Purpose of this Notice

This Privacy Notice outlines the way in which the Parish of Traprain will use personal information provided to us.  Personal information includes any information that identifies you personally, such as your name, address, email address or telephone number.

The Parish of Traprain recognises the importance of your privacy and personal information and we have therefore outlined below how we use, disclose and protect this information. The Parish of Traprain, jointly with the Presbytery of Lothian and Borders is the data controller, because we decide how your data are processed and for what purpose.  Contact details for us are provided below.

 Privacy Notice

THE PARISH OF TRAPRIAN SCOTTISH CHARITY NUMBER SCO12277

The Kirk Session of [The Parish of Traprain Scottish Charity number SCO12277 (the ‘Congregation’) is providing you with this Privacy Notice in order to comply with data protection law and to ensure transparency in the collection and use of your personal data.

Who is collecting the information

 Presbytery of Lothian and Borders Scottish Charity Number SCO40976 is the Data Controller for the Congregation. Catriona Dickson is the Data Protection Coordinator for the Congregation admin@parishoftraprain.org.uk

Why is this personal data collected and for what reason (Purpose)

This information is used to:

• administer membership records, including the Communion/Supplementary Rolls;
• enable pastoral care
• enable participation in Congregational activities
• provide you with information in relation to news, events, and activities within the Congregation or the wider Church of Scotland
• provide the services of a parish church to the local community
• fulfill legal obligations
• further charitable aims, for example through fundraising activities
• maintain accounts and records (including the processing of Gift Aid applications);
• comply with safeguarding obligations including, the protection of vulnerable groups scheme
• maintain a directory of contact details

What personal data is collected

Personal data will include only what is necessary to fulfill the purposes listed. For most members it will only include name, address and contact details supplied.

• Name
• Address
• Telephone number
• Mobile number
• Date of Birth
• Email address
• Bank details (for Gift Aid and fundraising purposes)
• Children’s data (for example, but not limited to, if required for instance for Junior Church, holiday clubs or baptism)
• Role in congregation (e.g. office-bearer information)
• Health-related information
• Photographs and videos (where applicable)
• Safeguarding information, including Covenant of Responsibilities
• Religious beliefs are collected by implication by being a church member  

The information source

The information is collected directly from you. Some data is collected via the Presbytery or the National Offices.

The lawful basis for the processing

The Congregation processes special category (sensitive) data under UK GDPR Article 9(2)(d): “processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects”. 

For the other processing activities, the lawful basis are:

• UK GDPR Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject”.
• Article 6(1)(f) “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”.
• Article 6(1)(a) “the data subject has given consent to the processing of his or her personal data for one or more specific purposes”. This is specific to safeguarding purposes and Sunday School and other related activities dealing with children. Consent will be sought from parents/guardians for processing a child’s personal data.

Who data is shared with

Your personal information will only be shared where this is necessary for the purposes set out above. Information will not be shared with any third party out with the Church of Scotland without your consent unless the Congregation is obliged or permitted to do so by law.

“The Congregation uses Microsoft 365, Sharepoint, Excel, Outlook and Mailchimp to process your personal data. There is an appropriate contract in place and data will only be processed in accordance with the instructions of the Congregation.”

How long the personal data is held for

The Congregation will keep your personal information for as long as you are a member or adherent, or have regular contact with the Congregation, or for as long as the Congregation is obliged to keep it by law or may need to do so in order to respond to any questions or complaints, or to show that the Congregation treated you fairly.   When the information is no longer needed it will be securely destroyed following church procedure.  [Further information about our retention and disposal schedule is available at https://www.parishoftraprain.org.uk/retention-policy/

Individuals’ rights in relation to this processing

Under data protection laws, individuals have a number of rights in relation to the processing of their personal data. These rights are as follows:

• The right to be informed – this privacy notice meets that right.
• The right of access – this means you have the right to have access or receives copies of personal data held by the organisation
• The right to rectification – this means you have the right to correct incomplete or inaccurate data held about you
• The right to erasure – this means you have the right to have your data deleted from an organisation’s records.
• The right to restrict processing – this means you have the right to restrict processing. This right is normally used with other rights, e.g. rectification
• The right to data portability – this means you have the right to request your data in a machine-readable format (e.g. a .csv file) and transfer this to another organisation
• The right to object – this means you have the right to object to how your data is processed
• Rights in relation to automated individual decision making, including profiling – the Church does not carry out this type of processing.

