In accordance with the General Data Protection Regulations (GDPR), we have implemented this privacy notice to inform you of the types of data that we process about you. We also include within this notice the reasons for processing your data, the lawful basis that permits us to process it, how long we keep your data for and your rights regarding your data.
Data Protection Principles
Under GDPR, all personal data obtained and held by us must be processed according to a set of core principles. In accordance with these principles, we will ensure that:
- processing is fair, lawful and transparent
- data is collected for specific, explicit, and legitimate purposes
- data collected is adequate, relevant and limited to what is necessary for the purposes of processing
- data is kept accurate and up to date. Data which is found to be inaccurate will be rectified or erased without delay
- data is not kept for longer than is necessary for its given purpose
- data is processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, by using appropriate technical or organisational measures
- we comply with the relevant GDPR procedures for international transfers of personal data
Your personal data – what is it?
“Personal data” is any information about a living individual which allows them to be identified from that data (for example a name, photographs, videos, email address, or address). Identification can be by the information alone or in conjunction with any other information.
This privacy notice is provided by City Church Manchester, which is the data controller for your data. In the rest of this notice “we” refers to City Church Manchester.
Your privacy is important to us and we are committed to safeguarding the privacy of your information.
Special Categories of Personal Data – what is it?
Data relating to:
- sex life
- sexual orientation
- ethnic origin
- political opinion
- trade union membership
- genetic and biometric data
Types of Data Held
We keep several categories of personal data in order to carry out effective and efficient processes. We keep this data in locked cabinets located in the operations office and we also hold the data within computer systems such as ChurchSuite, Asana, Google Apps, Xero Financial, Mailchimp Marketing, Stewardship Giving, Stripe Credit/Debit, and GoCardless Direct Debit.
The categories of information that we collect, hold and share include:
- Personal details such as name, titles, aliases, photographs;
- Contact details such as telephone numbers, addresses, and email addresses;
- Where they are relevant to our mission, or where you provide them to us, we may process demographic information such as gender, age, date of birth, marital status, nationality, education/work histories, academic/professional qualifications, hobbies, family composition, and dependents;
- Where you make donations or pay for activities such as events, financial identifiers such as bank account numbers, payment card numbers, payment/transaction identifiers, policy numbers, and claim numbers;
- The data we process is likely to fall under special categories of data because, as a church, the fact that we process your data at all may be suggestive of your religious beliefs.
Why are we collecting your data?
The law on data protection allows us to process your data for certain reasons only. In the main, we process your data in order to provide appropriate pastoral care, to monitor and assess the quality of our services, to fulfil our purposes as a church and to comply with the law regarding data sharing. In legal terms this is called ‘legitimate interests’. When it is required, we may also ask you for your consent to process your data. We do not share your information with others except as described in this notice.
An example of this would be our safeguarding work to protect children and adults at risk. We will always consider your interests, rights and freedoms. Some of our processing is necessary for compliance with a legal obligation. For example, we are required by HMRC to provide details of your personal data when your donations are eligible for Gift Aid. Religious organisations are also permitted to process information about your religious beliefs to administer membership or contact details. Where your information is used other than in accordance with one of these legal bases, we will first obtain your consent to that use.
How do we process your personal data?
We, as the data controllers, will comply with the legal obligations to keep personal data up to date; to store and destroy it securely; to not collect or retain excessive amounts of data; to keep personal data secure, and to protect personal data from loss, misuse, unauthorised access and disclosure and to ensure that appropriate technical measures are in place to protect personal data.
