Data Protection Policy

Saint Paul’s Hammersmith Church is committed to protecting and respecting privacy. This statement explains when and why the church collects personal information about people who visit, connect with us on social media or through our website, how we use it, the conditions under which it may be disclosed to others and how it is kept securely.  

The church will review/update this statement if necessary. By using our website, attending on Sundays or connecting with the church through any other available touchpoint the church takes this as an implicit agreement to be bound by this statement and data protection policy. 

Who are we? 

Saint Paul’s Church is a church in Hammersmith, London. It is a member of the Church of England, in the Diocese of London.  

The collection of personal information 

Personal information is obtained when someone engages with the website, signs up for an event or group, registers a child for a kids group, gives financially or applies for a paid or volunteer position with the church.  

What type of information is collected?

The personal information gathered by the church will usually include:  

  • first and last names 

  • DOB 

  • postal address 

  • email address 

  • phone / mobile numbers 

  • attendance information at events, groups and meetings 

  • IP address 

  • Marital status 

  • Demographic information 

Using management information tools on ChurchSuite, we may analyse personal information to understand demographics of those within the church, including address information. We do this to ensure that the charitable objectives of the church are being met and that what we provide is relevant for all types of people. 

How is the information used?

As a church, we hold records of the people in our congregation, volunteers, guests and service users and use this information to coordinate church activities and to keep people informed of things happening in the life of the church.   

Saint Paul’s Hammersmith Church collects and processes information for the following reasons: 

  • To enable us to meet all legal and statutory obligations (which include maintaining and publishing our Electoral Roll in accordance with the Church Representation Rules); 

  • To carry out comprehensive safeguarding procedures in accordance with best safeguarding practice from time to time with the aim of ensuring that all children and adults-at-risk are provided with safe environments; 

  • To minister to you and provide you with pastoral and spiritual care (such as visiting you if you are gravely ill or bereaved) and to organise and perform ecclesiastical services for you, such as baptisms, confirmations, weddings and funerals; 

  • To deliver the Church’s mission to our community, and to carry out any other voluntary or charitable activities for the benefit of the public as provided for in the constitution and statutory framework of each data controller; 

  • To administer the parish, deanery, archdeaconry and diocesan membership records; 

  • To fundraise and promote the interests of the Church and charity; 

  • To maintain our own accounts and records; 

  • To process a donation that you have made (including Gift Aid information); 

  • To seek your views or comments; 

  • To notify you of changes to our services, events and role holders; 

  • To send you communications which you have requested and that may be of interest to you. These may include information about campaigns, appeals, other fundraising activities; 

  • To process a grant or application for a role; 

  • To enable us to provide a voluntary service for the benefit of the public in a particular geographical area as specified in our constitution; 

  • Our processing also includes the use of CCTV systems for the prevention and prosecution of crime. 

Who has access to the information?

This Privacy Notice is provided to you by the Parochial Church Council (PCC) of Saint Paul’s Hammersmith, which is the data controller for your data. The Church of England is made up of a number of different organisations and officeholders who work together to deliver the Church’s mission in each community. The PCC works together with: 

  • the incumbent of the parish (that is, our vicar) 

  • the bishops of the Diocese of London 

  • the London Diocesan Fund, which is responsible for the financial and administrative arrangements for the Diocese of London. 

As the Church is made up of all of these persons and organisations working together, we may need to share personal data we hold with them so that they can carry out their responsibilities to the Church and our community. The organisations referred to above are joint data controllers. This means we are all responsible to you for how we process your data. 

Each of the data controllers have their own tasks within the Church and a description of what data is processed and for what purpose is set out in this Privacy Notice. This Privacy Notice is produced by the PCC on our own behalf and on behalf of each of these data controllers. In the rest of this Privacy Notice, we use the word “we” to refer to each data controller, as appropriate. 

All employed staff and essential volunteers at the church have access to the personal information held in the church’s contact management systems. They have all been made aware of the legal requirements of General Data Protection Regulation (“GDPR”) and will abide by them when dealing with the personal information collected by the church. 

Managing debit and credit card information

Third party service providers

We may pass your information to a third party associated organisation for the purposes of completing tasks and providing services to you on our behalf. However, when we use third party service providers, we disclose only personal information that is necessary to deliver the service. The church will not release information to third parties, unless it has been requested, or we are required to do so by law, for example, by a court order or for the purposes of prevention of fraud or other crime. 