Not all rights apply and it depends on the lawful basis as to what rights do apply.

For the processing purposes of this privacy notice, when the lawful basis is legal obligation the right of erasure, right to data portability and the right to object do not apply. All other rights do apply. For the processing purposes of this privacy notice when the lawful basis is legitimate interests, all rights apply except for data portability. If you wish to exercise any of your rights please contact the Data Protection Coordinator for THE PARISH OF TRAPRAIN  CATRIONA DICKSON at admin@parishoftraprain.org.uk

If any processing is carried out on the basis of consent it is important to note that you can withdraw your consent at any time. To do this please contact admin@parishoftraprain.org.uk

Complaints to the Church of Scotland

If you are concerned about how your personal data is being used by the Church of Scotland, please contact – in the first instance – the Data Protection Coordinator for PARISH OF TRAPRAIN CATRIONA DICKSON   OR the Data Protection Officer for the Church of Scotland at Privacy@churchofscotland.org.uk, if required. 

Complaints to the Information Commissioner’s Office (ICO)

If you are not satisfied with the outcome of your complaint to the Church of Scotland, a referral can be made to the UK regulator of data protection, the Information Commissioner’s Office (ICO). 

The ICO has guidance on their website: https://ico.org.uk/your-data-matters/raising-concerns/

The ICO can be contacted by email casework@ico.org.uk or by telephone on 0303 123 1113.

Alternatively, their postal address is:

Customer Contact

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

SK9 5AF

Further information

If you would like further information in relation to this Privacy Notice please contact the Church of Scotland Data Protection Officer at Privacy@churchofscotland.org.uk. 

This Privacy Notice may be updated from time to time to reflect changes in legal requirements or other operational reasons. The latest version will always be available from the pNSERT PRESBYTERY OF LOTHIAN AND BORDERS Scottish Charity Number: SCO40976  Catriona Dickson is the Data Protection Coordinator for the Congregation admin@parishoftraprain.org.uk

Privacy Notice

THE PARISH OF TRAPRAIN SCOTTISH CHARITY NUMBER SCO12277

The Kirk Session of The Parish of Traprain Scottish Charity Number SCO12277 (the “Congregation”) is providing you with this Privacy Notice in order to comply with data protection law and to ensure transparency in the collection and use of your personal data.

Who is collecting this information

Presbytery of Lothian and Borders Scottish Charity Number SCO12277 is the Data Controller for the Congregation. Catriona Dickson is the Data Protection Coordinator for the Congregation admin@parishoftraprain.org.uk

Why this personal data is collected and for what reason (Purpose)

The congregation collects and processes your personal data for employment purposes. Processing employee data allows the Congregation to:

• run recruitment processes including promotion processes
• maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency) and records of employee contractual and statutory rights
• operate and keep a record of disciplinary and grievance processes in order to ensure acceptable conduct within the workplace
• operate and keep a record of employee performance and related processes in order to plan for career development, succession planning and workforce management
• operate and keep a record of absence and absence management procedures in order to allow effective workforce management and ensure that employees are receiving pay or other benefits to which they are entitled
• obtain occupational health advice in order to ensure compliance with duties in relation to individuals with disabilities, comply with health and safety law and ensure that employees are receiving  pay or other benefits to which they are entitled
• operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave) in order to allow effective workforce management, ensure compliance with duties in relation to leave entitlement and to ensure that employees are receiving pay or other benefits to which they are entitled;
• ensure effective business administration
• provide references on request for current or former employees
• respond to and defend against legal claims and
• maintain and promote equality in the workplace.

What personal data is collected

The Congregation collects and process a range of information about you. This includes:

• name, address, date of birth, gender and contact details (including email address and telephone number);

• the terms and conditions of your employment
• your qualifications, skills, experience and employment history including start and end dates of previous employment and employment within the organisation
• information about remuneration, including entitlement to benefits such as pensions, childcare vouchers or insurance cove
• your bank account and national insurance number
• information about your marital status, next of kin, dependants and emergency contacts;
• information about your nationality and entitlement to work in the UK
• information about any criminal record you may have
• details of your schedule (days of work and working hours) and attendance at work
• details of periods of leave taken by you including holiday, sickness absence, family leave and sabbaticals, and the reasons for the leave
• details of any disciplinary or grievance procedures in which you have been involved including any warnings issued to you and related correspondence
• assessments of your performance including appraisals, performance reviews/ratings, training you have participated in, performance improvement plans and related correspondence
• information about medical or health conditions including whether or not you have a disability for which the organisation needs to make reasonable adjustments
• details of trade union membership and
• equal opportunities monitoring information including information about your ethnic origin, sexual orientation, health and religion or belief.