We use your personal data for some or all of the following purposes:
- To enable us to meet all legal and statutory obligations;
- To carry out comprehensive safeguarding procedures (including due diligence and complaints handling) in accordance with best safeguarding practice from time to time with the aim of ensuring that all children and adults-at-risk are provided with safe environments;
- To minister to you and provide you with pastoral and spiritual care (such as meeting with you);
- To deliver the church’s mission to our community, and to carry out any other voluntary or charitable activities for the benefit of the public as provided for in the constitution and statutory framework of each data controller;
- To administer the church attenders and membership records;
- To fundraise and promote the interests of the church and charity;
- To maintain our own accounts and records;
- To process a donation that you have made (including Gift Aid information);
- To seek your views or comments;
- To notify you of changes to our services, events and role holders;
- To send you communications which you have requested and that may be of interest to you. These may include information about campaigns, appeals, other fundraising activities.
Storing your data
We hold your data for varying lengths of time depending on the type of information in question but in doing so we always comply with Data Protection legislation. We will contact you annually to check that the information we are holding is accurate and that you agree to us holding it.
Who do we share your information with?
We will not share your information with third parties without your consent unless the law requires us to do so. Your personal data will be treated as strictly confidential. It will only be shared with third parties where it is necessary for the performance of our tasks or where you first give us your prior consent. It is likely that we will need to share your data with some or all of the following (but only where necessary):
- Internally: We will share your data amongst staff, trustees, treasurers, elders, team and Connect group leaders, for example, only when it is relevant to do so. When you give us your email address or number, for example, that is stored in our staff-only database (we use the programme ChurchSuite). The staff use that information for their specific roles and if you join a Connect group or serving team, the leaders are given access to that basic information, for example. Children’s data is seen by their City Kids leaders on a Sunday.
- Legal compliance: We are legally obliged to share some information to adhere to UK law. For example, as we are a registered charity, we must submit our accounts, which need to be audited by a third-party accountant. We must also fulfil our legal requirements for safeguarding, for which it may be necessary to share your information with law enforcement entities.
- Approved 3rd Parties: When we use the term 3rd party, we mean systems or organisations that are necessary for City Church Manchester to function, as we are not able to internally do that work or create those programmes. We will carefully vet these before use to ensure they will in turn keep personal data secure in line with the law. We do not give, sell, trade or share any of your personal data to organisations that we think may be of interest to you, ever.
Examples of our approved 3rd parties are:
- IT: Google (staff email and administrative tools), ChurchSuite, Mailchimp (email distribution and design).
- Financial organisations: HMRC (gift aid reporting), our main bank account provider, Stewardship (giving), Stripe & GoCardless (online card payment processing).
Your details will never be shared with anyone outside of City Church Manchester without your express advance permission, except in certain limited situations, such as where we are required to do so by law or to protect members of the public from serious harm.
We take the safeguarding and personal privacy of children extremely seriously. The information in this Privacy Notice is equally applicable to children. According to UK Law, the age that children are considered a parent’s responsibility for the purposes of data protection is up to 12 years old. Following that age, children’s data protection will be treated in the same way as an adult (with consent sought from them as needed). For more information about Children’s Rights, please visit https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/applications/children/
There is a minimum amount of personal data that we need to keep and use for your children, for legal and safeguarding purposes. On Sunday mornings, for example, if your child is going into City Kids, we need to know your child’s name, their age, if they have allergies and who their parents are etc, so we can keep them safe and know what to call them! You will have filled out a registration form the first time you put them in.
Requesting access to your personal data
Under Data Protection legislation, you have the right to request access to information about you that we hold. To make a request for your personal information, contact our Operations Director.
You also have the right to:
- object to processing of personal data that is likely to cause, or is causing, damage or distress
- prevent processing for the purpose of direct marketing
- object to decisions being taken by automated means
- in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
- claim compensation for damages caused by a breach of the Data Protection regulations.
Where you have provided consent to our use of your data, you also have the right to withdraw that consent at any time. This means that we will stop processing your data.
For further information on how your information is used, how we maintain the security of your information and your rights to access information we hold on you, please contact the Operations Director.
If you have a concern about the way we are collecting or using your personal data, you should raise your concern with us in the first instance or directly to the Information Commissioner’s Office at https://ico.org.uk/concerns/
If you would like to discuss anything in this privacy notice, please contact: