PRIVACY POLICY
Lammermuir Church SCOTTISH CHARITY NUMBER SC015414
The Kirk Session of Lammermuir Church Scottish Charity number SC015414 (the ‘Congregation’) is providing you with this Privacy Notice in order to comply with data protection law and to ensure transparency in the collection and use of your personal data.
Who is collecting the information
Lothian and Borders Presbytery Scottish Charity Number SC040976 is the Data Controller for the Congregation. Wendy Ferguson is the Data Protection Coordinator for the Congregation (t.01620 811069, e. [email protected]).
Why is this personal data collected and for what reason (Purpose)
This information is used to:
What personal data is collected
Personal data will include only what is necessary to fulfill the purposes listed, it may include:
The Congregation also collects some special category (sensitive) personal data, which may include:
The information source
The information is collected directly from you. Some data is collected via the Presbytery or the National Offices.
The lawful basis for the processing
The Congregation processes special category (sensitive) data is processed under UK GDPR Article 9(2)(d): “processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects”.
For the other processing activities, the lawful basis are:
Who data is shared with
Your personal information will only be shared where this is necessary for the purposes set out above. Information will not be shared with any third party out with the Church of Scotland without your consent unless the Congregation is obliged or permitted to do so by law.
How long the personal data is held for
The Congregation will keep your personal information for as long as you are a member or adherent, or have regular contact with the Congregation, or for as long as the Congregation is obliged to keep it by law or may need to do so in order to respond to any questions or complaints, or to show that the Congregation treated you fairly. When the information is no longer needed it will be securely destroyed following church procedure. Further information about our retention and disposal schedule is available below.
Individuals’ rights in relation to this processing
Under data protection laws, individuals have a number of rights in relation to the processing of their personal data. These rights are as follows:
Not all rights apply and it depends on the lawful basis as to what rights do apply.
For the processing purposes of this privacy notice, when the lawful basis is legal obligation the right of erasure, right to data portability and the right to object do not apply. All other rights do apply. For the processing purposes of this privacy notice when the lawful basis is legitimate interests, all rights apply except for data portability. If you wish to exercise any of your rights please contact the Data Protection Coordinator for Lammermuir Church, Wendy Ferguson (t.01620 811069, e. [email protected]).
If any processing is carried out on the basis of consent it’s important to note that you can withdraw your consent at any time. To do this please contact Wendy Ferguson (t.01620 811069, e. [email protected]).
Complaints to the Church of Scotland
If you are concerned about how your personal data is being used by the Church of Scotland, please contact - in the first instance - the Data Protection Coordinator for Lammermuir Church, Wendy Ferguson (t.01620 811069, e. [email protected]) and the Data Protection Officer for the Church of Scotland at [email protected], if required.
Complaints to the Information Commissioner’s Office (ICO)
If you are not satisfied with the outcome of your complaint to the Church of Scotland, a referral can be made to the UK regulator of data protection, the Information Commissioner’s Office (ICO).
The ICO has guidance on their website: https://ico.org.uk/your-data-matters/raising-concerns/. The ICO can be contacted by email [email protected] or by telephone on 0303 123 1113. Alternatively, their postal address is:
Customer Contact
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF
Further information
If you would like further information in relation to this Privacy Notice please contact the Church of Scotland Data Protection Officer at [email protected].
This Privacy Notice may be updated from time to time to reflect changes in legal requirements or other operational reasons. The latest version will always be available from Lothian and Borders Presbytery Scottish Charity Number SC040976. Wendy Ferguson is the Data Protection Coordinator for the Congregation [t.01620 811069, e. [email protected]].
DATA RETENTION POLICY
1. Introduction
1.1. Church of Scotland congregations gather personal information from individuals and external organisations as well as generating a wide range of personal data, all of which is recorded in documents and records, both in hard copy and electronic form.
