Policy Documents

Data Privacy Policy

Purpose of this notice

This data privacy notice sets out how we will use and protect personal information provided to us. Personal information includes any information that identifies you, such as your name, address, email address, telephone number, photograph or audio recording.

St Andrews Free Church is classified as the controller of this data as we decide how it is processed and for what purposes. Contact details for us are provided below.

How we use your data

We use personal information as follows:

The legal basis for processing your data

We process your personal information in the course of our legitimate activities as a not-for-profit body with a religious aim and on the basis that our processing relates solely to members, former members, or people who have regular contact with us, and that this information is not disclosed to any third party without your consent.

We also process data where this is necessary for compliance with our legal obligations around employment, social security and social protection; where processing is necessary for our legitimate interests and such interests are not overridden by your interests or fundamental rights and freedoms; and where you have given consent to the processing of your information for a particular purpose.

Sharing your data

We will only share your personal information where this is necessary for the purposes set out above. In particular gift aid information will be shared with HMRC. Information will not be shared with any other third party without your consent unless we are obliged or permitted to do so by law.

How we protect your data

We will protect the integrity and security of your personal information by:

A copy of our data retention policy is attached to this notice.

How long we keep your data

We’ll keep the personal data for as long as it’s necessary for the purpose for which it was collected, and to comply with our legal and regulatory requirements.

Your rights

You can request details of the personal information we hold about you by contacting us using the contact details below.

Please let us know if you believe that any information that we hold about you is incorrect or incomplete. Any information found to be incorrect will be corrected as quickly as possible.

You have the right to object to our use of your personal information, or to ask us to remove or stop using your personal information if there is no need for us to keep it.  There may be legal or other reasons why we need to keep or use your data, but please tell us if you think that we should not be using it.

If we are processing your data on the basis of your explicit consent, you can withdraw your consent at any time.  Please contact us using the details below if you want to do so.

You have the right to complain to the Information Commissioner’s Office about anything relating to our processing of your personal information.  You can contact the ICO via its website at www.ico.org.uk or at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.

How to contact us

For any queries, or to exercise any of your rights, please contact us at admin@standrewsfreechurch.co.uk.


Data Protection Policy

  1. Overview

1.1 St Andrews Free Church takes the security and privacy of personal information seriously. As part of our activities we need to gather and use personal information about a variety of people including members, former members, regular attenders, employees, office-holders and generally people who are in contact with us.

1.2 This policy explains the provisions that we will adhere to when any personal data belonging to or provided by data subjects is collected, processed, stored or transferred on behalf of St Andrews Free Church.

1.3 This policy has been approved by the elders, who are responsible for ensuring compliance with our legal obligations.

1.4 The elders have appointed Saleem Bhatti as the Data Protection Elder to oversee data protection in St Andrews Free Church. Any questions arising from the policy should be referred to the Data Protection Elder.

1.5 It is intended that this policy is fully compliant with the Data Protection Act 2018 and the EU General Data Protection Regulation. If any conflict arises between those laws and this policy, St Andrews Free Church intends to comply with the 2018 Act and the GDPR.

1.6 We expect everyone processing personal data on behalf of St Andrews Free Church to comply with this policy in all respects. This includes elders, staff, ministry trainees, rota organisers, and anyone responsible for any area of church life.

1.7 St Andrews Free Church has a separate Privacy Notice which outlines the way in which we use personal information provided to us. A copy can be obtained from the website.

1.8 This policy does not form part of any contract of employment or contract for services. It can be amended at any time.

1.9 Any deliberate or negligent breach of this policy by an employee of the congregation may result in disciplinary action being taken in accordance with our disciplinary procedure. It is a criminal offence to conceal or destroy personal data which is part of a subject access request, and such conduct by an employee would amount to gross misconduct which could result in dismissal.

1.10 Any deliberate or negligent breach of this policy by an office-holder or volunteer of the congregation would be a material breach of trust and may result in the person being removed as an office-holder or volunteer.


  2. Data Protection Principles, Definitions and Legal Bases

Data protection principles

2.1 Personal data will be processed in accordance with the ‘Data Protection Principles’. It must:

  • be processed fairly, lawfully and transparently;
  • be collected and processed only for specified, explicit and legitimate purposes;
  • be adequate, relevant and limited to what is necessary for the purposes for which it is processed;
  • be accurate and kept up to date;
  • not be kept for longer than is necessary for the purposes for which it is processed; and
  • be processed securely.

We are accountable for these principles and must be able to demonstrate compliance.

Definition of personal data

2.2 “Personal data” means information which relates to a living person (a ‘data subject’) who can be identified from that data on its own, or when taken together with other information which is likely to come into the possession of the data controller.

2.3 As well as including factual information (for example a name, address or date of birth), it also includes photographs and any expression of opinion or intention about the person.

2.4 This policy applies to all personal data whether it is stored electronically, on paper or on other materials.

2.5 We use one or more of the following legal bases to process personal data, namely that the processing:

  • is necessary for the purposes of the congregation’s legitimate interests;
  • is necessary for us to comply with a legal obligation; or
  • is carried out with the explicit consent of the person.

Definition of special categories of personal data

2.6 “Special categories of personal data” are types of personal data consisting of information revealing:

racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic or biometric data; health; sex life and sexual orientation; and any criminal convictions and offences.

2.7 A significant amount of personal data held by the congregation will be classed as special category personal data, either specifically or by implication, as it could be indicative of a person’s religious beliefs.

2.8 Special category personal data is particularly sensitive information and can only be processed under strict conditions. Unauthorised disclosure of this information is likely to have a material effect on an individual’s right to privacy.

2.9 We use one or more of the following legal bases to process special category personal data, namely that the processing:

  • is necessary for the purposes of the congregation’s legitimate interests as a not-for-profit religious body; or
  • is carried out with the explicit consent of the person.

Definition of processing

2.10 “Processing” means any operation which is performed on personal data, such as collection, recording, organisation, structuring or storage; adaptation or alteration; retrieval, consultation or use; disclosure by transmission, dissemination or otherwise making available; and restriction, destruction or erasure.

Use of consent to process data

2.11 Where consent is used as the legal basis for processing, we will clearly set out what we are asking consent for, including why we are collecting the data and how we plan to use it.

2.12 Consent will be specific to each process we are requesting consent for, and we will only ask for consent when the data subject has a genuine choice whether or not to provide us with their data.

2.13 Where consent is used to process personal data of children aged 13 or over, consent will be obtained from both the child and their parent or guardian.

2.14 Consent should normally be captured on a digital consent form, and this should be stored securely.

2.15 In exceptional circumstances, consent may be received orally rather than in writing. In such circumstances, this fact should be recorded in writing. Any proposed use of oral consent should be discussed with the Data Protection Elder.

2.16 Consent can be withdrawn at any time and, if withdrawn, the processing will stop. Data subjects will be informed of their right to withdraw consent, and it will be as easy to withdraw consent as it is to give consent.


  3. Data Protection in Practice

3.1 Everyone who processes data on behalf of St Andrews Free Church has responsibility for ensuring that the data they collect and store is handled appropriately, in line with this policy and our privacy notice.

3.2 At the point of collecting personal data, we will provide the individual with information in writing on how we will use their data. The individuals will also be informed in writing that they can obtain our privacy notice from the website.

Limitation of purpose

3.3 Personal data should be used only for the specified lawful purposes for which it was obtained.

3.4 Advice must be sought from the Data Protection Elder if you are considering using personal data collected for one purpose or activity for another church-related purpose.

3.5 In particular, when processing personal data under consent, we will use the data only for the explicit purpose for which consent was given.

Data minimisation

3.6 We will only collect and use sufficient personal data that is needed for the specific purposes for which it is required. We will not collect more than is needed to achieve those purposes. We will not collect any personal data “just in case” we want to process it later.

Accuracy

3.7 We will take every reasonable step to ensure that the personal data held is accurate and, where appropriate, kept up to date.

Data retention

3.8 We will not keep personal data longer than is necessary for the purposes for which it was collected, except to comply with our legal and regulatory obligations.

3.9 Personal data should be held in such a way that it can be deleted when there is no longer any reason to keep it.

3.10 Personal data will be disposed of securely when it is no longer needed.

3.11 Guidelines on data retention are in section 5.

Data security

3.12 We will use appropriate measures to keep personal data secure at all points of the processing. Keeping data secure includes protecting it from unauthorised or unlawful processing, and from accidental loss, destruction or damage.

3.13 We will restrict access to personal data to those who need it for their specific role at St Andrews Free Church.

3.14 Personal data should not be shared with those who are not authorised to receive it, either within the church or externally. Requests for data should be referred to the main holder of the data and not shared informally.

