The English Delegation of Josephites
Data Protection Policy
1. Introduction
This policy outlines the commitment of the English Delegation of Josephites to protecting the privacy and personal data of its members, volunteers, donors and all individuals with whom we
interact.
We recognise the importance of data protection and are committed to handling personal information in a lawful, fair, and transparent manner.
We are committed to complying in full with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, Charity Commission guidance, Safeguarding laws and guidance, and the
requirements of Canon Law.
2. Scope
This policy applies to all personal data processed by the English Delegation of Josephites regardless of how it is collected, stored, or processed – whether in physical or electronic
format.
It applies to all those who handle personal data on our behalf.
3. Principles of Data Protection
We are committed to adhering to the following principles of data protection:
• Lawfulness, Fairness, and Transparency: We will process personal data lawfully, fairly, and in a transparent manner. This means being clear about what data we collect, why we collect it, and what
we do with it, ensuring individuals are aware of how their data is used. We always specify the lawful basis for processing and provide clear information to data subjects.
• Purpose Limitation: We collect personal data for specified, explicit, and legitimate purposes and do not process it further in a manner that is incompatible with those purposes.
• Data Minimisation: We only collect and process personal data that is adequate, relevant, and limited to what is necessary for the purposes for which it is intended.
• Accuracy: We will take every reasonable step to ensure that personal data is accurate and kept up to date.
• Storage Limitation: We will keep personal data for no longer than is necessary. Data is retained for defined periods (see Retention Schedule, Appendix A).
• Integrity and Confidentiality: We will process personal data in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental
or unlawful access, loss, damage or destruction.
• Accountability: We will be responsible for, and be able to demonstrate compliance with, the principles of data protection, and full compliance with data protection is regularly monitored and
documented.
4. Types of Data We Collect
We may collect and process various types of personal data, including but not limited to:
• Identifiable information: Names, addresses, email addresses, and phone numbers.
• Religious and spiritual information: Details and records related to membership, sacraments, and pastoral care. This constitutes special category data under UK GDPR Article 9(2)(d) (processing by
not-for-profit religious bodies) and is subject to stricter controls.
• Safeguarding records (including case files, disclosures, and investigation notes) are processed as special category data under UK GDPR and subject to stricter controls (Articles 9(2)(d) and (g)).
• Financial information: Donation history, bank details, and other financial documentation.
• Volunteer information: Details for managing volunteers, including background checks, roles and references where required.
• Disclosure and Barring Service (DBS): DBS processing and DBS records are stored securely, destroyed according to CSSA and DBS guidance after the retention period, and used only for
safeguarding-specific vetting purposes.
• Children’s data: Details of minors engaged with Delegation activities, with parental/guardian consent and enhanced safeguarding procedures.
5. How We Use Personal Data
We use personal data for the following purposes:
• Pastoral and spiritual support: Providing sacraments, pastoral care, and communication about religious services.
• Administration: Managing membership records and volunteers.
• Financial management: Processing donations and managing finances.
• Communication: Sending updates, newsletters, and event invitations.
• Legal compliance: Fulfilling our legal and regulatory obligations.
6. Legal Basis for Processing
We will only process personal data under one or more of the following lawful bases:
• Explicit Consent: The individual has given clear consent for us to process their personal data for a specific purpose.
• Contractual Necessity: When required to deliver services agreed with individuals and the processing is necessary for a contract we have with the individual, or because they have asked us to take
specific steps before entering a contract.
• Legal Obligation: The processing is necessary for us to comply with charity law, safeguarding or financial reporting.
• Vital Interests: In cases of emergency affecting health/safety where the processing is necessary to protect someone's life.
• Legitimate Activities: As a not-for-profit, religious body under Article 9(2)(d), respecting justification for processing special category data, the processing is necessary for our legitimate
interests or the legitimate interests of a third party, unless there is a good reason to protect the individual's personal data which overrides those legitimate interests.
• Safeguarding Obligations: The processing is necessary for us to fulfil legal obligations for safeguarding children and vulnerable adults.
7. Individual Rights
We respect the rights of individuals regarding their personal data. Individuals have the following rights:
• The Right to Be Informed: Individuals have the right to be informed about the collection and use of their personal data.
• The Right of Access: Individuals have the right to request access to their personal data (subject access requests), responded to within one calendar month.
• The Right to Rectification: Individuals have the right to have inaccurate personal data rectified or completed if it is incomplete.
• The Right to Erasure (Right to be Forgotten): Individuals have the right to request the deletion or removal of their personal data in defined circumstances.
• The Right to Restrict Processing: Individuals have the right to 'block' or suppress the processing of their personal data.
• The Right to Data Portability: Individuals have the right to obtain and reuse their personal data for their own purposes across different services.
• The Right to Object: Individuals have the right to object to the processing of their personal data in defined contexts.
