General Data Protection Regulation for St James Mar Thoma Church UK

General Data Protection Regulation for St James Mar Thoma Church UK (Parish of Mar Thoma Syrian church of Malabar,  a parish within the Zone of Mar Thoma Parishes and Congregations in the UK and Europe’

Registered Charity No. 1059210.

Privacy Notice Issued on  May 2018

  1. Purpose:

The policies are drawn   out below are under the obligations of the St. James Mar Thoma Church UK (STJMTC) with regard to the data protection and the rights of the members. This is in compliance with the use of personal data under the Data Protection Bill/Act 2017, the General Data Protection Regulation (GDPR) 2016/679 and other regulations relating to personal data and rights such as the Human Rights Act 1998.

  1. Who we are?

The following private policy notice is provided to you by the STJMTC. The  STJMTC works together with the following members of the parish and other agencies who handle personal data:

  • Members of the Parish
  • Parish Excecutive Committee of the Parish
  • Recognised organisation of the church namely: Sevika Sanghom, Youth Fellowship, Sunday School, Edavaka Mission, Choir,
  • Vicars, Diocesan Bishop.
  • The Parent church and organisations.
  • All members of the Mar Thoma Zone in the UK and Europe

As the STJMTC is engaged with all these entities working together, we may need to share personal data we hold with them so that they can carry out their responsibilities to the Church and our community. The organisations or their appointed representatives referred to above are joint data controllers. Therefore, we are all responsible to the members for how we process your data.

Each of the data handlers have their own tasks within the parish and a description of what data is processed and what purpose is set out in this Privacy and Data Policy Document. In the rest of this Data Protection Policy, we use the word ‘we’ to refer to each data controller, as appropriate.

  1. What data the Controllers listed above possess?

They will process some or all of the following where necessary to perform their tasks:

  • Name, titles, and aliases, photographs;
  • Contact details such as email ID, postal addresses and telephone numbers;
  • Where they are relevant to our Christian mission and charitable work, or where you provide them to us, we may process demographic information such as gender, age, date of birth, marital status, nationality, education/ work patterns, academic/ professional qualifications, hobbies, family composition and dependents;
  • Where you make donations or pay for activities such as the use of the church hall or conferences, financial identifiers such as bank account numbers, payment card numbers, payment transaction identifiers, policy numbers and claim numbers, and Gift Aid information;
  • The data we process is likely to constitute sensitive personal data because, as a church, the fact we process your data all may be suggestive of your religious orientation. Where you provide this information, we may also process other categories of personal data: racial or ethnic origin, mental and physical health, details of injuries (in prayers), medication/ treatment received, political belief and affiliation,  genetic and biometric data, data concerning  sexual orientation and criminal records, fines and other similar judicial records.
  1. How do we process your personal data?

The data handlers will comply with their legal obligations to keep personal data up to date; store and destroy it securely; to not collect or retain excessive amount of  data; to keep personal data secure, and protect personal data from loss, misuses, unauthorised access and disclosure that appropriate technical measures are in place to protect personal data.

We use your personal data for some or all of the following purposes:

  • To enable us to meet all legal and statutory obligations (which include maintaining and publishing our annual parish membership list according to the parish register in accordance with the constitution of the Church);
  • To carry out comprehensive safeguarding procedures (including due diligence and complaint handling) in accordance with best safeguarding practice from time to time with the aim of ensuring that all children and adults-at-risk are provided with safe environments This includes DRB checks for those involved with children and adult-at-risk;
  • To minister to you and provide you with pastoral and spiritual  care (such as visiting you when you are ill or bereaved) and to organise ecclesiastical services for you and your family such as baptism, confirmation, birthday thanksgiving prayers, praying for the sick,  wedding and funerals;
  • To deliver church’s mission to the community, and to carry out any other voluntary and charitable activities for the benefit of the public as provided for  in the constitution and the statutory framework of each data handler;
  • To administer the parish, COMPE, Zone membership records;
  • To fund raise and promote the interests of the church and its Charitable work;
  • To maintain the accounts and records of parish, Zone / COMPE
  • To process a donation that you have made for charitable work (Gift Aid information);
  • To seek your view or comments on the work of the parish, congregation, COMPE and the Zone;
  • To notify of changes to our services, programmes, events and office bearers;
  • To send you communications which you have requested and that may be of interest to you. These may include information about Parish activities, events, conferences, campaigns, appeals, ecumenical and interfaith events;
  • To enable us to provide a voluntary service for the benefit of the public in a particular geographical area as part of the outreach initiaties (e.g. prison and hospital visit);
  • Our processing may include security systems for the prevention of crimes.
  1. What is the legal basis for processing your data?

