Pastoral Services Diary
This policy is effective from 23 March 2017
1. Archbishops’ Council
The Archbishops’ Council, together with its representatives including, but not limited to Pastoral Services Diary Central Administrators and Pastoral Services Diary Support Team ("we"), are committed to protecting and respecting privacy and complying with the Data Protection Act 1998.
The Pastoral Services Diary is provided by Archbishops’ Council which is a body pursuant to section 1 (1) of the National Institutions Measure 1998 whose objects are to co-ordinate, promote, aid and further the work and mission of the Church of England. Pursuant to section 1(2) of the National Institutions Measure 1998 the Archbishops’ Council is established for charitable purposes, charity number 1074857. Archbishops’ Council is located at Church House, Great Smith Street, London, SW1P 3AZ. We are registered with the Information Commissioner, registration number Z6034304.If you would like more information about the Archbishops’ Council, please go to the following website for more information www.churchofengland.org. Our nominated representative for the purpose of the Act is Martin Kettle. You will find his contact details at the end of this policy.
• that we have in relation to the personal data we collect from you as a user of the Pastoral Services Diary (“you”) and the personal data that you supply to us in respect of third party personal data you collect from other data subjects who supply their details for in-putting into the Pastoral Services Diary
• that you have in relation to the personal data that you collect from data subjects who supply their personal data for in-putting into the Pastoral Services Diary
Where you input personal data of third parties into the Pastoral Services Diary you confirm that you have obtained their consent to do so.
Where you supply us with personal data of third parties you confirm that you have obtained their consent to do so.
Please read the following carefully to understand our views and practices, and our and your obligations, regarding privacy and personal data and how we will treat it and how you should treat third parties’ personal data held.
For the purpose of the Data Protection Act 1998 (the “Act”), the data controller is the Archbishops’ Council. The Archbishops’ Council may also be a data controller either jointly or common with other parties in respect of personal date provided.
2. Data protection generally
Data is information which is stored electronically, on a computer, or in certain paper based filing systems.
Data subjects for the purpose of this policy include all living individuals about whom we or you hold personal data. A data subject need not be a UK national or resident. All data subjects have legal rights in relation to their personal data.
Personal data means data relating to a living individual who can be identified from that data (or from that data and other information in our possession). Personal data can be factual (such as a name, address or date of birth) or it can be an opinion about that person, their actions and behaviour.
Data controllers are the people who or organisations which determine the purposes for which, and the manner in which, any personal data is processed. They have a responsibility to establish practices and policies in line with the Act. We are alone or jointly or in common with you the data controller of all personal data used in relation to this site.
Data processors include any person who processes personal data on behalf of a data controller.
Processing is any activity that involves use of the data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties.
Sensitive personal data includes information about a person's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life, or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings. Sensitive personal data can only be processed under strict conditions, and will usually require the express consent of the person concerned.
3. Data protection principles
Anyone processing personal data must comply with the eight enforceable principles of good practice. These provide that personal data must be:
1. Processed fairly and lawfully.
2. Processed for limited purposes and in an appropriate way.
3. Adequate, relevant and not excessive for the purpose.
5. Not kept longer than necessary for the purpose.
6. Processed in line with data subjects' rights.
8. Not transferred to people or organisations situated in countries without adequate protection.
4. Fair and lawful processing
The Act is intended not to prevent the processing of personal data, but to ensure that it is done fairly and without adversely affecting the rights of the data subject. The data subject must be told who the data controller is (in this case it is the Archbishops’ Council who may also be Data Controller in common, or jointly with other parties) the purpose for which the data is to be processed, and the identities of anyone to whom the data may be disclosed or transferred.
For personal data to be processed lawfully, certain conditions have to be met. These may include, among other things, requirements that the data subject has consented to the processing, or that the processing is necessary for the legitimate interest of the data controller or the party to whom the data is disclosed. When sensitive personal data is being processed, more than one condition must be met. In most cases the data subject's explicit consent to the processing of such data will be required.
5. Processing for limited purposes
Personal data may only be processed for the specific purposes notified to the data subject when the data was first collected or for any other purposes specifically permitted by the Act. This means that personal data must not be collected for one purpose and then used for another. If it becomes necessary to change the purpose for which the data is processed, the data subject must be informed of the new purpose before any processing occurs.
6. Adequate, relevant and non-excessive processing
Personal data should only be collected to the extent that it is required for the specific purpose notified to the data subject. Any data which is not necessary for that purpose should not be collected in the first place.
7. Accurate data
Personal data must be accurate and kept up to date. Information which is incorrect or misleading is not accurate and steps should therefore be taken to check the accuracy of any personal data at the point of collection and at regular intervals afterwards. Inaccurate or out-of-date data should be destroyed. You and we are responsible for the accuracy of the personal data supplied and this should be reviewed periodically or as notified by any data subject.
8. Timely processing
Personal data should not be kept longer than is necessary for the purpose. This means that data should be destroyed or erased from our systems when it is no longer required.
