PRIVACY NOTICE
The Auld Kirk of Ayr
Scottish Charity No SC016648
The Kirk Session of The Auld Kirk of Ayr, Scottish Charity Number SC016648, is providing you with this Privacy Notice in order to comply with data protection law and to ensure transparency in the collection and use of your personal data.
Who is collecting the information
The Presbytery of South West Scotland, Scottish Charity Number SC020676, is the Data Controller for the Congregation. Brian McInroy is the Data Protection Coordinator for the Congregation of The Auld Kirk of Ayr.
Why is this personal data collected and for what reason (Purpose)
This information is used to:
- administer membership records, including the Communion/Supplementary Rolls;
- enable pastoral care
- enable participation in Congregational activities
- provide you with information in relation to news, events, and activities within the Congregation or the wider Church of Scotland
- provide the services of a parish church to the local community
- fulfill legal obligations
- further charitable aims, for example through fundraising activities
- maintain accounts and records (including the processing of Gift Aid applications);
- comply with safeguarding obligations, including the protection of vulnerable groups scheme
- maintain a directory of contact details
- further the prevention and detection of crime [if CCTV is not in place/used then delete this bullet point]
What personal data is collected
Personal data will include only what is necessary to fulfill the purposes listed. For most members it will only include name, address and contact details supplied.
- Name
- Address
- Telephone number
- Mobile number
- Date of Birth
- Email address
- Bank details (for Gift Aid and fundraising purposes)
- Children’s data (for example, but not limited to, where required for Junior Church, holiday clubs or baptism)
- Role in congregation (e.g. office-bearer information)
- Health-related information
- Photographs and videos (where applicable)
- Safeguarding information, including Covenant of Responsibilities
- Religious beliefs are collected by implication by being a church member
The information source
The information is collected directly from you. Some data is collected via the Presbytery or the National Offices.
The lawful basis for the processing
The Congregation processes special category (sensitive) data under UK GDPR Article 9(2)(d): “processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects”.
For the other processing activities, the lawful bases are:
- UK GDPR Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject”.
- Article 6(1)(f) “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”.
- Article 6(1)(a) “the data subject has given consent to the processing of his or her personal data for one or more specific purposes”. This is specific to safeguarding purposes and Sunday School and other related activities dealing with children. Consent will be sought from parents/guardians for processing a child’s personal data.
Who data is shared with
Your personal information will only be shared where this is necessary for the purposes set out above. Information will not be shared with any third party outwith the Church of Scotland without your consent unless the Congregation is obliged or permitted to do so by law.
How long the personal data is held for
The Congregation will keep your personal information for as long as you are a member or adherent, or have regular contact with the Congregation, or for as long as the Congregation is obliged to keep it by law or may need to do so in order to respond to any questions or complaints, or to show that the Congregation treated you fairly. When the information is no longer needed it will be securely destroyed following church procedure. Further information about our retention and disposal schedule is available on the Auld Kirk website, ayrauldkirk.co.uk.
Individuals’ rights in relation to this processing
Under data protection laws, individuals have a number of rights in relation to the processing of their personal data. These rights are as follows:
- The right to be informed – this privacy notice meets that right.
- The right of access – this means you have the right to have access to, or receive copies of, personal data held by the organisation
- The right to rectification – this means you have the right to correct incomplete or inaccurate data held about you
- The right to erasure – this means you have the right to have your data deleted from an organisation’s records.
- The right to restrict processing – this means you have the right to restrict processing. This right is normally used with other rights, e.g. rectification
- The right to data portability – this means you have the right to request your data in a machine-readable format (e.g. a .csv file) and transfer this to another organisation
- The right to object – this means you have the right to object to how your data is processed
- Rights in relation to automated individual decision making, including profiling – the Church does not carry out this type of processing.
Not all rights apply and it depends on the lawful basis as to what rights do apply.
For the processing purposes of this privacy notice, when the lawful basis is legal obligation the right of erasure, right to data portability and the right to object do not apply. All other rights do apply. For the processing purposes of this privacy notice when the lawful basis is legitimate interests, all rights apply except for data portability. If you wish to exercise any of your rights please contact the Data Protection Coordinator for The Auld Kirk of Ayr, Brian McInroy or Alice O’Sullivan, Data Protection Officer, The Church of Scotland.
If any processing is carried out on the basis of consent it is important to note that you can withdraw your consent at any time. To do this please contact Brian McInroy.
Complaints to the Church of Scotland
If you are concerned about how your personal data is being used by the Church of Scotland, please contact – in the first instance – the Data Protection Coordinator for The Auld Kirk of Ayr, Brian McInroy or Alice O’Sullivan, Data Protection Officer for The Church of Scotland at Privacy@churchofscotland.org.uk if required.
