Privacy Notice & FAQs

Introduction:

‘The Oaks’ is a Christian church: Oaks Community Church – North East Derbyshire.

Registered charity: # 1115427.

A company registered in England: # 5291244

Registered address: 2 – 4 Lea Rd, Dronfield, S18 1SB.

Phone: 01246 414448

The Oaks values everyone who engages with us by whatever means, and we do all we can to protect your privacy and that of others, and to make sure the personal data you provide us is kept safe.

This Privacy Notice explains how we collect data, how we use and store information and what it means for you. The overall aim of our data protection policy is to ensure that the holding and use of personal data is fair, lawful, and transparent by giving a clear explanation of the Oaks’ duties and the individual’s rights.

We treat all in line with our beliefs and values and we welcome any feedback on any of our policies, notices or actions. Just call us on 01246 414448, email us at office@oakscc.org.uk or pop in in person.

You can find a copy of our general consent form here, but please read our Privacy Notice in full before signing and returning to the Oaks office: Oaks General Data Consent form (This link also appears at the end of this page, FAQ Q12.)


Data collected:

The Oaks uses personal data (and occasionally ‘sensitive personal data’) for the purpose of:

  • General church administration
  • Finance
  • Demographics & metrics
  • Communication
  • Employer functions

Sensitive personal data may include, but is not limited to, information relating to your physical or mental health.

We may collect personal information each time you deal with us. For example, when you make a donation by Gift Aid, request information, sign up for an event, provide comments, complete surveys or otherwise provide your personal details, we collect the information you provide.

We do not collect data from third parties, nor through our website (other than bookings for events through ChurchSuite), nor do we use cookies.


What we use the data for:

We may use the personal data we collect to:

  • Keep you up to date on news and stories about our mission and work
  • Ask for support, such as volunteering, prayer or financial help
  • Process donations you give us
  • Provide information you have requested
  • Keep a record of your relationship with us, e.g. questions you have asked or complaints you have made
  • Measure attendance at meetings and events
  • Analyse the personal information we collect to aid our understanding of the Oaks
  • Conduct questionnaire research to aid our understanding of our church and their views.

How & where we store information:

How long?

We will keep your personal information only for as long as we consider it necessary to carry out each activity. You are able to view the specifics of our policy below.

We take account of legal obligations and accounting and tax considerations as well as considering what would be reasonable for the activity concerned. For example, we will retain details of donations for 7 years to meet tax and accounting requirements, but we will only hold sensitive medical personal information provided until the need to hold the information is completed. Legacy income is an important potential source of income. We may keep data you provide indefinitely to carry out the administration of legacies.

Security:

Our data is stored in two places:

  1. ChurchSuite: This is a cloud-based on-line church management system. The servers are UK-based and ChurchSuite has sophisticated, military-grade security protocols and encryption of data.
  2. The Oaks Central Server: This is encrypted and password protected. For security, password changes are forced monthly and with change of personnel. Connections are firewall protected and the server is backed up daily. Back-ups are stored securely and an additional weekly back-up is stored securely off-site.

We ensure that access to personal data is restricted only to those staff members or volunteers whose job roles require such access and that suitable training is provided for these staff members and volunteers. 


When we share your data:

We do not share your data except by your permission.

However, we may need to pass on information if required by law or by a regulatory body. For example, a Gift Aid audit by HMRC, or if asked for details by a law enforcement agency.


How we treat children and vulnerable persons:

All data collected on persons aged under 18 years is with parental consent.

Those without mental competence require the consent of either a Next of Kin, Legal Guardian (e.g. Power of Attorney or Court of Protection) or an Independent Mental Capacity Advocate (IMCA).


Your choices and telling us when things change:

Change of preferences:

You can change your preferences on what you receive from us, or how we contact you, at any time by writing to us.

You can do so by:

  • Email us on: office@oakscc.org.uk
  • Letter to us at: 2-4, Lea Road, Dronfield, Derbyshire, S18 1SB.

