Privacy Policy

HOW WE HANDLE YOUR DATA AT WELLSPRING CHURCH

General data for church members/contacts

What is ChurchSuite?

ChurchSuite Software (“the Services”) is designed to help us administer our church and provide elements of pastoral care to our members and the community. (ChurchSuite replaced iknow church software in March 2021, with a period of overlap from Jan-April 2021) Our members may be provided with access to a user account, which they can use to provide us with information (including personal information), update preferences and access options to allow the booking of events and recording attendance. The Services should bring benefits to everyone as we can stay in touch with you much more easily and you can provide us with information in a quick and efficient way.

In addition to ChurchSuite, we may also collect information from you in person or on paper forms or online forms within other systems. We have also included information about other forms of processing that we may carry out.

We use other software "services" and share data with organisations for specific purposes as detailed below under Other Third Parties.

What is the purpose of this Privacy Policy?

Wellspring Church is a “data controller” which means we have to tell you certain information when processing your personal information. We may input personal information into ChurchSuite or may ask you to do so yourself. We may collect information from you in person or we may ask you to fill in paper forms or input information into other systems that the church uses.

If you have any queries about this Privacy Policy or how we use your personal information, please contact Our Data Protection Lead at the registered address or email at data@wellspring-church.org.

This Privacy Policy relates to your use of the Services and tells you:

What personal information we collect about you when you use the Services

o   How we collect your personal information in the Services

o   How we use your personal information

o   Who we may share your personal information with

o   Any transfer of personal information outside of the EEA

o   How long we keep your personal information

o   What we do to protect your personal information

o   What choices you have in relation to your personal information

We last updated this Privacy Policy on January 2022 (previously Feb 2021)

 

Personal Information we process about you

What information we process about you
We may collect the following information about you:

o   your name and address

o   your mobile phone number

o   your email address

o   your marital status

o   your age and gender

o   information about your family

o   your education and employment

o   your skills, abilities and talents

o   your role(s) within the church (if appropriate)

o   any membership of the SLT or status as a representative for the church

o   attendance at meetings, events and training

o   your spiritual growth

o   to carry out a DBS check

o   the result of a DBS check

o   information about your use of the Services (e.g. when you have logged in, what pages you visited)

o   information we collect and record as part of pastoral care (this will include anything you tell us unless you tell us not to record it)

o   information about training undertaken for church roles both paid and voluntary

o   payment details when booking events

o   donations to the church

o   Any information you provide to us

o   Any teams or groups you are involved with

o   When you are unavailable for serving on rota

o   Dates and times that you are on a rota

Sensitive Personal Information
We may also collect, store and use the following “special categories” of sensitive personal information (if you give us this information)

o   Information about your health, including any mental or physical conditions that you notify us about

o   Your religious beliefs

o   Your racial origin, nationality and languages spoken

o   Any criminal record

Personal Information you give us
We may collect personal information from you when you attend church and speak to us in person. You may also fill in one of our paper forms, a form available in a different electronic system.

We collect personal information from you when you or we set up a user account in ChurchSuite church. If we set up an account on your behalf, then we will input personal information from you that we collected from you in person, on paper forms and from contact forms on our website. We will also collect information from you when you update your user account on ChurchSuite.

Personal Information we collect automatically
When you use the Services, we may collect certain information automatically such as:

o   IP addresses (the name your computer or smartphone uses to identify itself to us)

o   Your activity in the Services including times and dates of visits

o   Information on your location

o   other websites you may have visited

Cookies
We use cookies to collect information automatically. A cookie is a small file of data which our website places on your computer’s hard drive. The cookies give us information such details of your visits to our website and information about other websites that you visit. 

Cookies allow websites to respond to you as an individual and let us tailor our website to your needs, likes and dislikes by gathering and remembering information about you. We use cookies to help us to provide you with a better website.

Cookies that we use
Google Analytics

Facebook Analytics

YouTube

How to delete and control cookies

Most computers automatically accept cookies but you can change your settings so that you will not receive cookies and you can also delete existing cookies from your computer.

