Peterborough Diocesan Board of Finance Privacy Notice

 

Details on the Peterborough Diocesan Board of Finance privacy notice.

The Peterborough Diocesan Board of Finance (DBF) is committed to maintaining your trust by protecting your personal data.

Personal data is any information relating to an identified or identifiable person. The DBF will process your personal data in a transparent and lawful way, as stated in our Data Protection Policy above.

We may change this statement from time to time to reflect privacy or security updates. We encourage you to periodically review this page for the latest information.

Data Controller

The Church of England comprises many different charities and office holders; it is a community rather than an organisation. The Diocese of Peterborough itself is made up of multiple charities – one of which is the Peterborough Diocesan Board of Finance (“DBF” , !we”, “our”, “us”). The DBF is the legal entity through which many of the diocesan responsibilities and functions are achieved and is the data controller for any data it processes to achieve its purpose (s)

 

Why we collect and use your personal data+

Personal data is collected to enable the DBF to provide a range of services to carry out our many functions in support of Mission and Ministry in this diocese.  Your personal data may be processed by members of diocesan staff or volunteers for purposes connected with diocesan business, this includes:

  • Promoting and supporting the mission and ministry of the Church of England in this diocese.
  • The administration of membership records.
  • The provision of training and education.
  • To fundraise and promote the interests of the charity.
  • The provision of safeguarding services.
  • The provision of clergy housing.
  •  The provision of pensions, payroll and benefits.
  • Maintaining our own accounts and records.
  • Promoting news, events, activities and services happening throughout the diocese.
  • Supporting and managing our employees.
  • Supporting clergy to undertake their mission.

The lawful basis for using your information+

We collect and use information under one or more of the following legal bases.

  • Consent – we need your permission to use your information. Where we require consent to use your information we will make it clear when we ask for consent and explain how to go about withdrawing your consent.
  • Legal obligation – we need to process your information to comply with the law.
  • Public task – we need to process your information to exercise official authority or carry out tasks in the public interest.
  • Contract – we need to process your information as part of a contract such as a contract of employment.
  • Vital interest – we need to process your information to protect someone’s life in an emergency.
  • Legitimate interest – we need to process your information in order to undertake tasks and duties related to members of the Church of England.

 

  • In most circumstances we process your personal data in the course of our legitimate activities as a not for profit body with a religious aim. Where we require consent to use your information we will make it clear when we ask for consent and explain how to go about withdrawing your consent

 

Special category and criminal conviction data

We collect and use information under one or more of the following conditions:

  • Explicit consent – we need your permission to use your information.  Where we require consent to use your information we will make it clear when we ask for consent and explain how to go about withdrawing your consent
  • Employment law - carrying out the obligations and exercising specific rights in relation to employment law
  • Vital interest - we need to process your information to protect someone’s life in an emergency
  • Legitimate activity - processing is carried out in the course of our legitimate activities with appropriate safeguards 
  • Processing relates to personal data which are manifestly made public by the data subject
  • Legal claims - where processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity
  • Substantial public interest, in accordance with the Data Protection Act 2018, Schedule 1, Part 2
  • Occupational health - processing is necessary for the purposes of preventive or occupational medicine
  • Archival or research purposes – where processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

 

We may only use your personal data for the uses and purposes set out above unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original use and purposes

Who we collect from or share your information with

  • Other data controllers within the Church of England, such as National Church Institutions to provide a complete service to you without the need for you to provide the information more than once.
  • Information might be shared with individuals or organisations including: Members and their families, Employees, Prospective employers, other church bodies (eg. The Archbishops Council), volunteers engaged by the Diocese, other such recipients where it is necessary to share data to discharge Diocesan obligations.

 

  • Information may also be shared with any third party services the Diocese engages to help fulfil its obligations. These include:

 

  • Our IT Service Provider
  • Mailing providers
  • Survey tools
  • Training providers
  • Regulatory bodies required by law.

 

Countries outside of the UK/EEA

The DBF does not share your information with third countries outside of the UK or EEA without the safeguards being in place that are complaint with the UK GDPR or the EU GDPR.

How long do we keep your information?

There’s often a legal and/or business reason for keeping your information for a set period, we keep data in accordance with the guidance set out in the guide ‘Save or Delete’: The Care of Diocesan Records, which is available from the Church of England website here.

When you subscribe to one of our enewsletters we keep your details for 2 years unless there is active engagement (for example opening) of the newsletters, in which case you will remain on our mailing list.  You can unsubscribe from receiving our mailings at any time. 

Where do we keep your information?

