Privacy Policy

NATIONAL CATHOLIC SAFEGUARDING COMMISSION (NCSC)

GENERAL PRIVACY NOTICE

  1. ABOUT THIS DOCUMENT
    1. During the course of our activities we process personal data (which may be held on paper, electronically, or otherwise), and we recognise the need to process such data lawfully, fairly and in a transparent manner. The purpose of this notice is to make you aware of how we will do so.
  2. DETAILS ABOUT US
    1. The National Catholic Safeguarding Commission is an independent body, mandated by the Catholic Bishops’ Conference of England and Wales, which is the permanent assembly of Catholic Bishops and Personal Ordinaries in the two-member countries.   The legal entity for the Catholic Bishops’ conference of England and Wales is the Catholic Trust for England and Wales (“CaTEW”), incorporated on 15 April 2003 under company no. 04734592 and registered as a charity on 12 May 2003 under charity no. 1097482.  CaTEW supports the legal, financial and charitable activities of the Bishops’ Conference and its departments, agencies and offices.
    2. The current legislation that applies to our processing of personal data is the Data Protection Act 2018 (“DPA”) and the EU General Data Protection Regulation 2016 (“GDPR”). This notice aims to comply with both the DPA and the GDPR along with guidance issued by the Information Commissioner’s Office, and these laws and guidance are together referred to in this policy document as the “Data Protection Legislation”.
    3. CaTEW is responsible for ensuring compliance with the Data Protection Legislation and with this notice. CaTEW is the data controller for the purpose of the Data Protection Legislation. Any questions about the operation of this notice or any concerns that the notice has not been followed should be referred in the first instance to CaTEW’s data protection officer (details available at the end of this notice).
    4. Our general contact details are: 39 Eccleston Square, London, SW1V 1BX.  Telephone 0207 901 1920. Email ncsc@catholicsafeguarding.org.uk
  3. PERSONAL DATA WE MAY COLLECT AND PROCESS
    1. In connection with developing strategy to support the provision of safeguarding services to and for driving improvements within dioceses, religious congregations, catholic organisations and other individuals who may contact the NCSC, we will collect and process the categories of personal data set out in the Schedule to this notice. This may include data we receive direct from you or from any person working in the name of the Catholic Church in England and Wales and other jurisdictions, including outside of the EEA (this includes employees, volunteers and office holders), members of the public or from other sources as well as governmental and regulatory or other authorities.
    2. ”Personal data” means recorded information we hold about you from which you can be identified. It may include contact details, other personal information, photographs, expressions of opinion about you, or indications as to our intentions about you and special category data which includes information about race, ethnic origin, political opinions, religion, philosophical beliefs, trade union membership, genetics, biometrics (where used for ID purposes), health, sexual behaviour or sexual orientation. It may also include information relating to criminal convictions and offences. “Processing” means doing anything with the data such as accessing, disclosing, destroying or using the data in any way.
    3. By using our website, we may collect personal data about individuals including their IP address and other information collected using cookies and similar technology. For details of our cookies policy please see here /cookie-policy/.
  4. LAWFUL BASES FOR PROCESSING
    1. We must have a lawful basis to process your personal data. The legal basis on which we do so will vary according to purposes for which we process personal data but the lawful bases include:
      1. where you have given us your consent to process it for one or more specific purposes;
      2. where it is necessary for the performance of a contract to which you are party or in order to take steps at your request to enter into a contract;
      3. to protect your vital interests or those of another individual;
      4. for the performance of a task in the public interest or the exercise of official authority vested in CaTEW;
      5. for compliance with a legal obligation to which we are subject; or
      6. for the purposes of the legitimate interests pursued by CaTEW or by a third party, provided such interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
    2. The basis on which we will usually process personal data relating to people contacting the NCSC (based on paragraph 4.1 above) is set out in the Schedule to this notice, in each case by reference to the processing purpose; in the case of personal data processed for the purposes of the legitimate interests pursued by the NCSC, it sets out what those interests are.
    3. We will only process special categories of data about ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life, or sexual orientations where a further basis is also met. Processing of information relating to criminal convictions and offences must also only take place where a further basis is met.
    4. The purposes for which we process special category personal data and the legal basis on which we do so, will vary according to the category of personal data concerned but the lawful bases include:
      1. you have given your explicit consent for CaTEW to process it for one or more specific purposes;
      2. the processing is necessary for the purposes of performing our obligations as the data controller or to enable you to exercise your rights as the data subject under the laws relating to employment, social security or social protection;
      3. to protect your vital interests or those of another individual where you are incapable of giving consent;
      4. the processing is necessary in the course of CaTEW’s legitimate interests as a religious not-for-profit body with appropriate safeguards in place and where we do not disclose personal data outside CaTEW without your consent;