If you do change your settings, you may find that some parts of our website will not function properly. If you do not adjust your settings, you will accept cookies provided by this website.

To find out how to delete cookies or adjust their settings please visit http://www.allaboutcookies.org/.

How we use your Personal Information

Our legal basis for using your information
The law only allows us to use your personal information in certain limited circumstances. We have listed these below and what information they allow us to process.

1) Where it is necessary for our legitimate interests

The GDPR specifically states that a church may use legitimate interests to process personal information relating to its members to administer your membership of the church. We consider that this is the most appropriate condition for us to administer your membership of the church as you would reasonable expect that we would have to process your personal information in order to provide you with membership of the church and so you can take full advantage of all our services. We have put safeguards into place to ensure that your personal information is protected and that your fundamental rights and freedoms are not overridden.

Examples of how we may use your information for administration purposes:

o    to set up your ChurchSuite church account

o    so that we can keep a record of your attendance at church and at other events and meetings

o    to provide you with pastoral care and other support that you have requested and we believe would be helpful to you

o    to organise volunteers and put together rotas

o    We may also use legitimate interests to send out our marketing materials but only where such materials relate directly to the church and you have not told us not to send you such information

 

2) Where you have consented to us using your personal information
Examples of how we may use your information with consent

o    We may ask for your consent to send marketing communications out to you, including information about our events, publications and other marketing materials

o    We may also ask for consent where you have given us information as part of our pastoral care and asked us to use it for a certain purpose.

 

3) Where we need to perform the contract we have entered into with you

Examples of how we may use your information in order to comply with a contract that we have entered into with you:

o   to buy tickets for events

o   to administer the Services (such as troubleshooting, data analysis, research)

o   to tell you about changes to our website, software or Services that will affect your use of ChurchSuite church

o   to help us (or the software developers) improve the Services

 

4) Where we need to comply with a legal obligation

Examples of how we may use your information to fulfil a legal obligation

o   keeping records for gift aid purposes

o   to prevent and detect fraud

o   to protect children and adults

o   to get your feedback on the Services

 

HOW WE USE SENSITIVE PERSONAL INFORMATION

“Special categories” of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances:

1.      In limited circumstances, with your explicit consent recorded in writing (e.g. where you tell us information in order to obtain support and pastoral care from us – for example this could relate to physical or mental health).

2.      Where we need to carry out our legal obligations (e.g. ensure DBS checking is done where appropriate)

3.      Where it is needed in the public interest and in line with our Data Protection Policy.

4.      Where it is needed in connection with our Safe Guarding Policy for Children and Adults

Less commonly, we may process this type of information where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public

What this means in practice
We may use your sensitive personal information in the following ways:

o   your mental or physical health, racial background, languages spoken or criminal record in order to provide you with support and pastoral care. We may also use this information to help you access support and benefits if appropriate and requested by you

o   your religious beliefs in order to administer your membership of our church

o   your DBS check (which may contain information relating to criminal offences or presence on a register) to decide your suitability for roles in the church

In all cases where we require consent, we will seek your written consent or record you consent in writing to allow us to process certain sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.

 

Information about Children

Whilst information relating to children is not considered to be special category information, it is information that is given specific protection. Where the child is under the age of 13 we will always ask for the consent of parents before setting up an account in ChurchSuite church and ensure that the parent(s) are able to access and administer the account.

Where a child is 13 or over then we will permit the child to have their own ChurchSuite church account, but we may (if we believe it to be appropriate in the circumstances) inform the parents. We will tell the child at the time of signing up that we may inform their parents and we will only do this where it is appropriate and lawful to do so.