1.2. Examples of the types of information accumulated and generated are set out in Appendix 1 of this policy and include but are not limited to minutes of Kirk Session meetings; membership rolls; baptismal information; employment records; newsletters and other communications such as letters and emails.
1.3. In certain circumstances it will be necessary to retain documents to meet legal requirements and for operational needs. Document retention is also required to evidence agreements or events and to preserve information.
1.4. It is, however, not practical or appropriate for congregations to retain all records. Additionally, data protection principles require information to be as up to date and accurate as possible. It is therefore important that congregations have in place systems for the timely and secure disposal of documents that are no longer required.
1.5. This Data Retention Policy was adopted by the Congregation on 29 May 2018 and will be implemented on a day-to-day basis.
2. Roles and Responsibilities
2.1 Congregational office bearers and those involved with safeguarding will adopt the retention and disposal guidance at Appendix 1 of this policy and strive to keep records up to date.
2.1 Advice will be obtained from the Law Department or Safeguarding Department of the Church Office at 121 George Street if there is uncertainty about retention periods.
3. Retention and Disposal Policy
3.1. Decisions relating to the retention and disposal of data should be guided by:
3.1.1. Appendix 1 – Document Retention Schedule – Guidance on the recommended and statutory minimum retention periods for specific types of documents and records.
3.1.2. Appendix 2 – Quick Guide to document retention.
3.2. In circumstances where the retention period for a specific document or category of documents has expired, a review should be carried out prior to disposal and consideration should be given to the method of disposal.
4. Disposal
4.1. Documents containing confidential or personal information should be disposed of either by shredding or by using confidential waste bins or sacks. Such documentation is likely to include financial details, contact lists with names and addresses and pastoral information.
4.2. Documents other than those containing confidential or personal information may be disposed of by recycling or binning.
4.3. Electronic communications including email, Facebook pages, twitter accounts etc. and all information stored digitally should also be reviewed and if no longer required, closed and/or deleted so as to be put beyond use. This should not be done simply by archiving, which is not the same as deletion. It will often be sufficient simply to delete the information, with no intention of ever using or accessing it again, despite the fact that it may still exist in the electronic ether. Information will be deemed to be put beyond use if the Congregation is not able, or will not attempt, to use it to inform any decision in respect of any individual or in a manner that affects the individual in any way and does not give any other organisation access to it.
4.4. Deletion can also be effected by using one of the following methods of disposal:
The Kirk Session of Lammermuir Church Scottish Charity number SC015414 (the ‘Congregation’) is providing you with this Privacy Notice in order to comply with data protection law and to ensure transparency in the collection and use of your personal data.
Who is collecting the information
Lothian and Borders Presbytery Scottish Charity Number SC040976 is the Data Controller for the Congregation. Wendy Ferguson is the Data Protection Coordinator for the Congregation (t.01620 811069, e. [email protected]).
Why is this personal data collected and for what reason (Purpose)
This information is used to:
- administer membership records, including the Communion/Supplementary Rolls;
- enable pastoral care;
- enable participation in Congregational activities;
- provide you with information in relation to news, events, and activities within the Congregation or the wider Church of Scotland;
- provide the services of a parish church to the local community;
- fulfill legal obligations;
- further charitable aims, for example through fundraising activities;
- maintain accounts and records (including the processing of Gift Aid applications);
- comply with safeguarding obligations including, the protection of vulnerable groups scheme;
- maintain a directory of contact details.
What personal data is collected
Personal data will include only what is necessary to fulfill the purposes listed, it may include:
- Name
- Address
- Telephone number
- Mobile number
- Date of Birth
- Email address
- Bank details (for Gift Aid and fundraising purposes)
- Children’s data
- Photographs and videos (where applicable)
- Safeguarding information, including deed of covenant
The Congregation also collects some special category (sensitive) personal data, which may include:
- Role in Church (e.g. office bearer information such as Session Clerk, Treasurer etc.)
- Religious beliefs are collected by implication by being a church member.
