Personal data relates to a living individual who can be identified from that data either directly or indirectly (in combination with other information). The processing of such data by an organisation is subject to the appropriate legal safeguards as specified in the General Data Protection Regulation (GDPR) that came into UK law in May 2018.
The data can be stored on paper, computer or any other media and is subject to the same guidelines.
This policy aims to explain what personal data we collect, how we collect it, how we store and secure it and what we use it for.
Who are we?
York Elim Pentecostal Church is part of the Elim Foursquare Gospel Alliance (EFGA) which is a registered charity 251549 (England) and SC037754 (Scotland). York Elim is a data controller as we decide what personal data needs to be collected and how it will be used in the general administration and running of York Elim Church. York Elim are committed to protecting and respecting your personal data in everything we do.
How do we collect personal data?
York Elim church collects data when you are in contact with us.
- You complete a contact form either electronically or on paper.
- You sign up to a ChurchSuite account.
- You visit our website.
- You complete a Children’s and Youth Ministry registration form.
- You join a Church endorsed social media group.
- You make a donation through completing offering envelopes, a standing order form, Paythru (smart phone giving) or other electronic means.
- You complete a Gift Aid form.
- You provide contact details either in writing or verbally to Church staff and volunteers.
- You communicate with the Church through email, letter, telephone or social media/website.
- You complete a DBS check or volunteer form.
- Register for and attend a Church event or purchase goods and services (eg room hire).
Your data will be handled by York Elim staff and approved volunteers unless you agree for information to be shared more widely within the Church. For example, contact details available for other Church members to reach you.
What data do we collect?
We may collect the following data from you:
- Contact details such as name, address, email, phone number, online IDs which are used to include you in our communications and for you to be an active and effective part of Church life and events.
- Financial information such as bank details, donation amounts, Gift Aid details, payment details when booking events/services.
- Personal details such as marital status, age, gender, details on immediate family to help us understand how the Church can best serve you and your family.
- Photos, videos and audio for use on our website and social media platforms where explicit consent has been given.
- Information on education, employment, previous church role(s) where you are working for the church or volunteering for a role. Where there is a safeguarding implication then information required for a DBS check and the result of that check will be gathered.
- Attendance information for events, groups and training endorsed by the Church. This would include availability for church rotas and times you served on rotas.
- Information collected as part of the pastoral care work of the Church (unless you request for no record). This may include information classed as sensitive personal data such as health and mental conditions, religious beliefs and racial origin that you may inform us about.
How will we use your data?
York Elim will treat all your personal data as private and confidential with access limited to key people within the leadership and administration of the Church based on the access their specific role requires.
There are four potential exceptions to this:
- Where we are legally compelled to release data,
- Where there is a duty to the Public to disclose,
- Where disclosure is required to protect your interest, and
- Where disclosure is made at your request or written consent.
Examples of how your data would be used:
- Processing a donation to the Church including any Gift Aid.
- Processing an application for a job or volunteer role within the Church and managing our staff and volunteers.
- Keeping you informed of Church news and events.
- Where you purchase tickets for events or hire a room.
- Keeping you informed of Church groups and rotas you are involved in.
- For pastoral care involving calls, visits and support. Identifying ways you can become more involved in the Church.
- Statistical analysis to help the Church better understand who it is serving.
- Safeguarding of children and vulnerable adults.
- Managing Church memberships.
- Maintain the Church accounts and records (such as baptism, marriage and dedications).
- Placing you in appropriate Church groups by age (Sunday School/youth groups) or location (Life groups).
- With your consent, seeking prayer support from Church members for you.
What is the legal basis for processing your data?
We must have a legal basis under GDPR before we can collect and process personal data. There are four legal bases we rely on and different processes may rely on a different basis.
- We would rely on “legal obligation” for recording and claiming Gift Aid, data related to employment, data related to safe-guarding children and vulnerable adults and detecting fraud.
- We would rely on “contract” as a basis where tickets for events were being bought or rooms were being hired with associated goods & services being provided.
- In most cases we rely on “consent” as the basis which covers data needed to administer church memberships and include those who regularly attend the church, additional employment data and volunteer details, participation in groups (adult and youth), signing up to contact lists, attending and buying tickets for events, pastoral work and youth mentoring and joining our social media groups.
