GDPR Policy

Trust of St. Benedict’s Abbey, Ealing 

Data Protection Policy 

1. General Statement of duties 

1.1. The Trust of St. Benedict’s Abbey, Abbey is required to process relevant personal data regarding the monastic community, parishioners, employees, volunteers, students at the Benedictine Institute, users of the Guesthouse and clients at Ealing Abbey Counselling Service as part of its operation. 

1.2. The Trust will take the utmost care in processing the data we collect and in particular will take reasonable steps to ensure: 

 we have a clear legal basis to hold and process data; 

 we are transparent with data subjects about why we hold their data and how we process it; 

 we take the utmost care to hold personal data securely and avoid releasing it to anyone who should not have access to it; and 

 we have in place clear procedures to check the accuracy of data we hold and to ensure that we do not hold data for longer than we reasonably need to. 

1.3. The Trust includes: 

 The Parish of St. Benedict, Ealing Abbey 

 Benedictine Community of Ealing Abbey 

 Benedictine Institute 

 Ealing Abbey Counselling Service (EACS) 

 Ealing Abbey Guest House 

 Ealing Abbey Choir 

1.4. This policy should be read in conjunction with: 

• Child Protection (Safeguarding) Policy 

• Employee Handbook – ICT Acceptable use 

• In the event of any conflict between this policy and any other that concerns the use of personal data, then this policy will take precedence. 

The Parish of St. Benedict’s Ealing Abbey is additionally included in the Data Protection Policy of the Diocese of Westminster. In this case, if there is any conflict between this policy and the Diocesan Data Protection Policy, the Diocesan policy takes precedence. 

1.5. This policy applies to anyone who works for, or acts on behalf of, the Trust (including members of the monastic community, staff, volunteers, committee members and service providers). Where personal data is being passed to third parties, including IT hosting companies, the Lay Bursar should be consulted to ensure that our contracts are robust enough to ensure that our policy can be enforced. 

2. Data Protection Responsibility 

2.1 The Trust will act as the Data Controller. It is the responsibility of the Data Controller to ensure that all personal data is processed in compliance with this Policy and the General Data Protection Regulations. 

2.2 Day-to-day decision making on what constitutes compliance with this policy and the regulations will be taken by the Lay Bursar. 

2.3 Each database or main instance of paper records will have an assigned data owner. It is the day-to-day responsibility of the data owner to ensure that this policy is followed. The Lay Bursar will ensure that there are periodic audits of the data we hold and how it is used to ensure that there is compliance with the policy. Appendix 1 includes a list of all major data owners. 

2.4. All those who work for, or act on behalf of, the Trust have a responsibility to ensure that they take reasonable steps to ensure that data is held securely and processed only in accordance with the privacy notices that have been issued to data subjects. 

3. ICO (Information Commissioners Office) Registrations 

The Parish is included in the registration of the Diocese of Westminster. 

The remainder of the Trust is not required to register with the ICO under exemptions for not for profit organizations. 

4. What is “Personal Data”? 

3.1. Personal data is data relating to a living individual who can be identified from the data or from other information held by, or likely to come into the possession of the Trust. It includes names, birth dates, addresses, telephone numbers and email addresses. 

3.2 The Trust holds a range of personal data about parishioners, staff, members of the Monastic Community, Students at the Benedictine Institute, Choristers, guests, Clients at Ealing Abbey counselling Service, volunteers and donors. This data may be held in a range of formats including in databases, electronic records, such as Microsoft documents or on paper. 

3.3 Sensitive personal data is information like racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical/mental health or condition, sexual life, criminal offences and sentences imposed and includes bio metric data and genetic data. The Trust holds a range of such data and all such data needs to be carefully managed and controlled. 

5. Overarching compliance with the data principles 

5.1. The General Data Protection Regulations contain six key principles which must be followed when processing data. 

5.2. We will broadly comply with these principles as follows: 

Principle  Compliance statement 
Data is processed lawfully, fairly and in a transparent manner in relation to individuals;  Where we hold personal data we will clearly document the reasons for doing so. 

We will have a preference to hold personal data because we have a contract with the individual (or their parent) or we have their consent to do so. 

We will only rely on legitimate interest as a basis to hold data where the Trust agrees this is necessary. Where we rely on legitimate interest as a basis for holding data then we will not contact these individuals by phone or email for development, marketing or fundraising purposes. 

Appendix Two to this policy statement lists the legal basis on which we hold all main sources of personal data and the current agreed list of personal data held on a legitimate interest basis. 

We will have Data Privacy Notices, written in plain English, for all main sources of personal data that we hold and regularly share these with the data subjects. These Data Privacy Notices need to be approved by the Lay Bursar. 

Data is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes  It will be the responsibility of data owners to ensure that all those with access to data for which they are the owner are aware of what it says in the Data Privacy Notice and follow it. 

It will be the responsibility of the Lay Bursar to ensure that there are periodic audits of compliance with Data Privacy Notices. 

We will only pass data to third parties where there is a clear business need or legal obligation to do so. Examples of this include prospective employers, police, auditors, pension providers. 

We will not pass personal data to a third party where the third party is paying us to do so. 

Data is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed  We will only collect data that we can demonstrate that we need to undertake our business. 

We will only share data within the Trust with those that have a demonstrable operational or business need to have access to the data. 

We will adopt the clear practice of not holding data that we consider would cause us embarrassment or harm if we had to tell the data subject that we hold it. 

Data is accurate and where necessary kept up to date.  We will tell all data subjects annually or, on a three year cycle, what data we hold on them and give them the opportunity to correct it. 

We will delete data that we hold under the Legitimate Interest or Consent reason where the individual tells us they do not want us to hold it.