Privacy Policy

SHEFFIELD AND BALBY AREA MEETING OF THE
RELIGIOUS SOCIETY OF FRIENDS (QUAKERS)
PRIVACY POLICY

1. INTRODUCTION

1.1 PURPOSE

“Do you maintain strict integrity in your business transactions and in your relations with individuals and organisations?” Advices and Queries 36.

As Quakers, we seek to be clear and transparent and maintain strict integrity in the work that we do, including our recording and use of personal data. Our members and those who share data with us should be reassured that we will treat their data with respect, ensuring its accuracy, security and use only for the (legitimate and clearly specified) purposes for which it is needed or provided. This is also a requirement of the 2018 General Data Protection Regulation (GDPR).
The purpose of this policy is to ensure that all members of our Area Meeting and others whose data we process understand what this means in practice.

1.2 SCOPE

This policy applies to, and commits to its requirements, all members of Sheffield and Balby Area Quaker Meeting of the Religious Society of Friends. This Area Meeting is the charitable organisation furthering the general religious and charitable purposes of the Religious Society of Friends (Quakers) in the Sheffield and Balby area. The Area Meeting covers, supports and works on behalf of members of the following local meetings: Sheffield Central and Nether Edge, Balby (Doncaster) and Bamford (in Derbyshire’s Hope Valley). [The Area Meeting charity number is: 1134536, and the address is: Sheffield and Balby Area Quaker Meeting, Quaker Meeting House, 10 St James Street, Sheffield S1 2EW.]
This policy also applies to all those contracted by our Area Meeting or otherwise processing personal information on our behalf.
‘Personal data’ covers any information relating to an identifiable, living person who can be directly or indirectly identified through the data. It includes people’s names, physical and email addresses, telephone numbers, as well as any other personal information including, for example, marital and financial information, and photographs. The GDPR applies to such personal data held in computer databases, manual filing systems or paper or electronic lists (e.g. of members and attenders), and also covers minutes of meetings and electronic or personnel files for contracted personnel, lettings or other purposes.
Sheffield and Balby Area Quaker Meeting is legally responsible for this personal data, and registered with the Information Commissioner’s Office (ICO) as ‘data controller’ for this data, and for determining the purposes and means of processing this data.
We collect this data in the legitimate interests of supporting our work, and for some types of data collection for the performance of a contract. We will also ask for consent for data processing wherever this is not part of our necessary ‘legitimate interests’ or required for contractual or other legal reasons that do not require consent. When we ask for personal data we will inform the persons concerned of how we intend to manage it and what measures we will take to ensure its security.

2. HOW WE HANDLE PERSONAL DATA

2.1 HOW WE COLLECT DATA

Our Area Meeting List Secretary and Local Meeting Membership Secretaries collect names and contact details of Members and any Attenders who request this through data consent forms. These forms also provide a means for Members and Attenders to request to be put on our Area Meeting and Quakers in Yorkshire Lists of Members and Attenders that are available for the restricted use of other Members and Attenders on the lists.
Our Treasurers and Schedule Collectors collect information from Members and Attenders on their subscriptions and information in relation to bursaries from those applying for bursary support to attend courses or external meetings.
Our Trustees collect contract-related information from those employed by the Area Meeting.
Our Meeting House Managers collect information from those seeking to make Meeting House bookings, undertake contractual work, and from those wishing to receive newsletters.
Our Safeguarding Officer collects Disclosure and Barring Service (DBS) checks and other information needed from and for those working with children.
We also collect information through our website contact/enquiry/booking forms.

