occurring in the diocese and in which you may be interested.
- What is the legal basis for processing your personal data?
We may process your personal data using one or more of the following legal bases:
- Consent of the data subject so that we can keep you informed about news, events, activities and services and keep you informed about diocesan events.
- The processing is necessary for carrying out our legal obligations, such as the processing of your Gift Aid donations or obligations under employment, social security or social protection law, or a collective agreement.
- Where we have another legitimate interest to process the personal data.
- The processing is carried out by a not-for-profit body with a religious aim on the basis that:
  - the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes); and
  - there is no disclosure to a third party without consent.
- Sharing your personal data
Your personal data will be treated as strictly confidential and will only be shared with church employees or other members of the church in order to carry out a service to you and other church members or for purposes connected with the church. We will only share your data with third parties outside of the parish with your consent, or where it is necessary to administer a working relationship with you, or where we have another legitimate interest in doing so, or where we are required to do so by law, for example in relation to:
- Court proceedings
- Detection/prevention of crime or fraud
- To protect a child
- To protect a vulnerable adult.
We will always aim to share the minimum information that will enable us to fulfil our legal obligations and will try where possible to protect your information by using anonymization. We will keep you informed about what information we have shared and with whom, where we are legally able or required to do so.
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees and other third parties who have a need to know. We use a number of measures to ensure that we are holding your personal information in a secure manner. These include:
- Secure and encrypted email
- Access controls on our systems
- Staff security training.
- How long do we keep your personal data?
We will only retain your personal information for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and the applicable legal requirements.
We keep data in accordance with the guidance set out in the guide “Keep or Bin: Care of Your Parish Records” which is available from the Church of England website [see footnote for link].
- Your rights and your personal data
Under certain circumstances, by law you have the following rights:
- The right to request a copy of your personal data which St Augustine’s holds about you (commonly known as a “data subject access request”).
- The right to request that St Augustine’s corrects any personal data if it is found to be inaccurate or out of date.
- The right to request your personal data is erased where it is no longer necessary for St Augustine’s to retain or process such data.
- Where we are processing your personal data on the basis of your consent, the right to withdraw your consent to the processing.
- The right to request that St Augustine’s provide you with your personal data and, where possible, to transmit that data directly to another data controller (known as the right to data portability). This is only applicable where the processing is based on consent or is necessary for the performance of a contract with you and (in either case) we are processing the data by automated means.
- The right to request a restriction is placed on further processing of your personal data, for example to suspend further processing while its accuracy is established or to establish the reason for processing.
- The right to object to the processing of personal data in circumstances where St Augustine’s is relying on a “legitimate interest” for such processing and there is something about your particular situation which makes you want to object to processing on this ground.
- The right to lodge a complaint with the Information Commissioner’s Office (ICO) if you believe that St Augustine’s has not complied with the requirements of the GDPR with regard to your personal data (contact details below).
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact the Parish Administrator (contact details below).
- Further processing
If we wish to use your personal data for a new purpose, not covered by this Data Privacy Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where necessary under data protection legislation, we will seek your prior consent to the new processing.
To exercise all relevant data subject rights, or in case of any queries or complaints, please in the first instance contact the Parish Administrator, Parish Office, Bucklesham Road, Ipswich IP3 8TH. Our telephone number is 01473 723960 or you can email us at firstname.lastname@example.org.
You can contact the Information Commissioner’s Office (ICO) on 0303 123 1113 or via the website https://ico.org.uk.
Details about retention periods can currently be found in the Record Management Guides located on the Church of England website at: https://www.churchofengland.org/more/libraries-and-archives/records-management-guides