Data Retention Policy

Under the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR), St Peter’s is required to make sure that the data we process is ‘adequate, relevant and limited’.

This means that staff and volunteers who process personal data on behalf of St Peter’s must have processes in place to regularly review the data they keep, to make sure it is up to date, accurate and kept no longer than is necessary for the purposes for which it is held.

People who have their personal data stored by St Peter’s have a right to know how their data will be used and how long it will be kept. These periods are known as data retention periods.

Below are details of how long St Peter’s will retain personal data.

Data Audits 

The Church Coordinator will conduct an annual audit of what personal data is held by St Peter’s, where it is held and who is responsible for it. This audit also records where we share data with third parties (e.g. ChurchSuite) and how we evidence both parties’ compliance with GDPR.

Membership Data (ChurchSuite) 

St Peter’s has a legitimate interest in storing the names and contact details of members of its congregation (save that explicit consent must be given to use these contact details for direct marketing purposes, e.g. weekly newsletters).

St Peter’s will retain and may use such data until:

·      The person requests that their contact with St Peter’s ceases, or

·      St Peter’s becomes aware that the contact information is no longer accurate

In these cases, St Peter’s will delete their personal and contact data within 12 months (unless it falls into one of the other categories below).

The Church Coordinator will ensure that there is a review twice a year of all data held on ChurchSuite and that all people whose personal data is kept on ChurchSuite are encouraged to review and update their details themselves.

To aid this process, all staff should regularly review the sections of ChurchSuite that they are responsible for to ensure that data is being kept up to date.

Financial Records 

We have a legal obligation to hold and process certain financial data to comply with financial auditing regulations. These require retention of this data for a minimum of six full tax years. St Peter’s will retain this data for 7 years to ensure that data is retained for transactions that fall across the end of a tax year.

Examples of data with financial content include:

·       Accounting records

·       Gift aid forms and other pledge forms

·       Payroll information including income tax and NI returns/correspondence with HMRC

Any questions relating to the processing of financial data should be directed to the Church Coordinator.

Human Resources and Health & Safety Records 

We have a legal obligation to hold and process certain data for the purposes of employment and Health & Safety.

·      Accident books, accident records/reports: 3 years from the date of the last entry (or, if the accident involves a child or young adult, until the person reaches the age of 21)

·      Statutory Maternity Pay records, calculations, certificates or other medical evidence: 3 years after the end of the tax year in which the maternity period ends

·      Wage/salary records: 7 years

Where there is no statutory retention period, we will retain these categories of data for the following periods:

·      Application forms and interview notes (for unsuccessful candidates): 6 months

·      Parental leave records: 18 years from the birth of the child

·      Personnel files and training records (including disciplinary records): 7 years after employment ceases

·      Redundancy details: 7 years from the date of redundancy

·      Statutory sick pay records, calculations, certificates: 7 years after employment ceases

Any questions relating to the processing of employment data should be directed to the Church Coordinator.

Baptism, Marriage and Funeral records 

We are required by law to hold permanent records of baptisms, marriages and funerals. If information about baptisms and marriages is published anywhere other than these records, then we require the consent of the individuals involved and this should be recorded as part of the application process.

Where there is a request to view family baptism and marriage records this should be treated like any other request for data by a third party. No data should be released unless we have the consent of the individual(s) named on the record, or the consent of the parents if the individual is under 13.

Please note that GDPR only applies to living persons.

Safeguarding data  

The safeguarding policy of the Diocese of Southwark, A Safe Church, stipulates that we maintain the following retention periods:

·      Confidential declarations of offences should be retained until a renewal declaration is obtained and then the old version destroyed.

·      Correspondence related to DBS disclosures, e.g. letters confirming a clear disclosure, should be retained indefinitely.

·      Records of any allegations should be retained until the person the allegation is against has reached normal retirement age or ten years from the date of the allegation, whichever is the greater.

It is illegal for the parish to retain a copy of a person’s DBS disclosure.