Data Protection Policy
The Spiritualists’ National Union (SNU) needs to keep certain information on its employees, volunteers, members, service users and trustees to carry out its day-to-day operations, to meet its objectives and to comply with legal obligations. The organisation is committed to ensuring that any personal data will be dealt with in line with the Data Protection Act 2018. To comply with the law, personal information will be collected and used fairly, stored safely and not disclosed to any other person unlawfully. The aim of this policy is to ensure that everyone handling personal data is fully aware of the requirements and acts in accordance with data protection procedures. This document also highlights key data protection procedures within the organisation.
This policy covers employees, volunteers, members, service users and trustees. In line with the Data Protection Act 2018 principles, the SNU will ensure that personal data will:
• be obtained fairly and lawfully and shall not be processed unless certain conditions are met;
• be obtained for a specific and lawful purpose;
• be adequate, relevant but not excessive;
• be accurate and kept up to date;
• not be held longer than necessary;
• be processed in accordance with the rights of data subjects;
• be subject to appropriate security measures.
Transferring Personal Data to a country outside the EEA
The SNU may from time to time transfer (‘transfer’ includes making available remotely) personal data to countries outside of the EEA. The transfer of personal data to a country outside of the EEA shall take place only if one or more of the following applies:
1.1.1 the transfer is to a country, territory, or one or more specific sectors in that country (or an international organisation), that the European Commission has determined ensures an adequate level of protection for personal data;
1.1.2 the transfer is to a country (or international organisation) which provides appropriate safeguards in the form of a legally binding agreement between public authorities or bodies; binding corporate rules; standard data protection clauses adopted by the European Commission; compliance with an approved code of conduct approved by a supervisory authority (e.g. the Information Commissioner’s Office); certification under an approved certification mechanism (as provided for in the GDPR); contractual clauses agreed and authorised by the competent supervisory authority; or provisions inserted into administrative arrangements between public authorities or bodies authorised by the competent supervisory authority;
1.1.3 the transfer is necessary for the performance of a contract between the data subject and the Company (or for pre-contractual steps taken at the request of the data subject);
1.1.4 the transfer is necessary for important public interest reasons;
1.1.5 the transfer is necessary for the conduct of legal claims;
1.1.6 the transfer is necessary to protect the vital interests of the data subject or other individuals where the data subject is physically or legally unable to give their consent; or
1.1.7 the transfer is made from a register that, under UK or EU law, is intended to provide information to the public and which is open for access by the public in general or otherwise to those who are able to show a legitimate interest in accessing the register.
The definition of ‘processing’ is obtaining, using, holding, amending, disclosing, destroying and deleting personal data. This includes some paper-based personal data as well as that kept on computer.
The Personal Data Guardianship Code suggests five key principles of good data governance on which best practice is based. The organisation will seek to abide by this code in relation to all the personal data it processes, i.e.
• Accountability: Those handling personal data follow publicised data principles to help gain public trust and safeguard personal data.
• Visibility: Data subjects should have access to the information about themselves that an organisation holds. This includes the right to have incorrect personal data corrected and to know who has had access to this data.
• Consent: The collection and use of personal data must be fair and lawful and in accordance with the DPA’s eight data protection principles. Personal data should only be used for the purposes agreed by the data subject. If personal data is to be shared with a third party or used for another purpose, the data subject’s consent should be explicitly obtained.
• Access: Everyone should have the right to know the roles and groups of people within an organisation who have access to their personal data and who has used this data.
• Stewardship: Those collecting personal data have a duty of care to protect this data throughout the data lifespan.
The SNU processes the following personal information:
Information will be kept regarding employee applications and references, including contact details, payroll and bank details, and supervision and appraisal notes. Membership applications (Church and Individual), including contact details, applications for SNU educational services and events, and bank account details as appropriate. Non-member applications for services and events, including contact and bank account details as appropriate.
Personal information is kept in the following forms: paper and computer-based systems.
Groups of people within the organisation who will process personal information are:
SNU paid staff, volunteer elected members of District Councils and Churches, volunteer members of the various SNU Committees, Branches and Trustees. The needs we have for processing personal data are recorded on the public register maintained by the Information Commissioner. We notify and renew our notification on an annual basis as the law requires. If there are any interim changes, these will be notified to the Information Commissioner within 28 days.
Under the Data Protection Guardianship Code, overall responsibility for personal data in a not-for-profit organisation rests with the governing body. In the case of the SNU this is the National Executive Committee (NEC). The governing body delegates tasks to the Data Protection Officer.
