DATA PROTECTION AND PRIVACY POLICY

Definitions:

“Diverse Church” means the Charitable Incorporated Organisation registered at the Charity Commission with charity no. 1179441.

“The Diverse Church Trustees” shall mean all individuals who are registered at the Charity Commission as being Trustees of Diverse Church from time to time.

“Diverse Church Leaders” shall mean individuals who have been asked by the Diverse Church Trustees to perform a leadership role within Diverse Church.

“DC Community” shall refer collectively to the individuals who are at any given time members of any of the message groups on social media (currently only Facebook) under the leadership of any of the Diverse Church Leaders in their capacity as Diverse Church Leaders.

“The Charitable Objects” shall mean the Charitable Objects of Diverse Church which are “the advancement of the Christian faith, in particular but not exclusively, amongst lesbian, gay, bisexual, trans, asexual and intersex Christians, through the provision of pastoral support, theological discussion and other activities as the trustees from time to time think fit.”

“Personal data” means any information relating to an identified or identifiable natural person (a “data subject”).  This includes information from which a person can be identified, directly or indirectly, by reference to an identifier – i.e. the data subject’s name, ID number, location data, online identifies etc.  It also includes information that identifies the physical, physiological, genetic, mental, economic, cultural or social identity of a data subject.

For this purpose, the members of the DC Community, the Diverse Church Leaders and the Trustees of Diverse Church are data subjects.  Other individual third parties about whom Diverse Church holds personal data are also likely to be data subjects.

“Controller” means the natural or legal person, public authority, agency or other body who alone or jointly with others, determines the purposes and means of processing the personal data.  In effect this means the controller is the individual, organisation or other body that decides how personal data will be collected and used.  For the purposes of this policy, Diverse Church is a data controller for members of the DC Community, and is a Joint Data Controller with Facebook for data held in Facebook

“Processing” means any operation which is performed on personal data such as: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.  For Diverse Church, everything that it does with information held about its data subjects, as defined under “personal data” above, and with the personal information of individual third parties is “processing” as defined by the General Data Protection Regulation (“the GDPR”).

“Special categories of personal data” means personal data revealing:

• Racial or ethnic origin;

• Political opinions;

• Religious or philosophical beliefs;

• Trade union membership;

• The processing of genetic data or biometric data for the purpose of uniquely identifying a natural person;

• Data containing health data concerning a natural person’s sex life or sexual orientation.

Introduction:

Diverse Church is required to comply with the law governing the management and storage of personal data, which is set out in the General Data Protection Regulation 2016 (“GDPR”) and the Data Protection Act 2018.

For this reason, protection of personal data and respect for individual privacy is fundamental to the day-to-day operations of Diverse Church.

Compliance with the GDPR is overseen by the UK data protection regulator which is the information Commissioners office (“the ICO”).  Diverse Church is accountable to the ICO for its data protection compliance, and is registered with the ICO, reference number ZA760481. 

Purpose

This policy aims to protect and promote the data protection rights of individuals and of Diverse Church, by setting out and recording the procedures which Diverse Church must follow in order to ensure compliance with the GDPR. 

Scope

This policy applies to the activities of Diverse Church as set out in the Charitable Objects (themselves set out publicly on the Charity Commission website). 

This policy covers all personal data and special categories of personal data (as defined below), whether that data is stored and processed on computers, mobile devices or in paper files. 

Responsibilities

Diverse Church is a data controller and is solely responsible for monitoring compliance with this policy.   The trustee with oversight of data compliance is Andrew Grenfell.  Diverse Church is also a Joint Data Controller with Facebook for all data inputed, held and processed in Facebook by members of Diverse Church Facebook communities.  Facebook takes the primary responsibility to comply with the GDPR  obligations with regard to the processing of Facebook data within the EU/EEA.

The trustee with oversight of data compliance can be contacted as follows: 

· By emailing complaints@diversechurch.co.uk, or

· by leaving a message on 07761661529, or 

Diverse Church is responsible for the following: -

· Controlling, retaining and monitoring the retention of personal data;

· Developing and implementing data protection policies and procedures;

· Assisting with investigations into data protection breaches; and

· Liaising with the relevant supervisory authorities (currently the ICO) as necessary. 

Data protection principles 

The GDPR is based around eight principles which are the starting point to ensure compliance with the regulation.  Diverse Church must adhere to those principles in performing its day-to-day functions and duties. 

