DATA PRIVACY STATEMENT
St Luke’s is committed to protecting and respecting your privacy.
This statement explains when and why we collect personal information about people who visit us, our website, or connect with us on social media. It also explains how we use it, the conditions under which we may disclose it to others and how we keep it secure.
By using our website, or connecting with us on any other available touchpoint, you’re agreeing to be bound by this statement and our data protection policy.
The data protection officer for St Luke’s Kentish Town is Luke Jones. Any questions regarding your data, this Statement and our privacy practices should be sent by email to email@example.com, or by writing to St Luke’s Parish Office, 7 Dowdney Close, London, NW5 2BP.
What is your personal data?
“Personal data” is any information about a living individual which allows them to be identified (e.g. a name, photographs, videos, email address, or address). Identification can be by the information alone or in conjunction with any other information. The processing of personal data is governed by the Data Protection Act 2017, the General Data Protection Regulation 2016/679 (“GDPR”) and other legislation relating to personal data and rights such as the Human Rights Act 1998.
Who are we?
We are St Luke’s Kentish Town (hereafter St Luke’s), Registered Charity no. 1145026. St Luke’s is also a member of the Church of England, in the Diocese of London. St Luke’s is the data controller.
How do we collect information from you?
We obtain information about you when you fill in a Hello, Hub, Serve or Give card, when you sign up for any of our events or groups on ChurchSuite, make a donation, register a child with us for a kids group through ChurchSuite, when you use our website, or when you apply for a paid or volunteer position with the church.
What type of information is collected from you?
The personal information we collect might include your name, address, email address, phone number, attendance information at events, financial information, groups and meetings, IP address, and information regarding what pages are accessed and when. We may also take photographs or film at our events. The use of these is governed under the lawful bases outlined below. If you make a purchase from us, for example for the purpose of purchasing event tickets, your card information is not held by us; it is collected by our third party payment processors, who specialise in the secure online capture and processing of credit/debit card transactions, as explained below.
How is your information used?
St Luke’s collects and processes information so that we can:
Send you communications which fall within the scope of the objectives of the church, and for the purpose of developing the congregation at St Luke’s.
Manage, administer and promote the life and mission of the church.
Administer financial transactions: donations, ticket purchases, product purchases, and similar. Records of donations are kept and regularly updated, and gift aid is claimed with your written permission.
Administer our Sunday services, courses and events. We may need to use your contact information to notify you of details, updates and changes.
Ensure that children attending a St Luke’s group or event are safely registered and accounted for.
Enable the clergy to undertake pastoral care duties as appropriate.
Manage our employees, volunteers and contractors. We will process data about individuals for legal, HR, administrative and management purposes and to enable us to meet our legal obligations.
Manage our websites and social media accounts. This may involve the use of images or clips taken of you during one of our events or services.
Prevent and detect crime.
Carry out comprehensive safeguarding procedures in accordance with best safeguarding practice.
Process an application for a job or volunteer position.
Meet all legal and statutory obligations (which include maintaining and publishing our electoral roll in accordance with the Church Representation Rules).
Lawful basis for processing your data
The GDPR requires specification in the Privacy Notice of the lawful basis for processing personal data. Below are the lawful bases which are relevant for how we process your information.
Legitimate interest, or the legitimate interests of a third party.
Where consent has been obtained.
Compliance with a legal obligation.
Performance of a contract, or to take steps to enter into a contract.
To protect a person’s vital interests.
Religious organisations are also permitted to process information which reveals a person’s religious beliefs, to administer membership or contact details.
Your rights and your personal data
You have the following rights with respect to your personal data:
To access information we hold on you – you can contact us in writing at any time.
To correct and update the information we hold on you - we will make relevant changes.
To have your information erased - you can request deletion.
To restrict the processing of your data – you can object to your data being used.
To move your data (data portability) – you can request data transfer.
To withdraw your consent, where consent was sought – this can be at any time.
To object to the processing of personal data where applicable.
To lodge a complaint with the Information Commissioner’s Office.
When exercising any of the rights listed above, in order to process your request, we may need to verify your identity for your security. In such cases we will need you to respond with proof of your identity before you can exercise these rights.
How can you access and update your information?
St Luke’s uses ChurchSuite to host and process all personal information of guests and members of the church, upon receipt of a completed Connect Card. Members of the congregation are invited to download and access ChurchSuite for the purpose of adapting their communication preferences.
Alternatively, you can contact the church office using the details given above at any time with a request. You can also manage your contact preferences through any email you have received through ChurchSuite.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
Security of your data
“Maintaining the security of your data is one of our highest priorities, and to this end, all access to ChurchSuite is over an SSL (https://) connection, which provides 256-bit military grade encryption to ensure that all data in transit between your web browser and ChurchSuite is fully encrypted. Where we are required to store any usernames or passwords for third-party integrations, such as social media or communication channels, we will always encrypt these details before they are stored on our servers.
Once we have received any data and stored it on our servers, we make commercially reasonable efforts to ensure its security on our system. To this end, we have chosen to host our ChurchSuite servers in a data centre that meets some of the strictest of industry security requirements, and is classified as a Tier 2 data centre.
Unfortunately, no data transmission over the Internet can be guaranteed to be 100% secure, so whilst we strive to protect your personal information, unfortunately we cannot warrant the security of any information you transmit to us.”
This final paragraph applies to the transmission of data over the internet from any St Luke’s email account too.
How long do we keep your personal data?
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Sharing your information
Your personal data will be treated as strictly confidential.
Third party service providers:
We will never sell your information on to third parties. We may pass your information to a third party associated organisation for the purposes of completing tasks and providing services to you on our behalf (for example to register you with an external event like Focus). However, when we use third party service providers, we disclose only the personal information that is necessary to deliver the service. Please be reassured that we will not release your information to third parties beyond St Luke’s, unless you have granted us permission to do so, or we are required to do so by law, for example, by a court order or for the purposes of prevention of fraud or other crime.
When you are using our secure online donation pages, your donation is processed by a third party payment processor, who specialises in the secure online capture and processing of credit/debit card transactions. If you have any questions regarding secure transactions, please contact us.
We will only pass your information on to other individuals within and outside of the church with your written permission.
Transfer of data abroad:
In general we do not transfer personal data abroad. However, where this does occur, any electronic personal data transferred to countries or territories outside the EU will only be placed on systems complying with measures giving broadly equivalent protection of personal rights either through international agreements or contracts approved by the European Union.
Use of 'cookies'
It is possible to switch off cookies by setting your browser preferences. Turning cookies off may result in a loss of personalised functionality when using our website.
To keep web statistics and analyse how people interact with our website, so that we can improve it and make it fit for purpose, we may use software that allows us to track IP addresses and ‘click’ interaction with the website.
16 or under
We are concerned to protect the privacy of children aged 16 or under. If you are aged 16 or under, please get your parent/guardian’s permission beforehand whenever you provide us with personal information.
We keep this statement under regular review. This statement was last updated in June 2018.
Luke Jones, June 2018