The Data Protection Officer is responsible for:
• understanding and communicating obligations under the Act;
• identifying potential problem areas or risks;
• producing clear and effective procedures;
• notifying and annually renewing notification to the Information Commissioner, plus notifying of any relevant interim changes.
All SNU paid staff, volunteer elected members of District Councils and Churches, appointed volunteer members of the various SNU Committees, Branches and Trustees who process personal information must ensure that they not only understand but also act in line with this policy and the data protection principles. Breach of this policy will result in disciplinary proceedings for paid staff and removal from office of volunteers elected to Church or District Councils and SNU-appointed Committee & Branch members and Trustees.
To meet our SNU data protection policy, paid staff, volunteer elected members of District Councils and Churches, and appointed volunteer members of the various SNU Committees and Branches will:
• ensure that any personal data is collected in a fair and lawful way;
• explain why it is needed at the start;
• ensure that only the minimum amount of information needed is collected and used;
• ensure that the information used is up to date and accurate;
• review the length of time information is held;
• ensure that it is kept safely;
• ensure that the rights people have in relation to their personal data can be exercised.
We will ensure that:
• everyone managing and handling personal information is trained to do so;
• anyone wanting to make enquiries about handling personal information, whether a member of staff, volunteer, service user or Trustee, knows what to do;
• any disclosure of personal data will be in line with our procedures;
• queries about handling personal information will be dealt with swiftly and politely.
Our churches and District Councils will be asked to ensure that data they hold is removed immediately on personal request or twelve months after lapse of membership. (This is in line with the twelve months’ period of grace allowed for membership fees to be paid.)
Personal sensitive information will not be used apart from the exact purpose for which permission was given. The organisation will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure. The following measures will be taken: lockable filing systems for paper records, password protection for computer-based records. Passwords will be changed at least annually. Removal of information ‘off site’ will only be with the authority of two of the four Officers of the SNU. Any unauthorised disclosure of personal data to a third party by an employee may result in disciplinary action or, in the case of elected volunteers or appointed Committee & Branch members or Trustees, removal from office.
All unauthorised disclosures will be recorded in the ledger for this purpose held at Head Office and supervised by the General Manager.
Anyone whose personal information we process has the right to know:
• what information we hold and process on them;
• how to gain access to this information;
• how to keep it up to date;
• what we are doing to comply with the Act.
They also have the right to prevent processing of their personal data in some circumstances and the right to correct, rectify, block or erase information regarded as wrong. Individuals have a right under the Act to access certain personal data being kept about them on computer and certain files.
Guidelines for Data Protection
PREAMBLE
25th May 2018 will see the introduction of the new General Data Protection Regulation (GDPR) of the European Union, which will replace the current British Data Protection Act 1998, and the government has confirmed that the UK’s decision to leave the EU will not affect the commencement of GDPR in the UK. These regulations are more stringent than current legislation and will be more strenuously policed. These changes will have serious impacts on all organisations, including the SNU. The SNU is therefore, in line with other UK charities, reviewing and implementing more stringent data controls than previously in order to be ready for the new requirements. (PLEASE NOTE THAT THESE GUIDELINES TAKE IMMEDIATE EFFECT AND ARE NOT INTENDED TO COMMENCE IN MAY 2018.)
These guidelines are intended to support and help anyone and everyone involved with personal data within the SNU. This includes SNU paid staff, elected church committees and District Councils, appointed SNU Committees, volunteers and Trustees.
What is Personal Data?
Any information ‘about’ a person, from which a person may be identified, even indirectly (i.e. where there is anonymous data but the data group is so small and/or specific that an individual could be identified, even if the data is anonymous). If you hold information about individuals, either on computer or in paper records, you may be holding ‘personal data’. Personal data is data that:
• identifies an individual, either on its own or combined with other information within any organisation;
• includes opinions in regard to that individual;
• includes information which informs or influences decisions affecting an individual;
• conveys biographical information about the person – the fact that an individual attended a meeting will be personal data about that person;
• also includes any images or photographs where an individual can be easily identified.
This can include comments about an individual in an email, a paper file that contains the name of an individual, or even the contact details of someone on a post-it note.
As a membership organisation the SNU holds large amounts of personal data relevant to its members. That’s not just Individual Members at Head Office but also every member of every Church and Pioneer Centre, both associate and full.