Information the Diocese stores remains inside the EU. It is encrypted and securely held on password protected servers with no permitted access to anyone unless they have an operational/Diocesan business need to do so.

If a data subject permits us to do so, contact information will be made available through the Diocesan website or within the online Diocesan Directory. It should be noted this information will then be visible outside of the UK.

Automated decision making without access to human intervention

Your personal data will not be used for any automated decision making without access to human intervention.

 

Your rights

You have the following rights regarding your personal data, unless exempt:

  • The right to be informed about any personal information we collect and use about you;
  • The right to access and request a copy of your personal information which we hold about you;
  • The right to withdraw your consent at any time (where applicable);
  • The right to request that we correct any personal information if it is found to be inaccurate, incomplete or out of date;
  • The right to request your personal information is erased where it is no longer necessary for us to keep such information;
  • The right to request a restriction is placed on further processing, for example where there is a dispute in relation to the accuracy or processing of your personal information;
  • The right to object to the processing of your personal information;
  • The right to obtain and reuse your personal information to move, copy or transfer it from one IT system to another. (only applicable for data held online)

 

If you wish to exercise these rights please use this Individual Rights Request Form

Complaints or concerns

If you believe the DBF has not complied with your data protection rights, please contact the Data Protection Officer at [sue.ratcliffe@peterborough-diocese.org.uk] or write to:

The Data Protection Officer

The Diocesan Office

The Palace

Peterborough

PE1 1YB

You also have the right to complaint to the Information Commissioner’s Office (ICO) at any time. The ICO is the UK supervisory authority for data protection issues and contact details can be found on the ICO website – www.ico.org.uk or write to:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Tel: 0303 123 1113 (local rate)

Data Protection policy for the Peterborough Diocesan Board of Finance (DBF)

The Peterborough Diocesan Board of Finance (DBF) uses personal information to carry out their many functions supporting the mission and ministry of the Church of England. Legislation requires and sometimes empowers the DBF to provide goods and services to the wider Church.

The DBF therefore collects a wide range of personal data required for or incidental to the discharge of its functions, involving employees, clergy, pensions, housing, public consultations, recruitment and appointment, parliamentary functions etc.  The DBF will endeavour to ensure that they use personal information in line with the expectations and interests of those with whom they come into contact, including their employees, office holders and customers, for the benefit of the Church and wider society and in compliance with data protection legislation.

Your Rights

  1. The right to be informed
  2. The right to access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object

The DBF will facilitate such individual rights requests and ensure action is taken within the legislated timescales.

In dealing with the processing of valid requests the DBF will be guided by the following principles:

  • The DBF will be open and transparent with data subjects when communicating with them about their rights including the provision of appropriate privacy notices.
  • The DBF will comply with the request unless exemptions apply.
  • The DBF will provide an acknowledgement of the receipt of the request.
  • The DBF will accept requests by email and letter.
  • The DBF will provide a response in compliance with the duties placed upon it as Data controller.
  • The DBF will support the individual to make the request clear to enable them to get the best possible response.
  • The DBF will facilitate the exercise of data subjects’ rights in order to enable them to make their request to the correct data controller.
  • The DBF will ensure that partner organisations or third party processors are made aware of such requests and are expected to collaborate with the DBF and the data subject in order to fulfil them.

The DBF will provide a written response to all requests in the same format as the request was received (except social media) or in the most secure method available to meet the needs of the data subject.

The DBF will not comply with requests where the identity of the requester cannot be verified.

In responding to request(s) the DBF will meet the following timescales:

  • Provide an acknowledgement of the receipt of any request within 5 working days of receipt
  • Provide a response as required by law and set out in the table below:

Individual Rights Request

Timescale

Right of access (Subject Access Request)

One calendar month

Right to rectification

One calendar month

Right to erasure

One calendar month

Right to restrict processing

One calendar month

Right to data portability

One calendar month

Right to object

One calendar month

Right to challenge automated decision making or profiling

Not specified, but without undue delay

 

The right to be informed

This is your right know about how your data is being processed, who it is given to, for what purpose and anything else that guarantees your rights. The DBF will provide this information to you in the form of Privacy Notice.

 

The right of access

You have a right to access your personal data and relevant supplementary information. This is known as a Subject Access Request. 

Occasionally it may take us longer than a month if your request is particularly complex or you have made several requests. In this case, we will notify you and keep you updated.

In most cases we cannot charge you a fee to comply with a subject access request. However, where the request is considered manifestly unfounded or excessive we may charge a “reasonable fee” for the administrative costs of complying with the request. We may also charge a reasonable fee if you request further copies of your data following a request. We would base this fee on the administrative costs of providing further copies.

