DATA MANAGEMENT POLICY


DESTINY MINISTRIES (SC020228)

Destiny College is a Destiny Ministries subsidiary; therefore we comply with and adhere to Destiny Ministries Data Protection Policies and Procedures.

 

PRIVACY POLICY

MAY 2018

Destiny Ministries (DM) has adopted this Privacy Policy because we take seriously the right of people to keep their personal data private, and we handle that data fairly and lawfully.

This policy covers DM’s handling of personally identifiable information that you provide to us and that we hold.  It sets out how we comply with the General Data Protection Regulation (GDPR) law which came into effect on 25 May 2018.

 

DM is a global organisation.

 

WHY DM COLLECTS PERSONAL DATA AND HOW WE USE YOUR DATA

We collect personal data from you in order that we can:

  • connect you with any of our local church groups or teams you may wish to join and, thereafter, to inform you of DM related updates, services, activities, conferences and resources;
  • partner with you on your spiritual journey.

We will not use your personal information for any other purpose.

 

HOW DM COLLECTS PERSONAL DATA

When you first connect with us, we collect your personal data as follows:

  • ask for consent;
  • if consent is granted, record your personal data which is then submitted to our Database. It is saved only in our Database.

 

PROCESSING DATA

Principles relating to the processing of personal data are as follows:

Data will be:

  • processed fairly, lawfully, and in a transparent manner;
  • collected only for legitimate purposes;
  • adequate, relevant and limited to meet the need;
  • accurate and where necessary – kept up to date;
  • held for only as long as is legitimately necessary;
  • processed in a manner that protects the data from breach or loss.

COLLECTING DATA

There are 4 reasons why we may collect personal data:

  1. Consent
  2. Legitimate Interest in data (involvement in ministry life as well as Pastoral care) – in order for DM to carry out its tasks – as long as it does not infringe on the person’s other rights.
  3. Legal contracts – such as a lease agreement / Workplace Contracts.
  4. Legal obligations to which the controller is subject – Gift Aid Declarations / PVGs.

When Collecting Data          

We will ensure that you understand clearly when providing data:

  • why the data is being collected;
  • how the data will be used;
  • and by whom.

If any of the above were to change, you will be notified in advance and given the option to opt out. The consequences of opting out should be made clear at the time.

If the data was ever to be passed on to another body (e.g. Destiny Church Trust), you will be advised at the time you give consent.

Consent

Consent will be given by a clear, affirmative act establishing a freely given, specific, informed and unambiguous indication of your agreement to the processing of personal data relating to you, such as by a written statement, including by electronic means, or an oral statement.

This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of their personal data.

Consent will cover all processing activities.

Consent will be clear – easily read, understood and accessible (e.g. privacy policy on our website).

If consent relates to multiple uses – each use will have its own clear consent.

You can withdraw consent at any time – this does not impact on the data collected previously to this happening.

Parental consent is needed for children under 16.

Children

Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data.

Extra care and protection will apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child.

The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.

WHO SEES YOUR INFORMATION

Our Processors are competent and demonstrate the appropriate levels of knowledge in handling our information.

Confidentiality Agreements are in place for any volunteers who would regularly process data (e.g. Pastors, Growth Group / Small Group Leaders, Finance team etc).

Training has been given to each along with written instructions and a record that such has been given should be kept.

Processors will not sub-contract their responsibilities without prior consent of Destiny.

All data will be returned or deleted after the processor has finished with it.

Where the processor sub-contracts this responsibility – they too must show compliance with all of the above.

REQUESTS AND RIGHTS

You have the right to request a number of things in relation to your data, which include:

Access: the right to access the data held about you.

Rectification: the right to ensure data is accurate and up-to-date.

Erasure: request to be forgotten.

For more information regarding your rights, or to request that one or more of them be exercised, please contact Destiny Ministries using the contact details provided at the end of this Privacy Policy.

 

PHOTOGRAPHS AND FILMING

GDPR does not require us to stop taking photographs or filming within the church or at ministries events because these are considered public places. However, as an individual has the right to privacy, we ensure that everyone is informed when photography and filming are taking place.