The information source
The information is collected directly from you. Some data is collected via the Presbytery or the National Offices.
The lawful basis for the processing
The Congregation processes special category (sensitive) data is processed under UK GDPR Article 9(2)(d): “processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects”.
For the other processing activities, the lawful basis are:
- UK GDPR Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject”.
- Article 6(1)(f) “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”.
- Article 6(1)(a) “the data subject has given consent to the processing of his or her personal data for one or more specific purposes”. This is specific to safeguarding purposes and Sunday School and other related activities dealing with children. Consent will be sought from parents/guardians for processing a child’s personal data.
Who data is shared with
Your personal information will only be shared where this is necessary for the purposes set out above. Information will not be shared with any third party out with the Church of Scotland without your consent unless the Congregation is obliged or permitted to do so by law.
How long the personal data is held for
The Congregation will keep your personal information for as long as you are a member or adherent, or have regular contact with the Congregation, or for as long as the Congregation is obliged to keep it by law or may need to do so in order to respond to any questions or complaints, or to show that the Congregation treated you fairly. When the information is no longer needed it will be securely destroyed following church procedure. Further information about our retention and disposal schedule is available below.
Individuals’ rights in relation to this processing
Under data protection laws, individuals have a number of rights in relation to the processing of their personal data. These rights are as follows:
- The right to be informed – this privacy notice meets that right.
- The right of access – this means you have the right to have access or receives copies of personal data held by the organisation
- The right to rectification – this means you have the right to correct incomplete or inaccurate data held about you
- The right to erasure – this means you have the right to have your data deleted from an organisation’s records.
- The right to restrict processing – this means you have the right to restrict processing. This right is normally used with other rights, e.g. rectification
- The right to data portability – this means you have the right to request your data in a machine-readable format (e.g. a .csv file) and transfer this to another organisation
- The right to object – this means you have the right to object to how your data is processed
- Rights in relation to automated individual decision making, including profiling – the Church does not carry out this type of processing.
Not all rights apply and it depends on the lawful basis as to what rights do apply.
For the processing purposes of this privacy notice, when the lawful basis is legal obligation the right of erasure, right to data portability and the right to object do not apply. All other rights do apply. For the processing purposes of this privacy notice when the lawful basis is legitimate interests, all rights apply except for data portability. If you wish to exercise any of your rights please contact the Data Protection Coordinator for Lammermuir Church, Wendy Ferguson (t.01620 811069, e. [email protected]).
If any processing is carried out on the basis of consent it’s important to note that you can withdraw your consent at any time. To do this please contact Wendy Ferguson (t.01620 811069, e. [email protected]).
Complaints to the Church of Scotland
If you are concerned about how your personal data is being used by the Church of Scotland, please contact - in the first instance - the Data Protection Coordinator for Lammermuir Church, Wendy Ferguson (t.01620 811069, e. [email protected]) and the Data Protection Officer for the Church of Scotland at [email protected], if required.
Complaints to the Information Commissioner’s Office (ICO)
If you are not satisfied with the outcome of your complaint to the Church of Scotland, a referral can be made to the UK regulator of data protection, the Information Commissioner’s Office (ICO).
The ICO has guidance on their website: https://ico.org.uk/your-data-matters/raising-concerns/. The ICO can be contacted by email [email protected] or by telephone on 0303 123 1113. Alternatively, their postal address is:
Customer Contact
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF
Further information
If you would like further information in relation to this Privacy Notice please contact the Church of Scotland Data Protection Officer at [email protected].
This Privacy Notice may be updated from time to time to reflect changes in legal requirements or other operational reasons. The latest version will always be available from Lothian and Borders Presbytery Scottish Charity Number SC040976. Wendy Ferguson is the Data Protection Coordinator for the Congregation [t.01620 811069, e. [email protected]].
DATA RETENTION POLICY
1. Introduction
1.1. Church of Scotland congregations gather personal information from individuals and external organisations as well as generating a wide range of personal data, all of which is recorded in documents and records, both in hard copy and electronic form.
