Privacy Notice - Diocese of Peterborough

Peterborough Diocesan Board of Finance Privacy Notice

Details on the Peterborough Diocesan Board of Finance privacy notice.

The Peterborough Diocesan Board of Finance (DBF) is committed to maintaining your trust by protecting your personal data.

Personal data is any information relating to an identified or identifiable person. The DBF will process your personal data in a transparent and lawful way, as stated in our Data Protection Policy above.

We may change this statement from time to time to reflect privacy or security updates. We encourage you to periodically review this page for the latest information.

Data Controller

The Church of England comprises many different charities and office holders; it is a community rather than an organisation. The Diocese of Peterborough itself is made up of multiple charities – one of which is the Peterborough Diocesan Board of Finance (“DBF” , !we”, “our”, “us”). The DBF is the legal entity through which many of the diocesan responsibilities and functions are achieved and is the data controller for any data it processes to achieve its purpose (s)

Why we collect and use your personal data+

Personal data is collected to enable the DBF to provide a range of services to carry out our many functions in support of Mission and Ministry in this diocese. Your personal data may be processed by members of diocesan staff or volunteers for purposes connected with diocesan business, this includes:

Promoting and supporting the mission and ministry of the Church of England in this diocese.
The administration of membership records.
The provision of training and education.
To fundraise and promote the interests of the charity.
The provision of safeguarding services.
The provision of clergy housing.
The provision of pensions, payroll and benefits.
Maintaining our own accounts and records.
Promoting news, events, activities and services happening throughout the diocese.
Supporting and managing our employees.
Supporting clergy to undertake their mission.

The lawful basis for using your information+

We collect and use information under one or more of the following legal bases.

Consent – we need your permission to use your information. Where we require consent to use your information we will make it clear when we ask for consent and explain how to go about withdrawing your consent.
Legal obligation – we need to process your information to comply with the law.
Public task – we need to process your information to exercise official authority or carry out tasks in the public interest.
Contract – we need to process your information as part of a contract such as a contract of employment.
Vital interest – we need to process your information to protect someone’s life in an emergency.
Legitimate interest – we need to process your information in order to undertake tasks and duties related to members of the Church of England.

In most circumstances we process your personal data in the course of our legitimate activities as a not for profit body with a religious aim. Where we require consent to use your information we will make it clear when we ask for consent and explain how to go about withdrawing your consent

Special category and criminal conviction data

We collect and use information under one or more of the following conditions:

Explicit consent – we need your permission to use your information. Where we require consent to use your information we will make it clear when we ask for consent and explain how to go about withdrawing your consent
Employment law - carrying out the obligations and exercising specific rights in relation to employment law
Vital interest - we need to process your information to protect someone’s life in an emergency
Legitimate activity - processing is carried out in the course of our legitimate activities with appropriate safeguards
Processing relates to personal data which are manifestly made public by the data subject
Legal claims - where processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity
Substantial public interest, in accordance with the Data Protection Act 2018, Schedule 1, Part 2
Occupational health - processing is necessary for the purposes of preventive or occupational medicine
Archival or research purposes – where processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

We may only use your personal data for the uses and purposes set out above unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original use and purposes

Who we collect from or share your information with

Other data controllers within the Church of England, such as National Church Institutions to provide a complete service to you without the need for you to provide the information more than once.
Information might be shared with individuals or organisations including: Members and their families, Employees, Prospective employers, other church bodies (eg. The Archbishops Council), volunteers engaged by the Diocese, other such recipients where it is necessary to share data to discharge Diocesan obligations.

Information may also be shared with any third party services the Diocese engages to help fulfil its obligations. These include:

Our IT Service Provider
Mailing providers
Survey tools
Training providers
Regulatory bodies required by law.

Countries outside of the UK/EEA

The DBF does not share your information with third countries outside of the UK or EEA without the safeguards being in place that are complaint with the UK GDPR or the EU GDPR.

How long do we keep your information?

There’s often a legal and/or business reason for keeping your information for a set period, we keep data in accordance with the guidance set out in the guide ‘Save or Delete’: The Care of Diocesan Records, which is available from the Church of England website here.

When you subscribe to one of our enewsletters we keep your details for 2 years unless there is active engagement (for example opening) of the newsletters, in which case you will remain on our mailing list. You can unsubscribe from receiving our mailings at any time.

Where do we keep your information?

Information the Diocese stores remains inside the EU. It is encrypted and securely held on password protected servers with no permitted access to anyone unless they have an operational/Diocesan business need to do so.

If a data subject permits us to do so, contact information will be made available through the Diocesan website or within the online Diocesan Directory. It should be noted this information will then be visible outside of the UK.

Automated decision making without access to human intervention

Your personal data will not be used for any automated decision making without access to human intervention.

Your rights

You have the following rights regarding your personal data, unless exempt:

The right to be informed about any personal information we collect and use about you;
The right to access and request a copy of your personal information which we hold about you;
The right to withdraw your consent at any time (where applicable);
The right to request that we correct any personal information if it is found to be inaccurate, incomplete or out of date;
The right to request your personal information is erased where it is no longer necessary for us to keep such information;
The right to request a restriction is placed on further processing, for example where there is a dispute in relation to the accuracy or processing of your personal information;
The right to object to the processing of your personal information;
The right to obtain and reuse your personal information to move, copy or transfer it from one IT system to another. (only applicable for data held online)

If you wish to exercise these rights please use this Individual Rights Request Form

Complaints or concerns

If you believe the DBF has not complied with your data protection rights, please contact the Data Protection Officer at [sue.ratcliffe@peterborough-diocese.org.uk] or write to:

The Data Protection Officer

The Diocesan Office

The Palace

Peterborough

PE1 1YB

You also have the right to complaint to the Information Commissioner’s Office (ICO) at any time. The ICO is the UK supervisory authority for data protection issues and contact details can be found on the ICO website – www.ico.org.uk or write to:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Tel: 0303 123 1113 (local rate)

Data Protection policy for the Peterborough Diocesan Board of Finance (DBF)

The Peterborough Diocesan Board of Finance (DBF) uses personal information to carry out their many functions supporting the mission and ministry of the Church of England. Legislation requires and sometimes empowers the DBF to provide goods and services to the wider Church.