 

SECURITY

All personal data is held on our Database which is stored on a secure server.

We take the necessary steps to keep secure all the personal data we hold.

 

THIRD PARTY SHARING

DM may share data with Destiny Church Trust.

 

IF YOU NEED TO CONTACT US

Destiny Ministries (DM) (SC020228)

Principal Address: 70 Cathedral Street, Glasgow, G4 0RN

Email: DataProtection@destiny-church.com   Tel: 0141 616 6777

 

DATA PROTECTION POLICY

MAY 2018

 

Destiny College is a Destiny Ministries subsidiary; therefore we comply with and adhere to Destiny Ministries Data Protection Policies and Procedures.

Destiny Ministries (DM) (SC020228) Data Protection Policy has been reviewed and updated in line with the EU’s General Data Protection Regulation (GDPR) which came into force on 25 May 2018.

This Policy states that DM, as the Data Controller, is compliant with GDPR in the way it collects, handles and stores data as well as the destruction of the personal data of an individual known as the Data Subject.

DM is committed to protecting a Data Subject’s privacy and to treat personal data securely, fairly and lawfully complying with all aspects of GDPR.

OUR RESPONSIBILITY

Failure to comply with GDPR could result in DM being subject to very large fines and could seriously impact the ability to perform services going forward.  This responsibility doesn’t only sit with DM as an organisation though.  If there is a data breach caused by someone processing the data then, if DM provides sufficient evidence that, as a Controller it took all necessary steps to comply with GDPR, the liability rests with the individual or Data Processor.

That means everyone is responsible for ensuring all necessary care is taken. Everyone must play their part to ensure compliance.

KEY DEFINITIONS

‘Personal Data’: means any information relating to an identifiable person directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

‘Processing’: means any operation which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

‘Filing System’: means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.

‘Controller’: means the body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

‘Processor’: means a person, or other body which processes personal data on behalf of the controller (this includes volunteers who work on behalf of the ministry: Admin support, Ministry Team Leaders etc).

‘Consent’: of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

‘Personal Data Breach’: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

PRIVACY NOTICES

DM provides transparency and accessibility in relation to how it handles a Data Subject’s personal data.  This is set out in our Privacy Notices which are readily available to everyone and are included on the Destiny Ministries websites:

www.destiny-ministries.com

In line with GDPR, our Privacy Notices state:

  • the type of personal data we collect;
  • who handles this data;
  • what we plan to do with the data.

THIRD PARTY SHARING

DM may share data with Destiny Church Trust.

 

WHY DM COLLECTS PERSONAL DATA

We collect personal data from a Data Subject in order that we can:

  • communicate with them: in the first instance, to inform them of Destiny Church and Destiny Ministries related updates and news;
  • partner with them on their spiritual journey.

HOW DM COLLECTS PERSONAL DATA

When a Data Subject first connects with us, we collect their personal data as follows:

  • ask for consent to take their personal data;
  • if consent is granted, their personal data is recorded on a ‘New Connection’ card or an electronic ‘New Connection’ form;
  • once the card or form is completed:

(i) the data is submitted to, and saved in, the Destiny Ministries Database. NB: No details are saved on the electronic devices;

(ii) the Data Subject receives an email confirming the details we have taken and how their data will be used and stored.

COLLECTING DATA

There are 4 reasons DM may collect data:

  1. Consent
  2. Legitimate Interest in data (involvement in ministry e.g. teams etc) – in order for the controller to carry out its tasks – as long as it does not infringe on the person’s other rights.
  3. Legal contracts – such as a lease agreement / Workplace Contracts.
  4. Legal obligations to which the controller is subject – Gift Aid Declarations / PVGs.

Only data that is legitimate, useful and up-to-date should be kept and stored.

Data that is unnecessary or out of date should either be updated or deleted.

 

When Collecting Data          

The person should understand clearly when giving their data:

  • why the data is being collected – the purpose;
  • how the data will be used – the processors;
  • and by whom – the controllers.

If any of the above were to change, the person should be notified in advance and given the option to then opt-out. The consequences of opting-out should be made clear at the time.