2.2 WHY WE COLLECT DATA

We collect data from our Members to carry out necessary administration of our area and local meetings on their behalf on the legal basis of the ‘Legitimate Interests’ of our meetings. This includes membership and nominations administration, pastoral care through eldership and oversight, fundraising and processing of donations, and for contacting people as needed for the efficient operation of our meetings. For child members, this requires authorisation by a parent or guardian.
As part of the ‘Legitimate Interests’ of our meetings, a permanent register of Members, with basic membership information and contact information, is created regularly by each meeting and archived for permanent preservation. (This is separate from the more widely distributed membership lists requiring the member’s permission.)
Long-term Attenders may, if they wish, have their contact details processed on the same basis as if they were members.
Information held on our employees, contractors and those renting our premises is processed on the legal basis of fulfilling contractual requirements, whilst safeguarding-related data such as the DBS check are a legal requirement.
Our Area Meeting puts together lists of Members and Attenders that are available to all members and attenders on the list within the Area Meeting. This list is also sent to Quakers in Yorkshire for their biennial listing on the same basis for the old county of Yorkshire. The list operates on the legal basis of consent: Members and Attenders can ask to have their names, and if they wish, their contact details shared through these lists. On the same legal basis of consent, Members and Attenders and other interested persons can request to receive copies of our newsletters.
If we need to obtain other information or use the data for other purposes those concerned will be informed beforehand.

2.3 HOW WE PROCESS DATA

The personal data that we process in accordance with our Legitimate Interests or contractual and legal obligations will be kept to the minimum required for these purposes and handled only by our relevant post-holders.
Apart from archived material, personal data will be kept only for as long as it remains correct and necessary to achieve these purposes, or until the person asks us to no longer keep it.
Members’ personal data, minutes and other documents will be archived securely for historical and research purposes, but will not be used in connection with decisions affecting particular individuals or in a way that is likely to cause damage or distress.
When we ask for personal data for other purposes, we will outline how we will use and manage it and, where appropriate, ask for the individual’s consent to do so on this basis.
We will not use this personal data for other purposes without asking permission of the persons concerned.
When sending emails to a number of members (and attenders agreeing to be treated on the same basis) we will use blind-copy procedures to prevent email addresses being circulated to other recipients. [One way of doing this is for the sender to create an email address called ‘Undisclosed Recipients’, send the email to be circulated to this address, then put all other intended recipients into the Blind Copy (Bcc) line.] No personal information will be used on mailings with mechanisms such as Google Groups.
We will not pass personal data to other organisations, except on the legal bases described in 2.2 above, or for other legally required reasons sanctioned under GDPR such as for people’s protection or police investigations.
We will not use or allow third parties, including Quakers in Yorkshire, to process data without taking reasonable steps to ensure they comply with the GDPR.
We will never sell personal data to third parties or allow it to be used other than in accordance with the GDPR.

2.4 HOW WE PROTECT DATA

Personal data will be held by office holders in electronic and paper form as appropriate, only for as long as necessary and with appropriate password or other security measures and protected against misuse. The central repository for data will be the electronic and paper filing systems and archiving facilities at Sheffield Meeting House. Increasing use will be made of password-protected cloud storage.
Except for the secure archiving of Members’ personal data, minutes and other documents, we will not keep information for longer than necessary to fulfil the uses set out in section 2.2. For example, once information on individuals’ annual contributions has been used to collect gift aid and produce annual reports, the means of personally identifying the sources of the financial data will be destroyed. Data in paper form will be held securely in locked rooms, drawers and cabinets, and will be shredded when no longer needed, including for example old copies of Members and Attenders lists (apart from one archived copy of each).

3. PROTECTING ACCESS RIGHTS

Anyone wishing to make a subject access request to view their personal data held by the Area Meeting can do so through the ‘Contact us’ form on our website (http://www.sheffieldandbalbyareaquakers.org.uk/contact), by post using our registered address (see section 2.2 above) or by phoning 0114 275 7390.
Anyone wishing to withdraw permission for use of their data or to update the data held on them by the Area Meeting can do so using the same means of contact.
The same means of contact can be used for anyone having any queries about this policy.
In the case of emailed copies of newsletters and other circulated material on Quaker issues, those no longer wishing to receive these can at any time use the unsubscribe response on the email where this exists, or inform the sender accordingly.