 

The right to rectification

If you believe that any personal data we are holding about you is incorrect or incomplete, you have the right to have your personal data rectified if it is inaccurate or incomplete. In most cases we will delete information, correct information or add additional notes indicating corrections.

The right to erasure

You have the right to ask us to delete your personal data under certain circumstances. Please note that this although you may make a request, where the DBF is required to hold the information for statutory reasons we will not necessarily agree to erase such data.  

The right to restrict processing

You have a right to request the DBF restricts processing of your personal data. Please note that this is not an absolute right, and we may not be able to comply.

The right to data portability

You have the right to obtain and reuse your personal data for your own purposes. You have the right to receive your personal data in a structured, commonly used and machine-readable format. The DBF will assist in the transmission of such data to another entity, upon request, to the extent technically feasible. Note that this right only applies to automated information which you initially provided consent for us to use, or where we need the information to perform a contract for you.

The right to object to processing

You have the right to object to processing in certain circumstances.  This is not an absolute right, and may be refused.

The cessation of processing does not require the DBF to erase or delete data unless an erasure request has been made and agreed.

You have an absolute right to stop your data being used for direct marketing

The right to withdraw consent

If you have consented to the processing of your personal data via a consent form or process, you have the right to revoke such consent if you let us know in writing. This will be specific to the process you have consented to. If you withdraw your consent, this will not affect the lawfulness of any processing carried out before you withdraw your consent.

 

Rights related to automated decision making including profiling

The DBF does not use automated decision making or profiling, however, there are restrictions on automated decisions based solely on automated means without any human involvement. Also there are restrictions on profiling.

 

Concerns about data protection

If you have a concern about the way we are collecting or using your personal data, we would appreciate the chance to deal with your concerns.  You can raise your concern by contacting the Data Protection Officer in writing or by email to:

Susan Ratcliffe

The Palace

Peterborough

PE1 1YB

Sue.ratcliffe@peterborough-dicoese.org.uk

You have the right to make a complaint at any time on the Information Commissioner's website  or by writing to them at:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 0303 123 1113 (local rate)

Making a request

Individual rights requests may be submitted by phone, email, letter, or via social media. Whilst not a legal requirement, applicants are invited to complete our application form as this will assist us in identifying the data held about you.

We may need to request specific information from you to help us confirm your identity and ensure your rights to access your personal data (or to exercise any of the other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to help locate the information.

We may change this statement from time to time to reflect privacy or security updates. We encourage you to periodically review this page for the latest information.

 

Individual Rights Request Form

 

The Bishop of Peterborough
General Data Privacy Notice

This privacy notice is provided by the Bishop of Peterborough to explain what to expect when we collect and process your personal information in accordance with the [UK GDPR / the EU General Data Protection Regulation (GDPR)]. This notice covers data collected by the Bishop of Peterborough, the Bishop of Brixworth and their joint office (the bishops’ office).
Data controller(s)
The data controller is: 
•    The Rt Revd Debbie Sellin, The Bishops’ Office, The Palace, Peterborough PE1 1YA, bishop@peterborough-diocese.org.uk, 01733 562492

 

Your personal data – what is it?
Personal data relates to a living individual who can be identified from that data.  Identification can be by the information alone or in conjunction with any other information in my possession or likely to come into such possession. The processing of personal data is governed by the UK General Data Protection Regulation 2016/679 (the “GDPR and the Data Protection Act 2018, (the “DPA 2018”)

How do I gather data?
I may gather data about you from emails or written correspondence you send to me or those who process data on my behalf.  I may also collect data from telephone calls you make to myself or the bishops office. 

I work closely with other Church of England bodies including The Archbishop’s Council, The Church Commissioners for England, the Church of England Central Services (“National Church Institutions” or “NCIs”), and the Diocesan Registry. I, and those who process data on my behalf, will only request data from these organisations when it is necessary to fulfil my role in providing a service to you. 

How do I process your personal data?
I comply with my obligations under the UK GDPR and DPA 2018 by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.

You are responsible for ensuring the accuracy of all the personal data you supply to me and I will not be held liable for any errors unless you have advised me previously of any changes in your personal data.