If the data was ever to be passed onto another body (e.g. DCT), the person should know this at the time they give consent.

Consent

Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the person’s agreement to the processing of personal data relating to them, such as by a written statement, including by electronic means, or an oral statement.

This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the Data Subject’s acceptance of the proposed processing of their personal data.

Silence, pre-ticked boxes or inactivity should not therefore constitute consent.

Consent should cover all processing activities.

Consent should be clear: easily read, understood and accessible (e.g. privacy policy on our website).

We should be able to clearly show that consent has been given.

If consent relates to multiple uses – each use must have its own clear consent.

The person can withdraw consent at any time – this does not impact on the data collected previously to this happening.

Parental consent is needed for children under the age of 13.

Children

Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data.

Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child.

The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.

Collecting Sensitive Information – Including Religious Beliefs

Some of the information we collect is ‘sensitive’ – with regards to a person’s belief or ethnicity. Special care should be taken when collecting, storing and processing such data.

Special care should also be applied to counselling data. Counselling should abide by the law and regulation already in place to safeguard that.

Some of the changes we are making as a result:

  1. When collecting any data, a clear disclaimer is given and we will request consent from the person.
  2. We will have Privacy Policies on our websites.

We will provide sufficient training for staff and volunteers to ensure everyone understands the new policy.

PROCESSING DATA

Principles relating to the processing of personal data are as follows:

Data will be:

  • processed fairly, lawfully, and in a transparent manner;
  • collected only for legitimate purposes;
  • adequate, relevant and limited to meet the need;
  • accurate and where necessary – kept up to date;
  • held for only as long as is legitimately necessary;
  • processed in a manner that protects the data from breach or loss.

This means a number of things for us:

  • we must ensure that if we are holding data that it is held in a secure location;
  • we do not circulate data unnecessarily;
  • the software that we use needs to also comply with GDPR.

We need to be able to demonstrate compliance with this.

Our Processors (People Using the Data)

Our Processors should be competent and demonstrate the appropriate levels of knowledge in handling our information.

Confidentiality agreements should be in place for any volunteers who would regularly process data (e.g. Admin Support, ministry volunteers, Finance team including Counting Team).

Training should be given with written instructions and a record that such training has taken place should be held.

Processors should not sub-contract their responsibilities without prior consent of DCT.

All data must be returned or deleted after the processor has finished with it.

Where the processor sub-contracts this responsibility – they too must show compliance of all of the above.

Some of the changes we are making as a result

We will continue to update our Database regularly (at least once annually).

  • When a paper copy or digital ‘New Connection Card’ is filled out, this data will be entered into the Destiny Ministries Database – but will be flagged for the Data Processors to verify and approve.
  • Each team leader or Pastor will be sent only the data that is relevant for them.

REQUESTS AND RIGHTS

A person has the right to request a number of things in relation to their data, which includes:

Access: the person has the right to access the data held about them.

Rectification: the right to ensure data is accurate and up-to-date.

Erasure: the person can request to be forgotten.

Right to Access

If someone requests access to the data we hold, we must supply this within one month of the request. The data provided must be clear and given free of charge.

If a request is made, the Business & Operations Manager must be notified. An assessment will be made of whether or not the request is ‘excessive’ and whether it is legitimate, i.e. ensuring that the person requesting the data is proved to be the legitimate person.

When a request for access is made, we must supply:

  • if data has been collected and processed regarding the person;
  • the identity and contact details of DM;
  • the contact details of the Data Protection Officer – if applicable;
  • the purpose for which the data is collected and the legal basis for processing it;
  • if the reason is for ‘legitimate reasons’ – then the legitimate reason must be given;
  • the recipients of the data (e.g. team leaders);
  • the categories of the data collected;
  • if we intend to transfer the data to a 3rd party;
  • how long the data will be stored – or if not possible – the criteria for assessing the length of time (e.g. as long as the person is associated with DM);
  • information detailing the right to be forgotten;
  • the right to withdraw consent but understanding the consequences for doing so and the fact that it doesn’t infringe on our right to the data before the request is made;
  • the right to lodge a complaint to the ICO;
  • whether it is a contractual requirement to hold the data – and the consequences for not allowing Destiny to do so (e.g. resulting in a termination of contract);
  • if we use the data for more than what was originally intended, how we will notify the person in advance of this.