Updating your details:

We do appreciate it if you keep your details up to date. You can do so at any time by writing to us at the addresses above.

Telling us to stop data processing:

You have the right to ask us to erase your personal data, to ask us to restrict our processing or to object to our processing of your personal data. You can do so at any time by writing to us at the addresses above.


Your rights – the DPA (1998) & the General Data Protection Regulation (2017):

You have the right to request details of the information we hold about you. To receive a copy of the personal information we hold please write by signed letter to us at 2-4, Lea Road, Dronfield, Derbyshire, S18 1SB.

We will respond within 30 days of receiving your letter.

For more information about your rights under the Data Protection Act you can visit the website of the Information Commissioner’s Office.


More detail:

The General Data Protection Regulation requires us to issue this “privacy notice” to explain the data requirements of the Oaks, how that data will be stored and used, and also how long the data will be kept for (the “data longevity”).

The Oaks also needs to determine the legal basis upon which we hold that data; either that personal data requires your “consent” for us to hold and use it, or that we hold and use that data through a “legitimate interest”. This is determined through a “balance test”, since seeking consent for everything would be unwieldy and unnecessary where the Oaks use that data in a way that you would readily accept and understand.

The Oaks also need to explain the principles applied in holding and using that personal data, and outline your rights.


Data Protection principles (The Oaks’ responsibilities)

Privacy Notices:

In order for the processing to be fair, lawful, and transparent, the Oaks must make certain information available to you, such as providing this privacy notice. However, a privacy notice by itself does not mean that use is necessarily fair, lawful and transparent, and other elements of fairness need to be considered, such as, using information in a way that people would reasonably expect, and thinking about the impact of use.

Purpose Limitation:

Personal data may only be collected for specified, explicit and legitimate purposes and must not be further used in a manner that is incompatible with those purposes.

Data Minimisation:

Data is adequate, relevant, and limited to what is necessary in relation to the purposes for which they are used.

Data Accuracy:

The Oaks (the “Data Controller”) is responsible for taking all reasonable steps to ensure that personal data are accurate.

Data Retention:

Personal data must be kept in a form that permits identification of “Data Subjects” (the individual whose information is held) for no longer than is necessary and for the purposes for which the personal data are used. However, there are specific provisions on the using of personal data for historical, statistical, or scientific purposes.

Data Security:

Personal data must be used in a manner that ensures appropriate security of such data, including protection against unauthorised or unlawful use, accidental loss, destruction, or damage.

Accountability:

We are obliged to demonstrate that our data using activities are compliant with the Data Protection Principles.


Data subjects’ Rights (your individual rights)

Identifying data subjects:

Third parties might attempt to exercise your rights without proper authorisation to do so. The Oaks are required to obtain proof of identity from you, before giving effect to your rights. This helps to limit the risk of third parties gaining unlawful access to personal data.

Right of Access:

You have the right to access your personal data and supplementary information. This allows you to be aware of, and verify the lawfulness of the use.

Time limits for complying with the rights of data subjects:

The Oaks is obliged to give effect to your rights within specified time periods, e.g. 30 days for “Subject Access Requests”.

Erasure & Correction:

You have the right to correction of incorrect data and erasure of personal data (the “right to be forgotten”).

Restricted processing:

In some circumstances, you may not be entitled to the erasure of your personal data (e.g. the exercise or defense of legal claims; protecting the rights of another person or entity; purposes that serve a substantial public interest), but you may be entitled to limit the Oaks’ use of that data.

Right to object to processing:

You have the right to object to the use of your personal data for the purposes of direct marketing. (This right must be communicated to you no later than the time of the first marketing communication).

Obligations to Inform Subjects of the Right to Object:

The Oaks are obliged to inform you of your right to object to the using of your personal data.

Right not to be Evaluated based on Automated Processing:

You have the right not to be evaluated, in any material sense, solely based on the automated processing of your personal data.

