Reading Gateway Church: Data Protection Policy

Primary Responsibility: The PCC of Reading Gateway Church
Status: v2
Review Period: 2 years
Next Review Date: 2nd quarter 2028
Date Agreed By PCC: 2/6/26

 

  1. Purpose of this Policy

Reading Gateway Church (“RGC”) is committed to protecting personal data and handling it responsibly, securely and transparently in accordance with:

  • the UK General Data Protection Regulation (“UK GDPR”);
  • the Data Protection Act 2018;
  • the Privacy and Electronic Communications Regulations (PECR);
  • safeguarding legislation and guidance;
  • applicable Church of England requirements and guidance.

This policy explains how RGC processes personal data in the course of church ministry, worship, pastoral care, administration, safeguarding, communications and community engagement.

The purpose of data protection legislation is to ensure that personal information is:

  • processed lawfully, fairly and transparently;
  • kept accurate and secure;
  • only used for legitimate purposes;
  • retained only as long as necessary;
  • protected from misuse, unauthorised access or disclosure.

This policy applies to:

  • PCC members;
  • clergy;
  • employees;
  • volunteers;
  • ministry leaders;
  • contractors handling church data;
  • anyone processing personal information on behalf of RGC.

  1. Data Protection Principles

RGC will comply with the UK GDPR principles by ensuring personal data is:

  1. Processed lawfully, fairly and transparently
  2. Collected only for specified, explicit and legitimate purposes
  3. Adequate, relevant and limited to what is necessary
  4. Accurate and kept up to date
  5. Kept only for as long as necessary
  6. Processed securely and confidentially
  7. Processed with accountability and appropriate governance

RGC recognises that some information processed by the church may constitute “special category” data, including information relating to:

  • religious belief;
  • health;
  • safeguarding matters;
  • children and vulnerable adults;
  • pastoral support.

Such information will only be processed where lawful and necessary.

  1. Lawful Basis for Processing

RGC processes personal data under one or more lawful bases provided by UK GDPR, including:

Legitimate Interests

Including:

  • church administration;
  • pastoral care;
  • ministry organisation;
  • volunteer coordination;
  • maintaining contact lists;
  • safeguarding;
  • communications relating to church life and activities.

Legal Obligation

Including:

  • safeguarding duties;
  • employment obligations;
  • financial and Gift Aid records;
  • electoral roll requirements;
  • parish register obligations under Canon Law.

Contract

Including:

  • employment arrangements;
  • hall hire agreements;
  • contractor relationships;
  • event bookings.

Consent

Where appropriate, RGC will obtain explicit consent, particularly for:

  • optional communications;
  • photography and video use;
  • promotional materials;
  • some children’s activities;
  • media and publicity content.

Consent may be withdrawn at any time.

Religious Organisations Provision

As a religious organisation, RGC may process information relating to religious belief or church involvement where this relates to church membership, regular contact, pastoral care or church activities.

  1. Personal Data We Process

RGC may process:

  • names, addresses, telephone numbers and email addresses;
  • dates of birth and family relationships;
  • attendance and participation records;
  • financial information and Gift Aid records;
  • employment and volunteer records;
  • safeguarding information;
  • DBS and confidential declaration information;
  • photographs and video recordings;
  • pastoral support records;
  • records relating to baptisms, weddings and funerals;
  • communications and correspondence.

  1. Processing and Use of Personal Data

RGC uses personal data for:

  • administering church activities;
  • worship and ministry;
  • pastoral support;
  • safeguarding;
  • communication regarding church services and events;
  • volunteer and employee management;
  • maintaining financial records;
  • Gift Aid administration;
  • hall hire and facilities management;
  • publicity and community engagement;
  • livestreaming and digital ministry activities;
  • legal and regulatory compliance.

RGC will not use personal data for purposes incompatible with those for which it was collected.

  1. Digital Communications, Photography and Media

RGC uses:

  • email;
  • ChurchSuite and other church management systems;
  • Microsoft 365 / SharePoint;
  • messaging applications;
  • social media;
  • livestreaming platforms;
  • photography and video recordings

for ministry, administration, communication and outreach purposes.

Where appropriate:

  • consent will be sought before using identifiable photographs or recordings;
  • special care will be taken regarding children and vulnerable adults;
  • individuals may withdraw consent for optional publicity or promotional use.

RGC recognises that some systems may store or process data outside the United Kingdom. Appropriate safeguards will be used where international data transfers occur.

  1. CCTV

RGC operates CCTV systems on church premises for:

  • safeguarding;
  • protection of individuals;
  • prevention and detection of crime;
  • protection of church property.

CCTV recordings will only be accessed by authorised individuals and retained only for an appropriate period unless required for investigation purposes.

  1. Data Security

RGC will take appropriate technical and organisational measures to protect personal data, including:

  • password-protected systems and devices;
  • restricted access permissions;
  • secure cloud storage;
  • multi-factor authentication where available;
  • secure disposal of paper and digital records;
  • encryption and secure transfer where appropriate;
  • staff and volunteer confidentiality expectations.

Personal data must not be:

  • shared inappropriately;
  • stored on unsecured personal devices;
  • transferred to unauthorised systems or external media.

Only authorised individuals may access sensitive or confidential information.

  1. Safeguarding Information

Safeguarding records and confidential declarations will be stored securely with strictly limited access.

Such information may be shared with safeguarding officers, statutory agencies or diocesan safeguarding teams where necessary and lawful.

Safeguarding information will be retained in accordance with Church of England safeguarding guidance and legal obligations.

  1. Data Retention and Disposal

RGC retains records in accordance with:

  • UK GDPR requirements;
  • safeguarding requirements;
  • employment law;
  • HMRC requirements;
  • Church of England guidance including Keep or Bin: Care of Your Parish Records.

Examples include:

  • financial and Gift Aid records: minimum 6–7 years;
  • safeguarding records: in accordance with safeguarding guidance;
  • unsuccessful recruitment records: generally 12–24 months;
  • employee and volunteer records: appropriate employment retention periods;
  • parish registers: permanently where legally required.

Data no longer required will be securely deleted, shredded or destroyed.

  1. Data Subject Rights

Individuals have the right to:

  • request access to personal data;
  • request correction of inaccurate information;
  • request erasure where appropriate;
  • restrict processing in certain circumstances;
  • object to processing;
  • withdraw consent;
  • request portability of data where applicable;
  • complain to the Information Commissioner’s Office (ICO).

Requests should be made to the Data Protection Lead.

Proof of identity may be required before requests are processed.

  1. Data Breaches

Any actual or suspected personal data breach must be reported immediately to the Data Protection Lead or Incumbent.

RGC will:

  • investigate all breaches;
  • maintain a breach log;
  • assess risks to individuals;
  • notify the ICO where legally required;
  • notify affected individuals where there is a high risk to rights and freedoms.

Reportable breaches must normally be notified to the ICO within 72 hours.

  1. Responsibilities

The PCC is ultimately responsible for ensuring compliance with this policy.

The Data Protection Lead is responsible for:

  • monitoring compliance;
  • reviewing procedures;
  • overseeing breach management;
  • supporting staff and volunteers;
  • advising the PCC on data protection matters.

All staff and volunteers handling personal data are responsible for:

  • maintaining confidentiality;
  • following this policy;
  • completing relevant safeguarding or data protection training;
  • reporting concerns or breaches promptly.

  1. Monitoring and Review

This policy will be reviewed every two years or sooner if:

  • legislation changes;
  • church practices materially change;
  • safeguarding or operational requirements require amendment.

  1. Contact Details

Reading Gateway Church
Parish Office, St Agnes Church
Northumberland Avenue
Reading RG2 8DE

Telephone: 0118 987 4448
Email: parishoffice@readinggateway.church

Data Protection Lead: Revd Nick Hill

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
www.ico.org.uk

  1. RGC Data Protection Procedures

  1. Personal data is collected at the point of first contact and during subsequent interactions with Reading Gateway Church, including through church activities, employment, volunteering, pastoral support, events and communications. Data is collected only where necessary for the purposes outlined in this policy and the RGC Privacy Notice.
  2. Where consent is relied upon as the lawful basis for processing, consent will be obtained clearly and transparently. Online systems such as ChurchSuite will make clear how personal information is stored, used and, where relevant, shared within church activities.
  3. Confidential declarations, safeguarding records and DBS-related information are stored securely within restricted-access folders on RGC’s SharePoint or other approved secure systems. Access is limited to authorised personnel such as the Incumbent, Operations Manager, Parish Administrator and Safeguarding Officers where appropriate.
  4. Employee and volunteer recruitment records, references and interview assessments are stored securely and retained in accordance with employment law, safeguarding requirements and Church of England guidance. Records for unsuccessful applicants will normally be retained for up to 24 months before secure destruction unless legal considerations require longer retention.
  5. All systems and databases containing personal information must be password protected and managed with appropriate security controls. Multi-factor authentication should be used where available.
  6. Sensitive personal information, including safeguarding information and pastoral support records, will be stored securely either in locked physical storage or restricted-access digital systems. Access is strictly limited to those authorised and requiring access for legitimate ministry, safeguarding or operational purposes.
  7. Staff and volunteers with access to personal information will receive appropriate guidance regarding confidentiality, safeguarding and data protection responsibilities and are expected to comply with this policy and related procedures.
  8. Personal data must only be stored on authorised systems and devices approved by RGC. Personal information should not be transferred to unauthorised locations, personal storage devices or unsecured external media.
  9. Personal data shared electronically must be transferred securely and only where necessary for legitimate church purposes.
  10. Any actual or suspected data breach must be reported immediately to the Data Protection Lead, Incumbent or Operations Manager in accordance with RGC’s breach reporting procedures.

  1. Monitoring and Review

The PCC retains overall responsibility for oversight of data protection compliance within Reading Gateway Church.

Day-to-day monitoring of this policy may be delegated to the Operations Manager and/or Data Protection Lead, who will:

  • oversee implementation of this policy;
  • maintain breach and compliance records;
  • support staff and volunteers;
  • review operational procedures;
  • report significant matters to the PCC as appropriate.

The operation of this policy will be reviewed regularly and reported to the PCC at least annually, including through APCM reporting where appropriate.