In addition, we hold data about everyone who registers for SNU Education Courses, attends local and national training events, plus our register of trainee and approved healers.
What is Sensitive Personal Data?
Personal sensitive data attracts higher privacy requirements for certain categories of information that have been defined in the Act as sensitive:
• racial or ethnic origin;
• political beliefs;
• religious beliefs or other beliefs of a similar nature;
• physical or mental health;
• sexual life;
• the commission or alleged commission by him/her of any criminal offence; or
• any criminal proceedings for any offence committed or alleged to have been committed by him/her, the disposal of such proceedings or the sentence of any court in such proceedings.
You are obliged to treat sensitive personal data with the utmost of care, respect and confidentiality and must obtain consent from the individual before processing. There are other conditions, which are strictly controlled, and explicit consent should be the first consideration in your mind.
What is Data Protection?
The Data Protection Act 1998 and GDPR require that information about PEOPLE is collected and used fairly, stored safely and not processed unlawfully.
Privacy Policy
1. What Does This Notice Cover?
This Privacy Information explains how we use your personal data: how it is collected, how it is held, and how it is processed. It also explains your rights under the law relating to your personal data.
2. What is Personal Data?
Personal data is defined by the General Data Protection Regulation (EU Regulation 2016/679) (the “GDPR”) as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’.
Personal data is, in simpler terms, any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers, electronic location data, and other online identifiers.
The personal data that we use is set out in Part 4, below.
3. What Are My Rights?
Under the GDPR, you have the following rights, which we will always work to uphold:
a) The right to be informed about our collection and use of your personal data. This Privacy Notice should tell you everything you need to know, but you can always contact us to find out more or to ask any questions using the details in Part 10.
b) The right to access the personal data we hold about you. Part 9 will tell you how to do this.
c) The right to have your personal data rectified if any of your personal data held by us is inaccurate or incomplete. Please contact us using the details in Part 10 to find out more.
d) The right to be forgotten, i.e. the right to ask us to delete or otherwise dispose of any of your personal data that we have. Please contact us using the details in Part 10 to find out more.
e) The right to restrict (i.e. prevent) the processing of your personal data.
f) The right to object to us using your personal data for a particular purpose or purposes.
g) The right to data portability. This means that, if you have provided personal data to us directly, we are using it with your consent or for the performance of a contract, and that data is processed using automated means, you can ask us for a copy of that personal data to re-use with another service or business in many cases.
h) Rights relating to automated decision-making and profiling. Part 5 explains more about how we use your personal data, including automated decision-making and/or profiling.
For more information about our use of your personal data or exercising your rights as outlined above, please contact us using the details provided in Part 10.
Further information about your rights can also be obtained from the Information Commissioner’s Office or your local Citizens Advice Bureau. If you have any cause for complaint about our use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office.
4. What Personal Data Do You Collect?
We may collect some or all of the following personal data (this may vary according to your relationship with us):
• Name;
• Date of birth;
• Gender;
• Address;
• Email address;
• Telephone number;
• Business name;
• Job title;
• Profession;
• Payment information;
• Information about your preferences and interests.
5. How Do You Use My Personal Data?
Under the GDPR, we must always have a lawful basis for using personal data. This may be because the data is necessary for our performance of a contract with you, because you have consented to our use of your personal data, or because it is in our legitimate business interests to use it. Your personal data may be used for one of the following purposes:
• Providing and managing your account.
• Supplying our products and/or services to you. Your personal details are required in order for us to enter into a contract with you.
• Personalising and tailoring our products and/or services for you.
• Communicating with you. This may include responding to emails or calls from you.
• Supplying you with information by email and/or post that you have opted in to (you may unsubscribe or opt out at any time by writing to us).
With your permission and/or where permitted by law, we may also use your personal data for marketing purposes, which may include contacting you by email, telephone, text message or post with information, news, and offers on our products and/or services. You will not be sent any unlawful marketing or spam. We will always work to fully protect your rights and comply with our obligations under the GDPR and the Privacy and Electronic Communications (EC Directive) Regulations 2003, and you will always have the opportunity to opt-out.
6. How Long Will You Keep My Personal Data?
We will not keep your personal data for any longer than is necessary in light of the reason(s) for which it was first collected. Your personal data will therefore be kept for the following periods (or, where there is no fixed period, the following factors will be used to determine how long it is kept):
• Individual Membership – 2 years after lapse, but please be aware that for historical/statistical analysis your SNU IM number, date information and information on any SU awards gained will be retained. None of this information will be traceable to you as an individual.
