This policy is effective from 15th October 2015
The Church of England together with its representatives including, but not limited to soul[food] Administrators and soul[food] Support Team and its Print Partner for the soul[food] resources site: Christian Publishing & Outreach Ltd ("we") are committed to protecting and respecting privacy and complying with the Data Protection Act 1998.
soul[food] is an initiative based at The Church of England - Birmingham. Please go to the following website for more information soul[food], please visit www.soulfood.me.
Christian Publishing & Outreach Ltd (CPO), Garcia Estate, Canterbury Road, Worthing, West Sussex, BN13 1BW is the nominated Print Partner for soul[food]. CPO operate the servers; website; customer service (telephone, email and postal); order taking, processing, delivery and all related administration.
Christian Publishing & Outreach is registered charity (Charity Number 221462) and a limited company registered in England & Wales (Company Number 588731) VAT number: GB 860 2193 41. CPO are registered with the Information Commissioner, registration number Z9128713.
Your purchase through soul[food] will appear on your credit card/bank statement as Christian Publishing and Outreach (CPO).
- that we have in relation to the personal data we collect from you as a user of the soul[food] resources site (“you”) and the personal data that you supply to us in respect of third party personal data you collect from other data subjects who supply their details for inputting into the shop.soulfood.me
- that you have in relation to the personal data that you collect from data subjects who supply their personal data for inputting into the shop.soulfood.me
Please read the following carefully to understand our views and practices, and our and your obligations, regarding privacy and personal data and how we will treat it and how you should treat third parties personal data held.
For the purpose of the Data Protection Act 1998 (the “Act”), the data controller is the Birmingham Diocesan Board of Finance, 1 Colmore Row, Birmingham B3 2BJ. You will be a data controller jointly or in common for any third party personal information you add.
Birmingham Diocesan Board of Finance is registered with the Information Commissioner, registration number Z6925923. Our nominated representative for the purpose of the Act is Andrew W Halstead.
Data protection generally
Data is information which is stored electronically, on a computer, or in certain paper based filing systems.
Data subjects for the purpose of this policy include all living individuals about whom we or you hold personal data. A data subject need not be a UK national or resident. All data subjects have legal rights in relation to their personal data.
Personal data means data relating to a living individual who can be identified from that data (or from that data and other information in our possession). Personal data can be factual (such as a name, address or date of birth) or it can be an opinion.
Data controllers are the people who or organisations which determine the purposes for which, and the manner in which, any personal data is processed. They have a responsibility to establish practices and policies in line with the Act. We are alone or jointly or in common with you the data controller of all personal data used in relation to this site.
Data processors include any person who processes personal data on behalf of a data controller.
Processing is any activity that involves use of the data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties.
Sensitive personal data includes information about a person's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life, or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings. Sensitive personal data can only be processed under strict conditions, and will usually require the express consent of the person concerned.
Data protection principles
Anyone processing personal data must comply with the eight enforceable principles of good practice. These provide that personal data must be:
- Processed fairly and lawfully.
- Processed for limited purposes and in an appropriate way.
- Adequate, relevant and not excessive for the purpose.
- Not kept longer than necessary for the purpose.
- Processed in line with data subjects' rights.
- Not transferred to people or organisations situated in countries without adequate protection.
Fair and lawful processing
The Act is intended not to prevent the processing of personal data, but to ensure that it is done fairly and without adversely affecting the rights of you and the data subject. The data subject must be told who the data controller is (in this case you and the Diocese of Birmingham) the purpose for which the data is to be processed, and the identities of anyone to whom the data may be disclosed or transferred.
For personal data to be processed lawfully, certain conditions have to be met. These may include, among other things, requirements that the data subject has consented to the processing, or that the processing is necessary for the legitimate interest of the data controller or the party to whom the data is disclosed. When sensitive personal data is being processed, more than one condition must be met. In most cases the data subject's explicit consent to the processing of such data will be required.
Processing for limited purposes
Personal data may only be processed for the specific purposes notified to the data subject when the data was first collected or for any other purposes specifically permitted by the Act. This means that personal data must not be collected for one purpose and then used for another. If it becomes necessary to change the purpose for which the data is processed, the data subject must be informed of the new purpose before any processing occurs.
Adequate, relevant and non-excessive processing
Personal data should only be collected to the extent that it is required for the specific purpose notified to the data subject. Any data which is not necessary for that purpose should not be collected in the first place.
Personal data must be accurate and kept up to date. Information which is incorrect or misleading is not accurate and steps should therefore be taken to check the accuracy of any personal data at the point of collection and at regular intervals afterwards. Inaccurate or out-of-date data should be destroyed. You are responsible for the accuracy of the personal data you supply and you should review this periodically or as notified by any data subject.
Personal data should not be kept longer than is necessary for the purpose. This means that data should be destroyed or erased from our systems when it is no longer required.
