General Privacy Notice
Your Personal Data—What Is It?
“Personal data” refers to any information about a living individual that enables them to be identified, such as a name, photographs, videos, email address, or postal address. This identification can occur either through this information alone or in combination with other information. The processing of personal data is governed by the Data Protection Act 2018 and other relevant legislation, including the Human Rights Act 1998.
Who Are We?
This privacy notice is provided by the Parochial Church Council (PCC) of St John the Evangelist, Blackheath, which serves as the data controller for your personal data. The notice is based on standard wording set out by the Church of England.
The Church of England consists of various organisations and officeholders working together to carry out the church’s mission. The PCC of St John the Evangelist, Blackheath, collaborates with:
- The incumbent of the parish, as listed under the Diocese of Southwark;
- The bishops of the Diocese of Southwark;
- The Southwark Diocesan Board of Finance, responsible for financial and administrative matters within the diocese.
Since the Church is made up of these persons and organisations working together, we may need to share personal data with them so they can fulfill their responsibilities to the Church and our community. These organisations are joint data controllers, meaning they are all responsible for processing your data. This privacy notice applies to the PCC and the other data controllers listed above. In this notice, “we” refers to each data controller, as appropriate.
What Data Do We Process?
We may process some or all of the following information where necessary to fulfill our tasks:
- Names, titles, aliases, and photographs;
- Contact details such as telephone numbers, addresses, and email addresses;
- Demographic information such as gender, age, date of birth, marital status, nationality, languages spoken, education/work histories, academic/professional qualifications, hobbies, family composition, and dependants, where relevant to our mission;
- Financial identifiers like bank account numbers, payment card numbers, transaction identifiers, policy numbers, and claim numbers, in cases where you make donations or pay for activities;
- Sensitive personal data that may suggest your religious beliefs or other sensitive categories, as defined by the ICO, where required by law.
How Do We Process Your Personal Data?
We comply with legal obligations to keep your personal data up to date, secure, and only retain it for as long as necessary. We use your data for the following purposes:
- Fulfilling legal and statutory obligations (e.g., maintaining the electoral roll);
- Conducting safeguarding procedures;
- Providing pastoral and spiritual care, including performing ecclesiastical services such as baptisms, weddings, and funerals;
- Delivering the church’s mission to our community and carrying out charitable activities;
- Administering parish, deanery, archdeaconry, and diocesan membership records;
- Fundraising and promoting the interests of the church and related charities;
- Maintaining our accounts and records;
- Processing donations (including Gift Aid information);
- Seeking your views or comments;
- Notifying you of changes to our services, events, and personnel;
- Sending you communications you have requested or that may be of interest to you, such as information about campaigns or fundraising activities;
- Processing grant or role applications;
- Providing voluntary services for the public benefit in accordance with our constitution.
Legal Basis for Processing Your Personal Data
Most of our data processing is necessary for our legitimate interests or the legitimate interests of a third party, such as another organisation within the Church of England. For example, safeguarding work is done to protect children and adults at risk. We will always consider your interests, rights, and freedoms.
Some processing is necessary for compliance with legal obligations, such as administering and publishing the electoral roll or announcing forthcoming weddings by publishing banns.
We may also process data if it is necessary for the performance of a contract with you, such as hiring church facilities.
Religious organisations are also permitted to process information about your religious beliefs to administer membership or contact details.
Where your information is used outside of these legal bases, we will first obtain your consent.
Sharing Your Personal Data
Your personal data will be treated as strictly confidential and only shared with third parties where necessary for performing our tasks or where you have given prior consent. We may need to share your data with:
- The appropriate bodies within the Church of England, including the other data controllers;
- Our agents, servants, and contractors (e.g., commercial providers for newsletters or database management);
- Other clergy or laypersons licensed by the bishops of the Diocese of Southwark;
- Other organisations within the Diocese of Southwark, such as the Southwark Diocesan Board for Schools;
- On occasion, other churches or para-church organisations with whom we conduct joint events or activities.
How Long Do We Keep Your Personal Data?
We will keep your data only as long as necessary, following the Church of England’s policies and any legal requirements. For example, financial records may be retained for a minimum of seven years for HMRC audits. However, data will be deleted when it is no longer needed.
Your Rights and Your Personal Data
You have the following rights regarding your personal data:
- Right to access information: You can request the data we hold on you, why we have it, who has access to it, and where we obtained it from. We will respond within one month. The first request is free unless deemed ‘manifestly unfounded or excessive.’
- Right to correct and update information: If your data is outdated, incomplete, or incorrect, you can inform us, and we will update it.
- Right to have your information erased: You can request that we erase your data if you believe we should no longer be using it or if we are using it illegally. We will confirm whether the data has been deleted or explain why it cannot be deleted.
- Right to object to processing: You can request that we stop processing your data. We will inform you if we can comply or if we have legitimate grounds to continue processing. Even if you object, we may retain your data to comply with other legal rights or obligations.
- Right to data portability: You can request that we transfer your data to another controller. We will comply, where feasible, within one month.
- Right to withdraw consent: You can withdraw your consent at any time for any data processing that required your consent. You can do this by contacting us via telephone, email, or post.
- Right to lodge a complaint: You can lodge a complaint with the Information Commissioner’s Office.
Transfer of Data Abroad
Any electronic personal data transferred outside the UK will only be placed on systems with equivalent protection for personal rights. Our website is accessible from overseas, so some personal data (e.g., in newsletters) may be accessed internationally.