The right to access data should not impact on others’ right to privacy.

If we do not supply the data, we must notify the person why.

Important: We must be able to verify the authenticity of an access request before sending out any personal data.

Right to Rectification

The person should be allowed to rectify any data held if inaccurate.

Right to Erasure (right to be forgotten)

The person has the right to be forgotten if:

  • the data is no longer necessary for the purposes in which it was collected;
  • the person withdraws consent;
  • the person objects to the purpose and there are no overriding grounds for processing;
  • the data has been unlawfully processed;
  • the data has to be erased to comply with other regulations or laws.

Before erasing data, the person should be notified of any consequences of us doing so. For example, a team member who requests to be forgotten will no longer be a team member, as we cannot provide spiritual care for someone who does not allow us to store the necessary data required to do so.

DM has to do its utmost to ensure that any and all data is erased once a right to be forgotten has been granted.

Data should not be erased in the following circumstances:

  • exercising the right of freedom of expression and information;
  • to comply with a legal obligation (e.g. lease agreements or for Gift Aid purposes) for the establishment of legal claims;
  • if there is a legitimate reason for keeping the data – but DM must be able to demonstrate without doubt that there is such a reason.

WORKING PARTNERSHIPS: JOINT CONTROLLERS – DM AND DESTINY CHURCH TRUST

Controllers that are part of a group of institutions affiliated to a central body may have a legitimate interest in transmitting personal data within the group for internal administrative purposes, including the processing of clients’ or employees’ personal data.

This means that where there are legitimate reasons for doing so – data can be transferred between DM and Destiny Church Trust (SCO17898).

However, the person is allowed to object to this. Clear consent for this is needed before this takes place (e.g. marketing for SURGE / DLR etc.).

DATA BREACHES

The ICO understands that Data Breaches occur often – the purpose of GDPR is to reduce the risk involved and to protect the rights of the person.

A serious Data Breach is one that could lead to physical, material or non-material damage.

In particular, where it could result in:

  • discrimination;
  • identity theft or fraud;
  • financial loss;
  • damage to the reputation;
  • loss of confidentiality.

If a data breach was to occur that could result in any of these the following action would be taken:

The Processors will notify the Business & Operations Manager as soon as possible and provide the following information:

  • the nature of the personal data breach, categories of data, number of people affected;
  • describe the likely consequences of the data breach;
  • what measures have been taken to mitigate the breach.

Upon receiving this information the controller should then notify the ICO.

When the data breach is likely to impact the person, then the person must be notified.

PHOTOGRAPHS AND FILMING

GDPR does not require us to stop taking photographs or filming within the church or at church events because these are considered public places.  However, as an individual has the right to privacy, we will ensure that everyone is informed when photography and filming is taking place.

SECURITY

All personal data is held on the Destiny Church Glasgow and Destiny Church Edinburgh Database which is stored on a secure server.

We take the necessary steps to keep secure all the personal data we hold.

 

DCT KEY PERSONNEL AND CONTACT DETAILS

 

Data Controllers

Destiny Ministries (DM) (SC020228)

Principal Address: 70 Cathedral Street, Glasgow, G4 0RN

Email:  DataProtection@destiny-church.com    Tel: 0141 616 6777

 

Data Processors

Business and Operations Manager for Destiny Church, Glasgow: Daniel Owen

Email: daniel.owen@destiny-church.com  Tel: 0141 616 6777

 

Senior Administration Officer:  Lou Walls

Email: lou.walls@destiny-church.com  Tel: 0141 616 6777

College Administrator: Rumbie Muza

Email: rumbie.muza@destiny-church.com Tel: 0141 5529823

 

Other processors are included within the definitions section.

 

Supervising Authority in UK:

Information Commissioner’s Office (ICO):

Email: registration@ico.org.uk   Tel: 0303 123 1113