• Rights related to Automated Decision Making and Profiling: We do not engage in automated decision-making or profiling.
• Safeguarding Processes: We provide privacy notices to those involved in safeguarding processes (victims, alleged perpetrators, witnesses) describing how their data will be handled and rights under
data protection law.
Requests should be emailed or posted to the Data Protection Officer with sufficient identification. Escalation is available if dissatisfied, including a right to lodge a complaint with the
Information Commissioner’s Office.
8. Data Security
We are committed to ensuring the security of personal data. We have implemented appropriate technical and organisational measures to protect personal data from unauthorised access, accidental loss,
damage, or destruction. These measures include:
• Access controls: Limiting access to personal data to only those who need it and to those who are authorised personnel/processors.
• Physical Security: Securing physical files in locked cabinets.
• Electronic Security and Data encryption: Password protection, multi-factor authentication, encrypted storage for sensitive data, and secure cloud solutions.
• Safeguarding Data: Access to safeguarding data is strictly limited to those with direct safeguarding responsibility or specific legal requirement. All internal reviews of safeguarding files are logged and audited for compliance.
• Training: Providing annual GDPR training on our data protection obligations to all members, volunteers and staff who handle personal data. We will also provide annual safeguarding and data protection training for all trustees, staff, and volunteers who handle safeguarding information. Training logs will be maintained.
• Regular reviews: Periodically reviewing our security practices.
• Data breach protocol: A clear plan for responding to and reporting data breaches.
9. Data Breaches
All breaches are logged. In the event of a data breach, we will take immediate action to assess the risk, contain the breach, and, where required by law, notify the relevant supervisory
authority and affected subjects immediately.
If the risk is high, we will notify the Information Commissioner’s Office (ICO) within 72 hours and inform the affected subjects immediately.
10. Third-Party Processors
Where we use third-party service providers (e.g., email services, or database management), contracts are reviewed for compliance, and data sharing agreements are maintained.
With respect to external transfer and case management for Safeguarding matters, safeguarding concerns are escalated and transferred to diocesan, CSSA, or statutory agencies and the Delegation acts as
a data processor/controller in this context, ensuring robust protocols for secure transfer and appropriate record holding.
11. Retention of Data
We will only retain personal data for as long as necessary to fulfil the purposes for which it was collected, including any legal, accounting, or reporting requirements. Personal data is kept only
for the period specified in the Data Retention Schedule (Appendix A), after which it is securely deleted unless required by law or canon law (e.g., canonical sacramental registers held in perpetuity
in compliance with Canon 535).
Safeguarding records are securely disposed of (shred physical files, delete digital files) at the end of the retention period, and we have an annual review/audit to ensure compliance with CSSA standards.
12. Children’s Data
Consent and documentation from parents or guardians are required for any data collected from or about minors. Extra protections are enforced – data is only shared with safeguarding authorities
or upon parental request.
13. Canon Law Considerations
Sacramental and pastoral data are processed according to Canon Law (Canon 220, Canon 535). Disclosure shall only occur with appropriate ecclesiastical authorization and in line with civil
law.
14. Regulatory and Safeguarding Links
This Policy operates alongside Charity Commission best practice (CC8, Data Protection Guidance) and the Catholic Safeguarding Standards Agency guidance.
15. Data Protection Officer (DPO)
For compliance, we have designated a Data Protection Officer (DPO) who is responsible for overseeing our data protection strategy and its implementation.
16. Contact Information
If you have any questions about this policy or our data protection practices, or if you wish to exercise your rights, please contact our Data Protection Officer who is Designated Safeguarding Trustee
of the English Delegation of Josephites:
• Name: John Lewin
• Title: Data Protection Officer and Designated Safeguarding Trustee
• Email: johnmlewin@hotmail.com
• Phone: 07725 240418
17. Policy Review
This policy will be reviewed by the Board of Trustees at least every year.
This policy is owned by the secretary to the Trustees of the Delegation of the Josephites who is the Data Protection Officer of the Delegation of Trustees.
It was last reviewed on 10 August 2025.
It will next be reviewed on 04 September 2026 or whenever there are significant changes to our processing activities or to relevant laws and guidance, to ensure it remains accurate and compliant with
the law.
Appendix A: Data Retention Schedule
• Membership records: 7 years post leaving
• Pastoral/sacramental records: Perpetuity (Canon Law)
• Volunteer/staff records: 7 years post leaving
• Finance records: 6 years post transaction (Charity Commission)
• Grievance/disciplinary records: 7 years after closure
CSSA Record Retention Schedule for safeguarding files:
• Safeguarding records about adults: 7 years from case closure.
• Safeguarding records about children: retain until the subject reaches age 24 (7 years after reaching majority).
Serious safeguarding matters may require extended retention for legal or canonical purposes. Legal advice will be sought in such cases.