The DBF therefore collects a wide range of personal data required for or incidental to the discharge of its functions, involving employees, clergy, pensions, housing, public consultations, recruitment and appointment, parliamentary functions etc. The DBF will endeavour to ensure that they use personal information in line with the expectations and interests of those with whom they come into contact, including their employees, office holders and customers, for the benefit of the Church and wider society and in compliance with data protection legislation.

Your Rights

The right to be informed
The right to access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object

The DBF will facilitate such individual rights requests and ensure action is taken within the legislated timescales.

In dealing with the processing of valid requests the DBF will be guided by the following principles:

The DBF will be open and transparent with data subjects when communicating with them about their rights including the provision of appropriate privacy notices.
The DBF will comply with the request unless exemptions apply.
The DBF will provide an acknowledgement of the receipt of the request.
The DBF will accept requests by email and letter.
The DBF will provide a response in compliance with the duties placed upon it as Data controller.
The DBF will support the individual to make the request clear to enable them to get the best possible response.
The DBF will facilitate the exercise of data subjects’ rights in order to enable them to make their request to the correct data controller.
The DBF will ensure that partner organisations or third party processors are made aware of such requests and are expected to collaborate with the DBF and the data subject in order to fulfil them.

The DBF will provide a written response to all requests in the same format as the request was received (except social media) or in the most secure method available to meet the needs of the data subject.

The DBF will not comply with requests where the identity of the requester cannot be verified.

In responding to request(s) the DBF will meet the following timescales:

Provide an acknowledgement of the receipt of any request within 5 working days of receipt
Provide a response as required by law and set out in the table below:

Individual Rights Request	Timescale
Right of access (Subject Access Request)	One calendar month
Right to rectification	One calendar month
Right to erasure	One calendar month
Right to restrict processing	One calendar month
Right to data portability	One calendar month
Right to object	One calendar month
Right to challenge automated decision making or profiling	Not specified, but without undue delay

The right to be informed

This is your right know about how your data is being processed, who it is given to, for what purpose and anything else that guarantees your rights. The DBF will provide this information to you in the form of Privacy Notice.

The right of access

You have a right to access your personal data and relevant supplementary information. This is known as a Subject Access Request.

Occasionally it may take us longer than a month if your request is particularly complex or you have made several requests. In this case, we will notify you and keep you updated.

In most cases we cannot charge you a fee to comply with a subject access request. However, where the request is considered manifestly unfounded or excessive we may charge a “reasonable fee” for the administrative costs of complying with the request. We may also charge a reasonable fee if you request further copies of your data following a request. We would base this fee on the administrative costs of providing further copies.

The right to rectification

If you believe that any personal data we are holding about you is incorrect or incomplete, you have the right to have your personal data rectified if it is inaccurate or incomplete. In most cases we will delete information, correct information or add additional notes indicating corrections.

The right to erasure

You have the right to ask us to delete your personal data under certain circumstances. Please note that this although you may make a request, where the DBF is required to hold the information for statutory reasons we will not necessarily agree to erase such data.

The right to restrict processing

You have a right to request the DBF restricts processing of your personal data. Please note that this is not an absolute right, and we may not be able to comply.

The right to data portability

You have the right to obtain and reuse your personal data for your own purposes. You have the right to receive your personal data in a structured, commonly used and machine-readable format. The DBF will assist in the transmission of such data to another entity, upon request, to the extent technically feasible. Note that this right only applies to automated information which you initially provided consent for us to use, or where we need the information to perform a contract for you.

The right to object to processing

You have the right to object to processing in certain circumstances. This is not an absolute right, and may be refused.

The cessation of processing does not require the DBF to erase or delete data unless an erasure request has been made and agreed.

You have an absolute right to stop your data being used for direct marketing

The right to withdraw consent

If you have consented to the processing of your personal data via a consent form or process, you have the right to revoke such consent if you let us know in writing. This will be specific to the process you have consented to. If you withdraw your consent, this will not affect the lawfulness of any processing carried out before you withdraw your consent.

Rights related to automated decision making including profiling

The DBF does not use automated decision making or profiling, however, there are restrictions on automated decisions based solely on automated means without any human involvement. Also there are restrictions on profiling.

Concerns about data protection

If you have a concern about the way we are collecting or using your personal data, we would appreciate the chance to deal with your concerns. You can raise your concern by contacting the Data Protection Officer in writing or by email to:

Susan Ratcliffe

The Palace

Peterborough

PE1 1YB

Sue.ratcliffe@peterborough-dicoese.org.uk

You have the right to make a complaint at any time on the Information Commissioner's website or by writing to them at:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 0303 123 1113 (local rate)

Making a request

Individual rights requests may be submitted by phone, email, letter, or via social media. Whilst not a legal requirement, applicants are invited to complete our application form as this will assist us in identifying the data held about you.

We may need to request specific information from you to help us confirm your identity and ensure your rights to access your personal data (or to exercise any of the other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to help locate the information.

We may change this statement from time to time to reflect privacy or security updates. We encourage you to periodically review this page for the latest information.

Individual Rights Request Form