Data Protection

(Note that any references to staff in this section include employees, volunteers and trustees.)

Lichfield Diocesan Board of Finance (LDBF) collects and uses information (data) about
people with whom it communicates. This personal information must be dealt with
properly and securely however it is collected, recorded and used – whether on
paper, in a computer, or recorded on other material – and there are safeguards to
ensure this in the General Data Protection Regulation (GDPR). This means that staff
should ensure that all personal information is kept securely in locked filing cabinets.
Papers containing personal information should not be left on desks when staff are
not in the office. All IT equipment should be secured by passwords in accordance
with the Diocesan IT Policy and Guidelines which should be read in conjunction with
this.

Personal information is key to the successful and efficient performance of the LDBF
functions and the trust of those whose personal data we hold is vital. It is therefore
imperative that staff adhere to the Principles of Data Protection, as set out in the
General Data Protection Regulation (GDPR).

Failure to adhere to the General Data Protection Regulation (GDPR) is unlawful and
could result in legal action being taken against Lichfield Diocesan Board of Finance
or its staff, volunteers or trustees.

General Data Protection Regulation (GDPR) regulates the processing of information
relating to living and identifiable individuals (data subjects). This includes the obtaining,
holding, using or disclosing of such information, and covers computerised records as
well as manual filing systems and card indexes.

All staff are expected to undertake training on Data Protection which is arranged
by the Diocesan Data Protection Officer (DPO).

Access is provided to staff to the Diocesan database (CMS) in order that they can
fulfil their roles. Training on the system is provided to all staff by the Database
Manager. There are differing levels of access to CMS depending on the role that
the staff member has and what information they need to access. For example only
those who need to be able to see DBS information have access to it.

Staff should also take time to read the Diocesan Privacy Policy and be aware of its
contents. This is available on the Diocesan website.

Data users must comply with the data protection principles of good practice which underpin
GDPR. To comply with the law, information must be collected and used fairly, stored
safely and not disclosed to any other person unlawfully.

To do this LDBF follows the Data Protection Principles outlined in the GDPR, which are
listed below:

  1. Lawfulness, Fairness and Transparency

    Personal data must be processed lawfully, fairly, and in a transparent manner in
    relation to the data subject.
    Transparency is achieved by keeping the individual informed and this should be
    done before data is collected and where any subsequent changes are made.
    LDBF must have legitimate grounds for collecting the data, and tell data subjects
    what they are going to use it for and with whom it will be shared. This is usually
    done in a privacy notice.

  2. Purpose Limitation

    Personal data must be collected for specified, explicit and legitimate purposes and
    not further processed in a way incompatible with those purposes. In other words
    the data can’t be used for a reason for which it was not given.

  3. Data Minimisation

    You can only collect the data you need for the purpose. You can’t collect data that
    isn’t needed for the reasons given in the privacy notice.

  4. Accuracy

    Personal data must be accurate and where necessary kept up to date.

  5. Storage Limitation

    Personal data must be kept in a form which allows identification of data subjects
    for no longer than is necessary for the purposes for which the personal data are
    processed i.e. you should regularly review the data you are holding and get rid of
    data that is no longer needed.

  6. Integrity and Confidentiality

    Personal data must be processed in a manner that ensures appropriate security of
    the personal data, including protection against unauthorised or unlawful
    processing and against accidental loss, destruction or damage.

It should be noted that LDBF has responsibility not just to comply with GDPR but also
to be seen to comply (transparency).

The principles apply to “personal data”, which is information held on computer or in manual filing systems from which individuals are identifiable. Lichfield Diocesan Board of Finance’s employees, volunteers and trustees who process or use any personal information in the course of their duties will ensure that these principles are followed at all times.

The following procedures have been developed in order to ensure that Lichfield Diocesan Board of Finance and Lichfield Diocesan Board of Education meet their responsibilities in terms of Data Protection. For the purposes of these procedures data collected, stored and used by Lichfield Diocesan Board of Finance falls into 2 broad categories:

  1. Lichfield Diocesan Board of Finance’s internal data records;
    Staff, volunteers and trustees
  2. Lichfield Diocesan Board of Finance’s external data records;
    Members, customers, clients.

Lichfield Diocesan Board of Finance as a body is a DATA CONTROLLER under the GDPR,
and the Bishop’s Council is ultimately responsible for the policy’s implementation.

INTERNAL DATA RECORDS

Purposes

Lichfield Diocesan Board of Finance obtains personal data (names, addresses, phone numbers, email addresses), application forms, and references and in some cases other documents from staff, volunteers and trustees. This data is stored and processed for the following purposes:

  • Managing the day to day running of the diocese and delivery of services
  • Recruitment
  • Equal Opportunities monitoring
  • Volunteering opportunities
  • To distribute relevant organisational material e.g. meeting papers
  • Payroll

Accuracy

LDBF will take reasonable steps to keep personal data up to date and accurate. Personal data will be stored for 6 years after an employee, volunteer or trustee has worked for the organisation and brief details may be retained for longer (see Appendix A) only if there is a valid reason for doing so. The CEO has responsibility for destroying personnel files.

EXTERNAL DATA RECORDS

Purposes

Lichfield Diocesan Board of Finance obtains personal data (such as names, addresses, and phone numbers) from members/clients. This data is obtained, stored and processed solely to assist staff and volunteers in the efficient running of services. Personal details supplied are only used to send material that is potentially useful. Most of this information is stored on the
organisation’s database known as CMS.