Some of this data is special category (sensitive) personal data and therefore additional safeguards are put in place to protect this data further. Special category data is defined as racial/ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health data, genetic data, biometric data, sex life, sexual orientation.

The information source

The information is collected in a variety of ways. Some information is collected directly from you. Other sources can include third parties for references, PVG checks with Disclosure Scotland, application forms, CVs or resumes, passport or other identity documents such as driving licence, from forms completed by you at the start of or during employment, correspondence with you or through interviews, meetings or other assessments.

The Congregation may also collect personal data about you from third parties, such as references supplied by former employers and, where applicable, information from criminal records checks permitted by law.

The lawful basis for processing

The lawful basis for processing for employment purposes is UK GDPR Article 6(1)(b) “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”.

There are some aspects of processing where the lawful basis is UK GDPR Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject”. This is in relation to checking employee’s right to work in the UK, tax deduction, health and safety and criminal records check/PVG to ensure that individuals are permitted to undertake the role in question.

Where special category (sensitive) personal data is involved, the lawful basis for processing is UK GDPR Article 9(2)(b)”processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by domestic law or a collective agreement pursuant to domestic law providing for appropriate safeguards for the fundamental rights and the interests of the data subject”

Who the information is shared with:

Your information will be shared internally, including with members of the Kirk Session your line manager, Presbytery and the National Office.

The Congregation may share your data with third parties in order to obtain pre-employment references from other employers and obtain necessary criminal records checks from Disclosure Scotland.

The Congregation uses [Microsoft 365, Sharepoint, Excel, Outlook and Mailchimp to process your personal data for payroll purposes. There is an appropriate contract in place and the data will only be processed in accordance with the instructions of the Congregation.

How long the personal data is held for

The Congregation will hold your personal data for the duration of your employment. The periods for which your data is held after the end of employment are set out in the Retention and Disposal Schedule available here [insert link].

Individuals’ rights in relation to this processing

Under data protection laws, individuals have a number of rights in relation to the processing of their personal data. These rights are as follows:

• The right to be informed – this privacy notice meets that right.
• The right of access – this means you have the right to have access or receives copies of personal data held by the organisation.
• The right to rectification – this means you have the right to correct incomplete or inaccurate data held about you.
• The right to erasure – this means you have the right to have your data deleted from an organisation’s records.
• The right to restrict processing – this means you have the right to restrict processing. This right is normally used with other rights, e.g. rectification.
• The right to data portability – this means you have the right to request your data in a machine-readable format (e.g. a .csv file) and transfer this to another organisation.
• The right to object – this means you have the right to object to how your data is processed.
• Rights in relation to automated individual decision making, including profiling – the Church does not carry out this type of processing.

Not all rights apply and it depends on the lawful basis as to what rights do apply. For the processing purposes of this privacy notice the right to object does not apply. All other rights do apply. If you wish to exercise any of your rights please contact the Data Protection Coordinator for The Parish of Traprain at admin@parishoftraprain.org.uk

Complaints to the Church of Scotland

If you are concerned about how your personal data is being used by the Church of Scotland, please contact – in the first instance – the Data Protection Coordinator for Parish of Traprain. Catriona Dickson and the Church of Scotland Data Protection Officer at Privacy@churchofscotland.org.uk, if required. 

Complaints to the UK Information Commissioner’s Office (ICO)

If you are not satisfied with the outcome of your complaint to the Church of Scotland, a referral can be made to the UK regulator of data protection, the Information Commissioner’s Office (ICO). 

The ICO has guidance on their website: https://ico.org.uk/your-data-matters/raising-concerns/

The ICO can be contacted by email casework@ico.org.uk or by telephone on 0303 123 1113.

Alternatively, their postal address is:

Customer Contact

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

SK9 5AF

Further information

If you would like further information in relation to this Privacy Notice please contact the Church of Scotland Data Protection Officer at Privacy@churchofscotland.org.uk. 

This Privacy Notice may be updated from time to time to reflect changes in legal requirements or other operational reasons. The latest version will always be available from Presbytery of Lothian and Borders Scottish Charity Number SCO40976.  Catrioina Dickson  is the Data Protection Coordinator for Parish of Traprain, admin@parishoftraprain.org.uk