Data Protection Policy
The Congregation of Jesus Charitable Trust (‘the Trust’) comprises CJ Communities in York, London, Cambridge and Norwich together with St Bede’s Pastoral Centre and St Joseph’s Infirmary in York.
The Trust collects a limited amount of personal data from individuals to enable it to provide a range of services including courses and events, spiritual direction, meeting facilities and news updates to its supporter base.
This Policy sets out why we collect personal information about individuals and how we use that information. It explains the legal basis for this and the rights you have over the way your information is used.
Please be assured that when you provide your personal data, the Trust will keep your information confidential, will only ask for enough information to enable us to provide the service you have requested and will explain to you when you give us the information what we will do with it and only use it in this way. At all times the Trust adheres to the core principles of the General Data Protection Regulation 2018 (GDPR) in that the data that we collect is ‘Adequate, Relevant and Limited’ for the purposes that we collect it. If your information is ever inaccurate and you would like us to amend it or you would like us to change how we use it, then please let us know and we will do so immediately.
We never share your data with others or use it outside of the United Kingdom and, after fulfilling the purpose that we originally collected it for, we will confidentially dispose of your data within an appropriate time period.
Contacts for Data Protection matters
The CJ Trust is the Data Controller for the purposes of the GDPR. The contacts for Data Protection matters at the Trust are James Foster, Chief Operations Officer (Telephone: 01904 643238 or Email: email@example.com) and Hannah Thomas, Special Collections Manager (Telephone: 01904 643238 or Email: firstname.lastname@example.org).
Track and Trace
In order to help reduce the risk of a local outbreak of coronavirus, we are taking contact details of all users of the centre, as well as recording times of entering and leaving our premises. In line with guidance issued by the Department for Health and Social Care, we will keep your details for 21 days. We will share them with Test and Trace personnel, if asked, in the event of a fellow customer or staff member testing positive for coronavirus. Data will be handled according to GDPR, security and ethical standards at every stage of the process – from its collection and storage by us to, if needed, its transfer to and use by NHS Test and Trace. NHS Test and Trace will handle all data according to the highest ethical and security standards and it will be used only for NHS care, management, evaluation and research.
The Trust fully supports ‘the spirit and the letter’ of GDPR. In more detail, this is how the Trust has adopted GDPR principles:
- Data Collection Is ‘Adequate, Relevant and Limited’ – at each point of data collection it is the Trust’s policy to advise you (the data subject) of: what information we are collecting and why; what we intend to do with it; how we hold it and for how long; and, how you can amend it, change its use or gain access to it as necessary.
- Used For Specific Processing Purposes – your personal data will only be used for the express purposes that were stated to you at the point that you supplied it.
- Processed Lawfully, Fairly and Transparently – the Trust operates a clear and transparent approach to obtaining and processing data (without any hidden objective or motive) while complying with the law at all times.
- Stored For No Longer Than Necessary and Securely – all personal data is held within the Trust for the minimum amount of time to enable the stated processing purposes to be performed. Electronic and hard copies of personal data are only available to authorised Trust employees to perform these tasks. All personal data is held securely, requiring key access and/or electronic password access using industry standard software. Computer systems comply with the Trust’s ICT security standards, and consumer payment systems comply with the industry’s PCI DSS compliance standards. Backups of essential personal data will be completed at regular intervals with a copy retained in fireproof receptacles or held securely off site.
- Right to Access Or Amend Your Personal Data – you have the right, on written request (and without charge), to receive an electronic copy of the information that the Trust holds about you. You also have the right to demand that any inaccurate data be corrected and to apply any processing restrictions to it. Any of these rights can be exercised by contacting the Trust’s Data Protection Contacts.
- The Right to Be Forgotten – a data subject has the right ‘to be forgotten’ at any time. This means that you have the right to have your information securely destroyed at any time unless another superior legal or contractual obligation takes precedence. We have set standard retention periods for different kinds of personal data (see our Data Retention Policy) and, if you do not make a ‘request to be forgotten’, your information will be routinely deleted when the relevant retention period is reached. Printed copies of any information will be confidentially shredded or, if in a larger volume, sent away for confidential disposal (using a commercial secure disposal service) and a certificate of destruction will be retained by the Data Protection Officer.