9. Processing in line with data subject's rights
Data must be processed in line with the data subjects' rights. Data subjects have a right to:
• Request access to any data held about them by a data controller.
• Prevent the processing of their data for direct-marketing purposes.
• Ask to have inaccurate data amended.
• Prevent processing that is likely to cause damage or distress to themselves or anyone else.
10. Data security
All Data Controllers must ensure that appropriate security measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data. Data subjects may apply to the courts for compensation if they have suffered damage from such a loss.
The Act requires the Data Controller to put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Personal data may only be transferred to a third-party data processor if he agrees to comply with those procedures and policies, or if he puts in place adequate measures himself.
Maintaining data security means guaranteeing the confidentiality, integrity and availability of the personal data, defined as follows:
• Confidentiality means that only people who are authorised to use the data can access it.
• Integrity means that personal data should be accurate and suitable for the purpose for which it is processed.
• Availability means that authorised users should be able to access the data if they need it for authorised purposes. Personal data should therefore be stored on our central computer system instead of individual PCs.
Security procedures include:
• Entry controls. Any stranger seen in the vicinity of a computer or private documents should be reported.
• Secure lockable desks and cupboards. Desks and cupboards should be kept locked if they hold confidential information of any kind. (Personal information is always considered confidential.)
• Methods of disposal. Paper documents should be shredded. All personal data or other sensitive data stored on any medium including but not limited to DVD’s, USB memory sticks, external hard drives, the cloud or portable devices should be deleted when they are no longer required.
• Equipment. Data users should ensure that individual monitors and other devices do not show confidential information to passers-by and that they log off from their PC when it is left unattended and that computers automatically lock after a set period of time when not used.
11. Dealing with subject access requests
A formal request from a data subject for information that the Data Controller holds about them must be made in writing. A fee is payable by the data subject for provision of this information. Any Data Controller who receives a written request should deal with it in accordance with the Data Protection Act 1998. If you have any questions about our or your obligations, please contact Martin Kettle immediately.
12. Dealing with Data Breaches
If you believe the security of any Personal Data or Sensitive Personal Data has been breached, please speak to Martin Kettle immediately.
Although not a statutory requirement the Information Commissioner believes that a serious breach of the data protection principles should be reported. In the first instance any breach should be reported to Martin Kettle. In any matter that might affect personal safety the police should be informed immediately.
13. Providing information over the telephone
Any person dealing with telephone enquiries should be careful about disclosing any personal information held by us. In particular, they should:
• Check the caller's identity to make sure that information is only given to a person who is entitled to it.
• Suggest that the caller put their request in writing if they are not sure about the caller's identity and where their identity cannot be checked.
• Refer to Martin Kettle for assistance in difficult situations. No-one should be bullied into disclosing personal information.
14. Google Analytics
We have implemented Google Analytics features based on Display Advertising (Google Analytics Demographics and Interest Reporting). We will use the data provided by Google Analytics Demographics and Interest Reporting to develop and tailor our sites, content, features, resources and direction to those who visit.
Here are some of the ways you can control the information that is shared by your web browser when you visit or interact with Google services on partners' sites across the web:
• Ads Settings helps you control the ads by Google that you see across the web. You can learn how ads are selected for you, opt out of certain categories and block specific advertisers. Learn more about advertising.
• We, like many sites across the web use Google Analytics to understand how visitors engage with their sites or apps. If you don't want Analytics to be used in your browser, you can install the Google Analytics browser add-on. Learn more about Google Analytics and privacy.
• Google makes it easy for you to make recommendations for your friends for example, by clicking the +1 button on content you like. Some of your +1s may show your name and Google+ profile photo in ads, but you can opt out if you don't want to appear in ads. You can also visit the +1 tab on your Google+ profile to review and manage all of your +1's. Learn more about how to get to your +1 tab.
• Incognito mode in Chrome allows you to browse the web without recording web-pages and files in your browser history. Cookies are deleted after you've closed all of your incognito windows and tabs, and your bookmarks and settings are stored until you delete them. Learn more about cookies.
15. Privacy and Information collected
We may collect and process the following data about the data subjects whose personal data is provided:
• Information that is provided by filling in forms on our site. This includes information provided at the time of registering to use our site and the information input about any data subject. We may also collect information about your computing environment, and/or when you contact us we may ask you for further information.
• If you contact us, we may keep a record of that correspondence.
• Details of your visits to our site including, but not limited to, traffic data, location data, weblogs and other communication data, and the resources that you access, whether this is required for our own purposes or otherwise.
16. IP addresses
We may collect information about your computer, including where available your IP address, operating system and browser type, for system administration. This is statistical data about our users' browsing actions and patterns, and does not identify any individual.
We use the following cookies:
• Strictly necessary cookies. These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log onto the secure area of our website.
• Analytical/performance cookies. These allow us to recognise and count the number of users and to see how the users move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.