4. PROCESS FOR HANDLING CONSENT FORMS

It is our policy that all Members and Attenders should complete the current consent form. An Attender is defined for the purposes of this policy as a person who attends meeting for worship and perhaps participates in other parts of the life of a meeting, and might wish to be included on lists of members and attenders or receive Quaker communications; it does not include occasional visitors.
A form should be completed for each child of a member aged under 18, and for children of those attenders who so wish, against the signature of a parent or guardian. This process should be repeated for new Members and Attenders joining the local meeting, and the process repeated and the information updated within a reasonable time period (say 3 years), although the membership secretaries and overseers will ensure that the lists are updated as soon as there are known changes in members’ information.
Everyone whose data we collect through this form or otherwise on the legal basis of consent must see the privacy notice to know what data we collect and why we collect it, to see their rights to check and be able to update the data we have on them.
The consent form provides the following options:
• For long term attenders to decide whether they want their data to be treated in the same way as for members;
• To decide what, if any, of their personal data to put on the issued lists of members and attenders;
• For parents/guardians, to decide on the options they want to apply for their children.
The Area Meeting Data Protection Coordinator (DPC) will email to the clerk of each local meeting the consent form format and privacy notice. The local meeting Membership Secretary, or Clerk of the local meeting where there is no Membership Secretary, will arrange for the forms to be printed, signed by all members and attenders in that area meeting (normally with the help of Overseers and, in the large Sheffield Central meeting, volunteers), and used by the Local Meeting Membership Secretaries or Clerks to check and correct as necessary the local meeting membership lists. Local meeting membership secretaries will also notify the Area Meeting List Secretary of any changes in contact data and option requests.
The completed consent forms will be sent to the Area Meeting List Secretary to be checked and stored at Sheffield Meeting House office.

5. RISK ANALYSIS AND ACTION ON ANY SECURITY BREACH

The risk matrix in the attached annex shows our assessment of our key data security risks and how we are protecting ourselves against a security breach.

If, despite precautions, a security breach does occur, then the following will apply.
1. Immediately anyone is aware of a security breach, whether or not it is serious, it must be reported to at least one of the following, with details, who would then inform the other two: the relevant Local Meeting Clerk or co-clerks, the DPC, and the Clerk of Trustees.
2. The DPC, or Clerk of Trustees in the DPC’s absence, should obtain advice on the seriousness of the leak in terms of likely damage to individuals.
3. If not deemed to be sufficiently serious to be of likely detriment to any individuals, then this will be recorded by the DPC, and notified to and minuted by Trustees at the time of the annual report.
4. If it is serious, the ICO will be immediately notified within 72 hours of the breach along with any individuals placed in jeopardy by the leak. An investigation will be undertaken, with recommended action on the breach and steps to be put in place to avoid a future breach. The outcome will be sent to the ICO and to the affected individuals.

6. MONITORING AND UPDATING THE POLICY

Our local meeting clerks will complete the annual monitoring form on policy implementation, which will be sent to them each year by the DPC. The completed form will be returned to the DPC who will compile a statement for the Area Meeting Trustees.
We will review and update this policy and annexes in line with best practice and changes in legislation.

ANNEX: DATA PROTECTION RISK ANALYSIS

Making public or passing to an unauthorised third party the bank details or other financial details of a member or attender | Data used towards identity theft | High | Low | Details held only by Treasurers, kept on secure, password-protected computers and
Accidentally or deliberately leaking sensitive data | Data used by third party for targeted/fraudulent emails or phone calls | High | Low | Details held only by relevant post-holder(s), kept on secure, password-protected computers and
Loss of a member’s or attender’s data | Problems in having to request the information again. Individual’s loss of trust in and support from Quakers. | Medium | Medium | Data held by meetings as well as by the AM List Secretary, stored on MH computers and paper
Member or Attender uses the data for personal business purposes | Breaking the law by being contrary to the GDPR. Reputational damage. | High | Medium | Ensuring all Members and Attenders understand the GDPR and AM policy
Contractual information leaked to a third party | Data used by a rival. Individual’s loss of trust in and support from Quakers. | High | Low | Details held only by relevant post-holder(s), kept on secure, password-protected computers
Poor implementation of data protection policy | Data not held securely, allowed to pass to unauthorised individuals, data consent forms not fully issued, collected or stored | Medium | High | Annual monitoring