Privacy Policy

This document describes the policy adopted by Holiday Bible Week (HBW) to comply with the requirements of the General Data Protection Regulation (GDPR)

Awareness

We will ensure that all committee members are aware of their responsibilities under GDPR, by discussing this at least annually in committee.

We will ensure that Tent Leaders, and others who have access, are aware of their responsibilities by reminding them both before and after the event of how to treat the data they have.

Data Register

We will maintain a register of the data we hold, describing what the data is used for, the basis for processing the data, who holds the data, who processes the data, the security controls in place and the retention period.

Privacy Notices

We display privacy notices on our application forms. We will include privacy notices on our website. Unless we have specific permission or there is a legal requirement, we will not share any data outside HBW.

Data Access, Provision and Deletion

Access to data, provision of individual data and deletion of data on request will be handled in the first instance by our secretary. Contact information will be provided in our Privacy Notice on the website. We will provide, amend or delete information within one month.

Lawful Basis

The lawful basis for processing the data will be recorded in the Data Register.

For the most important data (on Children’s Registration and Adult Registration), the lawful basis is ‘Legitimate Interest’.

Where Legitimate Interest is the lawful basis, we will conduct a Legitimate Interest Assessment.

The lawful basis for other categories of data will be agreed with the Data Holder, in association with the Data Protection Member.

Special Category Data

We hold Special Category Data, in that we hold Health and Special Educational Needs data for children and adults, and data on Religion for helpers.

For Health and Special Educational Needs, we will ask for specific permission to share this data with Tent Leaders and First Aiders as part of the application process. We will make it clear that this data will not be shared outside of HBW.

For Religion, we will process this data as a not-for-profit body with a religious aim, the data belonging to members, and will not disclose the data outside of HBW.

Children

We are aware that we hold data on children.

The children attending HBW are under 13, and the data we hold has been entered by their parent or carer, who will have seen the Privacy Notices associated with the data. Although the lawful basis remains Legitimate Interest, this is equivalent to the parent or carer giving their consent to our use of the data.

For young helpers aged 13-18, we process this data on the same basis as adult data. We will review the wording of the associated Privacy Notices to ensure that they are age appropriate.

In any case, we require the consent of the parent on the young helper’s application.

HBW holds the information provided on the application form in order to contact you about the event, allocate children to tents, and to provide for the safety and well-being of your child (including emergency contact information).

We hold this information on the basis of our legitimate interest in it, as it would otherwise not be possible to run the event.

The information will only be used within HBW. We will not pass this information to any other organisation without your explicit permission, unless we are required by law, or in order to enforce our terms of use. (For example, if there is a Child Protection issue).

Where you have provided Health information, this will be shared with the appropriate Tent Leader and with our First Aid team. This information will not be provided outside HBW.

Where you have provided information about Special Needs or Requirements, this information will be shared with the appropriate Tent leader, and with our Special Needs coordinator. This information will not be provided outside HBW.

We will hold this information for up to two years.

You have the right to access the data we hold from you, the right to rectify any errors in the data, and the right to have the data erased. Note that if the data is erased before the event, it will not be possible for your child to attend the event.

You have the right to restrict our processing of the data in certain circumstances. The Information Commissioner’s Office has further information on this right.

If you wish to inspect the information we hold, to rectify it or delete it, please contact our Secretary (gdpr@holidaybibleweek.co.uk) and we will make the necessary arrangements.

Helpers

HBW holds the information provided on the application form in order to contact you about the event, to ensure your suitability to help at HBW, and in order for us to allocate people to the most suitable roles. We will also use this information to contact you about HBW in future years.

We hold this information on the basis of our legitimate interest in it, as it would otherwise not be possible to run the event.

The information will only be used within HBW. We will not pass this information to any other organisation without your explicit permission, unless we are required by law, or in order to enforce our terms of use. (For example, if there is a Child Protection issue). As stated on the form, we will contact your minister for confirmation that you are suitable to help at HBW.

Where you have provided Health information, this will be shared with the appropriate Tent Leader and with our First Aid team. This information will not be provided outside HBW.

If you have indicated that you have a criminal conviction, this information will be shared only with the Committee and our Child Protection Officer, except under compulsion of law.

We will hold your information for up to five years.

You have the right to access the data we hold from you, the right to rectify any errors in the data, and the right to have the data erased. Note that if the data is erased before the event, it will not be possible for you to attend the event.

You have the right to restrict our processing of the data in certain circumstances. The Information Commissioner’s Office has further information on this right.

If you wish to inspect the information we hold, to rectify it or delete it, please contact our Secretary (gdpr@holidaybibleweek.co.uk) and we will make the necessary arrangements.

Data Breaches

Data breaches are incidents that affect the confidentiality, integrity or availability of personal data.

Unauthorised access to computers belonging to committee members or tent leaders could result in a data breach. Access to the main storage (Google Drive), apart from via unauthorised access to computers, is unlikely, and may be noted and reported by Google

Other data breaches, such as the accidental sharing or deleting of data, would be noticed by those processing the data.

When a data breach is observed, this should be reported to the committee member responsible for data protection, via the secretary if appropriate.

They will review the incident and determine whether or not the data breach is likely to result in any damage to the individuals whose data has been breached. They may involve the Chair in reaching a decision on this matter. If damage is deemed likely, they will inform the ICO within 72 hours of becoming aware of it, following the guidance on the ICO website.

In any case they will prepare a report for the Committee, including the nature and timing of the breach, the individuals whore records have been breached, their assessment of the likely damage to these individuals, whether or not this was reported to the ICO, whether or not the individuals were informed of the breach, and the steps taken to mitigate the breach and to prevent recurrence.

Data Protection Member

We do not require a Data Protection Officer as defined by the ICO, as our data processing is small in scale.

We will appoint a committee member with special responsibility for Data Protection. The responsibilities of this member are:

  • To maintain the Data Register.
  • To check annually that our Privacy Notices are up to date and available.
  • To assist in the determination of Lawful Basis, where required.
  • To remind Committee and Tent Leaders about their responsibility to handle data with care, and to delete when no longer required.
  • To be the point contact for any Data Breaches.
  • To report annually to the Committee on GDPR, and to ensure that the committee continue to be aware of this when considering other business.

Data Protection Impact Assessments (DPIA)

We will complete a Data Protection Impact Assessment Checklist for each major category of data, to determine whether or not a DPIA is required, and will document the results of this checklist. We will complete a DPIA Checklist for any new systems. We will perform a DPIA only for systems where this is deemed necessary.

Data Protection Fee

We are exempt from paying the data protection fee, as we are a not-for-profit organisation, and hold and process the data only to provide and administer activities for individuals who are members of HBW or have regular contact with us.

Email

For small groups, such as the committee or individual tents, there is a legitimate interest in email addresses being shared, so emails may be sent to the group. Emails to parents, to all helpers, or to other large groups must be sent either to individual recipients, using the bcc function or Mailchimp in order to avoid distributing email addresses.