Sharing your Personal Information

Other Third Parties
We may share your information with certain third parties including:

o   With other members of our church so that they can provide you with support and pray for you

o   Other churches – if you request us to pass on your information either to them or from them (eg for a reference)

o   Support services and benefits providers (e.g. local authorities, your doctor)

o   Our suppliers for the performance of any contract we enter into with them or you

o   Our software providers who need to see your information in order to keep our website and other software running

o   Analytics and search engine providers who analyse information about your use of our website and help us to tailor the product and offers that we offer to you and other users

 

We work with the following organisations – see their own privacy policy on their websites:

o   ChurchSuite Ltd (data base including donations and gift aid.) www.churchsuite.com

o   Edit Websites Limited (provider of iKnow Church software – www.iknowchurch.co.uk)

o   Google (Google Drive)

o   HMRC (for claiming of Gift Aid and Payroll)

o   Stewardship (Payroll & Accounts)

o   Data Developments (Donations, Gift Aid and Accounting)

o   ExpensePlus Ltd (Accounting, Expenses, Payments, Donations)

o   STAR/myepaywindow

o   Stripe Payments Europe, Ltd (for processing of payments and donations – they may transfer and store this outside of the EEA i.e. USA)

o   Worldpay (for processing of payments and donations)

o   MailChimp

o   SendGrid (for sending emails)

o   Text Marketer (sending of text messages)

o   Ionos.co.uk (Email and website)

o   Squarespace (Website)

o   Online.church

o   Pulsant

o   Microsoft (Outlook, Teams, Office365)

o   ZOOM

o   Facebook

o   YouTube

o   Instagram

o   Twitter

o   Ihasco / OneYMCA training portal

 

Legal Requirements and Law Enforcement

We may also disclose your personal information to third parties:

o   If we are required by law, or in order to enforce or apply our terms of use. This includes exchanging information with other organisations such as law enforcement agencies.

Job applicant privacy notice (GDPR compliant)

Wellspring Church is aware of its obligations under the General Data Protection Regulation (GDPR) and is committed to processing your data securely and transparently. This privacy notice sets out, in line with GDPR, the types of data that we collect and hold on you as a job applicant. It also sets out how we use that information, how long we keep it for and other relevant information about your data.

Data controller details

Wellspring Church is a data controller, meaning that it determines the processes to be used when using your personal data.

Data protection principles

In relation to your personal data, we will:

o   process it fairly, lawfully and in a clear, transparent way

o   collect your data only for reasons that we find proper for the course of your employment in ways that have been explained to you

o   only use it in the way that we have told you about

o   ensure it is correct and up to date

o   keep your data for only as long as we need it

o   process it in a way that ensures it will not be used for anything that you are not aware of or have consented to (as appropriate), lost or destroyed

Types of data we process

We hold many types of data about you, including

o   your personal details including your name, address, date of birth, email address, phone numbers

o   your photograph

o   gender

o   marital status

o   whether or not you have a disability

o   information included on your CV including references, education history and employment history

o   documentation relating to your right to work in the UK

o   driving licence

How we collect your data

We collect data about you in a variety of ways including the information you would normally include in a CV or a job application cover letter, or notes made by our recruiting officers during a recruitment interview. Further information will be collected directly from you when you complete forms at the start of your employment, for example, your bank and next of kin details. Other details may be collected directly from you in the form of official documentation such as your driving licence, passport or other right to work evidence.

In some cases, we will collect data about you from third parties, such as employment agencies, former employers when gathering references or credit reference agencies.

Personal data is kept in personnel files or within the Company’s HR and IT systems.

Why we process your data

The law on data protection allows us to process your data for certain reasons only:

o   in order to perform the employment contract that we are party to

o   in order to carry out legally required duties

o   in order for us to carry out our legitimate interests

o   to protect your interests and

o   where something is done in the public interest.

All of the processing carried out by us falls into one of the permitted reasons. Generally, we will rely on the first three reasons set out above to process your data.

We need to collect your data to ensure we are complying with legal requirements such as:

o   carrying out checks in relation to your right to work in the UK and

o   making reasonable adjustments for disabled employees.

 

We also collect data so that we can carry out activities which are in the legitimate interests of the Company. We have set these out below:

o   making decisions about who to offer employment to

o   making decisions about salary and other benefits

o   assessing training needs

o   dealing with legal claims made against us

 

If you are unsuccessful in obtaining employment, we will seek your consent to retaining your data in case other suitable job vacancies arise in Wellspring Church for which we think you may wish to apply. You are free to withhold your consent to this and there will be no consequences for withholding consent.