The principles require Diverse Church to ensure that all personal data and special categories of personal data are:

a) Processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);

b) Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (“purpose limitation”);

c) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);

d) Accurate and, when necessary, kept up-to-date – every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);

e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which personal data are processed (“storage limitation”)

f) Processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage using appropriate technical or organisational measures (“integrity and confidentiality”) 

Diverse Church must be able to demonstrate its compliance with principles a) to f) above (“accountability”). 

Processing personal data and special category data 

Diverse Church will process all personal data in a manner that is compliant with the GDPR. 

In short, this means that Diverse Church must:

a) have legitimate grounds for collecting and using personal data;

b) not use the data in ways that have unjustified adverse effects on the individuals concerned;

c) be transparent about how it intends to use the data, and give individuals appropriate privacy notices when collecting their personal data;

d) handle personal data only in ways that data subjects would reasonably expect; and

e) make sure it does not do anything unlawful with the data. 

Diverse Church must ensure that it is aware of the difference between personal data and special categories of personal data and ensure that both types of data are processed in accordance with the GDPR. 

PERSONAL DATA 

The lawful reasons for processing personal data that are most relevant to the activities of Diverse Church are:

a) Diverse Church has been given the explicit consent to hold and process data by the data subject.  Whenever an individual joins the DC Community, the Diverse Church Leadership Team or the Trustees of Diverse Church, that individual will be given a copy of this data protection and privacy policy, which amongst other things, will inform the individual of how their data is processed fairly.

b) the processing relates to personal data that has already been made public by the data subject.  Data may have been made public where it is contained in a public register, or where it has otherwise been published in England, Wales or Northern Ireland (for example in the local or national press, be that in hard copy or online).

c) the processing is necessary for compliance with a legal obligation to which the controller is subject (for example the making of claims under the Gift Aid scheme) . 

d) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.  

The legitimate interests pursued by Diverse Church are those set out in the Charitable Objects as well as if reference is needed to be made to the data in the event of a complaint against Diverse Church, the Diverse Church Leaders or the Diverse Church Trustees. 

SPECIAL CATEGORIES OF PERSONAL DATA 

Given the Charitable Objects, in particular regarding the interactions of Diverse Church with data subjects who identify as Christian, or as practising another religion, or who identify as lesbian, gay, bisexual, trans, asexual and intersex Diverse Church will frequently retain and process special categories of personal data including but not limited to information about the sexual orientation, religious belief and on occasion the medical condition (particularly where an individual has volunteered that they have issues, for example, with their mental health) of data subjects. 

The lawful reasons for processing special categories of personal data that are most relevant to Diverse Church are:-

a) The data subject has given express consent.  Whenever an individual joins the DC Community, the Diverse Church Leadership Team or the Trustees of Diverse Church, that individual will be given a copy of this data protection and privacy policy, which amongst other things, will inform the individual of how their data is processed fairly.

b) The data processing is carried out in the course of the legitimate activities of Diverse Church with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects   

c) The data processing relates to personal data which are manifestly made public by the data subject.

d) The data processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.

Where Diverse Church processes personal data or special categories of personal data on the basis of the express consent of the data subject, that person has the right to withdraw their consent to the processing and retention of their personal data at any time. 

However, if a person withdraws their consent to the retention and processing of their personal data, the withdrawal of the consent will not affect the lawfulness of any data processing which occurred prior to the withdrawal of consent. 

As a result of the above, Diverse Church may retain personal data and special category personal data about Data Subjects who have withdrawn consent to process that data in so far as necessary for Diverse Church to pursue a legitimate interest, for example to comply its safeguarding policy or to defend any legal proceedings be they either criminal proceedings or civil proceedings (e.g. associated with any complaints, or allegations of negligence), or to comply with any requirements of HMRC (e.g. regarding Gift Aid claims). 

If data subjects have any concerns about the processing of their personal data or would like to withdraw their consent to the processing of their personal data, they are invited to contact Diverse Church.

Please note that no-one under the age of 18 is permitted to join the DC Community, and proof of age may be requested on joining if there is any doubt as to the age of the intended member. 

Diverse Church will ensure that all of the Diverse Church Leaders have read this Data Protection and Privacy Policy, are aware of their personal obligations under GDPR and have signed a statement acknowledging the same, which Diverse Church will retain on record for a period of 6 years from the date that that person ceases to be a leader.

Storage limitation and data minimisation 

Diverse Church will retain personal data and special category personal data for legal, professional and compliance reasons. 

Personal data is not recorded in paper files. 

Where Diverse Church retains personal data or special category personal data (in electronic format), it will be stored in an encrypted form, and Diverse Church will generally only retain such data for one year past the limitation period in which claims may be brought against it in negligence or in breach of contract. 