Lichfield Diocesan Board of Finance obtains personal data and information from clients and
members in order to provide services. This data is stored and processed only for the purposes outlined in the agreement and service specification signed by the client/ member. Explicit consent should be obtained before sending any materials which could be considered
marketing (e.g. Diocesan Bulletin emails).

Consent

Personal data is collected over the phone and using other methods such as e-mail. During
this initial contact, the data owner is given an explanation of how this information will be
used. Written consent is not requested as it is assumed that the consent has been granted
when an individual freely gives their own details.

Personal data will not be passed on to anyone outside the organisation without explicit consent from the data owner unless there is a legal duty of disclosure under other legislation, in which case the Director will discuss and agree disclosure with the Chair/Vice Chair. Contact details held on the organisation’s database may be made available to groups/ individuals outside of the organisation. Individuals are made aware of when their details are being collected for the database and their verbal or written consent is requested.

Accuracy

Lichfield Diocesan Board of Finance will take reasonable steps to keep personal data up to date and accurate. Personal data will be stored for as long as the data owner/ client/ member uses our services and normally longer. Where an individual ceases to use our services and it is not deemed appropriate to keep their records, their records will be destroyed or deleted
according to the schedule in Appendix A.

If a request is received from an organisation/ individual to destroy their records, we will remove their details from the database and request that all staff holding paper or electronic details for the organisation destroy them. This work will be effected by the Data Protection Officer. If a member of staff receives a request for deletion from an individual/organisation they should notify the DPO immediately.

This procedure applies if Lichfield Diocesan Board of Finance is informed that an
organisation ceases to exist.

Disclosure and Barring Service

Lichfield Diocesan Board of Finance will act in accordance with the DBS’s code of practice.

Copies of disclosures are not kept. Details of DBS checks (date and certificate number only)
are held on the diocesan database.

BOTH INTERNAL AND EXTERNAL DATA RECORDS

Access

Only the organisation’s staff, volunteers and trustees have access to personal data. All staff,
volunteers and trustees are made aware of the Data Protection Policy and their obligation not to disclose personal data to anyone who is not supposed to have it.
Information supplied is kept in a secure filing, paper and electronic system and is only accessed by those individuals involved in the delivery of the service.

Information will not be passed on to anyone outside the organisation without their explicit
consent, excluding statutory bodies e.g. the Inland Revenue.

Individuals, including staff, volunteers and trustees, will be supplied with a copy of any of
their personal data held by the organisation if a request is made.

All confidential post must be opened by the addressee only.

Storage

Personal data may be kept in paper-based systems and on a password-protected
computer system. Paper-based data are stored in organised and secure (lockable) systems.

LDBF operates a clear desk policy at all times – this means that no personal data will be left on unattended desks.

Use of Photographs

Where practicable, Lichfield Diocesan Board of Finance will seek consent of members/individuals before displaying photographs in which they appear. If this is not possible (for example, a large group photo), the organisation will remove any photograph if a complaint is received. This policy also applies to photographs published on the organisation’s website or in Spotlight.

Responsibilities of staff, volunteers and trustees

During the course of their duties with Lichfield Diocesan Board of Finance, staff, volunteers and trustees will be dealing with information such as names/addresses/phone numbers/e-mail addresses of members/clients/volunteers. They may be told or overhear sensitive information while working for Lichfield Diocesan Board of Finance. The GDPR gives specific guidance on how this information should be dealt with. In short, to comply with the law, personal information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. Staff, paid or unpaid, must abide by this policy.

To help staff, volunteers and trustees meet the terms of the GDPR, a Data Protection policy has
been produced. Training on data protection is provided for all staff.

Compliance

Compliance with GDPR is the responsibility of all staff, paid or unpaid. LDBF will regard any
unlawful breach of any provision of the Act by any staff, paid or unpaid, as a serious matter which will result in disciplinary action. Any employee who breaches this policy statement will be dealt with under the disciplinary procedure which may result in dismissal for gross
misconduct. Any such breach could also lead to criminal prosecution.

Any questions or concerns about the interpretation or operation of this policy statement should in the first instance be referred to the line manager.

Retention of Data

No documents will be stored for longer than is necessary. For guidelines on retention periods
see the Data Retention Schedule (Appendix A).

All documents containing personal data will be disposed of securely in accordance with the Data Protection principles.

How this relates to your job

  • Do not let unauthorised persons have access to personal data – or even a
    glimpse of your screen;
  • Keep your passwords secure;
  • Do not leave your computer without logging-off;
  • Lock away any storage media, print-outs etc. when you leave your office
    unattended.
  • Do not take home computer print-outs as ‘scrap’;
  • If you receive a request for personal data to be provided under GDPR you should
    clearly establish the identity of the person making the request, if necessary by
    asking for the caller’s name, position, and telephone number, and by referring the
    matter to the DPO before disclosing the information requested.
  • Under GDPR individuals can request a copy of the personal data which LDBF
    holds for them. Any such requests should be forwarded to the DPO immediately
    on receipt so that LDBF can meet the strict deadlines which apply to such
    subject access requests.
  • All work should be saved on the appropriate servers and not on C or local
    drives.