9.1 Safeguarding
The diocese has a legislative duty to protect children and adults from abuse, both on and off church premises, whilst they are under our care. This includes community facilities, residential centres and the homes of adult leaders and helpers. The Children’s Act 1989 (and subsequent amendments) and the Care Act 2014 (and subsequent amendments) both place legal obligations on staff and clergy to report abuse. The Church Representation Rules require that due regard be paid to the safeguarding of adults and children; failure to comply with safeguarding requirements can result in disciplinary action and may constitute an offence. The diocese has a Safeguarding Policy in place that can be located and downloaded online from the following address: lichfield.anglican.org/safeguarding_resources/.
The Policy provides information on what constitutes abuse and how to report concerns.
Diocesan personnel (paid or voluntary) who, in the course of their duties, are likely to have contact with children or adults with vulnerabilities are required to have an enhanced disclosure check carried out by the Disclosure and Barring Service (DBS). Staff requiring such checks will likely need to undertake safeguarding training appropriate to their role; this can be booked online via the diocese website.
9.2 Data protection
(Note that any references to staff in this section include employees, volunteers and trustees.)
Lichfield Diocesan Board of Finance (LDBF) collects and uses information (data) about people with whom it communicates. This personal information must be dealt with properly and securely however it is collected, recorded and used – whether on paper, in a computer, or recorded on other material – and there are safeguards to ensure this in the General Data Protection Regulation (GDPR). This means that staff should ensure that all personal information is kept securely in locked filing cabinets. Papers containing personal information should not be left on desks when staff are not in the office. All IT equipment should be secured by passwords in accordance with the diocesan IT Policy and Guidelines which should be read in conjunction with this.
Personal information is key to the successful and efficient performance of the LDBF functions and the trust of those whose personal data we hold is vital. It is therefore imperative that staff adhere to the Principles of Data Protection, as set out in the General Data Protection Regulation (GDPR).
Failure to adhere to the General Data Protection Regulation (GDPR) is unlawful and could result in legal action being taken against Lichfield Diocesan Board of Finance or its staff, volunteers or trustees.
The General Data Protection Regulation (GDPR) regulates the processing of information relating to living and identifiable individuals (data subjects). This includes the obtaining, holding, using or disclosing of such information, and covers computerised records as well as manual filing systems and card indexes.
All staff are expected to undertake training on Data Protection which is arranged by the diocesan Data Protection Officer (DPO).
Staff are given access to the diocesan database (CMS) so that they can fulfil their roles. Training on the system is provided to all staff by the Database Manager. There are differing levels of access to CMS depending on the role that the staff member has and what information they need to access. For example, only those who need to be able to see DBS information have access to it.
Staff should also take time to read the diocesan Privacy Policy and be aware of its contents. This is available on the diocesan website.
Data users must comply with the data protection principles of good practice which underpin GDPR. To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully.
To do this LDBF follows the Data Protection Principles outlined in the GDPR, which are listed below:
1. Lawfulness, fairness and transparency
Personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
Transparency is achieved by keeping the individual informed and this should be done before data is collected and where any subsequent changes are made.
LDBF must have legitimate grounds for collecting the data and tell data subjects what they are going to use it for and with whom it will be shared. This is usually done in a privacy notice.
2. Purpose limitation
Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. In other words, the data can’t be used for a reason for which it was not given.
3. Data Minimisation
You can only collect the data you need for the purpose. You can’t collect data that isn’t needed for the reasons given in the privacy notice.
4. Accuracy
Personal data must be accurate and where necessary kept up to date.
5. Storage Limitation
Personal data must be kept in a form which allows identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed, i.e. you should regularly review the data you are holding and get rid of data that is no longer needed.
6. Integrity and Confidentiality
Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
It should be noted that LDBF has responsibility not just to comply with GDPR but also to be seen to comply (transparency).
The principles apply to “personal data”, which is information held on computer or in manual filing systems from which individuals are identifiable. Lichfield Diocesan Board of Finance’s employees, volunteers and trustees who process or use any personal information in the course of their duties will ensure that these principles are followed at all times.
The following procedures have been developed in order to ensure that Lichfield Diocesan Board of Finance meets its responsibilities in terms of Data Protection. For the purposes of these procedures data collected, stored and used by Lichfield Diocesan Board of Finance falls into 2 broad categories:
- Lichfield Diocesan Board of Finance’s internal data records: staff, volunteers and trustees
- Lichfield Diocesan Board of Finance’s external data records: members, customers, clients
Lichfield Diocesan Board of Finance as a body is a Data Controller under the GDPR, and the Bishop’s Council is ultimately responsible for the policy’s implementation.
Internal data records
Purposes
Lichfield Diocesan Board of Finance obtains personal data (names, addresses, phone numbers, email addresses), application forms, references and, in some cases, other documents from staff, volunteers and trustees. This data is stored and processed for the following purposes:
- Managing the day to day running of the diocese and delivery of services
- Recruitment
- Equal Opportunities monitoring
- Volunteering opportunities
- To distribute relevant organisational material e.g. meeting papers
- Payroll
Accuracy
LDBF will take reasonable steps to keep personal data up to date and accurate. Personal data will be stored for 6 years after an employee, volunteer or trustee has worked for the organisation and brief details may be retained for longer (see Appendix A) only if there is a valid reason for doing so. The CEO has responsibility for destroying personnel files.
External data records
Purposes
Lichfield Diocesan Board of Finance obtains personal data (such as names, addresses, and phone numbers) from members/clients. This data is obtained, stored and processed solely to assist staff and volunteers in the efficient running of services. Personal details supplied are only used to send material that is potentially useful. Most of this information is stored on the organisation’s database known as CMS.
