Data Protection Policy

East Caithness

Church of Scotland

East Caithness Church of Scotland

Scottish Charity No. SC 001291

Argyle Square

Wick

KW1 5AL Lybster

Caithness

KW3 6BN

East Caithness Church of Scotland Data Protection Policy

1. Overview

East Caithness Church of Scotland (the “congregation”) takes the security and privacy of personal information seriously. As part of our activities, we collect, process, store, and share personal data about members, adherents, employees, office bearers, volunteers, and others who interact with us. This policy outlines how the congregation complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring that personal data is collected, used, and safeguarded responsibly.

The congregation’s Data Protection Coordinator is [insert name and contact details]. Any queries regarding data protection should be directed to them, or failing that, the Session Clerk.

2. Data Protection Principles

Personal data will be processed in accordance with the six Data Protection Principles, meaning it must:

1. Be processed lawfully, fairly, and transparently.

2. Be collected for specified, explicit, and legitimate purposes.

3. Be adequate, relevant, and limited to what is necessary.

4. Be accurate and kept up to date.

5. Not be kept for longer than necessary.

6. Be processed securely to maintain integrity and confidentiality.

Additionally, the congregation must demonstrate compliance with these principles (“Accountability”).

3. Definition of Personal Data

“Personal data” refers to any information relating to an identifiable person. This includes names, addresses, phone numbers, email addresses, and financial details.

Special category data includes details about religious beliefs, health, ethnicity, and criminal records, which require additional protection.


4. Lawful Basis for Processing Personal Data

We process personal data under the following lawful bases:

  • Legitimate interests (e.g., maintaining membership records).
  • Consent (e.g., including details in a church directory).
  • Legal obligation (e.g., safeguarding concerns).
  • Contractual necessity (e.g., employment contracts).
  • Vital interests (e.g., emergency medical situations).
  • Religious or charitable activities (for members and regular contacts only).

Special category data will only be processed where explicit consent is given or under exemptions for religious organizations, safeguarding, or legal obligations.

5. Collection and Processing of Personal Data

  • Personal data will be collected only for specific, stated purposes.
  • Data will be accurate and kept up to date.
  • Data will not be shared outside the congregation without consent, unless legally required.
  • Records will be managed in accordance with the congregation’s Records Retention & Disposal Schedules.

A Privacy Notice outlining our data practices is available on the church website and noticeboard.

6. Security of Personal Data

The congregation will take appropriate security measures, including:

  • Physical security: Paper records will be stored in locked cabinets.
  • Electronic security: Password-protected access to digital records.
  • Email security: Use of BCC when emailing groups; encryption for sensitive data.
  • Device security: Church email accounts should not be accessed on shared devices.
  • Data minimization: Only necessary personal data will be retained.


7. Sharing Personal Data

Personal data may be shared:

  • Within the Church of Scotland (e.g., Presbytery, safeguarding teams).
  • With third parties (e.g., payroll services, insurers), where required by law or under contract.
  • With statutory authorities (e.g., Police, Social Services) when legally required.

A Data Sharing Agreement will be in place where necessary.

8. Data Security Breaches

In the event of a data breach, the Presbytery Clerk must be notified immediately. If the breach poses a risk to individuals’ rights and freedoms, the Information Commissioner’s Office (ICO) will be informed within 72 hours.

9. Subject Access Requests & Data Subject Rights

Individuals have the right to:

  • Access their personal data.
  • Rectify inaccurate data.
  • Request deletion (subject to legal retention requirements).
  • Restrict processing where applicable.
  • Object to processing in certain cases.
  • Data portability (where processing is based on consent or contract).
  • Not be subject to automated decision-making without human oversight.

Requests should be directed to the Data Protection Coordinator and will be responded to within one calendar month.

10. Data Protection in Employment

  • Employee data will be used only for employment-related purposes.
  • Payroll and pension information will be shared with relevant providers under strict confidentiality agreements.
  • Records will be retained only as long as necessary, following legal guidelines.


11. Contracts with Third Parties

Where personal data is processed by an external organization (e.g., IT services, payroll providers), a Data Processing Agreement will be put in place.

12. Responsibilities

  • The Kirk Session oversees data protection compliance.
  • The Data Protection Coordinator ensures operational compliance and provides training.
  • All staff and volunteers must adhere to this policy and complete relevant training.

13. Policy Review

This policy will be reviewed annually or as needed to comply with legal updates. The latest version will be available on the congregation’s website and noticeboard.

Adopted by East Caithness Church of Scotland on [date]

Signed: Iain A Maclean, Session Clerk

Signed: Rev Linda Broadley, Interim Moderator Minister