One-off and regular donations and event ticketing

If a donation is made or a ticket purchased (by completing a gift envelope, when using the online payment system or when purchasing event tickets) card information is not held by the church. It is collected by third-party payment processors, who specialise in the secure online capture and processing of credit/debit card transactions.  

Gift Aid declarations, attendance and children’s registration

The church is legally required to hold some types of information to fulfil our statutory obligations. 

In order for the church to be able to claim Gift Aid on donations, the church is required to keep a record of the information and permission granted by the giver. This information is held on ChurchSuite and is only accessible by a limited number of employees of the church.  

The church also takes a weekly count of the number of people (including children) in attendance and this information is stored electronically. This is anonymous and names are not recorded.  

16 or Under

The church registers all children whose parents have opted in to involve them in the children’s ministry. This process forms part of the church’s safeguarding policy and we will hold this information on the system as long as is necessary according to the Diocese of London. Parents can ask for their child’s details to be removed from the database at any point.  

We are committed to protecting the privacy of children aged 16 or under. Parents/guardians must grant permission whenever personal information is provided. 

ChurchSuite – data management system

ChurchSuite is the data management system used by the church to host and process all personal information of guests and members of the church upon receipt of a completed Connect Card, sign-up to an event or sharing of information online or in person.  

ChurchSuite is a cloud-hosted, web-based management system which complies with the principles of GDPR. 

Below is a section of the ChurchSuite privacy policy: 

“Maintaining the security of your data is one of our highest priorities, and to this end, all access to ChurchSuite is over an SSL (https://) connection, which provides 256-bit military grade encryption to ensure that all data in transit between your web browser and ChurchSuite is fully encrypted. 

Where we are required to store any usernames or passwords for third-party integrations, such as social media or communication channels, we will always encrypt these details before they are stored on our servers. 

Once we have received any data and stored it on our servers, we make commercially reasonable efforts to ensure its security on our system. To this end, we have chosen to host our ChurchSuite servers in a data centre that meets some of the strictest of industry security requirements, and is classified as a Tier 2 data centre. 

Unfortunately, no data transmission over the Internet can be guaranteed to be 100% secure, so whilst we strive to protect your personal information, unfortunately we cannot warrant the security of any information you transmit to us.” 

Your legal rights

You have the right to: 

1.The right to access information we hold on you 

  • At any point you can contact us to request the information we hold on you as well as why we have that information, who has access to the information and where we obtained the information from. Once we have received your request we will respond within one month. 

  • There are no fees or charges for the first request but additional requests for the same data may be subject to an administrative fee. 

2. The right to correct and update the information we hold on you 

  • If the data we hold on you is out of date, incomplete or incorrect, you can inform us and your data will be updated. 

3.The right to have your information erased 

  • If you feel that we should no longer be using your data or that we are illegally using your data, you can request that we erase the data we hold. 

  • When we receive your request we will confirm whether the data has been deleted or the reason why it cannot be deleted (for example because we need it for our legitimate interests or regulatory purpose(s)). 

4.The right to object to processing of your data 

  • You have the right to request that we stop processing your data. Upon receiving the request we will contact you and let you know if we are able to comply or if we have legitimate grounds to continue to process your data. Even after you exercise your right to object, we may continue to hold your data to comply with your other rights or to bring or defend legal claims. 

5.The right to data portability 

  • You have the right to request that we transfer some of your data to another controller. We will comply with your request, where it is feasible to do so, within one month of receiving your request. 

6.The right to withdraw your consent to the processing at any time for any processing of data to which consent was sought. 

  • You can withdraw your consent easily by telephone, email, or by post (see Contact Details below). 

7.The right to object to the processing of personal data where applicable. 

8.The right to lodge a complaint with the Information Commissioner’s Office.

Transfer of Data Abroad

Any electronic personal data transferred to countries or territories outside the EU will only be placed on systems complying with measures giving equivalent protection of personal rights either through international agreements or contracts approved by the European Union. Our website is also accessible from overseas so on occasion some personal data (for example in a newsletter) may be accessed from overseas. 

COntact Details

To contact us with any questions about this Privacy Notice or the information we hold about you or to exercise all relevant rights, queries or complaints email parish@sph.org

You can contact the Information Commissioners Office on 0303 123 1113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF