National Church Institutions safeguarding privacy notice

Our privacy notices explain what to expect the NCIs collects your personal information. In this notice the following NCIs are separate data controllers as defined by Data Protection legislation. The NCIs comprises seven separate legal entities. They are:

The Archbishops' Council, The Church Commissioners for England, The Church of England Pensions Board, Church of England Central Services, The National Society (Church of England) for Promoting Religious Education
Church House
Great Smith Street
London
SW1P 3AZ

The Archbishop of Canterbury (in his corporate capacity)
The Office of the Archbishop of Canterbury
Lambeth Palace
SE1 7JU

The Archbishop of York (in his corporate capacity)
The Office of the Archbishop of York
Bishopthorpe Palace
Bishopthorpe
York
YO23 2GE

Read more about the NCIs.

Personal information is processed for the following purposes:

Promoting a safe environment

• promote and maintain a safe culture and environment within the Church of England (the Church) and protect and promote the welfare of children, young people and vulnerable adults as required by “Promoting a Safer Church”.

Risk assessment and management

• to identify people who may pose a risk to others and, where possible, to apply and implement risk assessment and management policies, processes and procedures.
• to put in place support arrangements, in order to enable early interventions or to prevent the escalation of risk in collaboration with the relevant statutory agencies and in accordance with relevant law.
• to coordinate and implement effective and efficient responses to every safeguarding concern or allegation, including liaising, sharing information and working closely with other departments with the National Church Institutions and other Church Bodies to ensure that, where thresholds are reached, matters are appropriately investigated, and the appropriate procedures (e.g. disciplinary procedures) are applied.
• to report all suspicions, concerns, knowledge or allegations, that reach the relevant threshold, to the appropriate statutory authorities.
• to co-operate with the local authority and the police in providing any relevant information to determine whether an individual is being drawn into terrorism.
• to maintain a list of approved risk assessors.

Managing correspondence

• to review and respond to emails, telephone calls and other correspondence sent to the NCIs which may be shared with and/or delegated to an appropriate church officer or employee of a relevant church body.

Complaints

• to raise or support a disciplinary complaint against a church officer
• to respond to a complaint from an individual relating to safeguarding practice or procedure in accordance with the NCIs Service Complaints Policy

Information sharing

• to share information in accordance with the Church of England Information Sharing Framework to ensure that Church bodies protect individuals from abuse within the Church and ensure their safety, welfare and wellbeing.
• To share information with the Police in accordance with the National Police Data Sharing Agreement; and with other statutory bodies as required.

Providing support/responding well

• to offer care and support to all those who are known to have been abused or alleged abuse or are considered to be vulnerable to abuse to help people access support.
• to offer care and support to those who are the subject of safeguarding allegations or investigations and help people to access support.
• to process bank details to providing funding or other payments.

Undertaking investigations

• to undertake investigations to inform safeguarding decisions and actions (which may involve processing the personal data relating to family members).

Recording information

• to record all safeguarding work and maintain records and case files regarding safeguarding incidents and/or investigations.

Providing advice

• to provide advice to Church bodies regarding safeguarding incidents and cases.

Improving practice

• to maintain and improve good practice in safeguarding, by understanding failings in particular cases or safeguarding practice through safeguarding practice reviews and both internal and external audits.

Training

• to train church officers to care for and support children, young people and vulnerable adults, including recognising and responding to abuse and identifying low-level concerns that may reveal people at risk of abuse.
• to maintain training records for anyone with any responsibility relating to children, young people and vulnerable adults.

Professional supervision and quality assurance

• to discuss safeguarding casework in order to provide professional supervision by the National Safeguarding Team to persons with operational responsibility for safeguarding in the Church, where possible this data will be fully anonymised prior to sharing.
• to maintain a written supervision record ensuring that any casework data is fully anonymised.

Reporting

• to anonymise data for reporting, research or publication.
• to provide reports to local, national, public, regulatory or statutory bodies (including legal and independent reviews and inquiries), local authorities and courts and tribunals.
• to publish and archive resources, reports and reviews.

Professional support

• to liaise with internal and external advisers in connection with data protection, or for the establishment, exercise or defence of legal claims including seeking advice, litigation, dispute resolution, or an insurance claim.
• to liaise with and seek advice from internal and external advisers and church bodies in connection with safeguarding for the purpose of scrutiny, governance and best practice which may affect the processing of personal data.

Research

• to undertake research and statistical analysis to quality assure safeguarding practice and inform strategic planning, policy or practice improvement.

