Introduction:

Community Church Edinburgh is a Christian church in Edinburgh.

Registered charity: SC032657

A company registered in Scotland: SC433896

Registered address: Kings Hall, 41 South Clerk Street, Edinburgh, EH8 9NZ.

Phone: 0131 466 8660

Community Church Edinburgh values everyone who engages with us by whatever means, and we do all we can to protect your privacy and that of others, and to make sure the personal data you provide us is kept safe.

This Privacy Notice explains how we collect data, how we use and store information and what it means for you. The overall aim of our data protection policy is to ensure that the holding and use of personal data is fair, lawful, and transparent by giving a clear explanation of Community Church Edinburgh’s duties and the individual’s rights.

Data collected:

Community Church Edinburgh uses personal data (and occasionally ‘sensitive personal data’) for the purpose of:

  • General church administration
  • Finance
  • Demographics & metrics
  • Communication
  • Employer functions

Sensitive personal data may include, but is not limited to, information relating to your physical or mental health.

We may collect personal information each time you deal with us. For example, when you make a donation by Gift Aid, request information, sign up for an event, provide comments, complete feedback forms or otherwise provide your personal details, we collect the information you provide.

We do collect data from third parties through our website and we do use cookies.

What we use the data for:

We may use the personal data we collect to:

  • Keep you up to date on news and stories about our mission and work
  • Ask for support, such as volunteering, prayer or financial help
  • Process donations you give us
  • Provide information you have requested
  • Keep a record of your relationship with us, e.g. questions you have asked or complaints you have made
  • Record attendance at meetings and events
  • Analyse the personal information we collect to aid our understanding of Community Church Edinburgh
  • Conduct question-based research to aid our understanding of our church and its views

How & where we store information:

How long?

We will keep your personal information only for as long as we consider it necessary to carry out each activity.

We take account of legal obligations and accounting and tax considerations as well as considering what would be reasonable for the activity concerned. For example, we will retain details of donations for 7 years to meet tax and accounting requirements, but we will only hold sensitive medical personal information provided until the need to hold the information is completed.

Security:

Our data is stored in two places:

  1. ChurchSuite: This is a cloud-based on-line church management system. The servers are UK-based and ChurchSuite has sophisticated, military-grade security protocols and encryption of data.
  2. Community Church Edinburgh NAS drive.

We ensure that access to personal data is restricted only to those staff members, leaders or volunteers whose job roles require such access and that suitable training is provided for these staff members, leaders and volunteers.

When we share your data:

We do not share your data except by your permission.

However, we may need to pass on information if required by law or by a regulatory body. For example, a Gift Aid audit by HMRC, or if asked for details by a law enforcement agency.

How we treat children and vulnerable persons:

All data collected on persons aged under 18 years is with parental consent.

Those without mental competence require the consent of either a Next of Kin, Legal Guardian (e.g. Power of Attorney or Court of Protection) or an Independent Mental Capacity Advocate (IMCA).

Your choices and telling us when things change:

Change of preferences:

You can change your preferences on what you receive from us, or how we contact you, at any time by writing to us.

You can do so by:

  • Email us on: office@cce.community
  • Letter to us at: Community Church Edinburgh, Kings Hall, 41 South Clerk Street, Edinburgh, EH8 9NZ

Updating your details:

We do appreciate it if you keep your details up to date. You can do so at any time by writing to us at the addresses above or by updating your details on ChurchSuite (if applicable).

Telling us to stop data processing:

You have the right to ask us to erase your personal data, to ask us to restrict our processing or to object to our processing of your personal data. You can do so at any time by writing to us at the addresses above.

Your rights – the DPA (1998) & the General Data Protection Regulation (2017):

You have the right to request details of the information we hold about you. To receive a copy of the personal information we hold please write by signed letter to us at Community Church Edinburgh, Kings Hall, 41 South Clerk Street, Edinburgh, EH8 9NZ.

We will respond within 30 days of receiving your letter.

For more information about your rights under the Data Protection Act you can visit the website of the Information Commissioner’s Office.

More detail:

The General Data Protection Regulation requires us to issue this “privacy notice” to explain the data requirements of Community Church Edinburgh, how that data will be stored and used, and how long the data will be kept (the “data longevity”).

Community Church Edinburgh also needs to determine the legal basis upon which we hold and use that data: either through a “legitimate interest” (most cases) or by gaining your “consent”. This is determined through a “balance test”, since seeking consent for everything would be unwieldy and unnecessary where Community Church Edinburgh uses that data in a way that you would readily accept and understand.

Community Church Edinburgh also need to explain the principles applied in holding and using that personal data, and outline your rights.

Data Protection principles (Community Church Edinburgh’s responsibilities)

Privacy Notices:

In order for the processing to be fair, lawful, and transparent, Community Church Edinburgh must make certain information available to you, such as providing this privacy notice. However, a privacy notice by itself does not mean that use is necessarily fair, lawful and transparent, and other elements of fairness need to be considered, such as, using information in a way that people would reasonably expect, and thinking about the impact of use.

Purpose Limitation:

Personal data may only be collected for specified, explicit and legitimate purposes and must not be further used in a manner that is incompatible with those purposes.

Data Minimisation:

Data is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is used.