      5. you have made the data public;
      6. the processing is necessary for the establishment, exercise or defence of legal claims;
      7. the processing is necessary for reasons of substantial public interest. UK law has determined that this includes processing for the following purposes: functions conferred on CaTEW by law; administration of justice; equality and diversity monitoring; preventing or detecting unlawful, dishonest or fraudulent acts; counselling; safeguarding; and insurance;
      8. the processing is necessary for reasons of health or social care or public health; and/or
      9. the processing is necessary for archiving purposes in the public interest or for scientific or historical research or statistical purposes.
    5. Information about criminal convictions that we receive in the course of our general activities will be processed in accordance with a substantial public interest condition set out in the DPA. Such conditions are extensive but typical examples for our general activities include processing:
      1. with the specific consent of the individual;
      2. in connection with functions conferred on CaTEW by law or for the administration of justice;
      3. for equality and diversity monitoring;
      4. in relation to preventing or detecting unlawful, dishonest or fraudulent acts;
      5. providing confidential counselling, advice or support;
      6. undertaking safeguarding work;
      7. in connection with insurance purposes;
      8. necessary to protect your or another’s vital interests where you are not capable of giving consent;
      9. necessary in the course of CaTEW’s legitimate interests as a religious not-for-profit body with appropriate safeguards in place and where we do not disclose personal data outside CaTEW without your consent; and/or
      10. in connection with any legal proceedings, legal advice, legal rights or court or tribunal activities.
  5. DISCLOSURE AND SHARING OF PERSONAL INFORMATION
    1. We may disclose personal data we hold to third parties:
      1. if we are under a duty to disclose or share a data subject’s personal data in order to comply with any legal obligation; or
      2. in order to enforce or apply any contract with the data subject or other agreements; or
      3. to protect our rights, property, or safety of our employees, customers, or others, including exchanging information with other companies and organisations for the purposes of fraud protection, in which case the processing would be necessary for the purposes of the legitimate interests pursued by the NCSC, namely in order to achieve those ends;
      4. for the purposes of the legitimate interests pursued by the NCSC, as set out in the Schedule;
      5. who have been appointed by CaTEW as data processors to provide us with specific services such as specialist IT services or support; and/or
      6. where we are otherwise permitted to under the Data Protection Legislation e.g. working with your elected representative such as a local MP.
    2. We will ensure that personal data will only be transferred to data processors that provide sufficient guarantees to implement appropriate technical and organisational measures so that processing meets the requirements of the Data Protection Legislation and ensures the protection of the rights of the data subjects, and under a written contract with CaTEW that sets out (amongst other things) the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of our organisation as data controller.
    3. In the course of processing personal data, or disclosing it to the recipients referred to above, CaTEW may transfer it to countries which are outside the European Economic Area (EEA) (e.g. to the Vatican), some of which may not have laws which provide the same level of protection to personal data as laws inside the EEA. In such cases, CaTEW will take steps to ensure that the transfers comply with the Data Protection Legislation and that the personal data is appropriately protected. These measures may include:
      1. putting in place a contract with the recipient that means they must protect the personal information to the same standards as is required in the EEA;
      2. transferring it to a non-EEA country with privacy laws that give the same protection as the EEA;
      3. transferring it to organisations that are part of Privacy Shield (or any successor or replacement scheme). This is a framework that sets privacy standards for data sent between the US and EU countries to ensure that those standards are similar to what are used within the EEA;
      4. transferring it to organisations or countries that have other approved certification schemes or codes in place; or
      5. relying on another appropriate ground under Data Protection Legislation.
    4. If you have questions in relation to any specific transfers that we make, please contact CaTEW’s data protection officer (details available at the end of this notice).
  6. DATA PROTECTION PRINCIPLES – OUR OBLIGATIONS
    1. We will ensure that your personal data is:
      1. processed fairly and lawfully and in a transparent manner;
      2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
      3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
      4. accurate and, where necessary, kept up to date;
      5. kept in a form which permits identification of data subjects for no longer than necessary for the purpose;
      6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures;
      7. not transferred to people or organisations situated in countries without adequate protection, unless there are appropriate safeguards in place, and enforceable data subject rights and effective legal remedies for data subjects are available.
    2. We will check the accuracy of any personal data at the point of collection and at regular intervals afterwards. We will take all reasonable steps to destroy or amend inaccurate or out-of-date data.