Archiving

• to archive records for historical and research purposes.

The information we collect and process for these purposes may include:

• Name
• Title
• Marital status
• Gender
• Nationality
• Job title/position
• Employment or work history
• Dates (birth, joined, ordination, education, death, licensed or commissioned etc)
• Contact information – work and personal (addresses; phone numbers; email addresses)
• Financial details
• Honours
• Family names and biographical details, including wider family networks
• Lifestyle (including living conditions, daily habits, interests/hobbies, attitudes and behaviour and social circumstances)
• Family history details
• Previous and current safeguarding concerns
• Socio-economic details
• Employment and appointments
• Education and qualification details
• Training attendance/certification
• Misconduct and unlawful acts e.g. the nature of any allegations

We also process “special categories” of information that may include:

• race
• ethnic origin
• religion
• health
• sex life or
• sexual orientation.

In addition, we will process criminal offence data where required:

• criminal allegations, proceedings or convictions, including DBS or other criminal records checks

We collect and use personal data under the following lawful bases:

Personal data (see section 2 above)

Consent (Art 6(1)(a)):

• for the sharing of data for the purpose of providing pastoral or therapeutic support;
• for requesting data from the police where consent is required;
• consent to include identifiable data in a published report;
• to make referrals to social care services where the threshold for child or adult protection is not met.

Legal obligation (Art 6(1)(c)):

• The Safeguarding and Clergy Discipline Measure 2016
• Church of England Canon C30 “Of Safeguarding”
• Safeguarding (Clergy Risk Assessment) Regulations 2016
• Diocesan Safeguarding Advisors Regulations 2016
• Safeguarding (Code of Practice) Measure 2021
• Amending Canon No. 42 (Safeguarding)
• UK GDPR Article 38(1) and (2)
• The Charities Act 2011 and the Charity Commission Guidance
• The Care Act 2014 (Section 45) (Section 7.1
• The Children Act 2004; Section 16(h)(1) and (2))

Vital interest (Article 6(1)(d)): processing is necessary in order to protect the vital interests of the data subject or of another natural person.

Public task (Article 6(1)(e)): processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller:

• House of Bishops’ Safeguarding Guidance
• Canon C30 “Of Safeguarding”
• Safeguarding (Clergy Risk Assessment) Regulations 2016
• Canon C7 “Of examination of holy orders” – discernment process which requires sharing of information between the DDO and Bishop and Ministry Development
• Canon C8 “Of ministers exercising their ministry” paragraph 8, sub-para 1 and 2 – requirement to undertake training – allows for training completion to be checked and shared
• Canon C10 “Of admission and institution” paragraph 3(a) (safeguarding risk assessment/investigation)
• Canon C26 “Of the manner of life of clerks in holy orders” paragraph 2 (applying safeguarding requirements)
• Canon E6 “Of the licensing of readers”; paragraphs 5(2) (training), 6(1) and (7) (safeguarding provisions)
• Canon E8 “Of the admission and licensing of lay workers”, paragraphs 7(1) (training), 8(1) and (9) (safeguarding provisions)
• Canon C17 “Of archbishops” (appointment of Lead Bishop and Deputies and their terms of reference)
• The Churchwardens Measure 2001; paragraphs (2(1A), 2(2) and 6(A) (safeguarding provisions)
• The Church Representation Rules (2021) made under the Synodical Government Measure 1969 (PCC members provisions, Part 7, Rules 68 and 69 (safeguarding provisions)
• The Synodical Government Measure 1969 (Schedule 2, paragraph 6)
• National Safeguarding Steering Group Terms of Reference
• National Safeguarding Panel Terms of Reference
• The National Institutions Measure 1998 (Schedule 1)
• National Church Institutions (NCIs) Service Complaints Policy 2023
• Multi-Agency Public Protection Arrangements (MAPPA Guidance Updated November 2021); Criminal Justice Act 2003
• The Children Act 2004 (Section16(e)(1)(b))
• The Mental Capacity Act 2005 and Code of Practice
• Working Together 2023 Chapter 2 Multi-Agency Safeguarding Arrangements, Chapter 4 Organisational Responsibilities
• Counter Terrorism and Security Act 2015 as amended (Section 38)

Legitimate Interests (Art 6(1)(f))

a) to anonymise data for the purposes of sharing or publishing reports.

Legitimate Interests Assessment

Because we consider that we have a legitimate interest in processing your personal data, we have undertaken Legitimate Interests Assessments which sets out why we consider such processing is justified.

