(United Dioceses of Cashel, Ferns, Leighlin, Lismore, Ossory & Waterford)

DIOCESE OF CASHEL, FERNS AND OSSORY

(Church of Ireland)

DATA PRIVACY POLICY

1. INTRODUCTION
The Bishop and United Diocese of Cashel, Ferns and Ossory (their officers, employees and sub-committees) are committed to the proper processing of data in a manner consonant with the Data Protection Acts 1988, and 2003, and the General Data Protection Regulation (the “GDPR”) (together the “Legislation”).
Members of the Church of Ireland are mutually bound by consensual contract with each other and to the laws of the Church of Ireland in accordance with the Irish Church Act 1869 (section 20).

2. POLICY
This Data Privacy Policy (“Policy”) has been developed to ensure our parishioners or any other persons whose personal data the Diocese may hold feel confident about the privacy and security of personal data and to meet our obligations under the Legislation. Under the Legislation, ‘personal data’ is information that identifies you as an individual or is capable of doing so.
The Diocese as a ‘data controller’, must comply with the data protection principles set down in the Legislation and this Policy applies to all personal data collected, processed and stored by the Diocese in the course of their activities. The purpose of this Policy is to set out the procedures that are to be followed when dealing with personal data and to outline how the Bishop and the Diocese will collect and manage personal information in accordance with all relevant legislation and standards. The procedures set out herein must be followed at all times by the Diocese, its employees, agents, contractors, volunteers, office holders or other parties working on behalf of the Bishop and the Diocese.
This policy extends to all personal data whether stored in electronic or paper format. The Bishop of Cashel, Ferns and Ossory has responsibility for the implementation of this policy.

3. DATA PROTECTION PRINCIPLES
Data Protection is the safeguarding of the privacy rights of individuals in relation to the processing of personal data, in both paper and electronic format. The Legislation sets out strict rules about the way in which personal data and sensitive personal data is collected, accessed, used and disclosed. The Legislation also permits individuals to access their personal data on request, and to have personal data amended if found to be incorrect.
The Legislation establishes seven core principles for compliance which require that the Bishop and the Diocese, as a data controller must:

  1. Obtain and process personal data fairly, lawfully and in a transparent manner;
  2. Collect the personal data only for one or more specified and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  3.  Keep the personal data adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  4. Keep the personal data accurate and up-to-date;
  5. Retain the personal data no longer than is necessary for the purpose for which the data is processed;
  6. Process the data in a manner that is safe and secure;

The Diocese shall be responsible for and be able to demonstrate compliance with the above principles.

4. HOW DOES THE DIOCESE PROTECT PERSONAL INFORMATION ABOUT ME?
The Diocese will take all reasonable steps to ensure that appropriate security measures are in place to protect the confidentiality of both electronic and manual data. Security measures will be reviewed from time to time, having regard to the technology available, the cost and the risk of unauthorised access.
All data is kept securely in designated areas of the Diocesan Office, the Diocesan Accounts’ Office, the Bishop’s Office or the secure room in the Bishop’s House to which only authorised personnel have access. Computers and relevant computer files are password protected.

5. DOES THE BISHOP OR THE DIOCESE DISCLOSE INFORMATION ABOUT ME TO ANYONE ELSE?
Personal data may be disclosed internally within the Diocese in accordance with the data protection principles and this Policy. Under no circumstances will personal data be passed to any department or any individual within the Diocese that does not reasonably require access to that personal data with respect to the purpose(s) for which it was collected and is being processed.
No data is disclosed to a third party, other than that required by the central administrative purposes of the Church of Ireland, or when a reference is required from a subject. All other disclosures will be made only with prior permission, or when there is a legal or statutory obligation to do so.
Whenever we disclose information to third parties, we will only disclose that amount of personal information necessary to meet the administrative or legal requirement. Third parties that receive personal data from the Diocese must satisfy us as to the measures taken to protect the personal data they receive.
Appropriate measures will be taken to ensure that all such disclosures or transfers of personal information to third parties will be completed in a secure manner and pursuant to contractual safeguards.
The Diocese may provide information, when legally required to do so and in response to properly made requests, for the purpose of the prevention and detection of crime, and the apprehension or prosecution of offenders. The Diocese may also provide information for the purpose of safeguarding national security. In the case of any such disclosure, the Diocese will do so only in accordance with the Legislation.
The Diocese may also provide information when required to do so by law, for example under a court order.
The Bishop or the Diocese may also transfer data to legal counsel where same is necessary for the defence of legal claims.

6. ACCURACY
Every reasonable effort is made to ensure that data is accurate, complete and up-to-date in accordance with the purpose for which it was collected.
As a data subject, you are responsible for informing the Diocese of any changes in your personal details. We endeavour to ensure personal information held is up to date and accurate.

7. WHAT DATA DOES THE DIOCESE HOLD?
The Diocese holds personal data that is directly relevant to its dealings with the data subject. Data will be collected, held, and processed in accordance with the data protection principles and with this Policy in a reasonable and lawful manner.
In the case of data subjects, the following data may be processed (but only where relevant in each case):
• Surname
• Christian Name/s
• Title/s
• Date of Birth
• Address including Eircode
• Telephone and/or fax number/s,
• Numbers or addresses for contact by WhatsApp or similar applications where this has the prior agreement of the participants
• E mail address/es
• Information about grant assistance given
• Bank account details (to facilitate electronic payment of expenses and grants)
Where they are relevant to our mission, or where you provide them to us, we may process demographic information such as gender, age, date of birth, marital status, nationality, education/work histories, academic/professional qualifications, hobbies, family composition, and dependants;
Where you make donations or pay for activities, financial identifiers such as bank account numbers, payment card numbers, payment/transaction identifiers, policy numbers, and claim numbers;
The data we process is likely to constitute sensitive personal data because, as a church, the fact that we process your data at all may be suggestive of your religious beliefs. Where you provide this information, we may also process other categories of sensitive personal data, such as racial or ethnic origin, sex life, mental and physical health, details of injuries, medication/treatment received, political beliefs, labour union affiliation, genetic data, biometric data, data concerning sexual orientation and criminal records, fines and other similar judicial records together with such formal correspondence as may occur with the data subject from time to time
In the case of workers in the Diocese who work with children or vulnerable adults or in a healthcare setting the following additional information may be kept:
• Information received, including date and serial number of vetting, from the National Vetting Bureau
• Record of having attended child and adult safeguarding training

