Privacy Notice
St Bede’s Pastoral Centre
Privacy Notice for service users, beneficiaries, volunteers and website users
About this privacy notice
St Bede’s Pastoral Centre (which is a part of the Charity named Congregation of Jesus Charitable Trust) is committed to protecting and respecting your privacy. For the purposes of the UK General Data Protection Regulation (the UK GDPR) and any subsequent UK legislation covering data protection, the Charity is the controller of your personal data (which means that we determine the purposes (the why) and the means (the how) of the processing of your data).
This privacy notice covers the activities carried out by St Bede’s Pastoral Centre (for information about the wider activities of the Charity see the Congregation of Jesus Charitable Trust’s privacy notice).
This privacy notice sets out why we collect personal data, how we collect and use it and who it is shared with. It also explains the legal basis for the use of your personal data and the legal rights you have over the way it is used.
Who we are
For the purposes of the UK GDPR and the Data Protection Act (DPA) 2018, the controller of your personal data is the Congregation of Jesus Charitable Trust (the Charity) a registered charity in England and Wales (registered charity number: 298970). The Charity’s contact details are as follows:
Address: The Bar Convent, 17 Blossom Street, York, YO24 1AQ.
Telephone number: 01904 643238
Email: info@barconvent.co.uk
The Data Protection contacts for the Charity are either James Foster, who may be contacted via jamesfoster@barconvent.co.uk or Hannah Thomas, who may be contacted via hthomas@barconvent.co.uk.
What type of personal data we collect
The type and amount of personal data we collect depends on the purposes for which we will need to use it and will include:
• Personal details and key identifiers such as: names, address, telephone numbers, email address, date of birth.
• Bank account details and credit card details.
Certain categories of personal information are regarded by data protection law as more sensitive than others. Known as ‘special category personal data’, this relates to information about your health, racial or ethnic origin, details of sexual life, sexual orientation, religious beliefs, political opinions or any genetic or biometric data that is used to identify you. This information, and any information about criminal offences / convictions and related security measures, warrants a higher level of protection under data protection law.
Given the nature of our work, the Charity may process special category data about you, including:
• Information relating to your health and wellbeing (including details of disabilities and medical conditions, health and sickness records, and details of accidents in the workplace).
• For roles that require a disclosure and barring service (DBS) check we may collect information about criminal offences and convictions.
We will only collect and process information about criminal offences and convictions where it is necessary and lawful for us to do so.
When we collect this type of information about you, we will always make it clear what special category personal data or criminal offence data we are collecting and why.
When we collect your personal data
We may collect personal data from you whenever you contact us or have any involvement with us, for example when you:
• visit our website and contact us or book onto an event;
• donate to us;
• enquire about our activities or services;
• attend a meeting with us and provide us with information;
• contact us in any way including online, email, phone, SMS, social media or post;
• visit St Bede’s as we need to keep details of people using the buildings in connection with Fire Health and Safety;
• hold a key to any of our buildings;
• visit our buildings and your image is captured on CCTV;
• purchase goods from us;
• book courses, events or rooms with us;
• work with us as a tutor or assistant tutor on one of our courses;
• work with us as a speaker or facilitator or collaborator on an event or short course or other elements in the delivery of our programme;
• apply for funding assistance from the Bill Broderick Fund in connection with one of our courses or events;
• apply for a fee reduction or waiver in connection with one of our courses or events;
• claim and collect an item of lost property from us;
• sign up to our mailing list;
• sign up to our online library;
• enter your details into our prayer request book;
• purchase a gift voucher from us or a gift voucher is purchased for you from us by a third party (just person’s name);
• leave a voicemail message on our answer machine;
• leave a message with one of our staff;
• make a payment over the telephone;
• give feedback on any of our events or courses;
• sign up for spiritual accompaniment with a member of the St Bede’s spirituality team;
• apply for spiritual accompaniment with a member of YISAN (York Ignatian Spiritual Accompaniment Network);
• Apply to become a member of YISAN.
How we collect your personal data
We collect your personal data in the following ways:
• Information you give us directly: for example, you may provide your details to us when you ask us for information or donate, attend our events or contact us for any other reason.
• Information shared by known third party organisations: we may receive information about you from third party partners with whom you have an interest or for whom you have provided services or for safeguarding purposes, for example the Religious Life Safeguarding Service (RLSS). This may include information such as your name, contact information, reference information or the results of a DBS check.
• Information collected when you use our website: when you use our website, some limited information about you is recorded and temporarily stored. The website uses “Cookies” to collect data and you will be asked if you are happy to give permission for this when you use the website.
• Information available publicly: for example, we may include in our newsletters some information obtained from social media or from articles/newsletters.
