Data Protection

Data Privacy Notice


1.  Your personal data – what is it?

Personal data relates to a living individual who can be identified from that data.  Identification can be by the information alone, or in conjunction with any other information which is in the possession of the 'Data Controller' (or is likely to come into its possession).  The processing of personal data is governed by the Data Protection Act 2018 (PDF download, 354 pages, 2.9 MB) which incorporates the UK General Data Protection Regulation ("GDPR") legislation.

2.  Who are we?

The Parochial Church Council ('the PCC') of St Michael’s Church is the 'Data Controller'.  This means the PCC decides how your personal data is processed and for what purposes.  St Michael’s PCC is registered as a Data Controller with the Information Commissioner’s Office ('the ICO'), under the Data Protection Regulations 2018 – registration number Z4950869.

3.  How do we process your personal data?

The PCC of St Michael’s complies with its obligations under GDPR:

  • by keeping personal data up to date;
  • by storing personal data securely, and by destroying it securely;
  • by not collecting or retaining excessive amounts of personal data;
  • by protecting personal data from loss, misuse, unauthorised access and disclosure;
  • by ensuring that appropriate technical measures are in place to protect personal data.

We use your personal data for many different purposes, including the following:

  • To enable us to provide services within the Parish for the benefit of church members and the wider community;
  • To administer our own records (including membership records) and accounts (including the processing of Gift Aid donations);
  • To comply with all applicable laws;
  • To promote the charitable interests of the church;
  • To raise funds to ensure the continued operation of the church on a prudent and sustainable basis;
  • To manage our employees and volunteers;
  • To inform you of news, events, activities and services running at St Michael’s.

The PCC may process your personal data for one or more purposes, and in each instance there may be a different legal basis for that processing.

4.  What is the legal basis for processing your personal data?

Personal Data

There are six possible lawful bases for processing personal data, as laid down by GDPR.  Of these, only four are used by St Michael’s – these are:

  • Consent – where you have given consent for your personal data to be used for a specific purpose;
  • Legal Obligation – where the processing is necessary for you and/or the PCC to comply with the law;
  • Legitimate Interests – where the processing is necessary for the legitimate interests of the PCC (or a third party) except where there is a good reason to protect personal data which overrides those legitimate interests;
  • Contract – where the processing is necessary for you and/or the PCC to fulfil an agreement or contract between us.

Special Category Personal Data

Data which reveals religious/philosophical beliefs or which concerns racial/ethnic origin, health, sexual life, sexual orientation, political opinions or trade union membership is classed as being in a 'special category of personal data'.  GDPR lays down ten lawful bases for processing these special categories of data.  Of these lawful bases, only five are normally used by St Michael’s – these are:

  • Explicit Consent – where you have given explicit consent to the processing of the data for one or more specified purposes;
  • Employment etc – where the processing is necessary for fulfilling the rights and obligations of either party in the field of employment, social security and social protection law;
  • Legitimate [Religious] Activities – where the processing is carried out (with appropriate safeguards) in the course of its legitimate activities by a not-for-profit organisation with a religious/philosophical/trade-union aim, provided that:
    • the processing relates only to members or former members or those in regular contact with the organisation in connection with its aim/purposes; and
    • there is no disclosure to a third party without consent;
  • Substantial Public Interest – where it may be necessary to process your information for the protection of the general public against seriously improper conduct or for safeguarding purposes;
  • Legal claims – where there is a legal claim or judicial process requiring your information to be processed.

5.  Sharing your personal data

Your personal data will be treated confidentially by restricting how it may be shared.

Within the Church

Your data may be shared only with those members of the church who have a 'need to know' in order to discharge their responsibilities and fulfil their role/function within the church.

Outside of the Church

Your data will not be shared with any third parties outside St Michael’s Church unless:

  • we have sought and obtained your explicit consent, or
  • there is a legal requirement to share data (e.g. the archiving of Parish Registers), or
  • there are legitimate interests for sharing, for example:
    • CCTV data shared with the Police due to a report or suspicion of a crime, civil offence or threat to persons or property;
    • special category data shared with the appropriate authorities for safeguarding purposes.

6.  How long do we keep your personal data?

We generally keep personal data for the minimum necessary period, according to the type of data and the purpose to which it is put.  For example, contact details are normally kept for a minimum of six years;  Electoral Roll data is retained while it is still current;  Gift Aid declarations and other financial documents are normally kept for six years after the year to which they relate;  Parish Registers (banns, marriages, baptisms, confirmations, burials) are kept indefinitely.

Please refer to section 10 below and the detailed records of processing activities for the relevant type of data.

