The Filipino International Church Data Protection Statement and Policy
We, The Filipino International Church, are committed to respecting the rights and protecting the personal data of our members and of the other individuals whose data we collect and use. We understand the risks of holding these data and we are fully responsible for handling, monitoring and keeping them secure.
Purpose of this Policy
As a church and a charity group, we collect and use personal information not only from our members but also from our community ties. We process personal data on paper, by having individuals fill in membership forms, consent forms and gift aid declarations, among others, and electronically, through our webpage, e-mails, the Disclosure and Barring Service site and our Facebook account. We are aware that individuals can be harmed if their personal information is misused, is inaccurate, gets into the wrong hands as a result of poor security, or is disclosed carelessly. We are committed to protecting personal data and information from unauthorised disclosure and to ensuring its accuracy.
The purpose of this policy is to set out measures which, together with our safeguarding policies and our policies on the safe use of social media and electronic communication, ensure compliance with the statement above and with the UK legislation, the General Data Protection Regulation (GDPR).
What is GDPR?
The General Data Protection Regulation, or GDPR, is UK legislation that applies to any organisation holding the personal data of its members and community ties, whether in electronic or paper form. GDPR demands that organisations must:
- understand the risks of exposing personal data; and
- take full responsibility for how such data are handled, monitored and secured.
What is a personal data breach?
A personal data breach means a breach of security leading to the accidental or deliberate unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Personal data breaches can include:
- access by an unauthorised third party;
- deliberate or accidental action (or inaction) by a controller or processor;
- sending personal data to an incorrect recipient;
- personal data being lost or stolen;
- alteration of personal data without permission; and
- loss of availability of personal data.
In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.
Non-compliance to GDPR
Penalties for non-compliance vary. Article 83 of the GDPR sets out in detail the conditions for imposing administrative fines and enumerates the factors that are considered:
- The nature, gravity, and duration of the violation
- The categories of personal data that are affected
- Previous violations
- Intent or negligence
- Actual harm done and efforts to mitigate the damage to data subjects
- Degree of responsibility of the controller or processor
- Certifications and adherence to codes of conduct
- Reporting of the violation
- Cooperation (or lack thereof) with authorities
Development of this Policy
This policy has been approved by the TFIC Board of Trustees, who are responsible for ensuring that we comply with all our legal obligations. Our Data Protection Officers for our website, Facebook and paper forms are responsible for ensuring compliance with data protection law, dealing with data security breaches and developing this policy. Our Data Protection Officers will:
- Oversee compliance with the policy;
- Keep a record of all data security incidents or breaches and investigate in appropriate detail; and
- Provide or arrange training and guidance.
Measures we put in place include:
- Security software is installed on all computers containing personal and/or confidential data;
- All non-portable user devices, laptops, memory sticks and portable hard drives containing personal and sensitive data will be encrypted;
- All paper documents containing personal data should be locked away in desks and cabinets and not left out overnight;
- Paper documents no longer needed shall be securely shredded, and digital storage devices should be physically destroyed when they are no longer required;
- Any breach must be reported within 72 hours of the incident being discovered. The Data Protection Officers must keep records of personal data breaches, including:
  - the facts relating to the personal data breach;
  - its effects; and
  - the remedial action taken.
We use cookie technology when a person visits our website to collect and analyse anonymised data on how many people have visited, what pages they have looked at and other statistical information.
We use a pop-up banner to let users know about this on their first visit, and they can at any time disable cookies in their browser if they do not wish their (anonymised) data to be tracked.
What rights do you have?
Under the GDPR, you have the following rights over your data and its use:
- The right to be informed – about what data we are collecting on you and how we will use it
- The right of access – you can ask to see the data we hold on you
- The right to rectification – you can ask that we update or correct your data
- The right to object – you can ask that we stop using your data for a particular purpose
- The right to erasure – you can ask us to delete the data we hold on you
- The right to restrict processing – you can ask that we temporarily stop using your data while the reason for its use or its accuracy is investigated
- Though unlikely to apply to the data we hold and process on you, you also have rights related to data portability and automated decision making (including profiling)
All requests related to your rights should be made to the Data Protection Officer at firstname.lastname@example.org. We will respond within one month.
You can find out more about your rights on the Information Commissioner's Office website.
Changes to this policy
We will review this policy from time to time or as needed and reserve the right to change this policy. Any amended versions of this policy will take effect from the time they are uploaded to our website, official chat groups or e-mail.