
Illyrian Gospel Trust Charity

Data Protection and Information Security Policy Manual

March 2018

Charity Registration Number 1120467

Date:

Signed:

Change History

Date of Change | Old Issue | Change

Contents

The Policy Manual
Definitions
The Trustee Overseeing Data Protection
Introduction and Scope
Personal data must be processed lawfully
GDPR Application
GDPR Compliance
Registration of the Trust as a Data Controller
Fair and transparent processing
The right to be informed
The right of access
The right to data portability
Personal data can only be collected for specified, explicit and legitimate purposes
Trust or personal contacts and the application of GDPR
Legal basis for collecting data
Gaining consent
Children under 16 years of age
Data collected by the Trust web site
Transitioning to GDPR
The right to restrict processing
The Right to object to processing data based on Legitimate Interest
Personal data must be adequate, relevant and limited to what is necessary for processing
Personal data must be accurate and kept up to date
Collection of accurate data
Maintaining the accuracy of data
The right to rectification
The right to erasure/the right to be forgotten
Personal data retention must be limited
Storage of data and records security
Personal data must be processed in a manner that ensures its security
Automated decision making
Rights in relation to automated decision making and profiling
Processing requests to exercise rights
Register of data holders

The Policy Manual

This manual contains the policies necessary for the Trust to comply with the EU General Data Protection Regulation (GDPR) and the UK Acts of Parliament which enshrine the regulation in law. (At the time of writing, the new Data Protection Act, which will supersede the Data Protection Act 1998, is passing through Parliament.)

These policies apply to the Illyrian Gospel Trust, Charity Registration Number 1120467.

IMPORTANT

The content of this policy manual is focused on the application of the GDPR to the Illyrian Gospel Trust's normal situation. Should it not provide sufficient guidance in a particular circumstance, please refer to the Information Commissioner's Office website for further information: https://ico.org.uk/

WARNING

The signed current master versions of the policy documents are held by the Trust Secretary and unsigned soft copies of the current versions are maintained on the Trust web site.

Comment by Michael Wilcock: We need to think through how we do this, or even if the web site is the right place to hold this.

If you hold a copy of a policy document, then please ensure it is current before you use it.

Definitions

Trustees

The Trustees of the Illyrian Gospel Trust are those listed on the Charity Commission web site.

The Trustee Overseeing Data Protection

The Trustee overseeing data protection for The Illyrian Gospel Trust is:

In his absence please refer to the Trust Secretary.

Introduction and Scope

The EU General Data Protection Regulation (hereafter GDPR) aims to restore ownership of personal data to the individual and to ensure its protection.

As Christians we seek to live out God's love in the world. In the context of GDPR this means that we respect the individual's right to control their personal data and how it is used, and seek to be GDPR compliant. Transparency in this area will build trust and confidence with our supporters and the community at large.

What is Personal Data?

Personal data is information relating to a living individual who can be identified from that data. Personal data and personal information are synonymous terms and include, but are not limited to, items such as:

Names

Addresses

Telephone numbers

Photographs

Email addresses (for internet-based interactions)

IP address

National Insurance numbers for those on our payroll

In the case of the Illyrian Gospel Trust, the people for whom we store and process such personal data include but are not limited to:

Supporters

Trustees

Contacts

Employees

Gift Aid donors

Comment by Michael Wilcock: I cannot at the moment think of any others. The churches who support us will have their own policy.

Personal data relating to representatives of organisations with which the Trust has a relationship does not necessarily fall within the scope of the GDPR.

In storing personal data relating to supporters, employees and other individuals, the Trust will be processing that data i.e. obtaining, storing, using, disclosing and destroying the data.

The Trust may also be processing a special class of data, referred to as sensitive personal data or special categories of data, if it keeps data about a person's religious beliefs or sexual orientation.

There are six principles set out in the GDPR:

1. Personal Data must be processed lawfully, fairly and transparently.

2. Personal Data can only be collected for specified, explicit and legitimate purposes.

3. Personal Data must be adequate, relevant and limited to what is necessary for processing.

4. Personal Data must be accurate and kept up to date.

5. Personal Data must be kept in a form such that the data subject can be identified only for as long as is necessary for processing.

6. Personal Data must be processed in a manner that ensures its security.

GDPR provides 8 rights to individuals concerning their personal data:

1. The Right to be Informed about how their data is processed. This is usually achieved through a privacy notice.

2. The Right of Access allowing individuals to obtain confirmation that their data is being processed according to the GDPR and to have access to their data as set out in the GDPR.

3. The Right to Rectification meaning that individuals are entitled to have any inaccurate or incomplete personal data rectified.

4. The Right to Erasure/The Right to be Forgotten which, under certain circumstances, allows individuals to request the deletion of personal data where there is no compelling reason for its continued processing.

5. The Right to Restrict Processing. This allows individuals to prevent the continued processing of personal data; the data may continue to be stored.

6. The Right to Data Portability. Although this is unlikely ever to apply to a Charitable Trust, it is designed to enable easy transfer of data for consumers.

Comment by Michael Wilcock: Not too sure about this issue. We may find it useful to have data on a laptop or other portable device.

7. The Right to Object, which allows individuals, under certain circumstances, to object to the processing of their data based on Legitimate Interests.

8. Rights in Relation to Automated Decision Making and Profiling. Although this is unlikely to ever apply to the Trust, it is designed to be a safeguard against potentially damaging decisions being taken without human intervention.

Personal data may only be processed by an organisation when it has specific consent or a lawful basis for doing so; in our case this is a Legitimate Interest. Legitimate Interests include things like using personal data to enable supporters to remain informed and able to participate in any activities. We also have a contractual basis allowing us to process payroll and taxes for employees.

Personal data must be processed lawfully

GDPR Application

The Illyrian Gospel Trust's data protection and information security policy and practice will comply with the 6 GDPR principles and facilitate the 8 individual rights in as much as they apply. How the Trust will comply is set out in this policy manual.

GDPR Compliance

Periodically, and at least annually, the Trustee overseeing data protection will review the Illyrian Gospel Trust's practices to ensure compliance with this policy and the requirements of the GDPR. This will enable the Trust to demonstrate that it lawfully processes data.

The findings and recommendations will be reported to the trustees at a minuted meeting.

Registration of the Trust as a Data Controller

A charitable trust comes within the definition of data controller in the legislation, as a body which determines the purposes and means of the processing of personal data.

As a data controller the Illyrian Gospel Trust is required to maintain registration with the Information Commissioner's Office in accordance with the legal requirements of the current Data Protection Act, unless an exemption exists. This will be carried out by the trustee assigned responsibility for data protection or, if no one is assigned, by the Trust Secretary.

Fair and transparent processing

Privacy Notice(s)

When we collect personal data from an individual we will provide the individual with a Privacy Notice. The following Privacy Notice content covers the circumstances of the Illyrian Gospel Trust at the time this policy manual was prepared/updated:

Our Identity

How we will use the personal data provided

The lawful basis for processing the data

The retention period for the data

Third parties to whom we pass data, if applicable.

The right to object to the processing of their data on the basis of Legitimate Interest

The right to complain to the Information Commissioner's Office if there is a problem with how we handle their personal data.

How to contact the trust concerning any queries or concerns regarding our processing of personal data.

Privacy Notice updates

If the way we process personal data changes, or we are collecting additional or new data, the privacy notice may need to be updated. Please refer to the Information Commissioner's Office web site for definitive guidance on its content.

Publishing the Privacy Notice

The Privacy Notices will be posted on:

The Trust web site

A notice board at any Trust public event.

Comment by Michael Wilcock: My thinking here is that we may need to have this at the Quiz Night and any subsequent Prayer Conferences. We will also need to ask Joan Meneely to have one at any events she holds on our behalf.

Standardised forms for collecting data

Where data is collected using a form, versions of the privacy statement tailored to the specific situation will be used. Where possible the individual who has completed the form will be given a copy of the privacy notice to keep.

For this reason, as far as is possible, a set of standardised forms will be used. This will apply to:

Supporter's request for information form

Gift Aid declarations.

Candidate Application form.

The right to be informed

The individual's right to be informed about how their data is processed is addressed by the preparation and use of the Privacy Notices.

The right of access

Individuals have the right to access their personal data and supplementary information. The right of access allows individuals to be aware of and verify the lawfulness of the processing.

An individual may request confirmation that their personal data is being processed, access to their data, and other supplementary information; this largely corresponds to the information that should be provided in a privacy notice.

The request should be made to the Trustee overseeing data protection or the Trust secretary.

The requested information should be provided in a reasonable format by reasonable means.

Response time

Information must be provided without delay and at the latest within one month of receipt.

Where requests are complex or numerous the period may be extended to 2 months. If this is the case, we must inform the individual within one month of the receipt of the request and explain why the extension is necessary.

Excessive or Unfounded Requests

Where requests are manifestly unfounded or excessive, in particular because they are repetitive, we are allowed to:

charge a reasonable fee taking into account the administrative costs of providing the information; or

refuse to respond.

Where we refuse to respond to a request, we must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.

The right to data portability

This is unlikely ever to apply to the Illyrian Gospel Trust. If a situation arises when it does, please refer to the Information Commissioner's Office website.

Comment by Michael Wilcock: Not very sure about this. At the moment we do not hold data on portable devices. It may be that Will has some information on his laptop. We will need to look into this. I also have information about supporters on our Chromebook. As most of us will have information about supporters on our mobile devices we will have to address this in some way. See my previous note.

Personal data can only be collected for specified, explicit and legitimate purposes

Trust or personal contacts and the application of GDPR

Two factors come together to raise a question on when personal data is Trust related or private. It is possible that a Trustee may have details of a supporter as they are personal friends.

The policy that we will need to apply is as follows:

If a Trustee of the Trust uses personal data in their possession for the administration of the Trust, then the requirements of GDPR should apply, even where the person concerned is a friend of longstanding. Thus this policy applies.

Legal basis for collecting data

The GDPR requires that the Trust has a lawful basis for collecting and processing personal data. The factors that apply to Illyrian Gospel Trust are:

1. The processing is necessary for the performance of a contract (e.g. for staff, the contract of employment).

Comment by Michael Wilcock: Not too sure how we deal with Will and Doreta. I think technically Will is self-employed but we do have a contract of employment for him, Doreta and Monda.

2. The processing is necessary for the purposes of Legitimate Interests pursued by the Trust (including commercial benefit) unless this is outweighed by harm to the individual's rights and interests.

Most of the processing of personal data carried out by the Trust should fall under this condition, as the data is necessary for the Trust to carry out its functions on behalf of its staff, trustees, supporters and other contacts. These functions include:

a. Fulfilling the obligations of the Trust's charitable purpose, namely the advancement of the Christian religion.

b. To administer the Gift Aid scheme on behalf of donors.

c. To keep supporters informed about the Trust's activities.

d. To keep informed those who have shown an interest in the Trust and its activities (in GDPR terms this is equivalent to direct marketing).

3. Where the first two conditions (1 & 2) above do not apply, it is preferable to avoid consent by finding a different lawful basis for processing the personal data. Only if this is not possible or practicable should we fall back on the consent of the individual (the Data Subject).

Gaining consent

The GDPR sets a very high bar for consent to be valid. It must be specific, clear and unambiguous.

1. Consent must be opt-in, be clearly documented, and the consent document must be set out simply and obviously. It should state:

the name of our organisation, Illyrian Gospel Trust;

the name of any third party controllers [1] who will rely on the consent;

why we want the data;

what we will do with it;

how long we will keep the data; and

that individuals can withdraw consent at any time.

Comment by Michael Wilcock: The footnote on this needs some careful review. It may be that we, by linking with AEM, for example, need some words on this topic.

2. The use of pre-ticked boxes and opt-out approaches (i.e. "We will process your data unless you explicitly tell us not to") is specifically excluded by the GDPR.

3. Specific consent for each separate processing activity is required. If we wish to carry out a number of activities then the individual must explicitly consent to each of them. For example, if we wish to communicate with them via our choice of text message, email, phone call and post, they must consent to each individually, e.g. there would be four tick boxes.

We must keep records to demonstrate consent, i.e. who consented, when, what they were told at the time and how they consented.

[1] A third party controller is another organisation which relies upon the information we collect and to which we pass the information, for instance HMRC for employees. When we seek consent it is unlikely that we will be involving a third party, but it is possible. For instance, if we included Scripture Union in a children's work we might pass contact details to them to send a gospel book to children.

Children under 16 years of age

Comment by Michael Wilcock: Not sure if we need to cover this. The LBC document includes this as children come to church activities. The only area where we may have children under 16 is Team Albania. I think the onus will be on those organising the visit. We do not hold data on children.

Data collected by the Trust's web site

The Trust website does not explicitly collect personal data. If it uses Google Analytics, this will be configured to collect only anonymised data which cannot be used to identify an individual. See Google's description of how this works.

Comment by Michael Wilcock: This does need to be checked.

Transitioning to GDPR

Where existing personal data held by the Illyrian Gospel Trust is GDPR compliant we need do nothing. However, given the small quantity of personal data we hold, it will be easiest to assume that we need to take steps to bring it all under the banner of the Legitimate Interests set out above. Where these do not apply, we need to establish additional Legitimate Interests or (re)gain GDPR compliant consent.

Supporters, Employees and Trustees

We will provide supporters and employees with a copy of our Privacy Notice, notifying them of the Trust's Legitimate Interest (condition 2 in Legal basis for collecting data above) in processing their personal data and of their rights under GDPR.

The right to restrict processing

Individuals have a right to block or suppress processing of personal data when the data is inaccurate, when they object to the Trust's Legitimate Interests as a reason for processing their data, when the processing is unlawful or when the data is no longer needed.

When processing is restricted, the Trust is permitted to:

Store the personal data, but not further process it.

Retain just enough information about the individual to ensure that the restriction is respected in future.

A request to restrict processing should be made to the Trustee overseeing data protection. The request should be acknowledged within one week and addressed within one month.

The Right to object to processing data based on Legitimate Interest

Individuals have the right to object to their data being processed on the basis of Legitimate Interest, which is a key legal basis for Illyrian Gospel Trust. This right extends to other reasons which are unlikely to be applicable to the Trust, apart from perhaps direct marketing. This is not covered in our legal basis for processing data and is therefore not included in our privacy notice.

The individual's objection must be on grounds relating to his or her particular situation, and the church must stop processing the personal data unless we can demonstrate:

compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or

the processing is for the establishment, exercise or defence of legal claims.

To fulfil this right the Trust must inform individuals of their right to object at the point of first communication and in our privacy notice. This must be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

Personal data must be adequate, relevant and limited to what is necessary for processing

This principle requires that only the minimum amount of data necessary to achieve the purpose in hand should be collected and retained.

To aid with this, standard data collection forms will be used (see Standardised forms for collecting data above) unless there is a specific need for different data. For instance, in order to serve Trust supporters, the collected data would normally be limited to name, address, phone number and email address. National Insurance Numbers would only be required in the event of the Trust having an employee who paid UK tax.

Comment by Michael Wilcock: At the moment this is not a requirement as we do not have anyone who is paid by the Trust who has to pay UK tax. Bob is looking into Will's position.

Where data additional to the standard forms is required this should be discussed with the Trustee overseeing data protection.

Personal data must be accurate and kept up to date

Collection of accurate data

In order to facilitate data collection that is compliant with the principles of the GDPR, standardised collection forms shall be used (see Standardised forms for collecting data above). This will also facilitate the accuracy of the collected data.

Maintaining the accuracy of data

In order to maintain the continued accuracy of personal data stored and processed by the Trust, the individuals concerned will be sent copies of their personal data and requested to notify the church of any required changes, as follows:

Annually in May of each year:

Supporters

Employees

Gift Aid Donors

Trustees

Comment by Michael Wilcock: Perhaps we should have an AGM as do CIS. If so this could be the time to carry out this activity.

The right to rectification

This right means that individuals are entitled to have any inaccurate or incomplete personal data rectified. The above process is intended to address this need. However, circumstances might arise in which an individual discovers an inaccuracy in the personal data, or there is a change to the personal data that we store and process; in which case they are entitled to ask for the inaccuracy to be rectified.

The required response time is one month.

If the personal data in question has been disclosed to others, they must be informed of the rectification, unless this proves impossible or involves disproportionate effort. If asked to, we must also inform the individual about these recipients. This applies to data that is corrected through the processes described in Maintaining the accuracy of data above.

The right to erasure/ the right to be forgotten

The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.

This is allowed when:

The personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.

The individual withdraws consent.

The individual objects to the processing and there is no overriding Legitimate Interest for continuing the processing.

The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR).

The personal data has to be erased in order to comply with a legal obligation.

There are circumstances where the Trust could legitimately refuse to comply with a request to erase data, although it is unlikely that we would call upon them. Please refer to the Information Commissioner's web site for guidance.

We should acknowledge a request to erase data within one week and respond within one month.

Personal data retention must be limited

One of the 6 principles within the GDPR is that personal data must be kept in a form such that the data subject can be identified only for as long as is necessary for processing. In other words, data may not be kept indefinitely and should be erased when there is no further need to store and process it.

Storage of data and records security

1. All data and records will be stored in accordance with the security requirements of the Data Protection Legislation and in the most convenient and appropriate location having regard to the period of retention required and the frequency with which access will be made to the record.

See also Appendix 2 - Information Security Policy.

2. Data and records which are active should be stored in the most appropriate place for their purpose commensurate with security requirements.

3. Data and records which are no longer active, due to their age or subject, should be stored in the most appropriate place for their purpose.

4. The degree of security required for file storage will reflect the sensitivity and confidential nature of any material recorded.

5. Any data file or record which contains personal data of any form can be considered as confidential in nature.

6. Data and records should not be kept for longer than is necessary. This principle finds statutory form in the Data Protection Legislation, which requires that personal data processed for any purpose "shall not be kept for longer than is necessary for that purpose". All groups are required to have regard to Appendix 1 - Guidelines for retention of personal data.

7. Any data that is to be disposed of must be disposed of safely, for example by shredding.

8. Special care must be given to disposing of data stored in electronic media. Guidance will be given by the Trustee overseeing data protection to anyone who has stored personal data relating to supporters on, for example, personal computers which are to be disposed of.

For details of retention periods for different kinds of information please refer to Appendix 1 - Guidelines for retention of personal data and Appendix 3 - Data Breach Procedure regarding procedures when a data breach is suspected or has occurred.

Personal data must be processed in a manner that ensures its security.

The Trust is obliged to ensure appropriate security of the personal data it stores and processes. This applies to data stored both electronically and in hard copy. Information security involves preserving confidentiality, preventing unauthorised access and disclosure, maintaining the integrity of information, safeguarding accuracy and ensuring access to information when required by authorised users.

In addition to complying with this policy, all users must comply with the Data Protection Legislation and the Data Protection Policy.

Information security is the responsibility of everyone using Trust data.

Please refer to Appendix 2 - Information Security Policy.

Automated decision making

The Illyrian Gospel Trust does not employ processes in which a computer system makes automated decisions based on personal data. If circumstances change so that this does apply, then this policy will require review and significant modification.

Rights in relation to automated decision making and profiling

This does not apply to the current circumstances of Illyrian Gospel Trust.

Processing requests to exercise rights

The Illyrian Gospel Trust does not maintain a single, central database of personal data. The data we hold is a combination of electronic and hard copy records. These are held by some of the Trustees, e.g. the Secretary and Treasurer.

Register of data holders

A register of data holders within the Illyrian Gospel Trust shall be maintained by the Trustee responsible for data protection. This will facilitate:

Responding to requests made by individuals to exercise their rights over their data

GDPR compliance checks

Responding to requests

Requests for information and instructions concerning the processing of the personal data of the individual concerned will be passed to the data holders.

The data holders will return a list of the information that may be held in their records regarding the individual concerned and, if appropriate, an acknowledgement that they have applied the request to rectify, erase or restrict the processing of the data.

On completion of the action the Trustee responsible for data protection will respond appropriately to the individual concerned.

For details of the actions required and associated response times please refer to the sections of this manual relating to the specific rights.

Appendix 1 - Guidelines for retention of personal data

If you have any queries regarding retaining or disposing of data please contact the Trustee overseeing data protection for Illyrian Gospel Trust.

Types of Data: Suggested Retention Period

Personnel files, including training records and notes of disciplinary and grievance hearings: 6 years from the end of employment.

Application forms / interview notes: maximum of one year from the date of the interviews for those not subsequently employed. If employed, retain in personnel file.

Information relating to children: check for accuracy or renew once a year. Record that the child was a member of the group: permanent. Secure destruction of personal data other than name and fact of membership two years after they cease to be a member.

Trust supporters' information: check for accuracy or renew once a year. Record that the adult was a member: permanent. Secure destruction of personal data other than name and fact of membership three years after they cease to be a supporter.

Church group member information: check for accuracy once a year. Record that the adult was a member of the group: permanent. Secure destruction of personal data other than name and fact of membership two years after the individual ceases to be a member.

Comment by Michael Wilcock: I do not think this applies to us.

Income Tax and NI returns, e-filing returns and correspondence with the tax office: at least 6 years after the end of the financial year to which the records relate.

Statutory Maternity Pay records and calculations: as above (Statutory Maternity Pay (General) Regulations 1986).

Statutory Sick Pay records and calculations: as above (Statutory Sick Pay (General) Regulations 1982).

Wages and salary records: 6 years from the tax year in which generated.

Accident books, and records and reports of accidents: (for adults) 3 years after the date of the last entry; (for children) three years after the child attains 18 years (RIDDOR 1985).

Health records: 6 months from date of leaving employment (Management of Health and Safety at Work Regulations).

Health records where the reason for termination of employment is connected with health, including stress-related illness: 3 years from date of leaving employment (limitation period for personal injury claims).

Student records, including academic achievements and conduct: at least 6 years from the date the student leaves, in case of litigation for negligence.

Appendix 2 - Information Security Policy

Information security involves preserving confidentiality, preventing unauthorised access and disclosure, maintaining the integrity of information, safeguarding accuracy and ensuring access to information when required by authorised users.

In addition to complying with this policy, all users must comply with the Data Protection Legislation and the Data Protection Policy.

Trust data means any personal, sensitive or confidential data processed by or on behalf of the Trust.

Information security is the responsibility of every member of staff, trustee and supporter using Trust data on, but not limited to, the Trust's information systems. This policy is the responsibility of the Trustee overseeing data protection, who will supervise it.

Trust owned IT systems may only be used for authorised purposes.

Computer security

Computers used to process church data shall be protected by current and up-to-date security systems:

At a minimum anti-virus and firewall software shall be installed.

They shall be operated behind a router or other device which includes a firewall and intrusion detection.

Vendor originated updates to operating systems, software and routers shall be applied as they are made available.

Do not use unsecured Wi-Fi to process Trust data.

In addition, computers used for processing Trust data and which remain in a fixed location shall use the following security methods (Note: these requirements also apply to computers used in homes):

They shall be password protected to ensure that only authorised users can access Trust data.

They shall have individual password protected accounts if they are used by more than one user. Passwords should not be shared or left on notes near the computer.

In addition, data files containing Trust data shall be individually password protected or encrypted. This file password or encryption key may be shared between users of the data as necessary.

Portable computers and mobile devices, including but not limited to laptops, tablets, smart phones, USB memory sticks, which are used to store, process or move church personal data shall be protected as follows:

They shall be password protected to ensure that only authorised users can use them.

They shall have individual password protected accounts if they are used by more than one user. Passwords should not be shared or left on notes near the computer.

They shall use encryption to protect Trust data files. Encryption keys may be shared between authorised individuals if necessary.

Mobile devices, such as Android and Apple tablets and phones, can encrypt the whole device.

Apps are available to encrypt specific files.

On-line security

Cloud storage

Cloud Storage used for storing and backing up confidential Trust data shall be protected as follows:

Cloud storage accounts shall be password protected. Where multiple users use the stored data, individual accounts will be employed or secure sharing/collaboration mechanisms will be used to share data.

Trust data stored in cloud storage facilities shall be encrypted in addition to any security or encryption employed by the service host.

Cloud storage services hosted outside the EU must comply with the EU Privacy Shield agreements. Note: Google, Dropbox and Microsoft are certified as compliant with the EU-US Privacy Shield agreement.

Email

Personal and confidential data files which are emailed should be at least password protected and preferably encrypted. The password or encryption key should be conveyed independently of the email to which the file is attached. Gmail is an inherently encrypted system and Microsoft Outlook allows emails to be encrypted.
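The rule above asks that an emailed file be protected in its own right, with the key sent separately, whatever transport encryption the mail provider applies. As an added example (not the Trust's own tooling; the function names are hypothetical), this Go code seals an attachment with AES-256-GCM under a fresh random key that the sender conveys by a separate channel, and a wrong key or a modified attachment fails to decrypt rather than yielding garbage:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key gives AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAttachment seals a data file under a fresh random key. Attach the ciphertext;
// send the hex key by a separate channel (phone call, text message), never in the same email.
func EncryptAttachment(plaintext []byte) ([]byte, string, error) {
	buf := make([]byte, 32+12) // 32-byte key followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, "", err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, "", err
	}
	// The nonce is prepended so the recipient needs only the key to decrypt.
	return gcm.Seal(nonce, nonce, plaintext, nil), hex.EncodeToString(key), nil
}

// DecryptAttachment reverses EncryptAttachment; the GCM tag rejects a wrong key or tampering.
func DecryptAttachment(ciphertext []byte, keyHex string) ([]byte, error) {
	key, err := hex.DecodeString(keyHex)
	if err != nil || len(key) != 32 {
		return nil, errors.New("key must be 64 hex characters")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(ciphertext) < n {
		return nil, errors.New("attachment too short to hold a nonce")
	}
	return gcm.Open(nil, ciphertext[:n], ciphertext[n:], nil)
}
```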

Contact databases and address books

Contact databases and address books which contain personal data related to the operation of the Trust should be secured in the same way as any other Trust data is secured.

On mobile devices (tablets, phones and laptops) they should be encrypted, preferably with device-level encryption.

On static computers they should be password protected.

When stored in the cloud they should be encrypted. Note: Google's Gmail services and contacts databases are securely encrypted by Google. Note: Tablets and smart phones download contact data. If this contact data contains church related personal data then device-level encryption should be used.

Hard Copy Security

Personal data kept in hard copy, for example reports, completed forms, registers and journals shall be kept secure as follows:

They shall be kept under lock and key when not in use and away from public areas unless their use is necessary, e.g. registration forms at an activity or meeting.

If kept at home they should not be left in areas where visitors would have easy access.

Normal home security shall be considered sufficient to class as being under lock and key.

It is extremely difficult to secure hard copies in transit, but reasonable care must be taken to keep them secure.

Breaches of Security

Actual, potential or suspected breaches of computer and physical security should be reported immediately to the Trustee overseeing data protection for Illyrian Gospel Trust.

There are regulatory obligations regarding the Trust's response to breaches that compromise personal data. Please see Appendix 3 - Data Breach Procedure.

Password Security

To facilitate good password security, use reputable password management software which secures and encrypts password information behind a master password.

If you need to list password and log-on details, encrypt the file.

If you have a suspicion that your password has been compromised you must change it.

Disposal of equipment

Equipment, whether personally owned or Trust owned, that has been used to store Trust related personal data must be disposed of securely. Please consult the Trustee overseeing data protection for Illyrian Gospel Trust for guidance.

Appendix 3 - Data Breach Procedure

Introduction

Illyrian Gospel Trust holds and processes personal data which needs to be protected. Every care is taken to protect the data we hold. Compromise of information confidentiality, integrity or availability may result in harm to individuals, reputational damage, a detrimental effect on service provision, legislative non-compliance and financial penalties.

Purpose

This policy sets out the procedure to be followed to ensure a consistent and effective approach throughout the Trust.

Scope

The policy relates to all personal data held by Illyrian Gospel Trust, regardless of format. It applies to anyone who handles this personal data, including those working on behalf of the Trust. The objective of the policy is to contain any breaches, to minimise the risks associated with the breach and to consider what action is necessary to secure personal data and prevent any further breach.

Types of breach

An incident is an event or action which may compromise the confidentiality, integrity or availability of systems or data, either accidentally or deliberately, and has caused or has the potential to cause damage to data subjects.

An incident includes but is not restricted to:

Loss or theft of personal data or the equipment on which the data is stored e.g. laptop, memory stick, smartphone, or paper record

Failure of equipment on which personal data is stored

Unauthorised use of or access to personal data

Attempts to gain unauthorised access to personal data

Unauthorised disclosure of personal data

Website defacement

Hacking attack

Reporting an incident

Any person using personal data on behalf of Illyrian Gospel Trust is responsible for reporting data breach incidents immediately to the Trustee overseeing data protection or in his or her absence the Trust Secretary. The report should contain the following details:

Date and time of discovery of breach

Details of person who discovered the breach

The nature of the personal data involved

How many individuals' data is affected

Containment and recovery

The Trustee overseeing data protection, or delegate, will first ascertain if the breach is still occurring. If so, appropriate steps will be taken immediately to minimise the effects of the breach. An assessment will be carried out to establish the severity of the breach and the nature of further investigation required. Consideration will be given as to whether the police should be informed. Advice from appropriate experts will be sought if necessary. A suitable course of action will be taken to ensure a resolution to the breach.

Investigation and risk assessment

An investigation will be carried out without delay and where possible within 24 hours of the breach being discovered. The Trustee overseeing data protection or delegate will assess the risks associated with the breach, the potential consequences for the data subjects, how serious and substantial those are and how likely they are to occur.

The investigation will take into account the following:

The type of data involved and its sensitivity

The protections in place (e.g. encryption)

What has happened to the data

Whether the data could be put to illegal or inappropriate use

Who the data subjects are, how many are involved, and the potential effects on them

Any wider consequences

Notification

The Trustee overseeing data protection will decide, with appropriate advice, who needs to be notified of the breach. Every incident will be assessed on a case by case basis. Consideration will be given to notifying the Information Commissioner if a large number of people are affected or the consequences for the data subjects are very serious. Guidance on when and how to notify the ICO is available on their website www.ico.org.uk/media/1536/breach_reporting.pdf

Notification to the data subjects whose personal data has been affected by the incident will include a description of how and when the breach occurred, and the nature of the data involved. Specific and clear advice will be given on what they can do to protect themselves and what has already been done to mitigate the risks.

The Trustee overseeing data protection will keep a record of all actions taken in respect of the breach.

Evaluation and response

Once the incident is contained, the Trustee overseeing data protection, or delegate, will carry out a review of the causes of the breach, the effectiveness of the response, and whether any changes to systems, policies or procedures should be undertaken. Consideration will be given to whether any corrective action is necessary to minimise the risk of similar incidents occurring.

Appendix 4 - Data Protection Enquiries and Complaints Procedure

At Illyrian Gospel Trust we take your privacy concerns seriously. If you have any concerns or queries about the way your information is being handled, please contact the Trustee overseeing data protection for Illyrian Gospel Trust without delay.

The elder overseeing data protection for Letchworth Baptist Church can be contacted as follows:

Name:

Phone number

Email address

We will acknowledge enquiries concerning your data protection rights as soon as possible and notify you of our expected response time, which typically will be within 30 days. Where action is required on our part we will tell you what we have done or plan to do.

We will carefully investigate and review all complaints and take appropriate action in accordance with Data Protection Legislation. We will keep you informed of the progress of our investigation and the outcome. If you are not satisfied with the outcome, you may wish to contact the Information Commissioner's Office at https://ico.org.uk/concerns/

Any complaint received by us must be referred to the Trustee overseeing data protection for Illyrian Gospel Trust who will arrange for an investigation as follows:

1. A record will be made of the details of the complaint.

2. Consideration will be given as to whether the circumstances amount to a breach of Data Protection Legislation and action taken in accordance with the Data Breach Procedure.

3. The complainant will be kept informed of the progress of the complaint and of the outcome of the investigation.

4. At the conclusion of the investigation the Trustee overseeing data protection for Illyrian Gospel Trust will reflect on the circumstances and recommend any improvements to systems or procedures.