Processing in line with data subject's rights
Data must be processed in line with your and data subjects' rights. You and data subjects have a right to:
- Request access to any data held about them by a data controller.
- Prevent the processing of their data for direct-marketing purposes.
- Ask to have inaccurate data amended.
- Prevent processing that is likely to cause damage or distress to themselves or anyone else.
We and you must ensure that appropriate security measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data. Data subjects may apply to the courts for compensation if they have suffered damage from such a loss.
The Act requires you and us to put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Personal data may only be transferred to a third-party data processor if he agrees to comply with those procedures and policies, or if he puts in place adequate measures himself.
Maintaining data security means guaranteeing the confidentiality, integrity and availability of the personal data, defined as follows:
- Confidentiality means that only people who are authorised to use the data can access it.
- Integrity means that personal data should be accurate and suitable for the purpose for which it is processed.
- Availability means that authorised users should be able to access the data if they need it for authorised purposes. Personal data should therefore be stored on our central computer system instead of individual PCs.
Security procedures include:
- Entry controls. Any stranger seen in the vicinity of your computer or private documents should be reported.
- Secure lockable desks and cupboards. Desks and cupboards should be kept locked if they hold confidential information of any kind. (Personal information is always considered confidential.)
- Methods of disposal. Paper documents should be shredded. All personal data or other sensitive data stored on any medium including but not limited to DVD», USB memory sticks, external hard drives, the cloud or portable devices should be deleted when they are no longer required.
- Equipment. Data users should ensure that individual monitors and other devices do not show confidential information to passers-by and that they log off from their PC when it is left unattended.
Dealing with subject access requests
A formal request from you for information that we hold about them must be made in writing. A fee is payable by the data subject for provision of this information. Anyone who receives a written request should deal with it in accordance with the Data Protection Act 1998. If you have any questions about our obligations please contact firstname.lastname@example.org immediately.
Dealing with Data Breaches
If you believe the security of any Personal Data or Sensitive Personal Data has been breached please speak to Martin Kettle immediately.
Although not a statutory requirement the Information Commissioner believes that a serious breach of the data protection principles should be reported. In the first instance any breach will be reported to email@example.com. In any matter that might affect personal safety the police will be informed immediately.
Providing information over the telephone
Any person dealing with telephone enquiries will be careful about disclosing any personal information held by us. In particular we will:
- Check the caller's identity to make sure that information is only given to a person who is entitled to it.
- Suggest that the caller put their request in writing if they are not sure about the caller's identity and where their identity cannot be checked.
- Refer to firstname.lastname@example.org for assistance in difficult situations. No-one should be bullied into disclosing personal information.
Privacy and Information collected
We may collect and process the following data about you and the data subjects whose personal data you provide:
- Information that you provide by filling in forms on our site. This includes information provided at the time of registering to use our site and the information you input. We may also ask you for information when you report a problem with our site.
- If you contact us, we may keep a record of that correspondence.
- Details of your visits to our site including, but not limited to, traffic data, location data, web-logs and other communication data, and the resources that you access, whether this is required for our own purposes or otherwise.
We may collect information about your computer, including where available your IP address, operating system and browser type, for system administration. This is statistical data about our users' browsing actions and patterns, and does not identify any individual.
Where we store personal data
All information you provide to us is stored on our secure servers. Where we have given you (or where you have chosen) a password which enables you to access our site, you are responsible for keeping this password confidential. We ask you not to share the password with anyone.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site. Any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
How we use your information
We use your information to:
- ensure that content from our sites is presented in the most effective manner for you and for your computer or internet connected device
- to provide you with the features and functions of our sites (and their related services) which we feel may assist you
- take process, and deliver your order and for all related administration
- to monitor and evaluate statistics and changing patterns in the services we provide. These statistics may be used in press releases and other public documents, or otherwise put into the public domain, in order to promote the work of the Church of England
- to develop and tailor ours sites, content, features, resources and direction to those who visit our sites
Disclosure of information
We may disclose your personal information to church related entities where necessary for such matters as disciplinary issues.
Access to information
The Act gives you and other data subjects the right to access their own personal data. The right of access for you and other data subjects can be exercised in accordance with the Act. Any access request may be subject to a fee of £10.
The Act does not specify the period of time for which personal information should be held, it simply states that it should not be kept longer than is necessary for the purpose for which it processed. If the personal data is no longer required for the purpose for which it was processed then it should be deleted.
A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer if you agree. Cookies contain information that is transferred to your computer's hard drive.
We use the following cookies:
- Strictly necessary cookies. These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log onto the secure area of our website.
- Analytical/performance cookies. These allow us to recognise and count the number of users and to see how the users move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.
You block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our site.
Like many sites on the web, we use Google Analytics to collect anonymous usage information about how visitors engage with our website. Learn more about Google Analytics and privacy.
The Data Protection Act (1998)
The Information Commissioner's Office