Data Retention Policy

Data Retention Policy June 2018

Introduction

DATA RETENTION POLICY

THE CONGREGATION OF URRAY & STRATHCONON OF THE FREE CHURCH OF SCOTLAND
IN THE PRESBYTERY OF INVERNESS, LOCHABER & ROSS

This Data Retention Policy outlines how long various categories of personal data are retained by the congregation. It should be read in conjunction with our Data Protection Policy and our Privacy Notice, copies of both of which are available on the internal church noticeboard and website and by asking for a copy from the Session Clerk.

Congregations process various types of personal information, also called personal data. Personal data is any information, whether held in hard copy or electronic form, relating to an individual who can be identified, directly or indirectly, from that data. Processing is anything that is done with that information – it includes the collecting, editing, storing/holding/retaining, disclosing/ sharing, viewing, recording, listening, erasing/deleting etc. of personal information.

Examples of the types of personal information processed by congregations are set out in the Schedule to this policy and include, but are not limited to, membership lists; baptismal records; information relating to employees and volunteers; financial records, including in relation to payroll and Gift Aid administration; information relating to counselling and pastoral care; information regarding individuals attending churches and participating in church events and activities, including children and young people; and information relating to the management of properties, including sales, purchases and leases.

Personal information may be retained by congregations in various ways and places – these include, but are not limited to, minutes of meetings of the Kirk Session or Deacons’ Court/ Finance Committee; employment contracts; congregational register of individuals working with children and/or protected adults; registration and/or consent forms for church activities; congregational newsletters; and letters and email correspondence.

In certain circumstances it will be necessary and appropriate to retain personal information, either in hard copy or electronic form, depending on the purposes for holding the information. However, it is not appropriate or practical for congregations to retain all records indefinitely. Records should only be retained in accordance with data protection principles, which require that personal information is limited to what is relevant and necessary, is accurate, and is kept in a form which permits identification of individuals for no longer than is necessary for the purposes for which it was obtained. Ensuring that personal information is erased or anonymised when no longer required will reduce the risk of it becoming irrelevant, excessive, inaccurate or out of date, and the risk of it being processed in error. It is therefore important that congregations have in place systems for the timely and secure disposal of documents that are no longer required or that they are no longer entitled to retain.

It is permissible to retain personal information beyond when it is required for the original purposes, if such further retention is only for public interest archiving, scientific or historical research, or statistical purposes. Any personal data that congregations need to keep for public interest archiving etc. should be clearly identified by them.

Retention of records

Data protection law does not set specific time limits for the retention of different types of personal information. It is up to data controllers to set their own retention periods, which will depend on how long the information is required in relation to the specified purposes for which it is held.

Suggested retention periods set out in the Schedule to this policy, and decisions relating to the retention (and disposal/erasure) of personal information should be taken with reference to the Schedule. However, congregations should also bear in mind the general rule that they must always be able to justify why they keep personal information in a form that permits the identification of individuals.

In all cases where the retention period recommended in the Schedule for specific types or items of personal information has expired, a review should be carried out prior to disposal, and consideration should be given as to the most appropriate method of secure erasure or disposal.

Disposal/erasure of records

Documents containing personal information should be disposed of confidentially and securely either by shredding or by using confidential waste bins or sacks. Such documents may include, but are not limited to, those containing names and contact details, health-related information, information relating to pastoral matters and financial information.

Electronic communications including email, Facebook pages, twitter accounts etc. and all information stored digitally should also be reviewed regularly and if no longer required should be closed and/or permanently deleted. It is understood that the word “deletion” can mean different things in relation to electronic data, and that it is not always possible to erase all traces of it. The key issue is to put the data beyond use. Therefore, it will normally be sufficient simply to delete the information, with no intention of it ever being used or accessed again by anyone. In addition to deleting personal information from a live system, it should also be deleted from any back-up of the information on that system.

Retention of records for archiving, research or statistical purposes

Personal information can be kept indefinitely if held only for archiving purposes in the public interest; scientific or historical research purposes; or statistical purposes. There must be appropriate safeguards in place to protect individuals - for example, in some cases pseudonymisation may be appropriate. If retaining personal information for archiving purposes, it must not be used for any other purposes. In cases where archiving is considered appropriate the Assembly Clerks’ Office should be consulted for advice.

This Data Retention Policy was adopted on 11 July 2018. The charity trustees will be responsible for the implementation of this Policy in the Congregation.

Click here for Data Retention Schedule (also shown below)