THE DIOCESE OF DERRY PRIVACY NOTICE

OVERVIEW

The Diocese of Derry recognises that the greatest of care must be taken when processing personal data about our parishioners and we understand that this is not a purely administrative task. The records we hold can have profound pastoral significance. Personal information is directly relatable to the dignity of human life, and the respect that every individual deserves must extend to information we hold about that individual.

The law provides 6 legal bases for processing data:

1) Consent of the Individual
2) Contractual Necessity
3) Compliance with Legal Obligations
4) Vital Interests of the Data Subject
5) Performance of a Task in the Public Interest
6) Legitimate Interests

Further conditions apply when processing ‘Special Category’ personal data, which includes data revealing religious or philosophical beliefs.

In the majority of instances, the information which we collect and store is of a basic, biographical nature such as contact details - name, address and telephone number - but the work of the Church is wide-ranging and there are instances when additional information is necessary.

This notice sets out how we collect personal information about you, how we use, store and share it and how you can interact with us about it.

1. Who is the Data Controller?

• Legal responsibility for all decisions regarding the purpose and means of processing personal data rests with the ‘Data Controller’.
• The Diocese of Derry and more specifically the Derry Diocesan Trust is the Data Controller, including when processing is carried out by its curial offices, Parishes and committees. It is important to note that Parishes form part of the Diocese and are not separate legal entities.
• Derry Diocesan Trust is a registered charity (registration no. NIC105256).
• If you require any further information on this notice or data protection within the Parish please contact:

Executive Director
Diocesan Office, St Eugene’s Cathedral, Francis Street, Derry BT48 9AP
Tel: 028 71262302
Email: office@derrydiocese.org


Diocese of Derry Privacy Notice Version 1 2018/19

2. Why is personal data processed?

The work of the Parish Priest, parish staff, volunteers and clergy involves interacting with Parishioners on a daily basis. We have carefully considered the information that we hold and have sub-divided our processing activities by subject matter. The table below provides an overview of our processing activities and explains why processing is necessary.

Subject Matter: Sacramental Records
Examples: Baptism, Marriage, First Holy Communion & Confirmation Registers
Legal Basis for Processing: When we collect personal data relating to the celebration of a sacrament and maintain records on parish activities, we do so in the legitimate interests of our Church and its members. Collecting information pertaining to the celebration of our faith is an essential part of the fulfilment of our spiritual and charitable purpose to advance the Catholic religion. We also process information in compliance with our legal obligations and as part of a wider task in the public interest, for example when officiating at a wedding.

Subject Matter: Records pertaining to the celebration and participation in Mass, events, pilgrimages and services
Examples: List of Eucharistic Ministers, Readers, Choir & Musicians, contact information and requests relating to visits to the housebound, information for the Parish newsletter, audio and visual recordings & photographs, Death Registers
Legal Basis for Processing: The congregation plays an integral role in all religious services. It is important for us to be able to communicate with you in relation to news about activities and events taking place within the Church and local community including seeking feedback and informing you of any changes to our pastoral plans or ministry. Processing this data is necessary to fulfil our legitimate interests as a Church and to fulfil our spiritual and charitable purpose.

Subject Matter: Pastoral Care, Safeguarding, Health & Safety
Examples: CCTV/webcam, Accident Log, volunteer information, training records, Access NI or National Vetting Bureau applications/clearance, record of complaints
Legal Basis for Processing: This information is of pivotal importance for legal and pastoral reasons and is processed in accordance with our legal obligations, our public tasks and our legitimate interests in contributing to the advancement of our faith in the local community.

Subject Matter: Finance & Governance including Fundraising & Donations
Examples: Gift Aid declarations, parish envelopes, minutes of committee meetings, tender documents, use of facilities, parish draws
Legal Basis for Processing: The Diocese is a registered charity and we are required to hold information on finance and governance to comply with our legal obligations under charity and tax law.

Subject Matter: General church administration including information on our employees
Examples: Parish diary and telephone directory, routine correspondence, visitation papers, contracts, timesheets, personnel files, miscellaneous information obtained relating to the operation of our website including cookies
Legal Basis for Processing: This category of data is varied, and processing is based on both contractual necessity and our legitimate interest in achieving our charitable objects of advancing and maintaining the Catholic religion.

Subject Matter: Statistical and historical information
Examples: Parish census and surveys
Legal Basis for Processing: Processing information of a wider statistical and historical nature is consistent with the performance of a task in the public interest.


3. How is personal data collected?

The majority of the personal data which we process is collected directly from you by completing forms or in other communications which may be verbally in person, in writing, by telephone or via the internet. On rare occasions, we will gather information from third parties including references or checks for safeguarding purposes.

Failure to provide us with information which is required to comply with a legal/statutory obligation may restrict our ability to administer a sacrament or engage in pastoral activities as well as your ability to volunteer or participate in services, events or activities.

4. Who has access to your data?

Your information can only be accessed by authorised personnel within the Parish and the Diocese. None of your data is subject to any direct marketing, automated decision making or profiling.

5. Do we share or transfer your data?

The Diocese will only share your personal information with third parties if we believe it is necessary and consistent with our legitimate interests. Sometimes sharing information is necessary for pastoral reasons, for example if a school requires information to assist in preparation for the celebration of a sacrament. On other occasions, the Diocese will consult with third parties such as IT consultants to assist us in administrative tasks, or professional advisers to advise us on legal or technical matters.

There are also instances when there will be a specific legal requirement to share information, for example in order to perform essential safeguarding tasks such as checks against criminal records from Access NI/National Vetting Bureau, liaison with the Police and other law enforcement agencies, insurers or tax, charity or immigration authorities.

If we share your data, we will ensure that satisfactory controls are in place to allow your information to be transmitted safely and will engage with third party service providers so that we can be satisfied that they comply with data protection laws.

In the ordinary course of our routine processing activities, your data will be processed within the Diocese and will not be transferred to countries outside the European Economic Area (EEA). However, if such action is necessary, for example, a parishioner is getting married outside the EEA or information is required by the Vatican, we will ensure that processing is carried out in accordance with government guidance and with an adequate level of protection for personal data.

6. How do we protect your data?

The Diocese takes the security of your data seriously and has internal policies and controls in place to protect your information. The steps we take have been developed as part of a risk assessment and reflect our practical, ‘commonsense’ and proactive approach to data protection such as making sure paper documents are securely locked away when not in use; using passwords and encryption when processing soft copies of documents, limiting record-keeping on portable electronic devices and removable storage, shredding documents when being disposed of and regularly monitoring our IT security systems.

7. Do any additional safeguards apply?

Given the context in which processing occurs, it is inevitable that a high percentage of the data we process will either explicitly or implicitly include an individual’s religion which is ‘special category’ data. When this is the case, processing will only occur if one of the following conditions is met, in addition to the stated legal basis:


• Processing is carried out in the course of our legitimate activities as a non-profit making organisation with a religious aim. Appropriate safeguards are in place and the processing relates solely to the members or to former members of the Parish and personal data is not disclosed externally without your consent;
• Data is manifestly made public by you as the data subject;
• It is necessary for handling legal claims;
• There is a substantial public interest for processing in accordance with the law;
• Archiving is in the public interest/necessary for research & statistics;
• Your explicit consent.

8. How long do we keep your data?

One of the fundamental principles of lawful data processing is that any data held is accurate and, where necessary, kept up to date and erased without delay. Personal data may be stored for longer periods if the data is processed solely for archiving purposes in the public interest for historical research purposes or statistical purposes.

The subject matter of the record will determine how long the information is retained within the Diocese. We consider some of the personal data we hold to be of wider historical or genealogical significance, which justifies retaining it for longer periods than would typically be associated with business transactions. There may also be instances where the sensitive or legal nature of the record itself requires us to store the information for an extended period. For example, all records pertaining to safeguarding are maintained for 100 years. The table below provides a quick reference for each subject matter, but if you require specific information on a retention period please contact the Executive Director.

Subject Matter: Sacramental Records
Retention Period: Permanently

Subject Matter: Records pertaining to the celebration and participation in Mass, events, pilgrimages and services
Retention Period: Routine information such as rotas and contact details will be checked intermittently by the Parish Office on an informal basis and formally reviewed every 5 years to ensure that the data remains relevant/accurate and that processing is still necessary.

Subject Matter: Safeguarding
Retention Period: This information is sensitive and is held for 100 years.

Subject Matter: Finance & Governance including Fundraising & Donations
Retention Period: Determined by Company, Charity & Tax Law. Specifically, we retain Gift Aid declarations and associated paperwork for up to seven years after the year to which they relate.

Subject Matter: General church administration including information on our employees
Retention Period: Determined by Employment Law; otherwise routine information such as diaries and time sheets will be checked intermittently by the Parish Office on an informal basis and formally reviewed every 5 years to ensure that the data remains relevant/accurate and that processing is still necessary.

Subject Matter: Statistical and historical information
Retention Period: Permanently


9. Your Rights

You can make a subject access request in writing to the Diocese at any time, free of charge. Please contact our Executive Director using the contact details on page 1 of this notice. If you believe that the information which we hold is incorrect or incomplete, you can inform us and ask us to update the records held.

You are entitled to ask us to erase, limit or stop processing your data. We may ask you to explain your reasons for the request. If we are processing your data in compliance with a legal obligation, contractual necessity, fulfilment of a public task or in pursuit of overriding, legitimate interests, it may not be possible for us to agree to your request, but if this is the case, we will explain the reason for our decision.

As stated above, none of your data is subject to automated decision making or profiling and therefore the rights associated with this type of processing do not apply.

10. How can I make a Complaint?

If you believe that the Diocese has not complied with your data protection rights, you can complain to the Information Commissioner (NI) or the Data Protection Commissioner (ROI). Further information on this process can be found online by accessing the relevant websites.

In Northern Ireland: https://ico.org.uk/global/contact-us/
In the Republic of Ireland: https://www.dataprotection.ie

CONCLUSION

Data Protection is a complex and evolving legal issue. This notice will be reviewed on an annual basis. The Diocese, through its Parishes, is committed to compliance with the six data protection principles set out in the General Data Protection Regulation which provides that Personal Data must be:

• Processed fairly, lawfully and in a transparent manner;
• Collected for specified, explicit and legitimate purposes and not further processed for other purposes incompatible with those purposes;
• Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
• Accurate and, where necessary, kept up to date;
• Kept in a form that permits identification of Data Subjects for no longer than is necessary for the purposes for which the personal data is processed; and
• Processed in a way that ensures its security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational security measures.

The General Data Protection Regulation provides the following rights for individuals:

• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making and profiling.

These rights are not absolute and your ability to exercise these rights will depend on the legal basis for processing.