 

Special categories of data

Special categories of data are data relating to your:

o   health

o   sex life

o   sexual orientation

o   race

o   ethnic origin

o   political opinion

o   religion

o   trade union membership and

o   genetic and biometric data

 

We must process special categories of data in accordance with more stringent guidelines. Most commonly, we will process special categories of data when the following applies:

o   you have given explicit consent to the processing

o   we must process the data in order to carry out our legal obligations

o   we must process data for reasons of substantial public interest

o   you have already made the data public.

 

We will use your special category data:

o   for the purposes of equal opportunities monitoring

We do not need your consent if we use special categories of personal data in order to carry out our legal obligations or exercise specific rights under employment law. However, we may ask for your consent to allow us to process certain particularly sensitive data. If this occurs, you will be made fully aware of the reasons for the processing. As with all cases of seeking consent from you, you will have full control over your decision to give or withhold consent and there will be no consequences where consent is withheld. Consent, once given, may be withdrawn at any time. There will be no consequences where consent is withdrawn.

 

Criminal conviction data

We will only collect criminal conviction data where it is appropriate given the nature of your role and where the law permits us. This data will usually be collected at the recruitment stage, however, may also be collected during your employment should you be successful in obtaining employment. We process this data because of our legal obligation to safeguard our staff and members of the community.

If you do not provide your data to us

One of the reasons for processing your data is to allow us to carry out an effective recruitment process. Whilst you are under no obligation to provide us with your data, we may not able to process, or continue with (as appropriate), your application.

Sharing your data

Your data will be shared with colleagues within Wellspring Church where it is necessary for them to undertake their duties with regard to recruitment. This includes, for example, the HR department, those in the department where the vacancy is who responsible for screening your application and interviewing you, the IT department where you require access to our systems to undertake any assessments requiring IT equipment.

In some cases, we will collect data about you from third parties, such as employment agencies.

Your data will be shared with third parties if you are successful in your job application. In these circumstances, we will share your data in order to obtain references as part of the recruitment process or obtain a criminal record check.

We do not share your data with bodies outside of the European Economic Area, (except where stated in third party and partner organisation privacy policies. i.e. Stripe may transfer data within linked Stripe companies around the world including the USA.)

Protecting your data

As this policy has explained, we are aware of the requirement to ensure your data is protected against accidental loss or disclosure, destruction and abuse.

How long we keep your data for

In line with data protection principles, we only keep your data for as long as we need it for and this will depend on whether or not you are successful in obtaining employment with us.

If your application is not successful and we have not sought consent or you have not provided consent upon our request to keep your data for the purpose of future suitable job vacancies, we will keep your data for 6 months once the recruitment exercise ends.

If we have sought your consent to keep your data on file for future job vacancies, and you have provided consent, we will keep your data for 12 months once the recruitment exercise ends. At the end of this period, we will delete or destroy your data, unless you have already withdraw your consent to our processing of your data in which case it will be deleted or destroyed upon your withdrawal of consent.

If your application is successful, your data will be kept and transferred to the systems we administer for employees. We have a separate privacy notice for employees, which will be provided to you.

Automated decision making

No decision will be made about you solely on the basis of automated decision making (where a decision is taken about you using an electronic system without human involvement) which has a significant impact on you.

 

Your rights in relation to your data

The law on data protection gives you certain rights in relation to the data we hold on you. These are:

o   the right to be informed. This means that we must tell you how we use your data, and this is the purpose of this privacy notice

o   the right of access. You have the right to access the data that we hold on you. To do so, you should make a subject access request

o   the right for any inaccuracies to be corrected. If any data that we hold about you is incomplete or inaccurate, you are able to require us to correct it

o   the right to have information deleted. If you would like us to stop processing your data, you have the right to ask us to delete it from our systems where you believe there is no reason for us to continue processing it

o   the right to restrict the processing of the data. For example, if you believe the data we hold is incorrect, we will stop processing the data (whilst still holding it) until we have ensured that the data is correct

o   the right to portability. You may transfer the data that we hold on you for your own purposes

o   the right to object to the inclusion of any information. You have the right to object to the way we use your data where we are using it for our legitimate interests

o   the right to regulate any automated decision-making and profiling of personal data. You have a right not to be subject to automated decision making in way that adversely affects your legal rights.