• Church membership – 2 years after lapse; you will be asked to sign an agreement for this.
• Church Roll Book – permanently.
• Healing Records – 7 years after last contact.
For additional information refer to the SNU ‘Document Retention Policy’.
7. How and Where Do You Store or Transfer My Personal Data?
If a UK Resident
We will only store or transfer your personal data in the UK. This means that it will be fully protected under the GDPR.
If a non-UK Resident
We share your data within the group of which we are a part. Where this involves the transfer of personal data outside the EEA, our group ensures that personal data is protected, by requiring all branches/departments within the group to follow the same rules with respect to personal data usage. These are known as “binding corporate rules”. More information on binding corporate rules is available from the European Commission.
8. Do You Share My Personal Data?
We will not share any of your personal data with any third parties for any purposes, subject to one important exception.
In some limited circumstances, we may be legally required to share certain personal data, which might include yours, if we are involved in legal proceedings or complying with legal obligations, a court order, or the instructions of a government authority.
or
We may share your personal data with other SNU Branches/Departments in our group for information.
We may sometimes contract with third parties to supply products and/or services to you on our behalf. These may include payment processing, delivery, and marketing. In some cases, those third parties may require access to some or all of your personal data that we hold.
• Spiritualists’ National Union Trust in relation to financial processing on behalf of SNU.
If any of your personal data is required by a third party, as described above, we will take steps to ensure that your personal data is handled safely, securely, and in accordance with your rights, our obligations, and the third party’s obligations under the law, as described above in Part 7.
If any personal data is transferred outside of the EEA, we will take suitable steps in order to ensure that your personal data is treated just as safely and securely as it would be within the UK and under the GDPR, as explained above in Part 7. In some limited circumstances, we may be legally required to share certain personal data, which might include yours, if we are involved in legal proceedings or complying with legal obligations, a court order, or the instructions of a government authority.
9. How Can I Access My Personal Data?
If you want to know what personal data we have about you, you can ask us for details of that personal data and for a copy of it (where any such personal data is held). This is known as a “subject access request”.
All subject access requests should be made in writing and sent to the email or postal addresses shown in Part 10.
There is not normally any charge for a subject access request. If your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests) a fee may be charged to cover our administrative costs in responding.
We will respond to your subject access request within one month of receiving it. Normally, we aim to provide a complete response, including a copy of your personal data, within that time. In some cases, however, particularly if your request is more complex, more time may be required, up to a maximum of three months from the date we receive your request. You will be kept fully informed of our progress.
10. Changes to this Privacy Notice
We may change this Privacy Notice from time to time. This may be necessary, for example, if the law changes, or if we change our business in a way that affects personal data protection. Any changes will be made available on the SNU website. Members, churches and District Councils will be informed in writing by post.
By submitting your personal data you:
(1) declare that you have read, understood and accepted the statements set out in this data protection clause;
(2) are declaring that the information given in the application is complete and true to the best of your knowledge, and understand that deliberate omissions and incorrect statements could lead to your application being rejected; and
(3) are giving your consent to the processing of the information submitted in relation to membership or services. Your confirmation of acceptance of this policy will be obtained by requesting you sign an acceptance document.
General Data Protection Regulation (UK)
The Data Protection Act 2018 controls how your personal information is used by organisations, businesses or the government.
The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR).
Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’. They must make sure the information is:
• used fairly, lawfully and transparently;
• used for specified, explicit purposes;
• used in a way that is adequate, relevant and limited to only what is necessary;
• accurate and, where necessary, kept up to date;
• kept for no longer than is necessary;
• handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage.
There is stronger legal protection for more sensitive information, such as:
• race;
• ethnic background;
• political opinions;
• religious beliefs;
• trade union membership;
• genetics;
• biometrics (where used for identification);
• health;
• sex life or orientation.
There are separate safeguards for personal data relating to criminal convictions and offences.
Your rights
Under the Data Protection Act 2018, you have the right to find out what information the government and other organisations store about you. These include the right to:
• be informed about how your data is being used;
• access personal data;
• have incorrect data updated;
• have data erased;
• stop or restrict the processing of your data;
• data portability (allowing you to get and reuse your data for different services);
• object to how your data is processed in certain circumstances.
You also have rights when an organisation is using your personal data for:
• automated decision-making processes (without human involvement);
• profiling, for example to predict your behaviour or interests.