Complaints to the Information Commissioner’s Office (ICO)
If you are not satisfied with the outcome of your complaint to the Church of Scotland, a referral can be made to the UK regulator of data protection, the Information Commissioner’s Office (ICO).
The ICO has guidance on their website: https://ico.org.uk/your-data-matters/raising-concerns/
The ICO can be contacted by email casework@ico.org.uk or by telephone on 0303 123 1113.
Alternatively, their postal address is:
Customer Contact
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF
Further information
If you would like further information in relation to this Privacy Notice please contact the Church of Scotland Data Protection Officer at Privacy@churchofscotland.org.uk.
Privacy Notice – Employees
The Auld Kirk of Ayr
Scottish Charity No SC016648
The Kirk Session of The Auld Kirk of Ayr, Scottish Charity Number SC016648 is providing you with this Privacy Notice in order to comply with data protection law and to ensure transparency in the collection and use of your personal data.
Who is collecting this information
The Presbytery of the South West, Scottish Charity Number SC020676 is the Data Controller for the Congregation. Brian McInroy is the Data Protection Coordinator for the Congregation of The Auld Kirk of Ayr.
Why this personal data is collected and for what reason (Purpose)
The congregation collects and processes your personal data for employment purposes. Processing employee data allows the Congregation to:
- run recruitment processes including promotion processes
- maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency) and records of employee contractual and statutory rights
- operate and keep a record of disciplinary and grievance processes in order to ensure acceptable conduct within the workplace
- operate and keep a record of employee performance and related processes in order to plan for career development, succession planning and workforce management
- operate and keep a record of absence and absence management procedures in order to allow effective workforce management and ensure that employees are receiving pay or other benefits to which they are entitled
- obtain occupational health advice in order to ensure compliance with duties in relation to individuals with disabilities, comply with health and safety law and ensure that employees are receiving pay or other benefits to which they are entitled
- operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave) in order to allow effective workforce management, ensure compliance with duties in relation to leave entitlement and to ensure that employees are receiving pay or other benefits to which they are entitled;
- ensure effective business administration
- provide references on request for current or former employees
- respond to and defend against legal claims and
- maintain and promote equality in the workplace.
What personal data is collected
The Congregation collects and processes a range of information about you. This includes:
- name, address, date of birth, gender and contact details (including email address and telephone number);
- the terms and conditions of your employment
- your qualifications, skills, experience and employment history including start and end dates of previous employment and employment within the organisation
- information about remuneration, including entitlement to benefits such as pensions, childcare vouchers or insurance cover
- your bank account and national insurance number
- information about your marital status, next of kin, dependants and emergency contacts;
- information about your nationality and entitlement to work in the UK
- information about any criminal record you may have
- details of your schedule (days of work and working hours) and attendance at work
- details of periods of leave taken by you including holiday, sickness absence, family leave and sabbaticals, and the reasons for the leave
- details of any disciplinary or grievance procedures in which you have been involved including any warnings issued to you and related correspondence
- assessments of your performance including appraisals, performance reviews/ratings, training you have participated in, performance improvement plans and related correspondence
- information about medical or health conditions including whether or not you have a disability for which the organisation needs to make reasonable adjustments
- details of trade union membership and
- equal opportunities monitoring information including information about your ethnic origin, sexual orientation, health and religion or belief.
Some of this data is special category (sensitive) personal data and therefore additional safeguards are put in place to protect this data further. Special category data is defined as racial/ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health data, genetic data, biometric data, sex life, sexual orientation.
The information source
The information is collected in a variety of ways. Some information is collected directly from you. Other sources can include third parties for references, PVG checks with Disclosure Scotland, application forms, CVs or resumes, passport or other identity documents such as driving licence, from forms completed by you at the start of or during employment, correspondence with you or through interviews, meetings or other assessments.
The Congregation may also collect personal data about you from third parties, such as references supplied by former employers and, where applicable, information from criminal records checks permitted by law.
The lawful basis for processing
The lawful basis for processing for employment purposes is UK GDPR Article 6(1)(b) “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”.
There are some aspects of processing where the lawful basis is UK GDPR Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject”. This is in relation to checking employees’ right to work in the UK, tax deduction, health and safety and criminal records check/PVG to ensure that individuals are permitted to undertake the role in question.
Where special category (sensitive) personal data is involved, the lawful basis for processing is UK GDPR Article 9(2)(b) “processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by domestic law or a collective agreement pursuant to domestic law providing for appropriate safeguards for the fundamental rights and the interests of the data subject”.
Who the information is shared with
Your information will be shared internally, including with members of the Kirk Session, your line manager, Presbytery and the National Office.
The Congregation may share your data with third parties in order to obtain pre-employment references from other employers and obtain necessary criminal records checks from Disclosure Scotland.