- In the case of visitors to the Church we rely on “legitimate interest” as a means to make a follow-up contact to see if we can help them find a spiritual home either with us or another local Church. If the invitation is declined then all contact details will be removed. This basis would also apply to recording details for Church events such as marriages, dedications and baptisms.
How is the data stored securely?
Most administration tasks are handled by ChurchSuite which is a private, secure and remote piece of software run on servers stored in the UK and owned by the company behind ChurchSuite. They take compliance with GDPR seriously and provide the tools and security for us to ensure your data is protected.
Finance data is stored on private and secure systems such as the DK accounting system, Natwest Bankline and Paythru donation system. The information from these systems is only accessible by the Church finance team. Spreadsheets and other documents are held under a secure Microsoft 365 account with appropriate access restrictions set.
Social media platforms used by the Church such as Facebook, WhatsApp (see social media policy for full list) have their own terms and conditions all users must satisfy based on the platform provider you sign up to. The Church will only post personal information with written consent from the individual.
Pastoral and youth mentoring notes along with other electronic documents containing personal information are stored under a secure Microsoft 365 Church account with access restrictions set for individual users.
Any paper notes are kept secure with restricted access with an aim to convert these to electronic format to be stored under the 365 account.
Church emails are used where necessary to keep Church information stored away from personal emails for key Church workers.
Where appropriate Church mobiles are provided to keep separation from private phones.
Who can access the data?
You have access to your own data within ChurchSuite and can select your preferences on how we can use that data.
Access to the ChurchSuite database is limited for individual users based on their role within the Church. Only the pastor and pastoral worker have full administrative rights to maintain the database and set access restrictions.
There are a handful of third-party providers we deal with:
- We have a requirement to pass financial data relating to Gift Aid through to Elim headquarters (EFGA) and ultimately HMRC.
- For staff of York Elim payroll is handled centrally by Elim headquarters (EFGA) and so data relating to that work must be shared.
- Our DBS checks for safeguarding are carried out by a specialist organisation called Thirtyone:eight who securely store the data needed for this process.
York Elim would not pass your details on to any other third-parties without your explicit written consent. For example, we would request your consent to pass on information to other Church members so they can provide support and prayer for you.
Other stored data outside of ChurchSuite is restricted access to those members of staff or appointed volunteers who need access as part of their role.
How long do you keep my data?
- Information relating to the Church accounts and Gift Aid are kept for seven years.
- Information relating to marriages, dedications and baptisms are permanent.
- Contact details and member records would be kept no longer than 2 years after last contact with the Church had occurred.
- Employment and volunteer records would be kept for six years after the termination of the role.
- Where information relates to a child the records may be retained for longer, normally until the child reaches eighteen.
- Information relating to a contract for services or goods would be retained in line with the financial records it supports.
- Data relating to events organised by the church would be retained for 2 years after the event.
What about children?
Information about children is given special protection under GDPR. Under UK law where the child is over 13 they have the same rights as an adult with regard to their personal data. As such, they would be expected to provide their own data consent and have access to their own ChurchSuite account. York Elim would take steps to ensure the child understood this policy and what they were agreeing to and if deemed necessary may request the child informs their parents before we agree to process their data.
We would always seek parental consent for children under the age of 13 before processing their data or setting up a ChurchSuite account. In this case the parents would also have access to the account to help with the administration.
What are my rights?
You have a choice about whether you receive information from us and can at any time opt out of communications. This can be done through ChurchSuite or alternatively write to firstname.lastname@example.org.
You can also contact email@example.com in relation to:
- Obtaining a copy of the information that we hold on you.
- Asking to Change, amend or delete information we hold on you. Please help us to ensure our data remains accurate and notify us of any changes that are needed.
- Preventing automated decision making – York Elim do not do this but please contact us if you have any concerns.
- Asking us to transfer personal information which we will do our best to assist with, although it depends on system compatibility with the receiving organisation.
- Asking us to restrict the processing of your personal data.
- Asking us to stop the processing of your personal data.
You can lodge a complaint with the pastor at any time you are unhappy with how your personal data is being processed. If this is not resolved to your satisfaction internally then you are free to raise the matter with the Information Commissioner’s Office (ICO) as follows:
Information Commissioner’s Office Wycliffe House
When was this policy last reviewed?
We aim to keep this policy under regular review to capture changes in the law and also any changes that have occurred in the Church. This policy was last reviewed in July 2020.