1.2. Examples of the types of information accumulated and generated are set out in Appendix 1 of this policy and include but are not limited to minutes of Kirk Session meetings; membership rolls; baptismal information; employment records; newsletters and other communications such as letters and emails.
1.3. In certain circumstances it will be necessary to retain documents to meet legal requirements and for operational needs. Document retention is also required to evidence agreements or events and to preserve information.
1.4. It is, however, not practical or appropriate for congregations to retain all records. Additionally, data protection principles require information to be as up to date and accurate as possible. It is therefore important that congregations have in place systems for the timely and secure disposal of documents that are no longer required.
1.5. This Data Retention Policy was adopted by the Congregation on 29 May 2018 and will be implemented on a day-to-day basis.
2. Roles and Responsibilities
2.1 Congregational office bearers and those involved with safeguarding will adopt the retention and disposal guidance at Appendix 1 of this policy and strive to keep records up to date.
2.1 Advice will be obtained from the Law Department or Safeguarding Department of the Church Office at 121 George Street if there is uncertainty about retention periods.
3. Retention and Disposal Policy
3.1. Decisions relating to the retention and disposal of data should be guided by:
3.1.1. Appendix 1 – Document Retention Schedule – Guidance on the recommended and statutory minimum retention periods for specific types of documents and records.
3.1.2. Appendix 2 – Quick Guide to document retention.
3.2. In circumstances where the retention period for a specific document or category of documents has expired, a review should be carried out prior to disposal and consideration should be given to the method of disposal.
4. Disposal
4.1. Documents containing confidential or personal information should be disposed of either by shredding or by using confidential waste bins or sacks. Such documentation is likely to include financial details, contact lists with names and addresses and pastoral information.
4.2. Documents other than those containing confidential or personal information may be disposed of by recycling or binning.
4.3. Electronic communications including email, Facebook pages, twitter accounts etc. and all information stored digitally should also be reviewed and if no longer required, closed and/or deleted so as to be put beyond use. This should not be done simply by archiving, which is not the same as deletion. It will often be sufficient simply to delete the information, with no intention of ever using or accessing it again, despite the fact that it may still exist in the electronic ether. Information will be deemed to be put beyond use if the Congregation is not able, or will not attempt, to use it to inform any decision in respect of any individual or in a manner that affects the individual in any way and does not give any other organisation access to it.
4.4. Deletion can also be effected by using one of the following methods of disposal:
- Using secure deletion software which can overwrite data;
- Using the function of “restore to factory settings” (where information is not stored in a removable format);
- Sending the device to a specialist who will securely delete the data.
Appendix 1 Data Retention Schedule
(Safeguarding records are held by Lammermuir Church).
Record and Retention Period
Minutes of Meetings – 6 years
Kirk Session Minutes – 50 years - permanent. After 50 years pass the minutes to the principal clerk’s office, who then liaise with the National Records of Scotland for archiving.
