Data Protection Policy
The Christian Community in London and Temple Lodge Club Ltd
51 Queen Caroline Street, London W6 9QL
Policy Owner: Guest House Manager
Approved By: Board of Directors – 27/06/2025
1. Purpose
This policy sets out how The Christian Community in London and Temple Lodge Club Ltd (referred to as “we”, “our”, or “the organisation”) processes personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This policy applies to all employees, volunteers, contractors, and third parties who handle personal data on behalf of the organisation, and it governs the personal data we hold about guests, members, congregants, staff, suppliers, and any other individuals.
2. Scope
This policy applies to all personal data processed by the organisation, including but not limited to:
- Staff and volunteer records
- Guest booking information
- Member and congregant data
- Supplier and contractor information
- Email and communication records
- CCTV and access data (if applicable)
3. Principles of Data Protection
We are committed to processing personal data in accordance with the following seven key principles of the UK GDPR:
- Lawfulness, Fairness and Transparency: Personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
- Purpose Limitation: Personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data Minimisation: Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
- Accuracy: Personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
- Storage Limitation: Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- Integrity and Confidentiality (Security): Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
- Accountability: The data controller shall be responsible for, and be able to demonstrate compliance with, the above principles.
4. Roles and Responsibilities
Clear roles and responsibilities are essential for effective data protection within the organisation:
- Board of Directors: Holds overall responsibility for ensuring the organisation’s compliance with data protection obligations and for approving this policy.
- Chair of the Board: Responsible for approving public data protection statements and handling high-level media enquiries related to data protection.
- Guest House Manager (Data Protection Lead):
- Oversees day-to-day data protection practices and compliance.
- Provides staff training and guidance on data protection.
- Handles subject access requests and other data rights requests from individuals.
- Reviews third-party contracts involving the processing of personal data.
- Reports any suspected or actual data breaches and ensures appropriate remedial action is taken.
- All Staff and Volunteers:
- Must adhere to the principles and procedures outlined in this policy.
- Are responsible for protecting the personal data they handle.
- Must report any concerns or suspected data breaches immediately to the Guest House Manager.
5. Legal Bases for Processing
We will only process personal data when a lawful basis applies, as defined by the UK GDPR. These include:
- Consent: Where the individual has given clear consent for us to process their personal data for a specific purpose (e.g., for marketing communications).
- Performance of a Contract: Where the processing is necessary for a contract we have with the individual, or because they have asked us to take specific steps before entering into a contract (e.g., processing booking information).
- Legal Obligation: Where the processing is necessary for us to comply with the law (e.g., maintaining financial records for tax purposes).
- Legitimate Interests: Where the processing is necessary for our legitimate interests or the legitimate interests of a third party, provided those interests are not overridden by the interests or fundamental rights and freedoms of the individual (e.g., improving our services, preventing fraud, maintaining IT security). A legitimate interests assessment must be recorded before this basis is relied on.
- Vital Interests: Where the processing is necessary to protect someone’s life (e.g., in a medical emergency).
- Public Interest or Official Authority: Where the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
6. Data Security
We implement appropriate technical and organisational measures to protect personal data from accidental loss, unauthorised access, use, alteration, or disclosure. These measures include:
- Secure Storage: Physical files containing personal data are stored in locked cabinets or secure rooms.
- Password Protection: Use of strong, unique, and confidential passwords for all systems and devices handling personal data, with multi-factor authentication enabled wherever the system supports it.
- Software Updates: Regular software updates and robust antivirus/anti-malware protection are maintained on all IT systems.
- Access Controls: Implementation of access controls and role-based access to ensure that only authorised personnel can access personal data relevant to their role.
- Approved Cloud Services: Use of secure, UK GDPR-compliant cloud services where necessary, with appropriate data processing agreements in place. Where a service stores or processes personal data outside the UK, the transfer must be covered by UK adequacy regulations or another appropriate safeguard.
- Secure Disposal: Implementation of secure disposal methods for both physical and electronic data, such as shredding paper documents and permanent deletion or overwriting of electronic files.
7. Data Accuracy and Retention
- Data Accuracy: Personal data must be kept accurate and up to date. Staff are responsible for verifying and updating data where appropriate and reporting any inaccuracies. Inaccurate or outdated data must be deleted or corrected promptly.