Where you have provided consent to our use of your data, you also have the unrestricted right to withdraw that consent at any time. Withdrawing your consent means that we will stop processing the data that you had previously given us consent to use. There will be no consequences for withdrawing your consent. However, in some cases, we may continue to use the data where so permitted by having a legitimate reason for doing so.

If you wish to exercise any of the rights explained above, please contact the Chair of Trustees.

Making a complaint

The supervisory authority in the UK for data protection matters is the Information Commissioner (ICO). If you think your data protection rights have been breached in any way by us, you are able to make a complaint to the ICO.

Third Party Privacy Policies

The Services may contain links to websites owned by other organisations. If you follow a link to another website, these websites they will have their own privacy policies. We suggest that you check the policies of any other websites before giving them your personal information as we cannot accept responsibility for any other website.

Keeping your Personal Information

How we store your personal information
The security of your personal information is important to us.

We use appropriate technical and organisational measures to safeguard personal information and encryption technology where appropriate to enhance privacy and help prevent information security breaches.

Any personal information that we provide to you will be held within the EEA.

All third parties who provide services to us or our software provider are required to sign a contract requiring them to have appropriate technical, administrative and physical procedures in place to ensure that your information is protected against loss or misuse.

All information you provide to us is stored on our secure servers or on secure servers operated by a third party. Information on our third-party providers can be found above.

 

Retention of Information
We only hold your personal information for as long as necessary for the purposes for which we collected your information.

We have a retention policy which lays down timescales for the retention of information. The Retention Policy can be provided on request from data@wellspring-church.org.

We have set these timescales in accordance with any applicable legislation and where none exists then we will keep your information for the duration of any contract that you have entered into with us and then for a period of 6 years after which time it will be deleted.

Emails
If you chose to send us information via email, we cannot guarantee the security of this information until it is delivered to us.

Your rights

Access to Information
You have the right to access information that we hold about you. If you wish to receive a copy of the information that we hold, please contact at data@wellspring-church.org or write to us at the registered address.

Changing or deleting your information
You can ask us at any time to change, amend or delete the information that we hold about you or ask us not to contact you with any further marketing information. You can also ask us to restrict the information that we process about you.

You can request that we change, amend, delete your information or restrict our processing by emailing us at data@wellspring-church.org.

Right to prevent Automated decision making
You have a right to ask us to stop any automated decision making. We do not intentionally carry out such activities, but if you do have any questions or concerns we would be happy to discuss them with you and you can contact us at data@wellspring-church.org.
Transferring Personal Information
You have the right to request that your personal information is transferred by us to another organisation (this is called “data portability”). Please contact us at data@wellspring-church.orgwith the details of what you would like us to do and we will try our best to comply with your request. If may not be technically feasible, but we will work with you to try and find a solution.

Complaints
If you make a request to us under this Privacy Policy and you are unhappy with the response, you can ask for the request to be reviewed under our internal complaints procedure. Our internal complaints procedure allows your request to be reviewed by Alex Lee (Trustee) who will do their best to try and resolve the issue.

If you have been through the internal complaints procedure and are still not happy with the result, then you have the right to complain to the Information Commissioner’s Office. They can be contacted as follows:

Website: www.ico.org.uk

Telephone: 03031231113

Address: Information Commissioners Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Changes to our Privacy Policy
We review our Privacy Policy on a frequent basis to check that it accurately reflects how we deal with your information and may amend it if necessary. You should check this page regularly to see the most up to date information.

How to Contact us
We welcome questions, comments and requests regarding this Privacy Policy which can be sent to data@wellspring-church.org.

Adapted from Policy developed by © Probert Legal Limited 2018 for iknow Church Software and adapted with advice from our HR Consultant and ChurchSuite in 2021.