We, the Select Vestry of St Mary’s (Church of Ireland) Killarney [herein called “the parish”], are committed to protecting the privacy rights of individuals in relation to the processing of their personal data and confer rights on individuals as well as responsibilities on those processing personal data. This policy outlines our approach to compliance with the General Data Protection Regulation (GDPR) and all other relevant data protection legislation. This policy is effective as and from 1 January 2020.
The scope of this policy. This policy applies to all personal data created or received in the course of our work in all formats, across all time periods. This may be in paper, physical and electronic formats or communicated verbally in conversation or over the telephone. It applies to all locations where personal data is held by the parish and its data processors.
ROLES & REPSONSINBILITIES
The parish is a data controller. The parish commits to acting in a transparent manner and is responsible for determining the purposes and means of all data processing undertaken by and on behalf of: The Clergy; General Vestry; Select Vestry [aka the Trustees]; Employees, Contractors and volunteers. The Rector is responsible for answering questions in relation to this data protection policy and the parish’s approach to privacy. For any questions about this policy, including any request to exercise legal rights, please contact: the Rector by phone on (064) 663 1832 or using our info@... email address.
Definitions of Personal Data. Personal data is any information that can identify an individual either directly or indirectly in conjunction with other information. This includes a name, location data or a postal address, images or anything relating to the physical, religious or social identity of a person. Special categories of data can only be processed under specific circumstances and appropriate safeguards must be in place to protect this data. The parish may collect, use, store and transfer different kinds of personal information and use it for a variety of different purposes. This personal information may include: Address, email address, telephone numbers; Name, date of birth, PPSN, marital status, nationality; Occupation; Information concerning marital and family status; Information on physical or mental health, religious beliefs, criminal convictions / offences; Images from CCTV cameras in and surrounding premises the church building.
Data Protection Principles. The parish is responsible for complying with the following principles. Personal data should be: Processed lawfully, fairly and in a transparent manner; Collected for specified, explicit and legitimate purposes only; Adequate, relevant and limited to what is necessary; Accurate and, where necessary, kept up to date; Kept in a form which enables identification of data subjects for no longer than is necessary; Kept safe and processed in a manner that ensures appropriate security of the personal data.
Lawfulness of processing. The parish collects and uses personal information for a number of purposes and relies on a number of different legal bases to do this.
To enter into and perform a contract. The parish uses personal information to carry out our obligations arising from any contracts entered into between two parties or to take the necessary steps prior to entering into a contract including: To administer employment, financial or legal contracts; To pay for the services professionally provided to us; To provide other services as necessary.
To comply with our legal obligations. The parish is required to process personal information to comply with certain legal obligations which they are subject to including: Providing information to An Garda Siochana, the Revenue Commissioners and other Government bodies or agencies when required to do so by law; To verify personal information and to meet legal and compliance obligations; To carry out a statutory audit/inspection; Where a person has exercised one of their data rights, we will retain a copy of all correspondence to demonstrate our compliance with data protection legislation. Where a person has exercised one of their data rights and asked us not to contact them by email at a particular email address, for example, we will need to retain a copy of that email address in order to comply with the no-contact request.
For legitimate business interests. Where the parish processes personal information for our legitimate interests, the parish will ensure that there is a fair balance between their legitimate interest and the data subject’s fundamental rights and freedoms.
The parish may use personal information to manage the day to day running of the parish, including accounting, internal reporting needs, to ensure appropriate IT security and to prevent fraud, in our legitimate interest. Our legitimate interest is the effective management of the administrative functions of the parish. The parish may use personal information to communicate with a data subject, to update them on developments within the parish, diocese or wider Church of Ireland and invite data subjects to events that we feel may be of interest to them. Our legitimate interest is to connect with and update data subjects on services provided by the parish. The parish may process personal information, which includes the processing of special categories of personal data, where processing is carried out in the course of their legitimate activities on condition that the processing relates solely to data subjects who are members, former members or whom have previously been involved with the parish or are an employee and/or contracted staff member. The parish may use personal information to contact people who are in regular contact with them in connection with their purposes. The legitimate interests of the parish do not override a data subject’s interest. A data subject has the right, free of charge, to object to the parish using their personal information for legitimate interests. Objections should be made to the Rector by letter to The Rectory, Rookery Close, Killarney, V93 DPC3 or using our info@... email address.
For the establishment, exercise or defence of legal claims. The parish occasionally processes personal information, including sensitive personal information, such as information concerning health, religious or philosophical beliefs, criminal convictions / offences where it is necessary for the establishment, exercise or defence of legal claims.