Further Processing
If we wish to use your personal data for a new purpose not covered by this notice, we will provide a new notice explaining the new use and seek your consent where necessary.
Contact Details
If you have questions about this privacy notice or the data we hold on you, or to exercise your rights, please contact:
The Churchwardens
St John the Evangelist,
Blackheath, London, SE3 0RW.
You can also contact the Information Commissioner’s Office at 0303 123 1113 or via email at ico.org.uk/global/contact-us/email/, or by post at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
– – – – –
Appendix
Privacy Policy Relating to Children
Introduction
This Privacy Policy shall supplement and be read together with the General Privacy Notice of St John the Evangelist, Blackheath (the “Church”). The Data Protection Act 2018 (DPA 2018) places a high level of responsibility on organisations to protect the personal data of individuals, including children. This is particularly important at St John the Evangelist, where children’s data may be processed for various activities such as Sunday School, youth groups, baptisms, confirmations, and other religious or community events.
Legal Basis for Processing Children’s Data
Under DPA 2018, processing children’s personal data must be lawful, fair, and transparent. The most relevant legal bases for processing children’s data in a church setting include:
- Consent: For children under the age of 13, consent must be obtained from the parent or guardian. For children aged 13 and over, they can provide their own consent, but it should be clear, informed, and specific to the activity in question.
- Legitimate Interests: The church may process children’s data based on legitimate interests, provided it does not override the rights and freedoms of the child. This includes activities like managing church records, organizing events, and providing pastoral care.
- Legal Obligations: The church may process data to comply with legal obligations, such as safeguarding requirements, maintaining records of baptisms and confirmations, or complying with statutory reporting duties.
- Vital Interests: In situations where processing is necessary to protect the vital interests of a child, such as in emergencies, data may be processed without consent.
What Data Is Collected?
The Church may collect and process various types of personal data related to children, including but not limited to:
- Personal Identifiers: Name, date of birth, gender, and photographs.
- Contact Information: Address, phone number, and email (where appropriate).
- Religious Information: Details related to baptisms, confirmations, Sunday School attendance, and other religious activities.
- Health Information: Medical conditions, allergies, or other relevant health information necessary for the child’s care during church activities.
- Parental or Guardian Information: Contact details and consent records.
How Is Children’s Data Used?
Children’s data is used in the church environment to:
- Administer and organise religious ceremonies such as baptisms, confirmations, and first communions.
- Provide pastoral care and support tailored to the child’s spiritual development.
- Communicate with parents or guardians about events, activities, or changes to church services that affect their children.
- Safeguard the welfare of children during church events and activities.
- Maintain accurate church records for legal and historical purposes.
Sharing Children’s Data
Children’s personal data will be treated as strictly confidential and will only be shared with specific parties under certain conditions:
- Within the Church: Data may be shared with clergy, Sunday School leaders, youth group coordinators, and other relevant church officers who need the information to carry out their roles.
- Third Parties: Data may be shared with third-party service providers who assist with church activities (e.g., event organisers, safeguarding advisors), but only where it is necessary and where appropriate safeguards are in place.
- Legal Requirements: Data may be shared with statutory bodies or agencies in compliance with legal obligations, particularly in safeguarding contexts.
Safeguarding and Data Security
The Church places a strong emphasis on safeguarding children. Appropriate technical and organisational measures are in place to ensure that children’s personal data is protected against unauthorized access, loss, or misuse. These measures include:
- Access Controls: Limiting access to children’s data to authorized personnel only.
- Data Minimization: Collecting only the necessary data required for the specific purpose.
- Secure Storage: Storing physical and electronic data securely, with encryption used where appropriate.
- Training: Providing data protection and safeguarding training to staff and volunteers who handle children’s data.
Parental Rights and Children’s Rights
Under DPA 2018, both parents (or guardians) and children have rights regarding their personal data. These rights include:
- Right to Be Informed: Parents and children must be informed about how their data is being used, who it will be shared with, and how long it will be retained.
- Right to Access: Parents and children have the right to request access to the data held about the child.
- Right to Rectification: Parents and children can request that inaccurate or incomplete data be corrected.
- Right to Erasure: Parents and children can request that personal data be deleted if it is no longer necessary for the purposes for which it was collected, or if consent is withdrawn.
- Right to Restrict Processing: Parents and children can request that the processing of the child’s data be restricted under certain circumstances.
- Right to Object: Parents and children can object to the processing of the child’s data, particularly in cases where the church is relying on legitimate interests as the legal basis.
Retention of Data
Children’s data will be retained only for as long as necessary to fulfill the purposes for which it was collected, in accordance with the Church of England guidelines and statutory requirements. For example:
- Sacramental Records: Information relating to baptisms and confirmations may be retained indefinitely for historical and ecclesiastical purposes.
- Event Registration: Data collected for specific events (e.g., holiday clubs) will be deleted once the event and any related follow-up activities are completed unless there is a legal reason to retain it longer.
Contact Information
If you have questions or concerns about how your child’s data is being handled, or to exercise any of your or your child’s rights under GDPR, you can contact:
The Churchwardens of St John the Evangelist, Blackheath
office@stjohnsblackheath.org.uk
St. John’s Church Blackheath
Stratheden Road
Blackheath, SE3 7TH
You can also contact the Information Commissioner’s Office (ICO) for further guidance or to lodge a complaint.