I use your personal data for the following purposes: -
I use the data which I hold to exercise my legal and pastoral responsibilities as diocesan bishop. This includes:
•    oversight of and responsibility for clergy and licensed lay ministers in the diocese (see relevant privacy noticed for specific details of how I manage the data of each group)
•    carrying out any legal duties and requirements of the office of the Bishop of Peterborough
•    maintaining records of churchwardens and other bishop’s officers 
•    the pastoral care of people within the diocese, including clergy and their families
•    carrying out comprehensive safeguarding procedures in accordance with best safeguarding practice
•    carrying out procedures in relation to the clergy discipline measure
•    managing employment records of those who work in the bishops’ office 
•    maintaining my own accounts and records
•    maintaining records and correspondence linked to my responsibilities within the House of Lords or as a trustee, patron or vice president of other bodies.

What is the legal basis for processing your personal data?
Most of the data I hold is processed under the lawful reason of legitimate interest, that is that I need to process the data in order to fulfil my responsibilities as bishop and chief pastor to the Diocese of Peterborough.  An example of this would be the pastoral care of a clergy widower living in the diocese or to look into a complaint made about a priest in the diocese. 

Some of our processing is to comply with legal obligation.  An example of this would be to fulfil my duties under Canon Law to ensure that those I ordain have received the appropriate training.

I may also process data if it is necessary for the performance of a contract with you, or to take steps to enter into a contract.  An example of this would be a priest applying for a parochial vacancy.  

I may process information about your religious beliefs.  This is permitted for religious organisations to administer membership or contact details.

I may also need to process (and share with certain 3rd parties listed below) special category data (most likely health data, data relating to religious and/or philosophical beliefs) to comply with my safeguarding duties and obligations.  I would process this only if it is necessary for reasons of Substantial Public Interest (under Article 9(g)).  When processing and/or sharing any special category data all efforts will be made to ensure appropriate measures are put in place regarding security of data and adherence to the requirements of Schedule 1 of the DPA 2018

If I wish to use your personal data for a new purpose, not covered by this Data Privacy Notice, then I will provide you with a new notice explaining this new use prior to commencing the processing of your personal data and setting out the relevant purposes and processing conditions.  Where and whenever necessary, I will seek your prior consent to the new processing.

Sharing your personal data
Your personal data will be treated as strictly confidential, and will be shared only when necessary with institutional bodies that comprise the Church of England or the third parties listed below.  The exception to this is for licensed clergy and clergy with permission to officiate who are required to have public contact details (see licensed clergy privacy notice and permission to officiate privacy notice) 

If I wish to share your personal data in any other way outside the Church of England, or in any other means, then I will always seek your consent first.  The exception to this is where it is in the public interest and is necessary for the purposes of:

•    protecting an individual from neglect or physical, mental or emotional harm; or
•    protecting the physical, mental or emotional well-being of an individual where that individual is a child or is an adult at risk.

Third parties

  • Institutional bodies that comprise the Church of England for the purposes of administrative functions (including governance bodies and committees) 
  • Internal and external auditors, and quality assurance reviewers, independent reviewers 
  • Judicial, statutory, regulatory bodies 
  • Law enforcement and prosecution agencies pursuing security or criminal investigations 
  • Legal or other internal/external advisors 
  • Third-party system providers: 
  • Legal or other internal/external advisors including:
  1. Anna Spriggs, a partner of Howes Percival LLP, fulfils the Diocesan Registry function and provide legal advice to the Bishop and James Stewart the Deputy Registrar (Hunt & Coombs LLP).
  2. The Diocesan Chancellor David Pittaway KC and the Deputy Chancellor Sir Martin Griffiths KC   
  3. Legal advisers who provide specialist, non ecclesiastical, legal advice to the Bishop. 
  4. Thirtyone:eight – an independent Christian safeguarding charity, who conduct Disclosure and Barring Service (DBS) checks on my behalf, as well as offering other safeguarding support services

A National Safeguarding Information Sharing Agreement (ISA) has been signed by Church of England bodies and the Church in Wales under the Church of England Information Sharing Framework.  
A National Safeguarding Data Sharing Agreement (DSA) has been signed by the Church of England bodies and the Church in Wales and the National Police Chiefs Council.

Transferring personal information outside the UK
I will not transfer your personal information to countries outside the United Kingdom, except where I or my office use the services of a third party (listed above) who host data outside the UK.  I and my office will only use third parties who ensure that data hosted outside the UK is held in accordance with UK GDPR.  Where data transfer is required outside these third parties, for example in relation to our international link diocese, separate consent will be sought.