Profiling:

Organisations must adhere to the strict guidelines when using automated processing of personal data. This includes having appropriate procedures, technical, and organisational measures to enable inaccuracies to be corrected and minimise the risk of errors.


Balance test:

Taking consent for every time a name (or initials) is used would be burdensome and unnecessary where the Oaks use that data in a way that you would readily accept and understand.

It is therefore appropriate to determine what personal data requires “consent” to use within a particular process, and what can be assumed to be “legitimate interest”. This is intended to permit the use of personal data for legitimate reasons, provided those uses are not overridden by the rights or freedoms of the affected individuals.

Test: Where personal data is stored or used as a result of any of the following, then a legitimate interest could reasonably be assumed:

  • An incidental record rather than systematic use. E.g. Safeguarding notes, ministry notes, etc
  • A request initiated by the data subject rather than the Oaks. E.g. Applications, reimbursements, etc.
  • Data processing as a consequence of an action of a data subject rather than the Oaks, including membership and attendance at groups or meetings. E.g. Registers, agendas, minutes & notes, gifts & donations, Gift Aid, etc.
  • A request initiated by the Oaks where the purpose is to harvest opinions or views to be used at aggregate level, not the personal data itself. E.g. feedback or evaluations
  • Where personal data will be stored or processed on a temporary basis for a specific episode or event and deleted thereafter, rather than kept indefinitely. E.g. applications, permission slips, etc.

Therefore, on balance, the Oaks will seek consent for: –

  • All sensitive personal data (e.g. medical information for minors (<18yr old), holding DBS certificate numbers)
  • Personal data that is hosted on 3rd-party servers (e.g. ChurchSuite)
  • Data that is, or is likely to be shared (e.g. Church Directory)
  • All permissions & consents relating to minors (<18yr old)
  • Photographs of minors (<18yr old)
  • Photographs of adults

Similarly, on balance, the Oaks will assume “legitimate interest” for: –

  • Communications regarding matters pertaining to church or “church membership”
  • Processes or communications regarding requests & applications
  • Registers
  • Agendas, minutes and notes
  • Feedback and evaluations
  • Policies

Where there is genuine difficulty in applying or interpreting the Balance Test, or where the result creates concern, the Oaks will err on the side of “consent” rather than “legitimate interest”.


Processes covered, personal data required, the data longevity:

This privacy notice covers the five data “systems” of the Oaks, and there are a number of processes undertaken in order to effectively administer the church. These are summarised in the table below, along with the personal data requirements, how long that data will be held, and the legal basis determined for holding that data as judged by the balance test:

System #1: General Administration

| Process | Data requirements | Data longevity | Legal basis |
|---|---|---|---|
| Church directory | Title; Name; Address; Telephone #; Mobile #; Email address; Household | Indefinite | Consent (Dual consent for those aged 16-18yr) |
| Meeting agendas | Name | Indefinite | Legitimate interest |
| Minutes of meetings | Name | Indefinite | Legitimate interest |
| Attendance registers | Name (DoB & Emergency contact mobile # for minors (<18yr old)) | Indefinite | Legitimate interest |
| Conflicts of Interest | Name; Interest/Conflict | Indefinite (on minutes) | Legitimate interest |
| Register of Interests | Name; Interests | Duration of interest + 1yr | Legitimate interest |
| DBS self-declaration form | Name; Address; Conviction, Police investigation, allegation or cause for concern regarding conduct declaration | Until DBS results +1mth | Legitimate interest |
| DBS results | Name; DBS certificate number | 3 years + 1mth | Consent |
| Safeguarding notes | Name; Gender | Indefinite | Legitimate interest |
| Approved drivers | Name; Driving licence photocopy; Car insurance details | Until approval period concluded (1yr max) +1mth | Legitimate interest |
| Booking forms | Name; DoB; Address; Telephone #; Mobile #; Email address | Until event concluded +1mth | Legitimate interest |
| Accident forms | Name; Address; DoB; Gender; Details of accident; Treatment administered | 21 years | Legitimate interest |
| Activity Permission forms for minors (<18yr old) | Name; Address; DoB; Parental name; Telephone #; Mobile #; Authorised collectors; Details of regular medication, disability or illness; Email address | Until event concluded +1mth | Consent |
| Medical information for minors (<18yr old) | Name; Address; DoB; Gender; GP name; GP address; GP Telephone #; NHS #; Relevant medical details; Parental name; Address; Telephone #; Mobile #; Email address | Until event concluded +1mth | Consent |
| Image consents for adults & minors (<18yr old) | Name; DoB; Parental name | 1yr +1mth | Consent |
| Image storage for adults & minors (<18yr old) | Name; DoB; Date of image; Image | Indefinite | Consent |
| Pastoral notes | Name; Address; Mobile #; Email address; Church of attendance | Until episode concluded +1mth | Legitimate interest |
| SMT notes | Name; Address; Mobile #; Email address; Church of attendance | Until SMT concluded +1mth | Legitimate interest |
| Mentorship notes | Name | Until mentorship concluded +1mth | Legitimate interest |
| Feedback forms | Name | Until event concluded +1mth | Legitimate interest |
| Evaluation forms | Name | Until event concluded +1mth | Legitimate interest |
| Policies | Name; Position; Telephone #; Mobile #; Email address | Indefinite | Legitimate interest |

System #2: Finances

| Process | Data requirements | Data longevity | Legal basis |
|---|---|---|---|
| Donations and gifts | Name; Amount; Purpose | Current financial year + 7 years | Legitimate interest |
| Gift Aid declarations | Name; Address | Indefinite | Legitimate interest |
| Gift Aid claims to HMRC | Name; Address; Amount; Date | Current financial year + 7 years | Legitimate interest |
| Legacies | Name; DoB; Executor’s name, address, telephone #, mobile # & email address | Indefinite, until legacy received +1yr | Legitimate interest |
| Reimbursements | Name; Amount; Bank & sort code & A/C # | Current financial year + 7 years | Consent |

System #3: Demographics & Metrics

| Process | Data requirements | Data longevity | Legal basis |
|---|---|---|---|
| Group membership | Name; Email address | Indefinite | Consent |
| Group attendance registers | Name; Apologies/reason | Indefinite | Consent |
| Team rotas | Name; Email address | Indefinite | Consent |
| Location | Name; Address | Indefinite | Consent |

System #4: Communications

| Process | Data requirements | Data longevity | Legal basis |
|---|---|---|---|
| Notices | Name; Address; Telephone #; Email address | Until event concluded +1mth | Legitimate interest |
| Prayer requests & updates | Name; Details | Until event concluded +1mth | Consent |
| Letters | Name; Title; Address; Household; Additional details: – Donations (incl. Gift Aid) | Current year + 7 years | Legitimate interest |
| Emails | Name; Email address | Current year + 7 years | Legitimate interest |
| Texts & other apps | Name; Mobile # | Current year + 7 years | Legitimate interest |
| Dropbox | Name; Email address | Indefinite | Legitimate interest |
| Recording of sermons | Name; Date; Title of Sermon | Indefinite | Legitimate interest |
| References to 3rd parties | Name; Title; Address; DoB; Gender; Attendance | Indefinite | Legitimate interest |

