Harefield Church uses personal data about living individuals for the purpose of general church administration and communication.

Harefield Church recognises the importance of the correct and lawful treatment of personal data.  All personal data, whether it is held on paper, on computer or other media, will be subject to the appropriate legal safeguards as specified in the General Data Protection Regulation 2017.

Harefield Church fully endorses and adheres to the eight principles of the GDPR.  These principles specify the legal conditions that must be satisfied in relation to obtaining, handling, processing, transportation and storage of personal data.  Employees and any others who obtain, handle, process, transport and store personal data for Harefield Church must adhere to these principles.

ICO registration

Our Data Protection Public Register reference is ZA254008.

Your personal data – what is it?

Personal data relates to a living individual (the “Data Subject”) who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession.  The processing of personal data is governed by the General Data Protection Regulation (the “GDPR”).

Who are we?

Harefield Church is the data controller (contact details below).  This means it decides how your personal data is processed and for what purposes.

The Principles

The principles require that personal data shall:

  • Be processed fairly and lawfully and shall not be processed unless certain conditions are met.
  • Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose.
  • Be adequate, relevant and not excessive for those purposes.
  • Be accurate and where necessary, kept up to date.
  • Not be kept for longer than is necessary for that purpose.
  • Be processed in accordance with the data subject’s rights.
  • Be kept secure from unauthorised or unlawful processing and protected against accidental loss, destruction or damage by using the appropriate technical and organisational measures.
  • Not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

How do we process your personal data?

Harefield Church complies with its obligations under the “GDPR” by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.

We use your personal data for the following purposes: –

  • The day-to-day administration of the church; e.g. pastoral care and oversight including calls and visits, preparation of rotas, maintaining financial records of giving for audit and tax purposes (including the processing of gift aid applications).
  • To administer membership and contact records;
  • To manage our employees and volunteers;
  • Contacting you to keep you informed of church activities and events.
  • Statistical analysis; gaining a better understanding of church demographics.

Storage of information

Information is stored upon various servers and databases –

  • Payroll bureau – for processing of payroll;
  • Web hosting – for church website including church directory;
  • Mailchimp – for newsletters
  • Church server – for documents, accounts, etc.
  • Individual PCs – for rotas, names and addresses.

  1. Access to databases and servers is strictly controlled through the use of name specific passwords, which can be updated and controlled by the individual.
  2. Those authorised to use our storage of information only have access to their specific area of use within a database.  This is controlled by the Data Controller and other specified administrators.  These are the only people who can access and set these security parameters.
  3. People who will have secure and authorised access to the database include Harefield Church Staff, Church Leaders, Life Group Leaders, volunteers and Harefield Church Trustees.
  4. Our databases will NOT be accessed by any authorised users outside of the EU, in accordance with the Data Protection Act, unless prior consent has been obtained from the individual whose data is to be viewed.
  5. Subject Access – all individuals who are the subject of personal data held by Harefield Church are entitled to:
     • Ask what information the church holds about them and why;
     • Ask how to gain access to it;
     • Be informed how to keep it up to date;
     • Be informed what Harefield Church is doing to comply with its obligations under the 1988 Data Protection Act.
  6. Personal information will not be passed on to any third parties outside of the church environment.
  7. Subject Consent – The need to process data for normal purposes has been communicated to all data subjects.
  8. Sensitive personal data may only be processed with the explicit consent of the individual and consists of information relating to:
     • Race or ethnic origin;
     • Political opinions and trade union membership;
     • Religious or other beliefs;
     • Physical or mental health or condition;
     • Sexual life;
     • Criminal offences, both committed and alleged.

Rights to Access Information

Employees and other subjects of personal data held by Harefield Church have the right to access any personal data that is being held in certain manual filing systems.  This right is subject to certain exemptions: Personal Information may be withheld if the information relates to another individual.

Any person who wishes to exercise this right should make the request in writing to broadcast@harefieldchurch.org.

How long do we keep your personal data?

We only keep information as legally required and information that is relevant to the work of the church and charity.

Specifically we retain gift aid declarations and associated paperwork for a minimum of 7 years after the tax year to which they relate.

If personal details are inaccurate, they can be amended upon request.

You can update your personal details and password online.

Harefield Church aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within 30 days of receipt of a completed form unless there is good reason for delay.

In such cases, the reason for delay will be explained in writing to the individual making the request.

Your rights and your personal data

Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data: –

  • The right to request a copy of your personal data which Harefield Church holds about you;
  • The right to request that Harefield Church corrects any personal data if it is found to be inaccurate or out of date;
  • The right to request your personal data is erased where it is no longer necessary for Harefield Church to retain such data;
  • The right to withdraw your consent to the processing at any time;
  • The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;
  • The right to lodge a complaint with the Information Commissioner’s Office.

Maintaining Confidentiality

Your personal data will be treated as strictly confidential and will only be shared with other members of the church in order to carry out a service to other church members or for purposes connected with the church.

We will only share your data with third parties outside of the church with your consent.

All Harefield Church staff and volunteers who have access to Personal Data are required to maintain confidentiality of personal information.

There are four exceptional circumstances to the above permitted by law:

  1. Where we are legally compelled to do so.
  2. Where there is a duty to the public to disclose.
  3. Where disclosure is required to protect your interest.
  4. Where disclosure is made at your request or with your consent.

Further processing

If we wish to use your personal data for a new purpose, not covered by this Data Protection Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions.  Where and whenever necessary, we will seek your prior consent to the new processing.

Contact details

To exercise all relevant rights, queries or complaints, please in the first instance contact Harefield Church by email at broadcast@harefieldchurch.org.

You can contact the Information Commissioner’s Office on 0303 123 1113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.