In general, this means that Diverse Church will retain data for 7 years after the date on which there was last contact with a data subject, but this general data retention period is subject to the following important exception.  If two or more of the Trustees of Diverse Church have good reason to believe that personal data or special category personal data needs to be retained in order to defend any criminal allegations made against Diverse Church, its Trustees, its Leaders or any of them, then that data will retained until such time as two or more of the Trustees of Diverse Church agree that its retention is no longer necessary. 

In all cases, Diverse Church will attempt to minimise the quantity of data it retains to that which it requires in order to comply with the legal and professional duties or Diverse Church and its Trustees. 

Subject to the above sub-paragraphs, Diverse Church aims: - 

i) to delete any incoming or outgoing emails sent to DC Community Members prior to their  being admitted to the annual Facebook group;

ii) at the end of the annual membership period, delete all data within its control (such as conversations or messages) which is held on Facebook 

Diverse Church will carry out an annual review of the data it retains on or around the 25th May in each year. 

Rights of the data subject 

The GDPR gives rights to individuals in respect of the personal data which any organisation holds about them.  These include the following rights:

a) rights of information and access to confirm details about the personal data that is being processed about them and to obtain a copy.  If a data subject would like to know what personal data of theirs is being held by Diverse Church then they should contact the trustee with oversight of data compliance (in the manner set out above).  Where this personal data is held in Facebook, then the request will be forwarded to Facebook within seven calendar days in accordance with the Joint Data Controllers Agreement. and processed by Facebook in line with the Facebook Policies. 

b) the right to rectification of any inaccurate personal data.  If Diverse Church becomes aware that any data it holds is inaccurate, it will correct that data as soon as reasonably practicable.

c) the right to erasure of personal data held about them (in certain circumstances).  If a data subject would like Diverse Church to erase their personal data, Diverse Church will do so, save where it is required to retain the data by law, to retain it for regulatory and compliance reasons, or to retain it because Diverse Church needs to keep a record of individuals who do not wish to be contacted in the future by Diverse Church.  If Diverse Church is asked to erase personal data and cannot do so for any reason, then Diverse Church will inform the data subject and explain why it cannot erase the data subject’s personal data.

d) the right to restriction on the use of personal data held about them (in certain circumstances).

e) the right to portability – or the right to receive data process by automated means and have it transferred to another data controller.

f) the right to object to the processing of their personal data. 

If a person wishes to exercise any of these rights, they should contact the trustee with oversight of data compliance (in the manner set out above). 

If Diverse Church receives a request to exercise any of these rights from a third party who is not the data subject, then for reasons of confidentiality the request will be declined. 

Confidentiality and data sharing 

Diverse Church must ensure that it only shares personal data with other individuals or organisations where it is permitted to do so in accordance with data protection law. 

Diverse Church will only share personal data with:

a) its professional indemnity insurers and/or legal advisers where it needs to do so in order to defend any claim brought against it.

b) (in certain circumstances) the government, the police and/or its legal agencies.

Wherever possible Diverse Church will ensure that it has the data subject’s consent before sharing their personal data.  In certain circumstances this will not be possible, for example if the disclosure is required by law. 

Any questions about data sharing should be directed to the trustee with oversight of data compliance. 

Data integrity and confidentiality 

Any paper files Diverse Church retains are stored in appropriately marked files, bundles or boxes. 

Diverse Church will store paper files in a secure, locked building. 

When any Trustee or Diverse Church Leader is travelling with personal data, that individual will take care to ensure that the personal data is kept secure and is kept with the individual at all times. 

All personal data in electronic format will be stored on a secure device with appropriate password protection.  All data stored on electronic devices (laptop, mobile telephone, other storage device, PC or Mac) will be securely encrypted. 

Personal data on any “cloud” storage system shall be protected by appropriate password protection, and Diverse Church will ensure that the data itself is encrypted whilst in the cloud. 

Wherever reasonably possible, Diverse Church leaders and Trustees will only communicate data using a password protected email address. 

Where a Diverse Church trustee or Diverse Church Leader has access to information about data subjects on a laptop computer or other electronic device (e.g. smartphone) , the trustee / leader will minimise the quantity of personal data on that device.  All such individuals will not work on a laptop in a public place if it is possible for others to see the screen.  Whenever reasonably possible, a Diverse Church trustee or Diverse Church leader will not transmit personal data using a public or other insecure wi-fi network. 