For a copy of the full Legitimate Interests Assessments, please contact the National Safeguarding Team whose contact details are set out in Section 10.

b) Legitimate Interests (Art 6(1)(f)) – safeguarding audits

c) Legitimate Interests (Art 6(1)(f)) – to establish, exercise or defend legal claims

Special category data (see Section 2 above)

Explicit consent (Art 9(2)(a)):

• for the sharing of data for the purpose of providing pastoral or therapeutic support
• for requesting data from the police where consent is required
• consent to include identifiable data in a published report
• to make referrals to social care services where the threshold for child or adult protection is not met.

Vital interest (Art 9(2)(c) - processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.

Legitimate Activity (Art 9(2)(d) – processing of titles revealing religious belief (enrolment in training and training records); other special category data (professional supervision; seeking internal and external advice) is carried out in the course of the Church’s legitimate activities which is not shared outside the body of the institutional Church.

Legal claims (Art 9(2)(f)) - processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity, obtaining legal advice.

Substantial Public interest (Art 9(2)(g)):

Data Protection Act 2018 s. 10(3) and Schedule 1:

• Necessary for the exercise of a function conferred on a person by an enactment/rule of law (Schedule 1, Part 2 (6)):
  • The Safeguarding and Clergy Discipline Measure 2016
  • Church of England Canon C30 “Of Safeguarding”
  • Safeguarding (Clergy Risk Assessment) Regulations 2016
  • Safeguarding (Code of Practice) Measure 2021 and House of Bishops’ Guidance
  • Canon C7 “Of examination of holy orders” – discernment process which requires sharing of information between the DDO and Bishop and Ministry Development
  • Canon C8 “Of ministers exercising their ministry” paragraph 8, sub-para 1 and 2 – requirement to undertake training – allows for training completion to be checked and shared
  • Canon C10 “Of admission and institution” paragraph 3(a) (safeguarding risk assessment/investigation)
  • Canon C26 “Of the manner of life of clerks in holy orders” paragraph 2 (applying safeguarding requirements)
  • Canon E6 “Of the licensing of readers”; paragraphs 5(2) (training), 6(1) and (7) (safeguarding provisions)
  • Canon E8 “Of the admission and licensing of lay workers”, paragraphs 7(1) (training), 8(1) and (9) (safeguarding provisions)
  • Canon C17 “Of archbishops” (appointment of Lead Bishop and Deputies and their terms of reference)
  • Amending Canon No. 42 (Safeguarding)
  • The Churchwardens Measure 2001; paragraphs (2(1A), 2(2) and 6(A) (safeguarding provisions);
  • The Church Representation Rules (2021) made under the Synodical Government Measure 1969 (PCC members provisions, Part 7, Rules 68 and 69 (safeguarding provisions)
  • Multi-Agency Public Protection Arrangements (MAPPA Guidance Updated November 2021); Criminal Justice Act 2003
  • UK GDPR Article 38(1) and (2)
  • The Charities Act 2011 and the Charity Commission Guidance
  • The Care Act 2014 (Section 45)
• Preventing or detecting unlawful acts (Schedule 1, Part 2 (10))
• Protection the public against dishonesty etc (Schedule 1, Part 2 (11))
• Regulatory requirements (Schedule 1, Part 2 (12))
• Safeguarding of children and individuals at risk (Schedule 1, Part 2 (18))
• Insurance (Schedule 1, Part 2 (20))
• Archiving, research and statistics (Art 9(2)(j)

Criminal Offence data (see Section 2 above)

Data Protection Act 2018 s 10(5) and Schedule 1:

• Necessary for the exercise of a function conferred on a person by an enactment/rule of law (Schedule 1, Part 2 (6))
• Preventing or detecting unlawful acts (Schedule 1, Part 2 (10))
• Protecting the public against dishonesty etc (Schedule 1, Part 2 (11))
• Regulatory requirements (Schedule 1, Part 2 (12))
• Safeguarding of children and individuals at risk (Schedule 1, Part 2 (18))
• Legal claims (Schedule 1, Part 3 (33)

Extension of conditions in Part 2 of this Schedule referring to substantial public interest (Schedule 1, Part 3 (36))

Where necessary (or required), we collect from or share information with:

• data subjects
• parishes e.g. Parochial Church Councils (PCCs) and relevant PCC members
• diocesan bodies, bishops’ offices and cathedrals
• National Church Institutions (Archbishops’ Council, Church Commissioners for England; Church of England Central Services; Church of England Pensions Board, Archbishop of Canterbury (in his corporate capacity); Archbishop of York (in his corporate capacity))
• Safeguarding governance bodies and individuals (lead safeguarding bishops, National Safeguarding Panel, National Safeguarding Steering Group
• members of the public
• parishioners
• candidates, prospective employees, employees or other staff members (including contractors, agency workers, consultants and volunteers, including members of any safeguarding risk management meetings
• prospective, current or retired clergy
• internal and external legal and data protection advisors. consultants and insurers
• parties and individuals involved in or connection with legal claims, inquiries, reviews and dispute resolution (including mediation and arbitration)
• healthcare, social and welfare or advocacy and support organisations or providers
• educational institutions
• governance bodies and committees
• 3rd party data processors (independent reviewers; transcription services; technology suppliers; TES (National Safeguarding Case Management System); People System Support Team (National Safeguarding Case Management System support)
• local and central government
• regulatory and statutory bodies
• law enforcement and prosecuting authorities
• courts and tribunals and providers of legal services
• charitable, religious and voluntary organisations
• survey and research organisations
• statutory, public, regulatory or other legal or independent reviews or inquiries, including any “lessons learned” reviews
• independent safeguarding organisations
• the Church of England Interim Support Scheme (ISS)

A National Safeguarding Information Sharing Agreement (ISA) has been signed by Church of England bodies and the Church in Wales under the Church of England Information Sharing Framework.

A National Safeguarding Data Sharing Agreement (DSA) has been signed by the Church of England bodies, the Church in Wales and the National Police Chiefs Council.

Your personal data once received may be transferred between the UK, the Isle of Man, Jersey, Guernsey and the European Union, and is protected by adequacy arrangements with those jurisdictions.   

Where your data is transferred to countries where adequacy arrangements are not in place, the transfer shall be made in such a way as to ensure that the level of protection offered to natural persons by Data Protection Law is not undermined, using EU Standard Contractual Clauses and the international data transfer agreement or addendum (IDTA) where relevant.

Your data will be kept in accordance with the Church of England Safeguarding Retention Schedule.

We commit to ensuring that your personal information is secure. We limit access to personal information on a need-to-know basis and test our security practices and technologies. We require employees and temporary workers to follow policies and procedures and complete mandatory annual training to understand the importance of protecting personal information and information security.

We have contractual agreements with all our advisers and external suppliers which set out how they keep personal information secure and destroy or return it safely.

If the security of your personal information is breached, we will endeavour to limit the damage. In the case of a high-risk breach, and depending on the circumstances, we will tell you about the breach and any remedial actions to prevent further damage. We will report any qualifying breaches to the Information Commissioner’s Office.

You have the following rights regarding your personal data:

• The right to be informed about any data we hold about you.
• The right to request a copy of your personal data which we hold about you.
• The right to withdraw your consent at any time (if applicable).
• The right to request that we correct any personal data if it is found to be inaccurate or out of date.
• The right to request your personal data is erased where it is no longer necessary for us to retain such data.
• The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing.
• The right to object to the processing of your personal data (if applicable).
• The right to obtain and reuse your personal data to move, copy or transfer it from one IT system to another (if applicable).
• To exercise these rights please contact the Data Protection Team.

If you have any queries regarding how your data is processed, please contact SafeguardingEO at [email protected].

If you have any concerns or queries about how the NCIs handle your personal data, please contact the Data Protection Team at [email protected], call 020 7898 1344 or use the webform below.

You have the right to make a complaint at any time to the Information Commissioner online or by phone on 0303 123 1113 (local rate).

• All the existing House of Bishops’ Safeguarding Guidance is currently available from the Church of England Safeguarding Policy and Guidance page.
• The Safeguarding e-manual contains the Safeguarding Code of Practice and any Guidance in force
• Personal Files Relating to Clergy

This section relates to other Privacy Notices within the NCIs where safeguarding related data is processed.

National Safeguarding Team

The National Safeguarding Team also collects and processes personal data for other purposes, which are listed in their specific Privacy Notices, or are contained with specific policies: 
 

• Training: Safeguarding Training Portal
• Survivor Engagement: Survivor Engagement Privacy Notice
• Interim Support Scheme
• Safer Recruitment and People Management Guidance (Confidential Declaration)

Safe Spaces

The charitable company ‘Safe Spaces England and Wales’ (SSEW) has contracted First Light to deliver the Safe Spaces service.

Pensions Board Housing

To enable the Pensions Board Housing service to put in place safeguarding risk management or support arrangements (with other agencies and Diocesan safeguarding teams as necessary) in relation to any criminal convictions you may hold.