Data Protection Policy
Published 10 June 2020
St Albert’s Catholic Chaplaincy, Edinburgh (“the Network”) is committed to data protection by default and by design and supports the data protection rights of all those with whom it works, including, but not limited to, staff, students, visitors, alumni and parishioners. This policy sets out the accountability and responsibilities of the Network, to comply fully with the provisions of the General Data Protection Regulation (“the GDPR”) and the Data Protection Act 2018 (“the DPA”) and recognises that handling personal data appropriately and in compliance with data protection legislation enhances trust, is the right thing to do and protects the Network’s relationship with all its members.
The Network holds and processes personal data about individuals such as former students, former and current staff at Edinburgh universities, former and current parishioners, and others, defined as ‘data subjects’ by the law. Such data must only be processed in accordance with the GDPR and the DPA.
The Network has appointed our Lay Chaplain to monitor and advise on compliance with the GDPR and the DPA. However, responsibility for compliance and the consequences of any breaches cannot legally be transferred to the Lay Chaplain but instead remains with the Charity.
Purpose of Policy
This policy sets out the responsibilities of the Network to comply fully with the provisions of GDPR and the DPA.
Responsibilities under the Policy
The Network as data controller has a corporate responsibility to implement and comply with data protection legislation.
This section will set out the main requirements for compliance.
General Data Protection Regulation (GDPR)
Information about the Network’s work to implement new data protection legislation. Data protection legislation gives rights to people about whom we hold information, and gives us responsibilities regarding that information. Data protection legislation changed on 25 May 2018 when the General Data Protection Regulation (GDPR) came into force replacing the existing Data Protection Act 1998.
The Network is currently in the process of implementing the requirements of the General Data Protection Regulation and we are currently awaiting guidance from the charitable sector regulators on how to do so.
The DPA sets out principles for handling personal data, requiring that it shall:
be processed fairly and lawfully;
be held only for specified purposes and not used or disclosed in any way incompatible with those purposes;
be adequate, relevant and not excessive;
be accurate and kept up-to-date;
not be kept for longer than necessary for the particular purpose;
be processed in accordance with the data subject’s rights;
be kept secure;
not be transferred outside the European Economic Area unless the recipient country ensures an adequate level of protection.
You can find information about the changes from the Information Commissioner's Office (ICO). The ICO is the UK regulator who oversees compliance with data protection legislation.
All users of personal data within the Network must ensure that personal data is always held securely and not disclosed to any unauthorised third party either accidentally, negligently or intentionally.
We do not and have no plans to share your personal information with others outside our organisation (unless required to do so by law, court order or other requirement); in the unlikely situation that we wished to disclose your information outside of those legal requirements, we would contact you first to ask for your explicit permission.
When the Network collects personal data from individuals, the requirement for ‘fairness and transparency’ must be adhered to. This means that the Network must provide data subjects with a ‘privacy statement’ to let them know how and for what purpose their personal data are processed.
Right to erasure, to restrict processing, to rectification and to object
In certain circumstances data subjects have the right to have their data erased. This only applies where the data is no longer required for the purpose for which it was originally collected, or where the data subject withdraws consent, or where the data is being processed unlawfully.
If personal data is inaccurate, data subjects have the right to require the Network to rectify inaccuracies. In some circumstances, if personal data are incomplete, the data subject can also require the controller to complete the data, or to record a supplementary statement.
When personal data is transferred internally, the recipient must only process the data in a manner consistent with the original purpose for which the data was collected. If personal data is shared internally for a new and different purpose, a new privacy notice will need to be provided to the data subjects.
Direct marketing does not only cover the communication of material about the sale of products and services to individuals, but also the promotion of aims and ideals. For the Network, this will include notifications about events, fundraising, selling goods or services. Marketing covers all forms of communications, such as contact by post, fax, telephone and electronic messages, whereby the use of electronic means such as emails and text messaging is governed by the Privacy and Electronic Communications Regulations 2003 (PECR).
Data Protection Breaches
The Network is responsible for ensuring appropriate and proportionate security for the personal data that it holds. This includes protecting the data against unauthorised or unlawful processing and against accidental loss, destruction or damage of the data. The Network makes every effort to avoid data protection incidents, however, it is possible that mistakes will occur on occasions. Examples of personal data incidents might occur through:
Loss or theft of data or equipment
Ineffective access controls allowing unauthorised use
Unauthorised disclosure (e.g. email sent to the incorrect recipient)
Any data protection incident must be brought to the attention of the Lay Chaplain who will investigate and decide if the incident constitutes a data protection breach. If a reportable data protection breach occurs, the Network is required to notify the Information Commissioner’s Office as soon as possible, and not later than 72 hours after becoming aware of it. Any member of the Network’s community who encounters something they believe may be a data protection incident must email the Lay Chaplain immediately.
The Network will whenever individuals can be identified by their image, data protection legislation applies. In these situations, the rights of the individuals in the collection and use of their photographs must be respected – they will be informed when an identifiable image of them will be or has been captured, and a legal basis must be found before the image is used in any way.
Photographs that are submitted to the Network to be published on the internet provide ‘consent’ as our legal basis. The Network ensures that consent is validly collected and stored. We send out a photography & video consent form as an added protection for limited administrative effort.
If children under the age of 13 years are clearly recognisable in an image, we ask for consent from a parent or guardian. The consent form will be kept for the life that we hold the photo as evidence. If a data subject withdraws their consent then the consent is still deemed to have been valid up to the point of withdrawal.
Photographs of crowds or groups
If crowd shots are taken during an event and an individual is not identifiable, then there is no need for us to find a legal basis to take, display or publish the photo. This also applies to any individuals, students and staff whose images are incidental detail, such as in crowd scenes for graduation.
If the photos are taken at a conference or a talk where it is likely that individuals may be identified even in crowd scenes, then our legal basis is ‘legitimate interest’.
In both these scenarios, we will include notices at the event informing attendees of the following points:
Alerting people in the foreground of these shots who are within earshot of the photographer verbally and given the opportunity to move away if they wish.
Give a warning in writing that photography will be taking place at the event.
If we use a registration form, then this warning will be included in the form, we can also use notices displayed at events and
Include a sentence about photography in printed programmes or publicity material.
Provide a clear opt-out (e.g. speaking to the photographer, wearing a sticker /wristband, removing yourself from the photo areas, say no thank you if the photographer asks, or don't attend the event).
There are practical challenges to this and there is a point where a photo is just scene shot and no-one is particularly identifiable. Evidence will be kept of the information that we provided to the data subjects (e.g. keeping the email / the posters / the event form etc.).
If we take pictures of random groups of people, such as in general Mass scenes, and there is a possibility that individuals might be identified when the images are posted on the internet, then our legal basis will be ‘legitimate interest’. In this situation, we will not have to provide a privacy notice.
If you have any questions, please contact
St Albert’s Catholic Chaplaincy
23-24 George Square
Edinburgh EH8 9LD
Dominican Friars’ Development Office
Blackfriars St Giles
Oxford OX1 3LY
Tel: 01865 610208