Each year Diverse Church convenes a closed group on Facebook, to which members of the DC Community are invited.  The conditions of use of that closed group are expressly communicated to the members of DC Community, who are requested to agree to abide by them.  The conditions are set out at Annexe A below. 

A secure record of members of the DC community and of their contact details is kept electronically by the Secretary to the Trustees in an encrypted form.  Diverse Church also retains a secure electronic record of the email addresses and any email conversations which DC Community members have had with any Trustees or Leaders of Diverse Church.  This record is maintained by the Secretary to the Trustees. 

The Closed Group” Message Board (currently on Facebook)

DC Community Members are asked to use their common sense when posting messages to Facebook.  Control of data on Facebook is subject to Facebook’s own privacy policies and is the subject of a Joint Data Processing Agreement where Facebook takes the primary responsibility to comply with the GDPR obligations with regard to the processing of Facebook data within the EU/EEA.   For further information, please see:

Facebook Data Policy         https://www.facebook.com/policy

Facebook Cookies Policy   https://www.facebook.com/policies/cookies/

Facebook Joint Data Controller Information www.facebook.com/legal/terms/page_controller_addendum

DC Community Members are informed that their membership of, and participation in, the DC Community Facebook group is subject to the possibility that another member (as opposed to the Diverse Church leadership or Trustees) may use their data: - 

a) in a way that they did not intend; or 

b) with which they had not provided consent. 

For example information posted into messages in Facebook may be shared with third parties by another group member and this may, for example, result in the individuals being “outed” (i.e. in their being an unwanted breach of personal privacy for that individual) without their consent.   

It is the policy of Diverse Church that the sharing of personal information – which includes special category personal information relating to an individual’s sexual orientation, sexuality or religion – without the consent of the individual whose information is shared, is forbidden.   

Diverse Church’s policy is that anyone who is found to have shared such data with non-group members without the consent of the individual whose data is shared will be immediately removed from the Facebook group.  

It is the view of Diverse Church that the benefits of the ‘secret’ Facebook group, subject to this policy, outweigh the drawbacks.  Nonetheless, 

a) users are advised to be aware of the small possibility that someone may use their  data in a way which is not in line with the policies of Diverse Church. 

b) be aware that Diverse Church is unable to control how Facebook itself treats their data, and users are reminded to familiarise themselves with Facebook’s policies concerning GDPR, and privacy and retention of personal and special category personal data. 

Diverse Church has a zero tolerance approach to the sharing of special category personal data or personal data outside the Facebook group.  DC Community members are advised that if they think that someone has shared their personal data without their consent to contact the Diverse Church Leaders, who will listen to what the member has to say and who will investigate any issues and act in accordance with Diverse Church’s policies.   

DC Community members are advised to address any such issue in the first instance via the “contact us” URL on the Diverse Church website (http://diversechurch.website/connect).

If a DC Community member decides to enter into an intimate personal relationship with a Diverse Church Leader, then the Diverse Church Leader is obliged to inform the other Diverse Church Leaders and the National Director of the existence of that relationship. The National Director in turn may consider in their absolute discretion that the Trustees should be informed of the same. 

Policy review: 

The trustees of Diverse Church will review the terms of the policy at least annually on or around 25th May each year. 

Where there is a change in the law or the regulations Diverse Church will also review this policy. 

Breaches 

A data protection breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. 

Diverse Church has a duty to report any actual or suspected data protection breach without delay. 

A breach will be reported to the Information Commissioner’s Office by the trustee with oversight of data compliance, without undue delay and where feasible, not later than 72 hours after having become aware of the breach, unless it can be demonstrated that the breach is unlikely to result in a risk to the rights and freedom of any data subjects. 

The trustee with oversight of data compliance will maintain a central register of the details of any data protection breaches. 

Complaints 

Complaints relating to breaches of the GDPR and/or complaints that an individual’s personal data is not being processed in accordance with the data protection principles should be referred to the trustee with oversight of data compliance without delay. 

Data subjects also have the right to lodge a complaint with the supervisory authority, the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF; Tel: 0303 123 1113 

Penalties 

Diverse Church understands the implications for Diverse Church if it fails to meet its data protection obligations. 

Failure to comply could result in:

a) criminal and/or civil action;

b) fines and/or damages;

c) personal accountability and liability;

d) suspension/withdrawal of the right process personal data by the ICO;

e) loss of confidence in the integrity of Diverse Church’s systems and procedures; and

f) irreparable damage to my the reputation of Diverse Church.

g) Loss or suspension of charitable status

 

Diverse Church Trustees

20 July 2020