How long the personal data is held for
The Congregation will hold your personal data for the duration of your employment. The periods for which your data is held after the end of employment are set out in the Retention and Disposal Schedule available on the Auld Kirk website, ayrauldkirk.co.uk.
Individuals’ rights in relation to this processing
Under data protection laws, individuals have a number of rights in relation to the processing of their personal data. These rights are as follows:
- The right to be informed – this privacy notice meets that right.
- The right of access – this means you have the right to have access to, or receive copies of, personal data held by the organisation.
- The right to rectification – this means you have the right to correct incomplete or inaccurate data held about you.
- The right to erasure – this means you have the right to have your data deleted from an organisation’s records.
- The right to restrict processing – this means you have the right to restrict processing. This right is normally used with other rights, e.g. rectification.
- The right to data portability – this means you have the right to request your data in a machine-readable format (e.g. a .csv file) and transfer this to another organisation.
- The right to object – this means you have the right to object to how your data is processed.
- Rights in relation to automated individual decision making, including profiling – the Church does not carry out this type of processing.
Not all rights apply and it depends on the lawful basis as to what rights do apply. For the processing purposes of this privacy notice the right to object does not apply. All other rights do apply. If you wish to exercise any of your rights please contact the Data Protection Coordinator for the Auld Kirk of Ayr, Brian McInroy OR the main contact for queries in relation to this processing, Alice O’Sullivan, Data Protection Officer for the Church of Scotland accordingly.
Complaints to the Church of Scotland
If you are concerned about how your personal data is being used by the Church of Scotland, please contact – in the first instance – the Data Protection Coordinator for the Auld Kirk of Ayr, Brian McInroy OR the Church of Scotland Data Protection Officer at Privacy@churchofscotland.org.uk, if required.
Complaints to the UK Information Commissioner’s Office (ICO)
If you are not satisfied with the outcome of your complaint to the Church of Scotland, a referral can be made to the UK regulator of data protection, the Information Commissioner’s Office (ICO).
The ICO has guidance on their website: https://ico.org.uk/your-data-matters/raising-concerns/
The ICO can be contacted by email casework@ico.org.uk or by telephone on 0303 123 1113.
Alternatively, their postal address is:
Customer Contact
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF
Further information
If you would like further information in relation to this Privacy Notice please contact the Church of Scotland Data Protection Officer at Privacy@churchofscotland.org.uk.
This Privacy Notice may be updated from time to time to reflect changes in legal requirements or other operational reasons. The latest version will always be available from the Presbytery of the South West, Scottish Charity Number SC020676. The main contact for queries in relation to this processing is the Church of Scotland Data Protection Officer at Privacy@churchofscotland.org.uk.
The Auld Kirk of Ayr
Scottish Charity No SC016648
DATA RETENTION POLICY
1. Introduction
1.1. Church of Scotland congregations gather personal information from individuals and external organisations as well as generating a wide range of personal data, all of which is recorded in documents and records, both in hard copy and electronic form.
1.2. Examples of the types of information accumulated and generated are set out in Appendix 1 of this policy and include but are not limited to minutes of Kirk Session meetings; membership rolls; baptismal information; employment records; newsletters and other communications such as letters and emails.
1.3. In certain circumstances it will be necessary to retain documents to meet legal requirements and for operational needs. Document retention is also required to evidence agreements or events and to preserve information.
1.4. It is however not practical or appropriate for congregations to retain all records. Additionally, data protection principles require information to be as up to date and accurate as possible. It is therefore important that congregations have in place systems for the timely and secure disposal of documents that are no longer required.
1.5. This Data Retention Policy was adopted by the Congregation on [insert date] and will be implemented on a day to day basis.
2. Roles and Responsibilities
2.1. Congregational office bearers and those involved with safeguarding will adopt the retention and disposal guidance at Appendix 1 of this policy and strive to keep records up to date.
2.2. Advice will be obtained from the Law Department or Safeguarding Department of the Church Office at 121 George Street if there is uncertainty about retention periods.
3. Retention and Disposal Policy
3.1. Decisions relating to the retention and disposal of data should be guided by:-
3.1.1. Appendix 1 – Document Retention Schedule – Guidance on the recommended and statutory minimum retention periods for specific types of documents and records.
3.1.2. Appendix 2 – Quick Guide to document retention.
3.2. In circumstances where the retention period for a specific document or category of documents has expired, a review should be carried out prior to disposal and consideration should be given to the method of disposal.
4. Disposal
4.1. Documents containing confidential or personal information should be disposed of either by shredding or by using confidential waste bins or sacks. Such documentation is likely to include financial details, contact lists with names and addresses and pastoral information.