You can find more information about the individual cookies we use and the purposes for which we use them in the table below:
|Google Analytical Cookie||_ga||This is a Google analytics cookie that enables us to track an users usage and to help improve use of the website.||Opt-out of Google Analytics cookies|
|Session Cookie||diary_session||This is a session cookie which make it possible to navigate through the website. This cookie is automatically deleted after you close your web browser.|
You may block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our sites.
Information about deleting or controlling cookies is available at www.AboutCookies.org.
18. Where we store personal data
All information you provide to us is stored on our secure servers. Where we have given you (or where you have chosen) a password which enables you to access our site, you are responsible for keeping this password confidential. We ask you not to share the password with anyone.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site. Any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
19. How we use the information we collect/store
We use information held about you and the information you provide in relation to third party personal data, in the following ways:
• to ensure that our websites are presented in the most effective manner for those who visit and use them and for their computer or internet connected device
• to provide the features and functions of our sites (and their related services) to those who visit and use them
• to make contact for the purposes of the administration, support, and continued operation of this website
• to monitor and evaluate statistics and changing patterns in the work of the Church of England, those who are in touch with the Church, and with whom the Church is in touch, and the ways in which our Users interact with our websites. These statistics may be used in press releases and other public documents, or otherwise put into the public domain, in a form in which personal data is anonymised, in order to promote the work of the Church of England
• to help develop and tailor ours sites, content, features, resources, functionality, and direction to those who visit our sites and use our products and resources
• to provide information about the products, initiatives, and resources which have been, are, or will be coming to the Church Support Hub, Church Print Hub, Pastoral Services Diary, and/or are part of the wider work of the Church of England
• to provide information about other products, initiatives, resources, and/or news stories to which we wish attention to be drawn
• to request opinions, input, and/or feedback regarding the Church Support Hub, Church Print Hub, Pastoral Services Diary, and/or the wider work of the Church of England, including, but not limited to, resources, products, and initiatives
• to provide information about website and service downtime, errors, issues, changes, updates related to the Church Support Hub, Church Print Hub, Pastoral Services Diary, and/or the wider work of the Church of England
• to send additional periodic e-newsletters where they have been requested
20. Disclosure of information
By providing your information you give consent that we may disclose it to such other Church related entities as may be necessary to provide you with our services.
We may also disclose your personal information to other parties without seeking your prior consent provided that the disclosure would not be in breach of the Act, for the purpose of law enforcement, or when we:
• are subject to a legal obligation to disclose the information;
• believe it is necessary to protect your vital interests
• believe it is necessary to protect our rights, property or the safety of our staff
21. Access to information
You may ask for a copy of the information that we hold about you by writing to us at: Martin Kettle, Church House, Great Smith Street, London, SW1P 3AZ or call 020 7898 1000.
Please note that we may charge a statutory fee of up to £10 for providing this information, and we may also charge you for postage.
In order to be sure that your personal information is not disclosed improperly we may require you to provide us with proof of identity before the information is provided to you.
Once you have paid the statutory fee (if requested) and ID has been confirmed your request will be dealt with within 40 calendar days.
You may also ask us to correct the information that we hold about you, or to delete or stop using such information, by writing to the same address.
22. Data retention
The Act does not specify the period of time for which personal information should be held, it simply states that it should not be kept longer than is necessary for the purpose for which it processed. If the personal data is no longer required for the purpose for which it was processed, then it should be deleted.
23. Confidentiality and reporting
• You shall hold in strict confidence all information concerning the business, information and affairs of The Archbishops’ Council and information relating to or about other users and the data subjects regardless of the nature or source of the information or of the fact that others may share the knowledge, and shall not divulge any such information unless disclosure is explicitly authorised by The Archbishops’ Council, or is required by law or by a court.
• You shall ensure that disclosures of information are made only to persons entitled to that information.
• You shall take all reasonable steps to ensure the privacy, security and safekeeping of all confidential and personal information.
• Even after termination or natural conclusion of your account on the Pastoral Services Diary, you shall continue to treat the data and information relating to the Archbishops’ Council, other users and the data subjects as strictly confidential.
• You understand that compliance with these confidentiality requirements is a condition of use of the Pastoral Services Diary, our systems and resources and that failure to comply may result in termination of your account, with prejudice, by The Archbishops’ Council in addition to legal action.
• Data Protection Act breaches, where serious, must be reported to the Information Commissioner’s Office in accordance with the Information Commissioner’s guidance on good practice.
• In addition to reporting a serious Data Protection Act breach to the Information Commissioner’s Office, the Data Protection Act breach must also be reported to The Archbishops’ Council within 24 hours of discovery.
• You shall, at all times, ensure strict compliance to the Data Protection Act 1998.
25. Contact and further information
Martin Kettle can be contacted at Church House, Great Smith Street, London, SW1P 3AZ, or call 020 7898 1000.
Independent advice about data protection, privacy and access to information, is available from the
Information Commissioner’s office at:
The Data Protection Act (1998)