Data Accuracy:

Community Church Edinburgh (the “Data Controller”) is responsible for taking all reasonable steps to ensure that personal data are accurate.

Data Retention:

Personal data must be kept in a form that permits identification of “Data Subjects” (the individual whose information is held) for no longer than is necessary and for the purposes for which the personal data are used. However, there are specific provisions on the using of personal data for historical, statistical, or scientific purposes.

Data Security:

Personal data must be used in a manner that ensures appropriate security of such data, including protection against unauthorised or unlawful use, accidental loss, destruction, or damage.

Accountability:

We are obliged to demonstrate that our data using activities are compliant with the Data Protection Principles.

Data subjects’ Rights (your individual rights)

Identifying data subjects:

Third parties might attempt to exercise your rights without proper authorisation to do so. Community Church Edinburgh are required to obtain proof of identity from you, before giving effect to your rights. This helps to limit the risk of third parties gaining unlawful access to personal data.

Right of Access:

You have the right to access your personal data and supplementary information. This allows you to be aware of, and verify the lawfulness of the use.

Time limits for complying with the rights of data subjects:

Community Church Edinburgh is obliged to give effect to your rights within specified time periods. For example, this is 30 days for “Subject Access Requests”.

Erasure & Correction:

You have the right to correction of incorrect data and erasure of personal data (the “right to be forgotten”).

Restricted processing:

In some circumstances, you may not be entitled to the erasure of your personal data (e.g. the exercise or defence of legal claims; protecting the rights of another person or entity; purposes that serve a substantial public interest), but you may be entitled to limit Community Church Edinburgh’s use of that data.

Right to object to processing:

You have the right to object to the use of your personal data for the purposes of direct marketing. (This right must be communicated to you no later than the time of the first marketing communication).

Obligations to Inform Subjects of the Right to Object:

Community Church Edinburgh are obliged to inform you of your right to object to the using of your personal data.

Right not to be Evaluated based on Automated Processing:

You have the right not to be evaluated, in any material sense, solely based on the automated processing of your personal data.

Profiling:

Organisations must adhere to strict guidelines when using automated processing of personal data. This includes having appropriate procedures and technical and organisational measures to enable inaccuracies to be corrected and to minimise the risk of errors.

Balance test:

Taking consent every time a name (or initials) is used would be burdensome and unnecessary where Community Church Edinburgh uses that data in a way that you would readily accept and understand.

It is therefore appropriate to determine what personal data requires “consent” to use within a particular process, and what can be assumed to be “legitimate interest”. This is intended to permit the use of personal data for legitimate reasons, provided those uses do not override the rights or freedoms of the affected individuals.

Test: Where personal data is stored or used as a result of any of the following, then a legitimate interest could reasonably be assumed:

  • An incidental record rather than systematic use. E.g. Safeguarding notes, ministry notes, etc.
  • A request initiated by the data subject rather than Community Church Edinburgh. E.g. Applications, reimbursements, etc.
  • Data processing as a consequence of an action of a data subject rather than Community Church Edinburgh, including membership and attendance at groups or meetings. E.g. Registers, agendas, minutes & notes, gifts & donations, Gift Aid, etc.
  • A request initiated by Community Church Edinburgh where the purpose is to harvest opinions or views to be used at aggregate level, not the personal data itself. E.g. feedback or evaluations.
  • Where personal data will be stored or processed on a temporary basis for a specific episode or event and deleted thereafter, rather than kept indefinitely. E.g. applications, permission slips, etc.

Therefore, on balance, Community Church Edinburgh will seek consent for: –

  • All sensitive personal data (e.g. medical information for minors (<18yr old), holding DBS certificate numbers)
  • All permissions & consents relating to minors (<18yr old)
  • Photographs of minors (<18yr old)
  • Photographs of adults

Similarly, on balance, Community Church Edinburgh will assume “legitimate interest” for: –

  • Communications regarding matters pertaining to church or “church membership”
  • Processes or communications regarding requests & applications
  • Registers
  • Agendas, minutes and notes
  • Feedback and evaluations
  • Policies

Where there is genuine difficulty in applying or interpreting the Balance Test, or where the result creates concern, Community Church Edinburgh will err on the side of “consent” rather than “legitimate interest”.

Personal Data required:

This privacy notice covers the five data “systems” of Community Church Edinburgh.

General administration: ChurchSuite online database, meeting agendas, minutes of meetings, attendance registers, conflicts of interest and register of interests, safeguarding notes, Protecting Vulnerable Groups (PVGs), booking forms, accident forms, permission activity forms (under 18s), medical information (under 18s), Image consents for adults & minors (<18yr old), Image storage for adults & minors (<18yr old), Pastoral notes, mentorship notes, feedback forms, evaluation forms, policies

Finances: Donations, Gift Aid declarations, Gift Aid claims (to HMRC), reimbursements

Demographics and metrics: Group membership, group attendance registers, Team rotas

Communications: Notices, prayer requests and updates, letters, emails, texts and other apps, Dropbox, Google apps, Recording of sermons, references to 3rd parties

Employer functions: Personnel files, attendance, PAYE, Salary, Appraisals, medical information, employment checks, interview of candidates, staff references from 3rd parties