4.2. Documents other than those containing confidential or personal information may be disposed of by recycling or binning.
4.3. Electronic communications including email, Facebook pages, Twitter accounts etc. and all information stored digitally should also be reviewed and, if no longer required, closed and/or deleted so as to be put beyond use. This should not be done simply by archiving, which is not the same as deletion. It will often be sufficient simply to delete the information, with no intention of ever using or accessing it again, despite the fact that it may still exist in the electronic ether. Information will be deemed to be put beyond use if the Congregation is not able, or will not attempt, to use it to inform any decision in respect of any individual or in a manner that affects the individual in any way and does not give any other organisation access to it.
4.4. Deletion can also be effected by using one of the following methods of disposal:-
- Using secure deletion software which can overwrite data;
- Using the function of “restore to factory settings” (where information is not stored in a removable format);
- Sending the device to a specialist who will securely delete the data.
Appendix 1
Data Retention Schedule
This Schedule is provided as a guide to common types of documents but is not exhaustive.
NOTE: There may be an historic interest in the Congregation’s records. Kirk Session minutes are archived after 50 years. If you think that archiving other records is preferable to destruction, you should be in touch with the Department of the General Assembly, which will organise archiving where appropriate.
Avoid retaining information if there is no reason for doing so. Consult with the Law Department if you are unsure.
| RECORD | RETENTION PERIOD |
| --- | --- |
| Minutes of meetings | 6 years |
| Kirk Session meetings | 50 years – permanent. After 50 years pass the minutes to the principal clerk’s office, who then liaise with the National Records of Scotland for archiving. |
| Pre-employment enquiries/applications/notes/letters/references | 6 months after completion of recruitment (unless data to be retained for a future similar opportunity, in which case 1 year) |
| Safeguarding – Service confirmation of advice, emails, letters | 100 years |
| Safeguarding – Confidentiality Agreements | 100 years |
| Safeguarding – Covenants of Responsibility (managing those who pose a risk) | 100 years |
| Safeguarding – Risk Assessments | 100 years |
| Safeguarding – Complaints concerning people | 100 years |
| Safeguarding – Audit for Congregations and Presbyteries | 100 years |
| Congregational Roll | 100 years |
| Certificates of Transference/Lines | 100 years |
| Employee/appointments records including: contracts, time records etc | Duration of employment + 7 years |
| Volunteer records | Duration of placement + 7 years |
| Databases for mailing lists/distribution | Reviewed annually, delete out of date information |
| Miscellaneous contact information | Delete once there is no longer a requirement to hold such information |
| Arranged accommodation/placements (e.g. overseas visitors) | 3 years following end of event/placement |
| Documents relating to litigation or potential litigation | Until matter is concluded plus 7 years |
| Hazardous material exposures | 30 years |
| Injury and Illness Incident Reports (RIDDOR) | 5 years |
| Pension plans and retirement records | Permanent |
| Salary schedules; ranges for each job description | 2 years |
| Payroll Records | Minimum, 7 years. No maximum |
| Contracts | 7 years following expiration |
| Construction documents | Permanent |
| Fixed Asset Records | Permanent |
| Application for charitable and/or tax-exempt status | Permanent |
| Sales and purchase records | 5 years |
| Resolutions | Permanent |
| Audit and review workpapers | 5 years from the end of the period in which the audit or review was concluded |
| OSCR filings | 5 years from date of filing |
| Records of financial donations | 7 years |
| Accounts Payable and Receivables ledgers and schedules | 7 years |
| Annual audit reports and financial statements | Permanent |
| Annual plans and budgets | 2 years |
| Bank statements, cancelled cheques, deposit slips | Minimum of 7 years |
| Business expense records | 7 years |
| Cash/cheque receipts | 7 years |
| Electronic fund transfer documents | 7 years |
| Employee expense reports | 7 years |
| General ledgers | Permanent |
| Journal entries | 7 years |
| Invoices | 7 years |
| Petty cash vouchers | 7 years |
| Tax records | Minimum 7 years |
| Filings of fees paid to professionals | 7 years |
| Environmental studies | Permanent |
| Insurance claims/applications | Permanent |
| Insurance disbursements and denials | Permanent |
| Insurance contracts and policies (Directors and Officers, General Liability, Property, Workers’ Compensation) | Permanent |
| Leases | 7 years after expiration |
| Property/buildings documentation (including loan and mortgage contracts, title deeds) | Permanent |
| Warranties | Duration of warranty + 7 years |
| Records relating to potential, or actual, legal proceedings | Conclusion of any tribunal or litigation proceedings + 7 years |
Appendix 2
General guidance for documents NOT included in the retention schedule.
On-going business use is subjective, but generally refers to documents still required for on-going projects, or documents that may still need to be referred to for on-going activities.