THE PARISH OF WATH WITH BRAMPTON BIERLOW
PCC DATA PROTECTION POLICY 2024
(To be signed by PCC members, vergers and others who process data on behalf of the PCC)
- Background – The Parish of Wath with Brampton Bierlow (‘the Parish’) needs to collect
personal information about people with whom it deals in order to carry out its business,
meet its objectives and comply with legal obligations. These people include supporters,
employees, volunteers, parishioners (present, past and prospective). The information we
collect may be personal and /or sensitive in nature. No matter how it is collected, recorded
and used (e.g. on a computer or other digital media, on hard copy, paper or images
(including video or photographic) this information will be dealt with properly to ensure
compliance with the EU General Data Protection Regulation (GDPR). As an organisation we
are registered as a Data Controller with the Information Commissioner.
- Aims of this Policy – The aim of this policy is to ensure that everyone handling data is fully
aware of the requirements and acts in accordance with principles set out in GDPR.
- Scope – The scope of this policy includes employees, PCC members, and those with
designated roles to support the work of the PCC and, in some circumstances (e.g.
- Principles – In line with GDPR the Parish will comply with the following principles relating
to processing of personal data:
a. Processed lawfully, fairly and in a transparent manner.
b. Collected for specified, explicit and legitimate purposes and not further processed
in a manner that is incompatible with those purposes.
c. Adequate and relevant
d. Accurate and kept up to date
e. Kept in a form which only identifies the data subject for no longer than is
necessary for the purposes for which the personal data is required.
f. Processed in a secure manner.
g. The Controller shall be responsible for compliance.
- PCC Member Responsibilities – The PCC have ultimate responsibility but may delegate
key tasks to individuals. The Data Controller is the vicar as a member of the PCC.
- Delegated Responsibility – The PCC with delegated responsibility must ensure they:
a. Understand and communicate obligations under GDPR
b. Undertake a training needs analysis and provide training on this subject where
c. Provide clear lines of report and supervision for compliance.
d. Monitor compliance
e. Review the policy on a biennial basis.
f. Produce clear and effective procedures.
g. Carry our regular checks to monitor and assess new processing of personal data.
h. Set up computer systems to allow restricted access to certain areas.
- Employee and PCC members responsibilities – Those covered in the scope of this policy
must ensure not only that they understand this policy but that they comply with it by:
a. Observe all forms of guidance about data processing
b. Understand fully the purposes for which the Parish collects and uses personal
c. Collect and process appropriate information and only in accordance with the
purposes for which it is to be used by the Parish to meet its legal/service
d. Ensure the information is destroyed when no longer required
e. Be aware of the procedure for dealing with a Subject Access Request (SAR)
f. Not send any information outside the UK without the authority of the Data
g. Understand that breaches of the policy may result in penalties.
- Distribution Plan – This policy will be circulated to all new and existing employees, PCC
members and those with designated roles; they will be expected to read, understand and
sign acceptance of this policy.
- Procedure – Any personal and sensitive information will be treated as confidential, used
only for the purpose it was intended, stored securely and kept up-to-date where possible.
The following measures will be taken to ensure that personal information kept is accurate:
- Explain why it is needed and how their data is processed.
- By using reminders (Parish magazine, mailings, thank you letters) to people to ask
them to check their details.
- By encouraging people to tell us about changes to their details and providing a
telephone number, email address and website where changes can be
communicated. Information may take the form of hard (paper) and digital
(computer based) copies and includes (but not limited to):
- Registers of those involved with committees and groups
- Personnel records; PCC nomination forms
- Photographs, slides and videos
- Digital media (e.g. USB disc drives, removable memory sticks, website and other
- Gift aid records and bank data
- Lists (parish newsletter, parish register)
- Computerised records
- Data Security – The organisation will take steps to ensure that personal data is kept
secure at all times against unauthorised or unlawful loss or disclosure. The following
measures will be taken:
a. All paper copies covered within the scope of this policy will be stored in a locked
filing cabinet or cupboard with restricted access; on no account will paper records be
left in the vestry or other public places.
b. Passwords must be kept strictly confidential.
c. Electronic records will be stored on PCs/ laptops with appropriate virus guards.
Personal data to be emailed will be password protected.
d. If data is to be taken offsite electronically files must be transported on a password
protected encrypted data stick.
e. Use of shredder for all data to be disposed of.
f. If leaving the computer unattended with personal data on the screen, the PC will
be put in password-protected mode.
g. Report any breaches in this policy as soon as they occur to the Data Controller who
will decide on what action will be taken.
- Identifying Data Breaches – In accordance with ICO guidance data breach is defined as a
breach of security leading to accidental or unlawful destruction, loss, alteration,
unauthorised disclose of, access to, personal data. This includes breaches that are the result
of both accidental and deliberate causes. Personal data breaches can include:
- Access to data by an unauthorised third party
- Deliberate or accidental action (inaction) by a data controller
- Sending personal data to an incorrect recipient
- Computing devices containing personal data being lost stolen
- Alteration of personal data without permission
On notification of a possible or actual data breach the Data Controller will take steps to stop
the breach if still happening, assessment of the severity of the breach and plans about
The Data Controller may decide a report to the ICO is necessary.
A decision should also be taken as to whether to notify the data subject of the breach.
- Subject Access Request – Anyone whose personal information we process has the right
- What information we hold
- How we process it
- What we are doing to comply with GDPR
Any person wishing to exercise this right should notify the Data Protection Officer, Mr
Jonathon Henthorn via email at email@example.com or by post C/o The
Vicarage, Christchurch Road, Wath upon Dearne, Rotherham. S63 6NW.
Further information on rights to access your data are provided through the Church of
England website at National Church Institutions data protection – click here.
A copy of this document is held with the master copy in the policy file.
The new Health and Safety policy on the Diocese of Sheffield website (January 2022) makes
reference to ensuring that the accident report book complies with Data protection rules.
‘Recording Full details of all accidents, disease and dangerous occurrences should be
recorded using the Data Protection compliant HSE Accident Book. This is necessary for
monitoring purposes and is also a requirement of RIDDOR, as well as the Social Security
(Claims and Payments) Regulations 1979 and Social Security Administration Act 1992.’
We will ensure that the Parish has, and uses, the required HSE Accident book.
Signed ……John Campbell………………………………….
Date ………7th January 2024…………………….
Position on PCC ……Safeguarding Officer, Wath All Saints
This policy has been reviewed by Rev C Burton (Vicar) Jan ‘24
Next review date Feb ‘25