This document sets out our commitment to protecting all personal data and explains what that means in how we collect, store and use personal data. ECCR strives to protect all data that it holds and to use it responsibly, fairly and in compliance with the General Data Protection Act.
We understand personal data to be information that relates to the identity of a natural person and can identify them directly or indirectly.
We will only collect data when consent is specific and verifiable. As such it will have an associated written record, which can be made available on request. ECCR will always require an affirmative action to collect data. Our principal data collection points are the website (newsletter sign-up) and the process of joining ECCR (membership, volunteer, staff member). We also collect the information you provide when you make a donation, ask to receive one of our emails, request materials or information, enter into correspondence, or sign up for an event.
If you donate to ECCR via BTMyDonate and consent to share your details with us, we receive those details.
If you are at one of our events, we may take your picture or record a session in which you participate. Under GDPR, we will always note that we are taking pictures and recording events, and will give you the option not to be part of group pictures. If we take pictures of you outside a group context or if you are presenting a talk and we would like to record it, under GDPR we will always ask your permission in advance.
ECCR requires any third-party data processors (printers, caterers etc.) to demonstrate their compliance with GDPR.
No personal data will be retained longer than necessary. We will retain data pertaining to membership records for 24 months after membership lapses. Beyond that point we will anonymise membership records for our archive records.
ECCR will ensure that individuals are able to exercise their right for data held on them to be deleted, sometimes referred to as the right to be forgotten.
ECCR recognises that the following categories of data require special care:
1. Racial and Ethnic origin
2. Political Opinion
3. Religious/philosophical beliefs
4. Trade union membership
5. Genetic or biometric data
7. Sexual activity/sexual orientation
As such we will minimise the collection of this data and ensure extra care will be taken if it has to be recorded.
If you contact ECCR in the capacity of a member of a church or other religious body and this information is provided to us, we will use it to enable us to respond and interact with you appropriately.
Material provided to ECCR for publication
We often publish material sent to us by our members or other network members. All material sent to us is subject to approval by ECCR before being used. By sending us material, you are automatically agreeing to ECCR editing it; we will, however, ask your consent before using any edited material unless the editing is minimal (e.g. cropping a photo for use on Twitter). This agreement is lifelong and royalty free.
By submitting material you agree that ECCR has the right to share the material with any third party involved in the submission and receipt of the material as well as any third parties which ECCR uses to act on their behalf.
Material must not violate any copyright laws, the rights of any third party or any other laws. Photographs and videos must have been taken with the knowledge of the subjects, or where the subjects are under 18, with the permission of their parent or guardian. All identifiable subjects must have given permission for the material to be used by ECCR. ECCR will only publish material that does not contravene any copyright laws.
Under certain laws and regulations ECCR might be required to disclose information to government agencies or employees. By submitting material you authorise ECCR to do this without having to give you prior notice. ECCR will use any material in accordance with our own data protection policy and the Data Protection Act 1988.
Protocol in the event of a data breach
A data breach is understood to be a security incident that has affected the confidentiality, integrity or availability of personal data.
Examples of a data breach would be:
• access by an unauthorised third party;
• deliberate or accidental action (or inaction) by a controller or processor;
• sending personal data to an incorrect recipient;
• computing devices containing personal data being lost or stolen;
• alteration of personal data without permission; and
• loss of availability of personal data.
A data breach will be reported to the SIRO, who will make a decision on the likelihood and severity of the resulting risk to people’s rights and freedoms and, as such, whether the individuals concerned need to be informed and whether it should be reported to the Information Commissioner’s Office (ICO). These decisions and the details of the breach will be recorded.
Analytics and aggregated data
ECCR uses a number of social media platforms (Facebook, Twitter, YouTube) in addition to our website. We gather certain information such as the number and frequency of visitors to these platforms, clicks and open rates. This information is aggregated and not linked to personal data. When you use buttons on our social media platforms (for example, “Like” and/or “Share” buttons), content from our platforms may be sent back to those sites and, depending on your privacy settings, may be privately or publicly visible (for example, to friends, followers or generally to anyone who has access to your profile page).
If you wish to contact ECCR at any time regarding your personal data records or to update your contact preferences, you are encouraged to do so. Our registered address is:
1 Deepdene Park Road, Dorking, RH5 4AL, UK
+44 (0)78 8043 7131