How long do I keep your personal data?
I keep your personal data for no longer than reasonably necessary.  For further details contact the bishops’ office (see below)

Your rights and your personal data  
Unless subject to an exemption under the UK GDPR or DPA 2018, you have the following rights with respect to your personal data: -

  • The right to request a copy of your personal data which I hold about you; 
  • The right to request that I correct any personal data if it is found to be inaccurate or out of date;  
  • The right to request your personal data is erased where it is no longer necessary for me to retain such data;
  • The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;
  • The right to object to the processing of personal data, (where applicable) 
  • The right to lodge a complaint with the Information Commissioner who may be contacted at www.ico.org.uk/concerns or telephone 0303 1231113

Further processing
If I wish to use your personal data for a new purpose, not covered by this Data Protection Notice, then I will update this privacy notice on the Bishops’ Office page of the Diocese of Peterborough’s website, and where practicable alert you to this new notice prior to commencing the processing and setting out the relevant purposes and processing conditions. Wherever and whenever necessary, I will seek your prior consent to the new processing.

Contact Details
To exercise all relevant rights, queries or complaints please contact Alex Tolley, EA to the Bishop of Peterborough, The Bishops’ Office, The Palace, Peterborough PE1 1YA, alex.tolley@peterborough-diocese.org.uk  You can contact the Information Commissioners Office on 0303 123 1113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5AF.

Privacy Notice - Legitimate Interest Assessments
Where the legal basis under which I hold your data is legitimate interest I am required to justify that it is appropriate to use the lawful basis ‘legitimate interest’.  To do this I complete a legitimate interest assessment.  A summary of each of these assessments which relate to this privacy notice is below.  For a copy of the full Legitimate Interest Assessment, please contact alex.tolley@peterborough-diocese.org.uk 

Pastoral care of clergy widow(er)s

I have a specific purpose with a defined benefit To provide pastoral care to the widow(er)s of clergy who I am aware are either resident in the Diocese or whose spouse had a strong link with the Diocese
The processing is necessary to achieve the defined benefit.  Yes
The purpose is balanced against, and does not override, the interests, rights and freedoms of data subjects.      The widow(er)s rights and freedoms are overridden, but with the benefit to them of providing pastoral care and support.  Strict procedures are in place to ensure that contact details are not shared outside the Church of England.

Interviews for parochial posts and employment within the bishops’ office

I have a specific purpose with a defined benefit  To appoint the most suitable candidate to a post
The processing is necessary to achieve the defined benefit. Without processing it would not be possible to ensure that an appropriate candidate was being appointed
The purpose is balanced against, and does not override, the interests, rights and freedoms of data subjects. The processing does legitimately override the rights and freedoms of the candidate, but this is important to ensure that the right candidate is placed in the right parish
 

Temporary mailing lists for events, communications and Christmas cards

I have a specific purpose with a defined benefit  To form temporarily held mailing lists to allow for invitations to events, sending of Christmas Cards or other communications from the Bishops.
The processing is necessary to achieve the defined benefit. Yes.  It would not be possible to complete this defined purpose without creating temporary lists.
The purpose is balanced against, and does not override, your the interests, rights and freedoms. The processing does legitimately override the subjects rights and freedoms, however without this it would not be possible to make appropriate invitations or contact which may well be of benefit to the data subject.  There is a procedure in place to ensure that only up to date contact information is kept for an appropriate length of time.

Parish files

I have a specific purpose with a defined benefit.  To ensure completion of regulatory responsibilities connected to parishes and also pastoral care of parishes.
The processing is necessary to achieve the defined benefit.  Without processing of data it would not be possible to fulfil the defined purpose
The purpose is balanced against, and does not override, the interests, rights and freedoms of data subjects. Any personal data is held securely and procedures limit access appropriately.  

Churchwarden’s contact details

I have a specific purpose with a defined benefit. Maintenance of an accurate list of current churchwardens contact details, and those to be admitted to the office.
The processing is necessary to achieve the defined benefit. Without processing it would not be possible for the Archdeacon to comply with his duties.
The purpose is balanced against, and does not override, the interests, rights and freedoms of data subjects. The rights and freedoms of the churchwardens are legitimately overridden.  Without such records it would not be possible to support the churchwardens in their role.

General correspondence

I have a specific purpose with a defined benefit. Processing general correspondence received in the office
The processing is necessary to achieve the defined benefit.  It is not possible to respond appropriately to correspondence without this processing
The purpose is balanced against, and does not override, the interests, rights and freedoms of data subjects. 

The interests, rights and freedoms of the data subjects are not overridden as it is reasonable to assume that correspondence sent to and responded to by an office will be kept for an appropriate amount of time.

 

 

Privacy Notice | Powered by Church Edit