- Data Retention: Personal data will be retained only for as long as necessary for its original purpose, or as required by law. For example, financial records are retained for 7 years to comply with legal obligations. Specific retention periods are detailed in our Privacy Notice.
8. Data Storage
- Paper Documents: Must be stored in secure, locked locations to prevent unauthorised access.
- Electronic Files: Must be stored on encrypted or access-controlled systems and networks.
- Removable Media: Any removable media (e.g., USB drives) used for storing personal data must be securely stored and encrypted.
- Approved Systems: Personal data must only be stored on systems and services approved by the organisation.
- Backups: Regular backups of electronic data must be maintained and tested to ensure data recovery in case of loss or corruption.
9. Data Use and Access
- Need-to-Know Basis: Only staff with a clear business need may access personal data.
- No Informal Sharing: Personal data must not be shared informally or outside the organisation without proper authorisation and a lawful basis.
- Screen Security: Screens displaying personal data must be locked when unattended.
- No Personal Devices: Personal data must never be stored on personal devices (e.g., personal laptops, phones, or tablets).
- Secure Email: Email must not be used to transmit sensitive personal data unless it is appropriately encrypted or sent via secure, approved methods.
10. Subject Access and Data Rights
All individuals have specific rights under the UK GDPR regarding their personal data:
- Right of Access (Subject Access Request – SAR): Individuals can request a copy of the personal data we hold about them.
- Right to Rectification: Individuals can request that inaccurate or incomplete personal data be corrected.
- Right to Erasure (‘Right to be Forgotten’): Individuals can request the deletion of their personal data in certain circumstances.
- Right to Restriction of Processing: Individuals can request that we limit the way we use their personal data in certain circumstances.
- Right to Data Portability: Where processing is based on consent or a contract and is carried out by automated means, individuals can request the transfer of their personal data to another organisation or to themselves in a structured, commonly used, machine-readable format.
- Right to Object: Individuals can object to the processing of their personal data where we are relying on legitimate interests or for direct marketing purposes.
- Right to Withdraw Consent: Where processing is based on consent, individuals have the right to withdraw that consent at any time.
Requests to exercise these rights must be responded to within one month of receipt. This period may be extended by up to two further months where a request is complex or where several requests have been received from the same individual, in which case the individual must be told of the extension, and the reason for it, within the first month. The identity of the individual making the request must be verified before any personal data is disclosed, and the request, the verification carried out, and the response must be recorded.
11. Data Sharing and Disclosure
We only share personal data when:
- Legally Required: For example, with HMRC, law enforcement agencies, or other regulatory bodies.
- Necessary for Contractual Services: With third-party service providers (e.g., booking platforms, payment processors) who assist us in providing our services.
- With Consent: When individuals have given their explicit consent for specific data sharing.
Where a third party processes personal data on our behalf (for example, a booking platform or payment processor), a written contract meeting the requirements of Article 28 of the UK GDPR, commonly called a Data Processing Agreement (DPA), must be in place before any personal data is shared. Disclosures to bodies that act as independent controllers, such as HMRC or law enforcement agencies, are not covered by a DPA; each such disclosure must be recorded together with the lawful basis relied on and the legal requirement or request that prompted it.
12. Data Breaches
All suspected or actual data breaches must be reported immediately to the Guest House Manager.
In the event of a personal data breach that is likely to result in a risk to individuals’ rights and freedoms, it will be reported to the Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it. Affected individuals will also be notified without undue delay if the breach is likely to result in a high risk to their rights and freedoms. All breaches, including those assessed as not requiring notification to the ICO, must be recorded in the organisation’s breach log together with the facts, their effects, and the remedial action taken.
13. Training and Awareness
Staff and volunteers will receive comprehensive data protection training as part of their induction process and periodically thereafter. Refresher training will be provided when regulations change or internal procedures are updated, ensuring ongoing awareness and compliance.
14. Review and Updates
This policy will be reviewed annually or following any significant changes in legislation, organisational structure, or data processing activities, to ensure its continued relevance and effectiveness.
Approved by: The Board of Directors
Date: 27/06/2025