Consent. The parish will, in certain circumstances, rely on explicit consent to process personal data, including sensitive personal data. Where we do, the data subject has the right to withdraw their consent at any time by letter to The Rectory, Rookery Close, Killarney, V93 DPC3 or using our info@... email address.
Vital Interest. The parish may, in certain circumstances, use personal data where the processing is necessary to protect someone’s life.
Public Interest. The parish may, in certain circumstances, use personal data for the performance of a task carried out in the public interest. CCTV is in operation at St Mary’s (Church of Ireland) Killarney for security and safety purposes. CCTV notices are on display outside the premise to inform individuals that CCTV is in operation and give advance notice of any recording.
Rights of data subjects. Data subjects have a number of rights under data protection law in relation to how the parish use their personal information. They have the right, free of charge, to: Request a copy of the personal information the parish hold on the data subject in a structured, commonly used and machine readable format; Rectify any inaccurate personal information the parish hold about the data subject; Withdraw their consent where the parish has relied upon consent to process their information; Request that the parish erase the personal information held about the data subject to certain exceptions; If technically feasible, request to have their personal information transmitted to another data controller in a machine readable format; Restrict processing of their personal information in certain circumstances
Object to the parish’s use of their personal information for our legitimate interests; Not be subject to a decision which is based solely on automated processing where the decision significantly affects the data subject; Lodge a complaint with the appropriate data protection authority if the data subject has any concerns about how we process their personal data. These rights are, in some circumstances, limited by data protection legislation. If a data subject wishes to exercise any of these rights please contact the Rector by letter to The Rectory, Rookery Close, Killarney, V93 DPC3 or using our info@... email address. The parish will take measures to verify the identity of the data subject, which will be by reference to copies of acceptable identification documentation. The parish will endeavour to respond to the request within a month. If the parish is unable to deal with the request within a month we may extend this period by a further period of two months and we will provide an explanation for this.
Information Technology and Data Protection. The parish is responsible for implementing appropriate technical and organisational measures to demonstrate that processing is performed in accordance with GDPR.
The parish will retain personal information for as long as needed to fulfil the purposes for which it was collected. The parish will retain and use personal information for no longer than is necessary to comply with accounting, reporting or legal obligations. How long certain information is stored depends on the nature of the information we hold and the purpose for which it is processed.
Managing data breaches. A personal data security breach is any event that has the potential to affect the confidentiality, integrity or availability of personal data held by us in any format. The parish is required to report serious data breaches to the Data Protection Commissioner within 72 hours of becoming aware of the data breach. Where it is determined that the breach is unlikely to result in a risk to the rights and freedoms of natural persons, then the supervisory authority will not be notified. Unless it is determined that there is a high risk to the rights and freedoms of natural persons then the data subject(s) may not be notified. The parish will keep an internal record of the details, the means for deciding there was no risk, who decided there was no risk and the risk rating that was recorded. The parish will respond promptly and appropriately to data security breaches, including all relevant reporting obligations.
When and how personal information is shared. The parish may share personal data between the Church of Ireland’s joint data controllers and their respective data processors. The four data controllers are: Representative Church Body & General Synod, Diocesan Council, the Bishops and the parish. The parish may share personal information with third party providers that perform services and functions at their direction and on our behalf, such as accountants, auditors, IT providers, printers, solicitors and providers of security and administrative services. The parish does not sell any personal information and will only share it with third parties who are facilitating the delivery or fulfilment of a service or who are working on behalf of the parish. The parish will contractually require that all suppliers protect such information from unauthorised access, use and disclosure. The parish may transfer personal data outside the European Economic Area (EEA), especially with the part of the Church of Ireland in Northern Ireland (post-BREXIT). However, these countries do not always afford an equivalent level of privacy protection and in such circumstances the parish will take specific steps, in accordance with data protection law, to protect personal information.
Principles to be followed by data processors. A strong data protection culture is essential to advance the mission and ministry of the Church of Ireland. The parish commit to: Understanding their responsibilities in relation to the acquisition, processing and safeguarding of personal data; Adhering to all Data Protection policies and procedures; Adhering to the retention guidelines and committing to keeping personal data to a minimum; Continually assessing the personal data collected and understand any relevant risk associated with this; Informing the Data Protection Representative of any data subject requests; Reporting any concerns or risks to the Data Protection Representative particularly if it is suspected that anyone is being asked to act in a way which is contrary to the data protection regulations
Reporting any data breaches to the Data Protection Representative; Treating personal information confidentially and ensure it is locked away at the end of the day; Attending data protection training and refresher events as requested; Assisting the parish to demonstrate compliance during a data protection audit or inspection.