Our Legal Bases for Collecting and Processing Personal Data
The type and amount of information we collect depends on why you are providing it. The Trust complies with the legal bases set out in the GDPR, as relevant and as legally obligated, which set out a number of different reasons for an organisation to legitimately collect and process data. You will always be made aware of these reasons when we collect and process your data.
These bases include:
- Explicit Consent – where personal data is collected (e.g. when you sign up to receive a newsletter) in a non-contractual context, the Trust prefers to provide clear information enabling you to sign up by ‘ticking’ a box in agreement, then collecting your personal data in a familiar way.
- Contractual – to enable us to book courses or meeting facilities we require your information to maintain contact, to enable us to make arrangements and process payment, and for a period thereafter for tax and legal purposes. We collect this in a contractual form, providing clear information in a prominent position in booking processes and terms and conditions. Your agreement to this is recognised by your signature or online booking confirmation.
What, How and Where We Collect Personal Data
We collect personal data from you:
- When you explicitly consent to it for specific purposes e.g. to receive a newsletter.
- When we are required to fulfil a contract we have with you e.g. as an employer or for supplying room hire.
- When it is our legal duty e.g. supplying accounting information to HMRC, or serious incident reports to HSE.
- When it is in our legitimate interest i.e. when there is a clear reason to use your data that doesn’t unfairly impact what is right and best for you. Whenever we rely on our legitimate interest, we will tell you what it is e.g. course tutor’s contact details may be given to course participants as well as used for individual contact purposes.
- We have supplementary documentation which outlines in detail all the ways we collect and use your data which can be made available on request.
Who Has Access To Your Information
Unless we have a legal obligation otherwise, only trained staff members, volunteers or supporting religious sisters process your personal information.
In certain specified circumstances, where your explicit consent is given, your personal data may also be processed and held by approved training course tutors, spiritual directors, prayer guides and supervisors.
Where we have a legal duty and obligation to do so, your data may be required to be shared with relevant statutory bodies.
How We Keep Your Information Safe
Trust staff members are trained to be compliant with GDPR guidelines by adopting the following procedures:
- We only confirm confidential personal data to ‘data subjects’ after completing verification checks. We do not provide information to family members of the ‘data subject’ without the data subject’s explicit (i.e. in writing) and verifiable consent.
- Our staff members are very aware that fraud and deception methods are used in order to gain access to personal data and, under certain circumstances, may choose to send information directly to the contact details that the Trust holds on file.
- Personal data is only e-mailed if a secure network (e.g. that incorporates encryption technology) is in place.
- Our online booking systems are professional industry standard software systems that use encryption solutions to protect your personal information and identity.
- Our staff members are trained to securely and respectfully process your data and keep it confidential at all times. All staff have confidentiality clauses in their contracts and would be subject to disciplinary procedures if any personal data whatsoever was divulged.
- When discussing information of a sensitive nature with you, a staff member may suggest you continue your conversation in a private room.
- All personal data is kept securely, either locked away if paper based, or if computerised, behind industry standard password protected systems. We do not leave personal data unattended on desks or in unlocked offices.
Keeping Your Information Up To Date
We welcome your help in keeping your details up to date.
We are pleased to have supporters of all ages and occasionally receive students below the age of 16 on educational placements. Where appropriate we ask for consent from a parent or guardian to collect information about any relevant health or dietary issues which may be important for the well-being of a student on placement.
How Long We Keep Your Information
Our approach is to hold your information for as short a time as possible. However, for contact and taxation reasons, where we have legal obligations, this will usually be for as long as the relevant activity requires it. For example, for donations we have a statutory obligation to retain information for 6 years for tax purposes.
Making A Complaint
If you are unhappy with the way in which we have processed or dealt with your information then please contact the Data Protection Contacts who will seek to rectify your complaint immediately. You can also complain to the Information Commissioner’s Office (ICO) via the ICO website or by calling 0303 123 1113.