8. PROCESSING PERSONAL DATA
Any and all personal data collected by the Diocese from you is collected as it is necessary for our legitimate interests or collected with your consent. The Diocese may also use personal data in meeting certain obligations imposed by law. Data is collected and processed for the internal purposes of the Church, the Bishop, and the Diocese (together with its committees and delegated structures).
These purposes include:
• The ministry and work of the Diocese within the Church of Ireland and Anglican Communion;
• Compliance with the requirements of the law of the State and the internal law of the Church of Ireland;
• Provision of pastoral and spiritual care and to organise and perform ecclesiastical services, such as baptisms, confirmations, weddings and funerals;
• To notify of changes to our services, events and role holders;
• To send you communications which you have requested and that may be of interest to you. These may include information about campaigns, appeals and other fundraising activities;
• To process donations;
• To process a grant;
• To pay expenses or make similar payments;
• the maintenance of accurate records concerning

  • o the administration of the Diocese;
    o the financial records of the Diocese and Parishes;
    o appointment of teachers and special needs assistants in the schools of the Diocese;
    o Boards of Management of schools under the Bishop’s patronage, and the work of the Bishop in fulfilling his legal role as Patron;
    o Education administration within the Diocese;
    o the officers and members of committees of Diocesan organisations and charities;
    o church workers and volunteers who come within the Episcopal supervision of the Bishop;
    o those engaged in hospital and school chaplaincy;
    o the implementation of Church of Ireland Safeguarding Trust Policy, which includes both Children and Adults and the National Vetting Bureau process;
    o statistical analysis and strategic review of the work within the Diocese;
    o Confirmation records.

• the maintenance of a record of correspondence received and sent by the Diocese, its employees and any Diocesan committees;
• the provision of necessary administrative support, training, or other services within the Diocese;
• and such other work and ministry stemming from the law of Ireland or from the law of the Church of Ireland.
Personal data is not collected from third parties, except by way of confidential reference in respect of referees at the time of appointment to diocesan positions or in fulfilment of the Constitution of the Church of Ireland or the law generally of the Church of Ireland.

9. HOW LONG DOES THE DIOCESE KEEP PERSONAL INFORMATION?
The period for which the Diocese retains information varies according to the use of that information. In some cases, there are legal requirements to keep data for a minimum period of time. Unless specific legal requirements dictate otherwise, the Bishop or the Diocese will retain information no longer than is necessary for the purposes for which the data were collected or for which they are further processed.
For example, data of all those who have been confirmed is kept – as a register – indefinitely as such information is frequently sought by the data subject him/herself when preparing for ordination or marriage in another church.
Data collected and relevant retention periods are in accordance with the Diocesan Retention Policy.

10. HOW CAN I EXERCISE MY RIGHTS IN RESPECT OF PERSONAL INFORMATION THE DIOCESE HOLDS ABOUT ME?
The Bishop and the Diocese shall vindicate all your rights under the Legislation. These rights are as follows:
• your right to request from the Bishop or the Diocese access to personal data, and to have any incorrect personal data rectified;
• your right to the restriction of processing concerning you or to object to processing;
• your right to have your personal data transferred to another employer;
• your right to have personal data erased (where appropriate); and
• information on the existence of automated decision-making, if any, as well as meaningful information about the logic involved, its significance and its envisaged consequences.
Vindication of your rights shall not affect any rights which the Diocese may have under the Legislation.
If you want to know what personal information the Diocese holds about you or exercise any of the above rights, you can do so by making your specific request in writing to the Diocese at the following address:
Diocesan Office
Palace Coach House
Church Lane
Kilkenny
R95 AO32
The Diocese will process your request within 30 days of receipt, unless there is a significant amount of information at which point we might need to extend the period for a further 2 months. If the information the Diocese holds about you is inaccurate, the Diocese requests that you advise it so that it can make the necessary amendments and confirm that these have been made within 30 days of receipt of your request.

11. HOW CAN I MAKE A COMPLAINT TO THE DIOCESE ABOUT THE USE OF MY PERSONAL DATA?
Complaints on the use, retention and disposal of personal data can be submitted in writing to the Diocese. As a data subject you also have the right to lodge a complaint with the Data Protection Commissioner.
Data Protection Commisioner (Ireland)
Canal House
Station Road
Portarlington
Co. Laois
R32 AP23
or via email infro@dataprotection.ie or by phone on +353 (0761) 104800.

12. TRANSFERS OF DATA ABROAD
Any electronic personal data transferred to countries or territories outside the European Union will only be placed on systems complying with measures giving equivalent protection of personal rights either through international agreements or contracts approved by the European Union.

13. CCTV MONITORING
A closed-circuit camera is used for the security of property and protect against damage or theft. Access to the recorded material will be strictly limited to authorised personnel.

14. REVIEW
This policy will be reviewed and updated from time to time to take into account changes in the law and the experience of the policy in practice.

The Diocesan Office
The Palace Coach House
Church Lane
KILKENNY

Tel: 056 7761910
Email: palacecoachhouse@gmail.com
Website: www.cashel.anglican.org