System #5: Employer functions

| Process | Data requirements | Data longevity | Legal basis |
|---|---|---|---|
| Personnel files | Name; Title; Address; Telephone #; Mobile #; Email address; DoB; NoK; NI #; Tax code | For duration of employment + 1 year | Legitimate interest |
| Attendance | Name; Attendance | For duration of employment + 1 year | Legitimate interest |
| PAYE | Name; NI #; HMRC reference #; Tax code | For duration of employment + 1 year | Legitimate interest |
| Salary | Name; Bank; Sort code; A/C # | For duration of employment + 1 year | Legitimate interest |
| Appraisals | Name; Date | For duration of employment + 1 year | Legitimate interest |
| Medical information | Name; Address; DoB; NoK; Relevant medical details | For duration of employment + 1 year | Consent |
| Employment checks | Name; Address; DoB; Passport #; Passport DoI/DoE; Place of issue; Further documents &/or details as required; Professional certificates & qualifications | For duration of employment + 1 year | Legitimate interest |
| Interview of candidates | Name; Gender; Address; Referees; Mobile #; Email address; Application details; References; Interview notes | Until appointment +1mth | Legitimate interest |
| Staff references from 3rd parties | Name; Title; Address; DoB; Gender | For duration of employment + 1 year | Legitimate interest |

FAQs

Q1: Why is some personal data held indefinitely?

A1: Because there may be a legal requirement to maintain records (e.g. Directors minutes), it provides legal protection (e.g. policies) or evidence in legal processes (e.g. safeguarding notes). In other cases, there is a historical interest or record (e.g. images).


Q2: Then why are my personal details preserved indefinitely on the Church database?

A2: Because while ever you attend this church we need those details, and should you leave, we’d like to stay in touch and keep you informed of events and so forth.


Q3: What if I don’t want to be contacted after I leave?

A3: You are at liberty to exercise your right to “be forgotten”, i.e. ask the Oaks to permanently erase you from the record.


Q4: What if I don’t want to be erased from the record, but just don’t want to be contacted?

A4: You have the right to allow us to hold your personal data but not use it. Simply let us know.


Q5: What happens if my personal details change? (E.g. email address, mobile number or address, for instance?)

A5: We have a duty to keep your data up to date, but in order to fulfill that duty, we do rely on individuals updating us on changes. Simply write to us at 2-4, Lea Road, Dronfield, Derbyshire, S18 1SB or drop us an email at adminstaff@oakscc.org.uk


Q6: What if I suspect you hold incorrect personal data? What can I do about it?

A6: You can check this out with the office where this regards simple personal data items (e.g. email address, mobile number, bank account details, etc.)


Q7: What if I want to know more about what information you hold on me, not simply personal data items?

A7: You can ask us to provide you with the personal information we hold. This is known as a Subject Access Report (SAR). Simply request in writing the information you require, any date ranges this applies to or any subject it relates to, and we will be able to give you an electronic report of your request. We need to clarify your identity initially, but should provide you with the report within 30 days of receiving your request.


Q8: Why do we need to give consent for all the ChurchSuite functions?

A8: Because this data is held on an outside server within the UK, and although the Oaks are confident of its integrity and security, we do not control this. We therefore feel that individuals should sign a consent acknowledging this qualitative difference.


Q9: Will the Oaks always treat my personal data as confidential?

A9: The Oaks will treat all your personal information as private and confidential and not disclose any data about you to anyone other than the leadership and ministry overseers/co-ordinators of the church on a strictly need-to-know basis in order to facilitate the administration and day-to-day ministry of the church. All Oaks staff and volunteers who have access to Personal Data are required to adhere to the Data Protection Policy, and the Confidentiality Policy of the church.


Q10: Can the Oaks disclose my personal data without my consent? If so, in what circumstances?

A10: There are 3 exceptional circumstances where information may be disclosed to outside bodies as permitted by law:

  1. Where the Oaks are legally compelled to do so.
  2. Where there is a duty to the public to disclose.
  3. Where disclosure is required to protect the interest of the individual concerned.

Q11: Where can I get more detail on all of the above?

A11: You can request a copy of the Oaks’ Data Protection and Confidentiality policies from the office. Simply check out the Our Policies page of our website or email adminstaff@oakscc.org.uk requesting the policies you require.


Q12: Where can I get a copy of the Oaks General Data Consent form?

A12: You can find a copy of our general consent form here, but please read our Privacy Notice in full before signing and returning to the Oaks office: Oaks General Data Consent form