How we use your personal data
We will use your personal data for various purposes consistent with the legal basis we rely on to process your data. These purposes include:
• providing you with the information or services you have asked for;
• processing donations you make, including processing for gift aid purposes;
• sending you communications with your consent that may be of interest, including marketing information about our services and activities, campaigns and appeals asking for donations and other fundraising activities and promotions for which we seek support;
• seeking your views on the services or activities we carry on so that we can make improvements;
• maintaining our organisational records and ensuring we know how you prefer to be contacted;
• processing payments you make to us including payments for courses, events and room bookings
• keeping in touch with you in connection with events and courses for which you have signed up or in which you have shown an interest
• maintaining records of attendance on longer courses which run over one or more academic years.
We do not use your personal data for automated decision-making (including profiling). If that changes, we will notify you in writing.
Failure to provide personal data
When we collect personal information, we will make it clear whether you are required by law, or under a contract, to provide your personal data, and what will happen if you do not provide that data.
Our legal basis for processing your information
Data protection law requires us to have a lawful basis for processing your personal data. Depending on the purposes for which we use your data, we may rely on one or more of the following lawful bases:
• Consent: Where you have provided your consent for us to use your personal data. For example, if you sign up to receive marketing communications from us. You may withdraw consent at any time by emailing us at admin@stbedes.org.uk. This will not affect the lawfulness of processing of your information prior to your withdrawal of consent being received and actioned.
• Performance of a contract: It may be necessary for us to use your information to carry out our obligations under a contract entered into with you or to take steps you ask us to take prior to entering into a contract.
• Vital interests: It may be necessary for us to use your information to protect the vital interests of you or another individual. For example, providing your details to a medical professional in the case of a medical emergency.
• Legal obligations: It may be necessary for us to use your information to comply with our legal obligations. For example, if we are legally required to hold transaction details for gift aid or accounting/tax purposes.
• Legitimate interests: It may be necessary for us to use your personal data for the purposes of “legitimate interests” pursued by the Charity or a third party (as long as those legitimate interests are not overridden by your rights and freedoms). Examples include:
– where we need to provide information or services to you, we may rely on the fact that it is necessary for our legitimate interests to provide the information or service requested, and given that you have made the request, we would presume that there is no prejudice to you.
If you want to contact us about your marketing preferences, please contact the Centre Administrator on admin@stbedes.org.uk.
We will only process special category data where we have also identified an appropriate condition for doing so in accordance with Article 9 of the UK GDPR:
• You have provided explicit consent (such consent may be withdrawn at any time by emailing admin@stbedes.org.uk)
• The processing is necessary in order to protect the your or another person’s vital interests where that person is physically or legally incapable of giving consent (for example, providing your details to a medical professional in a medical emergency);
• The processing relates to personal data which is manifestly made public by the data subject (for example, where you publish information about yourself in the public domain);
• The processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity (for example, providing information to a court where a claim has been made);
• The processing is necessary for reasons of substantial public interest, in accordance with Part 2, Schedule 1 of the DPA 2018 (for example, where this is necessary for the purposes of protecting the physical, mental or emotional wellbeing of an individual).
The Charity will only process criminal offence data where it has identified an appropriate lawful basis for processing and appropriate policy and safeguards are implemented in accordance with Article 10 of the UK GDPR and the DPA 2018.
How we keep your personal data safe
We understand the importance of security of your personal data and take appropriate steps to safeguard it.
We understand how important it is to protect your personal data and take appropriate steps to safeguard it.
We implement adequate technical and organisational measures to ensure a level of security appropriate to the potential risks. We have an internal Information Security Policy, which governs how we protect your personal data. For example:
• All persons authorised to access personal data are required to undergo appropriate training and must comply with organisational and technical measures that we have put in place.
• We have also put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
We always ensure that access to your personal data is restricted on ‘need to know basis’, i.e. to those members of our staff, volunteers and contractors who need to access personal data to fulfil their roles. All authorised persons are appropriately trained and commit to ensuring confidentiality and security of your data.
Your personal data when held on the Charity’s website is fully protected and encrypted. Other electronic records are held:
• via a secure encrypted platform eg Dropbox
• on Charity computers which are password protected and kept in locked offices.
Hard copy data is in locked cabinets in locked rooms solely used by the Charity.
We always ensure that only authorised persons have access to your personal data, which means only those members of our staff, volunteers and contractors who need to access your data to fulfil their roles. Everyone who has access to personal data is appropriately trained and aware of their obligations to ensure confidentiality and security of your data.
Please note, we interact via the internet and email, and no external data transmission over the internet can be guaranteed to be 100% secure. So, while the Charity strives to safeguard your personal data, we cannot guarantee the security of any information you provide online and you do this at your own risk.
Who has access to your personal data?
We will not share your personal data with third parties without your consent unless the law allows us to. We may disclose your personal data to the following third parties, to enable us to provide our services, fulfil our charitable objectives or comply with our legal obligations:
• we may share your information with partner organisations assisting us with financial transactions for example our bank or Worldpay or HMRC for gift-aid purposes;
• we may share your information with any third-party training providers;
• we share your information with certain service providers, such as event speakers/organisers;
• we may share your information for safeguarding purposes with RLSS or the Catholic Safeguarding Standards Agency (CSSA);
We also need to disclose your data to companies who provide services for us, for example our legal advisors, appointed accountants, insurance providers, our IT services provider and parties providing mailing and marketing services, for example mailchimp. We select all third-party service providers with care and provide them with the minimum amount of information necessary to provide their service. We always have an appropriate agreement in place that requires them to protect personal data to the same standard as we do.
Keeping your information up to date
We really appreciate it if you could let us know if your contact details change. You can do so by contacting us at admin@stbedes.org.uk.
Transfers of your personal data to other countries
Due to the nature of our charitable objectives and work, we may transfer your information to countries or territories outside the UK, which are subject to different data protection laws. We may do this where for example, we use suppliers in a third country or data is stored on servers outside the UK.
We meet the UK GDPR requirements by ensuring that personal data is protected as if it were being held in the UK. This will usually be because the country to which we transfer data either benefits from an adequacy determination or we have entered into a contract with the third party which contains EU standard contractual clauses recognised as a valid data transfer mechanism in the UK.
If you would like more information about how we protect your personal data if it is transferred outside the UK please contact admin@stbedes.org.uk.
How long we keep your personal data for
We will hold your personal data for as long as it is necessary for the relevant activity. By way of example, we normally hold records of donations you make for at least six years so we can fulfil our statutory obligations for tax purposes. Our Records Retention Policy sets out appropriate retention periods, a copy of which is available from admin@stbedes.org.uk If you would like further information about our retention periods for specific types of information, please contact admin@stbedes.org.uk in the first instance
Where we rely on your consent to contact you for direct marketing purposes eg e-newsletters we will treat your consent as lasting only for as long as it is reasonable to do so. This will usually be until you unsubscribe from the service. We may periodically ask you to renew your consent. If you ask us to stop contacting you with marketing materials, we will remove you from our mailing list.
Your rights
Data protection law provides individuals with various legal rights, which may be exercised in certain circumstances. You have the following legal rights over your personal data:
• The right of access (commonly referred to as a “subject access request” or “SAR”): This right enables you to obtain a copy of the personal data we hold about you as well as other information about how we are processing your personal data.
• The right to rectification: This right enables you to require us to correct the personal data we hold about you if it is inaccurate or incomplete.
• The right to erasure (also known as the right to be forgotten): In certain circumstances, you have the right to request that personal information we hold about you is erased (such as where we no longer need your personal data for the purpose it was originally collected for).
• The right to restrict processing of your personal data: You may ask us to restrict the use of your personal data in certain circumstances (such as where you believe your personal data is incorrect and we need to verify the accurate of the personal data we hold)
• The right to object: You may object to our processing of your personal data in certain circumstances, such as where we are processing your personal data on the basis of “legitimate interests”. Please note, you always have the right to object to processing of your personal data for direct marketing purposes.
• The right to data portability: This right allows you to request that we transfer your personal data to you or another third party in a commonly used, machine-readable format. Please note, this right only applies to automated information that you initially provided consent for us to use or where we used the information to perform a contract with you.
• The right to withdraw consent: Where we are relying on your consent to process your personal data, you have the right to withdraw your consent at any time, and may do so by contacting us via admin@stbedes.org.uk. If you decide to withdraw your consent, that does not mean that our use of your personal data before you withdrew your consent is against the law.
Please note, some of your legal rights are subject to safeguards, limitations or exemptions.
If you wish to exercise your rights, please contact one of the two Data Protection contacts either James Foster who may be contacted via jamesfoster@barconvent.co.uk or Hannah Thomas who may be contacted via hthomas@barconvent.co.uk. and we will respond within the time limits set out in data protection law.
Complaints
If at any time you are not happy with how we are processing your personal information then you may raise the issue with one of the Data Protection contacts in the first instance.
If you are not satisfied with the handling of your issue, you may raise a complaint with the Information Commissioner’s Office, which regulates and enforces data protection law in the UK.
Details of how to do this can be found at https://ico.org.uk/make-a-complaint/.
We will update and change this privacy notice from time to time to reflect changes to the way we handle your personal data or changing legal requirements. If we make any significant changes we will advertise this on our website or contact you directly with the information. Please check this document each time you consider giving your personal information to us.
Date of last review: 27 March 2024
Period of review: 2 years
Date of next review: 27 March 2026
Owner: Charity CEO
Version number: 2