    3. We will not keep personal data longer than is necessary for the purpose or purposes for which they were collected. We will take all reasonable steps to destroy, or erase from our systems, all data which is no longer required. The Schedule to this notice sets out the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period, and when it will be erased.
    4. We will process all personal data in line with the data subjects’ rights.
    5. We will process all personal data that we hold in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measure.
  7. YOUR RIGHTS AS A DATA SUBJECT
    1. As a data subject, you have certain enforceable rights under the Data Protection legislation, including:
      1. the right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed; and
      2. if so, access to the personal data, plus a copy of the personal data undergoing processing (“right of access“).
    2. As part of the right of access, you also have the right to ask for information as to:
      1. the purposes of the processing of your personal data;
      2. the categories of personal data concerned;
      3. the recipients or categories of recipient of the data;
      4. the envisaged period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period;
      5. where the personal data was not collected from yourself as the data subject, any available information as to their source; and
      6. where personal data is transferred to a third country or international organisation, the safeguards relating to the transfer.
      7. This information is, in the main, set out in this notice.
    3. In addition, as a data subject you have:
      1. the right (“right of rectification”) to obtain from us as the controller without undue delay the rectification of inaccurate personal data concerning yourself and (taking into account the purposes of the processing) the right to have incomplete personal data completed;
      2. the right (“right of erasure”) to obtain from us as the controller the erasure of personal data concerning yourself without undue delay, in various circumstances which includes where:
        1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; or
        2. the processing is based on your consent as the data subject, and you withdraw that consent (and there is no other legal basis for processing); or
        3. the processing is based on its being necessary for our legitimate interests as the data controller or those of a third party, and you as the data subject object to the processing, unless we demonstrate that the processing is based on compelling legitimate grounds which override your interests, rights and freedoms as the data subject, or that it is for the establishment, exercise or defence of legal claims; or
        4. we have unlawfully processed your personal data;
      3. the right (“right of restriction”) to obtain from us as the controller the restriction of processing where the data is inaccurate, unlawfully processed, no longer required except for the establishment, exercise or defence of legal claims, or pending the verification whether we have legitimate grounds as the controller which override your rights as the data subject;
      4. the right (“right of portability”) to receive the personal data concerning yourself, which you have provided to us as the data controller, in a structured, commonly used and machine-readable format, and to transmit the data to another controller, where the processing is based on consent or carried out by automated means;
      5. the right (“right to object”) to object to processing based on our legitimate interests as the data controller, where these are outweighed by your interests, rights and freedoms as the data subject, unless the processing is required for the establishment, exercise or defence of legal claims. You also have the absolute right to object to processing for marketing or profiling purposes;
      6. the right not to be subject to a decision based solely on automated processing, including profiling (although we do not currently carry out any automated processing or profiling in relation to the activities covered by this notice);
      7. the right to withdraw your consent or explicit consent, where the processing is based on that lawful basis; and
      8. the right to make a complaint to the supervisory authority (the Information Commissioner’s Office at http://www.ico.org.uk ).
    4.  These rights may be limited in some situations – for example, where CaTEW can demonstrate that it has a legal requirement to process your personal data. Also, CaTEW may need you to provide us with proof of identity for verification and data security purposes before you can exercise your rights.
    5. Rights may only be exercised by the individual whose information is being held by CaTEW or with that individual’s express permission. Children from around 12 years upwards are entitled to make their own requests (where the CaTEW is of the reasonable view that they have an appropriate understanding of the request they are making) and parents / guardian / family members do not have an automatic right to see information about their child or prevent their child from making a request to CaTEW.
    6. For further information about your rights as a data subject or to exercise any of them, please contact the CaTEW Data Protection Officer or review https://ico.org.uk/your-data-matters/ .
  8.  Changes to this policy
    1. We may make changes to this notice from time to time as our organisational practices and/or applicable laws change.  We will not make any use of your personal data that is inconsistent with the original purpose(s) for which it was collected or obtained (if we intend to do so, we will notify you in advance wherever possible) or otherwise than is permitted by Data Protection Legislation.
  9.  Contact Details
    1. If you have any questions, require further information about how we protect your personal data, if you wish to exercise any of the above rights or if you would like to provide feedback or make a complaint about the use of your information, please contact the CaTEW Data Protection Officer:

      Karen O’Connor, Data Protection Officer,

      CaTEW, 39 Eccleston Square, London. SW1V 1BX

      0207 630 8220

      Karen.Oconnor@CBCEW.org.uk

 

Sche Data processing activities

(Scroll left to right to see more of this table)

Data Subject(s)

Type or category of Personal Data

Type of processing

Purpose of processing

Legal basis of processing

Specific Category / Criminal Info legal basis

Transfers to third party recipients (including outside EEA)?

Retention period

Individuals who have contacted dioceses and religious congregations in relation to safeguarding matters

Anonymised data provided annually, or otherwise as required, by each diocese and religious commission.

Some individuals might be recognisable in relation to other case information held by the NCSC.

Data produced from paper and electronic records of individual data returns and aggregated spreadsheets held and produced by CSAS

Gathered for the purpose of inclusion in the NCSC annual report or other specific reports.

Legitimate interests of the NCSC performing its role in developing strategy to support the provision of safeguarding services and for driving improvements.

Necessary to retain as part of the NCSC’ public interest tasks within the Catholic Church in England and Wales.

Necessary for archiving purposes in the public interest, historical research and statistical purposes

Necessary for the establishment, exercise or defence of legal claims or to obtain legal advice.

Necessary for substantial public interest condition of undertaking safeguarding activities.

Data may be provided to a researcher for the specific purpose of analysis on behalf of the Catholic Church in England and Wales

Indefinitely

Diocesan Staff,

Religious,

Catholic organisations

Various Contact lists which include names, telephone numbers, email addresses, business addresses

electronic

Contact relating to work, inviting to relevant conferences & events, sharing relevant information and updates

Legitimate interests of the NCSC performing its role in developing strategy to support the provision of safeguarding services and for driving improvements.

Legitimate interests of CaTEW in processing information relation to members of the Catholic Church in England and Wales and to those with regular contact with it.

No

Indefinitely- updated regularly

Victims/survivors of abuse; complainants; persons accused of abuse or about whom concerns have been raised

Case related records e.g. case log, letters, emails, reports, referral information.

Information is provided by self-referral, from agents within church structures, by statutory agencies and by other agencies/organisations.  Information will include name, date of birth, address, gender, other sensitive information.

Electronic

For purpose of keeping a record of case related advice and actions taken on a case. 

Consent (if appropriate in the circumstances)

Legal obligations to which CaTEW is subject in relation to safeguarding.

Legitimate interests of the NCSC performing its role in developing strategy to support the provision of safeguarding services and for driving improvements.

Necessary to retain as part of the NCSC’ public interest tasks within the Catholic Church in England and Wales.

For further information, please see our Information Sharing Protocol

Explicit consent (if appropriate in the circumstances)

Necessary for the establishment, exercise or defence of legal claims or to obtain legal advice.

Necessary for substantial public interest condition of undertaking safeguarding activities.

Necessary for the prevention or detection of unlawful acts.

Necessary to protect the public against dishonesty.

For further information, please see the national Information Sharing Protocol

Internal – Shared with HR within CaTEW with individuals who require the information to allow them to fulfil their professional responsibilities; members of the CSAS team; the

External:

Specific dioceses, religious congregations or Catholic organisations who require the information to allow them to fulfil their professional responsibilities.

Organisations such as police, social care, probation for the purpose of public protection.

Organisations commissioned to undertake investigations or assessments where the information is required to enable them to fulfil the terms of the Agreement.

For clergy and religious, 85 years from date of birth, or date of death if later.  At the end of these retention periods, a summary record of the case file will be retained indefinitely. 

For all other church roles e.g., volunteers, office holders, 25 years from the date their role ceases.  At the end of these retention periods, a summary record of the case file will be retained until the 85th birthday of the accused person.

Sensitive information such as victim witness statements, psychological or psychiatric reports on witnesses should only be retained for as long as they have a purpose e.g. duration of criminal, civil or internal church investigation.  Records should be destroyed 3 years after the end of the last such process to conclude.  Summary details of the allegations, including status of victim and context, should be retained beyond this period but should be included in general case file information in any event.