Most of our data is processed because it is necessary for legitimate interests, or the legitimate interest of a 3rd party (such as a sister church, ecumenical partners such as, WCC, CTE and CTBI). We will always take into account your interests, rights and freedoms. Some of our processing is necessary for compliance with a legal obligation. For example, we are required to publish wedding bans.  Religious organisations are permitted to process information about your religious beliefs to administer membership register. Where your personal data is used other than in accordance with one of these legal bases, we will first obtain your consent to that use.

  1. Sharing your personal data

Your personal data will be treated strictly confidential. It will only be shared with 3rd parties where it is necessary for the performance of our tasks or where you first give us your prior consent. It is likely that will need to share your data with some or all of the following (but only where necessary):

  • To authorised organisation of the Church;
  • Our agents, servants and contractors. For Example. we may ask agencies which help us to obtain Visas for our clergy, visiting evangelists, bishops and other speakers of conference;  we may ask a commercial provider to send out newsletters and other publications on our behalf, or to maintain our data base software;
  • Our clergy or lay person nominated or appointed by the Diocesan Bishop or Metropolitan for carrying out the mission of the church;
  • On occasions, other churches, ecumenical bodies with which we are carrying out joint programmes.
  1. How long do we keep your personal data?

We will keep some records such as parish register, baptism records, marriage register and any such if we are legally required to do so permanently. For Example, it is the practice to keep financial records for a period of seven years to facilitate HMRC inspections. In general, we will endeavour to keep data only as long we need it. This means that we may destroy it when it is no longer needed.

  1. Your rights and your personal data

You have the following rights with respect to your personal data:

When exercising any rights listed below, in order to process your request, we may need to verify your identity for your security. In such cases we will need you to respond with proof your identity (Passport, driving Licence, etc.) before you can exercise your right.

  1. 1. The right to access information we hold on you.
  • Any time you can contact us to request the information we hold on you as well as why we have such information and where we obtained the information from. Once we have received your request we will respond within one month.
  • There are no fees or charges for the first request but additional request for the same data may be subject to an administrative fee.

 

  1. 2. The right to correct and update the information that we hold on you.
  • If the data we hold on you is out of date, incomplete or incorrect, you can inform us and your data will be updated.
  1. 3. The right to have your personal data removed
  • If you feel that we should no longer be using your personal data or that we are illegally using your data you can request that we remove the data we hold.
  • When we receive your request we will confirm whether the data has been deleted of the reason why it cannot be deleted (for example because we need it for legitimate interest for regulatory purpose(s).

7.4. The right to object to processing your data

  • You have the right to request that we stop processing your data. Upon receiving the request we will contact you and let you know if we are able to comply or we have legitimate grounds to continue to process your data. Even after you exercise your right object, we may continue to hold your data to comply with your other rights or bring or defend legal claims.

 

  1. 5. The Right to data transferability
  • You have the right to request that we transfer some of your data to other data handler as indicated in section 2 of this document. We will comply with your request, where it is feasible to do so, within one month of receiving your written request.
  1. 6. The right to withdraw your consent by email or post (see contact details below).
  2. 7. The right to object to the processing of the personal data where applicable.
  3. 8. The right to lodge a complaint with the ‘Information Commissioner’s office.
  4. Transfer of Data Abroad

Our website (Parish websites), digital publication (ECHO and Newsletters)   are accessible from other countries and so on some occasion personal data may be assessed from overseas.

  1. Further processing

If we wish you to use your data for a new purpose, not covered by this document, then we will provide you with a new notice of information explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever, necessary, we will seek your prior consent to the new processing of personal data.

  1. Contact details

Please contact us if you have any questions about this Privacy notice or the information we hold about you or to exercise all relevant rights, queries or complaint at:

Public Relation officer of the COMPE. Email ID:

Other contact points: Information Commissioner’s Office on 0303 123 1113 or via email:

https://ico.org.uk/gobal/contact-us/email/ or by post Information Commissioner’s office,

Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.