3.15 Hard copy personal data should be stored securely in lockable storage when not in use. Such storage should be locked with the keys removed. Care must be taken to ensure that hard copy personal data is not left where unauthorised people could see it, including in the home.

3.16 All electronic personal data relating to St Andrews Free Church ministries should be stored on St Andrews Free Church cloud servers.

3.17 Automatic logins to electronic personal data should only be used on encrypted or password-protected devices to which only the authorised individual has access. This includes email accounts.

3.18 Passwords should be kept secure, should be strong, changed regularly, and not written down or shared with others.

3.19 Personal data transferred by email must be encrypted or password protected. The password must be communicated separately.

Sharing of data

3.20 Personal data should never be shared outside St Andrews Free Church without explicit permission from the Data Protection Elder.

3.21 We will only share personal data with other organisations or people when we have a legal basis to do so and if we have informed the data subject about the possibility of the data being shared in our privacy notice, unless legal exemptions apply to informing data subjects about the sharing.

3.22 We will only appoint other parties to process personal data on our behalf on the basis of a written contract that will require the processor to comply with all relevant legal requirements. We will continue to monitor the data processing, and compliance with the contract, throughout the duration of the contract.

Data subject rights

3.23 We will process personal data in line with data subjects' rights, including their right to:

  • request access to any of their personal data held by us (known as a Subject Access Request);
  • ask to have inaccurate personal data changed;
  • request the erasure of their personal data, in certain circumstances; and
  • withdraw consent when we are relying on consent to process their data.

3.24 Any request from an individual that relates or could relate to their data subject rights should be forwarded immediately to the Data Protection Elder.

Privacy by design

3.25 Whenever a change to a ministry, activity or system is being considered, and this may have an impact on personal data, we will consider conducting a Data Protection Impact Assessment at the start and throughout the process. This will be completed in line with the guidelines from the Information Commissioner’s Office.


  4. Data Breaches

4.1 A data breach occurs where there is accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

4.2 In any circumstances where a data breach appears to have occurred, this must be reported immediately to the Data Protection Elder.

4.3 Similarly, any actual or suspected breach of this data protection policy must be reported immediately to the Data Protection Elder.

4.4 The Data Protection Elder will instigate an investigation into the nature and cause of the breach and the extent of the harm to individuals that could result. This will also establish whether there is anything that can be done to recover any losses and limit the potential damage. The investigation will follow the Information Commissioner’s Office (ICO) guidelines.

4.5 We will report all data breaches which are likely to result in a risk to any person’s rights and freedoms. Reports will be made to the ICO within 72 hours from when someone in the church becomes aware of the breach.

4.6 In situations where a personal data breach causes a high risk to any person’s rights and freedoms, we will also inform data subjects whose information is affected without undue delay.

4.7 We will keep records of personal data breaches, even if we do not report them to the ICO.



  5. Data Retention Guidelines

5.1 Everyone who processes personal data for St Andrews Free Church must follow the data retention guidelines in the table below.

5.2 Exceptions to these guidelines must be agreed with the Data Protection Elder.

5.3 Advice should be sought from the Data Protection Elder if it is considered that there may be legal, regulatory or potential litigation reasons to retain the personal data beyond the retention guidelines.

5.4 Personal data may be held in many formats, including on paper, on computers, on mobile phones, in emails, and on social media.

5.5 Disposal of hard copy personal data will be by shredding. Digitally stored personal data will be deleted so as to put it beyond use. This does not include archiving.

5.6 Elders, staff, ministry associates, ministry leaders and rota organisers will be required to confirm annually that they have reviewed all the personal data they hold and have followed the data retention guidelines.


Personal data relating to           Retention guideline

Personnel management                7 years after work with church ends

                                    Successful candidate: 7 years after employment ends
                                    Unsuccessful candidate: 6 months after recruitment ends; 5 years after recruitment ends for name and contact details

Donations and gift aid              7 years after donation has been made or gift aid reclaimed

Membership or regular attendance    3 years after no longer a member / regular attender

General church emails               Until opt-out or 1 year post-regular attendance

Internal rota administration        Until opt-out or no longer involved in the area

Ministry administration             End of relationship or after 1 year of non-attendance

                                    Until opt-out or indefinite

Pastoral care                       3 years after ceasing to be a member
                                    3 years post-attendance or opt-out
                                    1 year post-regular contact

Formal church records