Pre-employment enquiries, applications, letters, references – 6 months after completion of recruitment, unless data to be retained for future similar opportunity, in which case 1 year
Congregational Roll – 100 years
Certificates of Transference/Lines – 100 years
Employee/appointments records including: contracts, time records etc - Duration of employment plus 7 years
Volunteer records – Duration of placement plus 7 years
Databases for mailing lists, distribution – Reviewed annually and out-of-date information deleted
Miscellaneous contact information – Delete when there is no longer a requirement for the information
Documents relating to litigation or potential litigation – Until matter is concluded plus 7 years
Hazardous material exposures – 30 years
Injury and illness incident reports (RIDDOR) – 5 years
Pension plans and retirement records – Permanent
Salary schedules, ranges for each job description – 2 years
Payroll records – Minimum 7 years, no maximum
Contracts – 7 years following expiration
Construction documents – Permanent
Fixed asset records – Permanent
Application for charitable and/or tax exempt status – Permanent
Sales and purchase records – 5 years
Resolutions – Permanent
Audit and review work papers – 5 years from the end of the period in which the audit or review was concluded
OSCR filings – 5 years from date of filing
Records of financial donations – 7 years
Accounts Payable and Receivables ledgers and schedules – 7 years
Annual audit reports and financial statements – Permanent
Annual plans and budgets – 2 years
Bank statements, cancelled cheques, deposit slips – Minimum of 7 years
Business expense records – 7 years
Cash/ cheque receipts – 7 years
Electronic fund transfer documents – 7 years
Employee expense reports – 7 years
General ledgers – Permanent
Journal entries – 7 years
Invoices – 7 years
Petty cash vouchers – 7 years
Tax records – Minimum 7 years
Filings of fees paid to professionals – 7 years
Environmental studies – Permanent
Insurance claims/applications – Permanent
Insurance contracts and policies (Directors and Officers, General Liability, Property, Workers' Compensation) – Permanent
Leases – 7 years after expiration
Property/buildings documentation (including loan and mortgage contracts, title deeds) – Permanent
Warranties – Duration of warranty plus 7 years
Records relating to potential or actual legal proceedings – Conclusion of any tribunal or litigation proceedings plus 7 years
(Safeguarding records are held by Lammermuir Church).
Record and Retention Period
Minutes of Meetings – 6 years
Kirk Session Minutes – 50 years - permanent. After 50 years pass the minutes to the principal clerk’s office, who then liaise with the National Records of Scotland for archiving.
Pre-employment enquiries, applications, letters, references – 6 months after completion of recruitment, unless data to be retained for future similar opportunity, in which case 1 year
Congregational Roll – 100 years
Certificates of Transference/Lines – 100 years
Employee/appointments records including: contracts, time records etc - Duration of employment plus 7 years
Volunteer records – Duration of placement plus 7 years
Databases for mailing lists, distribution – Reviewed annually and out-of-date information deleted
Miscellaneous contact information – Delete when there is no longer a requirement for the information
Documents relating to litigation or potential litigation – Until matter is concluded plus 7 years
Hazardous material exposures – 30 years
Injury and illness incident reports (RIDDOR) – 5 years
Pension plans and retirement records – Permanent
Salary schedules, ranges for each job description – 2 years
Payroll records – Minimum 7 years, no maximum
Contracts – 7 years following expiration
Construction documents – Permanent
Fixed asset records – Permanent
Application for charitable and/or tax exempt status – Permanent
Sales and purchase records – 5 years
Resolutions – Permanent
Audit and review work papers – 5 years from the end of the period in which the audit or review was concluded
OSCR filings – 5 years from date of filing
Records of financial donations – 7 years
Accounts Payable and Receivables ledgers and schedules – 7 years
Annual audit reports and financial statements – Permanent
Annual plans and budgets – 2 years
Bank statements, cancelled cheques, deposit slips – Minimum of 7 years
Business expense records – 7 years
Cash/ cheque receipts – 7 years
Electronic fund transfer documents – 7 years
Employee expense reports – 7 years
General ledgers – Permanent
Journal entries – 7 years
Invoices – 7 years
Petty cash vouchers – 7 years
Tax records – Minimum 7 years
Filings of fees paid to professionals – 7 years
Environmental studies – Permanent
Insurance claims/applications – Permanent
Insurance contracts and policies (Directors and Officers, General Liability, Property, Workers' Compensation) – Permanent
Leases – 7 years after expiration
Property/buildings documentation (including loan and mortgage contracts, title deeds) – Permanent
Warranties – Duration of warranty plus 7 years
Records relating to potential or actual legal proceedings – Conclusion of any tribunal or litigation proceedings plus 7 years
Appendix 2 General guidance for documents NOT included in the retention schedule.
On-going business use is subjective, but generally refers to documents still required for on-going projects, or documents that may still need to be referred to for on-going activities.
