National Church Institutions privacy notice

Our privacy notices explain what to expect the NCIs collects your personal information. In this notice the following NCIs are separate data controllers as defined by Data Protection legislation. The NCIs comprises seven separate legal entities. They are:

The Archbishops' Council, The Church Commissioners for England, The Church of England Pensions Board, Church of England Central Services, The National Society (Church of England) for Promoting Religious Education
Church House
Great Smith Street
London
SW1P 3AZ

The Archbishop of Canterbury (in their corporate capacity)
The Office of the Archbishop of Canterbury
Lambeth Palace
SE1 7JU

The Archbishop of York (in their corporate capacity)
The Office of the Archbishop of York
Bishopthorpe Palace
Bishopthorpe
York
YO23 2GE

Read more about the NCIs.

Personal information is collected to enable the NCIs to provide a range of services to carry out their many functions supporting the mission and ministry of the Church of England. Legislation requires and sometimes empowers the NCIs to provide goods and services to the wider Church. This includes:

• Promoting and supporting the mission and ministry of the Church of England
• Provision of cultural and religious events
• Provision of training and education
• Provision of safeguarding services
• Provision of retirement housing
• Provision of pensions
• Provision of payroll and benefits
• Provision of governance and financial management of Church of England assets
• Administering and supporting the governance of the Church of England
• Administering and supporting the parliamentary duties of the Church of England
• Managing property
• Publishing resources and reports
• Administering the assessment and collection of taxes and other revenue including benefits and grants
• Corporate administration and all activities we are required to carry out as a data controller
• Undertaking research and statistical analysis
• Monitoring diversity in order to identify or keep under review the existence or absence of equality of opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained
• Promoting or maintaining diversity in the racial and ethnic origins of individuals who hold senior positions in the organisation or organisations
• Internal financial support and corporate functions
• Managing archived records for historical and research reasons, including the management of administration of access to our collections
• Maintaining our own accounts and records
• Promoting the services we provide
• Supporting and managing our employees
• Supporting clergy to undertake their mission
• Managing the information technology network and infrastructure for the NCIs

We collect and use information under one or more of the following legal bases.

• Consent – we need your permission to use your information. Where we require consent to use your information we will make it clear when we ask for consent and explain how to go about withdrawing your consent.
• Legal obligation – we need to process your information to comply with the law.
• Public task – we need to process your information to exercise official authority or carry out tasks in the public interest.
• Contract – we need to process your information as part of a contract such as a contract of employment.
• Vital interest – we need to process your information to protect someone’s life in an emergency.
• Legitimate interest – we need to process your information in order to undertake tasks and duties related to members of the Church of England.

Special category and criminal conviction data

We collect and use information under one or more of the following conditions:

• Explicit consent – we need your permission to use your information. Where we require consent to use your information we will make it clear when we ask for consent and explain how to go about withdrawing your consent.
• Employment law - carrying out the obligations and exercising specific rights in relation to employment law
• Vital interest - we need to process your information to protect someone’s life in an emergency.
• Legitimate activity - processing is carried out in the course of our legitimate activities with appropriate safeguards
• Processing relates to personal data which are manifestly made public by the data subject;
• Legal claims - where processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
• Substantial public interest, in accordance with the Data Protection Act 2018, Schedule 1, Part 2
• Occupational health - processing is necessary for the purposes of preventive or occupational medicine
• Archival or research purposes – where processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

We may only use your personal data for the uses and purposes set out above unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original use and purposes.

Specific data processing activities carried out by the NCI's may have their own Privacy Notices.

The types of information we process include:

• personal details
• contact information
• family details
• lifestyle and social circumstances
• financial details
• employment and education details
• pensions details
• housing needs
• visual images
• licenses or authorisation held
• training records
• case file information
• committee and trustee membership details

We also process ‘special' categories of information that may include:

• race;
• ethnic origin;
• religion;
• trade union membership;
• health;
• sex life; or
• sexual orientation
• criminal allegations, proceedings or convictions.

We process personal information about:

• prospective, current and retired clergy
• customers
• suppliers
• current past and prospective employees, persons contracted to provide a service
• claimants
• tenants
• professional advisers and consultants
• children and parents
• students and pupils
• carers or representatives
• landlords
• recipients of benefits
• representatives of other organisations

Where necessary or required we collect from or share information with:

• parishes, dioceses, bishop’s offices and cathedrals
• representatives of customers and employees
• relatives or emergency contacts
• employees
• legal representatives
• trade unions
• current past and prospective employers
• healthcare, social and welfare organisations
• educators and examining bodies
• educational institutions
• financial institutions
• governance bodies and committees
• providers of goods and services
• 3rd party data processors
• local and central government
• both houses of parliament and members of parliament
• regulatory bodies
• credit reference agencies
• press and the media
• law enforcement and prosecuting authorities
• courts and tribunals
• landlords and tenants
• charitable, religious and voluntary organisations
• survey and research organisations
• social housing providers
• statutory, public or regulatory inquiries

Once your information has been collected by an NCI it may be used by other NCI's, where necessary, to provide a complete service to you. It is for this reason that we link your information together, for example, to save you providing your information more than once.

The NCIs do not share your information with third countries outside of the UK or EEA without the safeguards being in place that are complaint with the UK GDPR or the EU GDPR.

There’s often a legal and/or business reason for keeping your information for a set period, as stated in our retention schedules. These are available on request.

Security

We are committed to ensuring that your personal data is secure. To prevent unauthorised access or disclosure, we have put appropriate technical and organisations measures in place to safeguard your information. The NCIs assure this by complying with relevant security best practice standards.

If a data breach does occur, we will do everything in our power to limit the damage and comply with the Information Commissioner’s guidance. In the case of a high-risk data breach, and depending on the circumstances, we will inform you about the remedial actions to prevent any further damage. We will also inform the Information Commissioner’s Office of qualifying data breaches.

The procedures and related standards we apply include limiting access to data on a need to know basis and regularly testing and auditing our security practices and technologies.

Employees and temporary workers are required to follow policies and procedures and complete mandatory annual training to understand data protection and information security.

Your personal data will not be used for any automated decision making without access to human intervention.

You have the following rights regarding your personal data, unless exempt:

• The right to be informed about any personal information we collect and use about you;
• The right to access and request a copy of your personal information which we hold about you;
• The right to withdraw your consent at any time (where applicable);
• The right to request that we correct any personal information if it is found to be inaccurate, incomplete or out of date;
• The right to request your personal information is erased where it is no longer necessary for us to keep such information;
• The right to request a restriction is placed on further processing, for example where there is a dispute in relation to the accuracy or processing of your personal information;
• The right to object to the processing of your personal information;
• The right to obtain and reuse your personal information to move, copy or transfer it from one IT system to another. (only applicable for data held online)

If you wish to exercise these rights, please use this form.