Lichfield Diocesan Board of Finance obtains personal data and information from clients and members in order to provide services. This data is stored and processed only for the purposes outlined in the agreement and service specification signed by the client/ member. Explicit consent should be obtained before sending any materials which could be considered marketing (e.g. diocesan Bulletin emails).
Consent
Personal data is collected over the phone and using other methods such as email. During this initial contact, the data owner is given an explanation of how this information will be used. Written consent is not requested as it is assumed that the consent has been granted when an individual freely gives their own details.
Personal data will not be passed on to anyone outside the organisation without explicit consent from the data owner unless there is a legal duty of disclosure under other legislation, in which case the Director will discuss and agree disclosure with the Chair/ Vice Chair. Contact details held on the organisation’s database may be made available to groups/ individuals outside of the organisation. Individuals are made aware of when their details are being collected for the database and their verbal or written consent is requested.
Accuracy
Lichfield Diocesan Board of Finance will take reasonable steps to keep personal data up to date and accurate. Personal data will be stored for as long as the data owner/ client/ member uses our services and normally longer. Where an individual ceases to use our services and it is not deemed appropriate to keep their records, their records will be destroyed or deleted according to the schedule in Appendix A.
If a request is received from an organisation/ individual to destroy their records, we will remove their details from the database and request that all staff holding paper or electronic details for the organisation destroy them. This work will be effected by the Data Protection Officer. If a member of staff receives a request for deletion from an individual/organisation they should notify the DPO immediately.
This procedure applies if Lichfield Diocesan Board of Finance is informed that an organisation ceases to exist.
Disclosure and Barring Service
Lichfield Diocesan Board of Finance will act in accordance with the DBS’s code of practice.
Copies of disclosures are not kept. Details of DBS checks (date and certificate number only) are held on the diocesan database.
Both internal and external data records
Access
Only the organisation’s staff, volunteers and trustees have access to personal data. All staff, volunteers and trustees are made aware of the Data Protection Policy and their obligation not to disclose personal data to anyone who is not supposed to have it.
Information supplied is kept in secure paper and electronic filing systems and is only accessed by those individuals involved in the delivery of the service.
Information will not be passed on to anyone outside the organisation without their explicit consent, excluding statutory bodies e.g. the Inland Revenue.
Individuals, including staff, volunteers and trustees, will be supplied with a copy of any of their personal data held by the organisation if a request is made.
All confidential post must be opened by the addressee only.
Storage
Personal data may be kept in paper-based systems and on a password-protected computer system. Paper-based data are stored in organised and secure (lockable) systems.
LDBF operates a clear desk policy at all times – this means that no personal data will be left on unattended desks.
Use of Photographs
Where practicable, Lichfield Diocesan Board of Finance will seek consent of members/ individuals before displaying photographs in which they appear. If this is not possible (for example, a large group photo), the organisation will remove any photograph if a complaint is received. This policy also applies to photographs published on the organisation’s website or in Spotlight.
Responsibilities of staff, volunteers and trustees
During the course of their duties with Lichfield Diocesan Board of Finance, staff, volunteers and trustees will be dealing with information such as names, addresses, phone numbers and email addresses of members, clients and volunteers. They may be told or overhear sensitive information while working for Lichfield Diocesan Board of Finance. The GDPR gives specific guidance on how this information should be dealt with. In short, to comply with the law, personal information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. Staff, paid or unpaid, must abide by this policy.
To help staff, volunteers and trustees meet the terms of the GDPR, a Data Protection policy has been produced. Training on data protection is provided for all staff.
Compliance
Compliance with GDPR is the responsibility of all staff, paid or unpaid. LDBF will regard any unlawful breach of any provision of the Act by any staff, paid or unpaid, as a serious matter which will result in disciplinary action. Any employee who breaches this policy statement will be dealt with under the disciplinary procedure which may result in dismissal for gross misconduct. Any such breach could also lead to criminal prosecution.
Any questions or concerns about the interpretation or operation of this policy statement should in the first instance be referred to the line manager.
Retention of Data
No documents will be stored for longer than is necessary. For guidelines on retention periods see the Data Retention Schedule (Appendix A).
All documents containing personal data will be disposed of securely in accordance with the Data Protection principles.
How this relates to your job
- Do not let unauthorised persons have access to personal data, or even a glimpse of your screen;
- Keep your passwords secure;
- Do not leave your computer without logging off;
- Lock away any storage media, print-outs etc. when you leave your office unattended;
- Do not take home computer print-outs as 'scrap';
- If you receive a request for personal data to be provided under GDPR, you should clearly establish the identity of the person making the request, if necessary by asking for the caller's name, position and telephone number, and refer the matter to the DPO before disclosing the information requested;
- Under GDPR, individuals can request a copy of the personal data which LDBF holds for them. Any such requests should be forwarded to the DPO immediately on receipt so that LDBF can meet the strict deadlines which apply to such subject access requests;
- All work should be saved on the appropriate servers and not on C or local drives.
9.3 Relationship with the media
The diocese treats its relationship with the local and national media very seriously; to support this it has appointed a specialist diocesan officer to be its primary spokesperson. People receiving requests for information or comment on Church issues from members of the media (newspapers, radio, television and the like) should therefore, in the first instance, direct all such requests to the Director of Communications.
If queries arise from requests from the media due, say, to the lack of availability of the Communications Director, these should be directed to the CEO. Under no circumstances should employees make any comment to the media without the express permission of either the Communications Director or the CEO.