A number of useful guidance documents are available, such as "Keep or Bin: Care of Your Parish Records", 2009 (PDF download, 22 pages, 286 KB) – in need of some updating, but still available from the Church of England website.

Note about Email Systems

These are proprietary computer systems which operate as communication channels, and not as structured filing systems for personal data organised by the identity of the data subject.  The Data Controller may have no facilities (or very limited facilities) for locating, selecting or deleting personal data relating to a named individual.  Consequently some personal data may persist in such systems for longer than the retention periods given in this Data Privacy Notice.

7.  Your rights and your personal data

You have the following rights under GDPR with respect to your personal data (unless it is subject to an exemption):

  • Consent Withdrawal – the right, where the legal basis for processing is your consent, to withdraw your consent at any time;
  • Access – the right to request a copy of the personal data about you held by the PCC;
  • Rectification – the right to request that the PCC corrects any personal data if it is found to be inaccurate or out of date;
  • Erasure – the right to request that your personal data is erased where it is no longer necessary for the PCC to retain such data;
  • Restriction – the right, where the accuracy or processing of your data is in dispute, to request a restriction on further processing;
  • Objection – the right to object to processing of data for a ‘direct marketing’ purpose, or on the legal basis of 'legitimate interests';
  • Escalation – the right to lodge a complaint with the Information Commissioner’s Office.

Automated Processing 

GDPR defines additional rights where the automated processing or profiling of personal data occurs – the right to Data Portability, and the right not to be subjected to automated processing.  Since the PCC does not perform any automated processing or profiling, there is no personal data to which these rights are applicable.

8.  Further processing

If we wish to use your personal data for a new purpose, not covered by this Data Protection Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes, legal bases and processing conditions.  Wherever and whenever necessary, we will seek your prior consent to the new processing.

9.  Contact details

To exercise any relevant rights, or to raise queries or complaints, please contact the Parish Secretary at the Parish Office in the first instance.  The PCC may also be contacted through the Parish Office.  The Information Commissioner's Office will expect any complaint to be raised initially with the church as Data Controller.

Parish Secretary

Parish Office
St Michael's Church
New Lane Hill
Tilehurst
Reading
RG30 4JX
Telephone  0118-942-7331 (10am to 12pm, Mon/Tues/Thurs/Fri)
For email, refer to the ContactUs webpage

Information Commissioner's Office

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone  0303-123-1113 (office hours, Monday – Friday)
For email, visit website ico.org.uk/global/contact-us/email/

10.  Detailed Records of Processing Activities (RPA)

The processing activities applicable to each set of personal data held under PCC control are described (in a separate document) using the following standard headings. These detailed records are currently being reviewed and may be published on this website in due course.

RPA Standard Headings

  • Reference & Title – the ID and name by which the collection of personal data is known.
  • Data Subjects – the persons whose personal data is held.
  • Data Description – the various types of data held.
  • Source – how the data was collected, identifying any forms used.
  • When Collected – the timing of data collection, or any triggering events.
  • How Held – e.g. electronically and/or on paper.
  • Custodian – who holds the data collection (and any forms) on behalf of the PCC.
  • Purpose – the reasons why the data is needed, and the uses to which it is put.
  • Legal Basis – the GDPR-defined legitimacy to process the data for those purposes.
  • Internal Sharing – how any data is shared within the church, and with whom.
  • External Disclosure – how any data is disclosed outside the church, including any lawful access by the public (e.g. Parish Registers).
  • Retention – how long data is retained for, including any minimum/maximum periods.
  • Destruction & Archiving – whether destroyed (e.g. hard-copy forms) or deleted (e.g. electronic records) or permanently archived (e.g. Parish Registers).

Sets of Personal Data

  • RPA-01 – Church Contact List
  • RPA-02 – Church Electoral Roll
  • RPA-03 – Church Attendance List
  • RPA-04 – Church Groups (centred on Children & Young People)
  • RPA-05 – Church Groups (centred on Adults)
  • RPA-06 – Register of Banns
  • RPA-07 – Register of Marriages
  • RPA-08 – Register of Baptisms
  • RPA-09 – Thanksgiving for the Gift of a Child
  • RPA-10 – Register of Confirmations
  • RPA-11 – Register of Burials
  • RPA-12 – Christian Stewardship Planned Giving
  • RPA-13 – Magazine Subscriber List
  • RPA-14 – Employment Records
  • RPA-15 – Pastoral Care
  • RPA-16 – Prayer List for the Sick / Intercessions List
  • RPA-17 – Prayer List for Deceased & Bereavement Service
  • RPA-18 – Funeral & Burial Wishes
  • RPA-19 – CCTV Records
  • RPA-20 – Safeguarding Records
  • RPA-21 – PCC Membership Records