This page contains data protection and information security policies and privacy notices for Oxford Diocesan Board of Finance and for Diocesan Trustees (Oxford) Ltd. These documents describe the way we process personal data in different situations: the personal data we process, what we do with it, how we store it and what happens when we finish processing it.
The Data Protection Officer for the diocese is the Diocesan Secretary, who can be contacted via the Data Protection Co-ordinator, Fiona McGrady. Contact the DPO by email.
General Privacy Notice for Oxford Diocesan Board of Finance (ODBF)
DownloadThis privacy notice explains how ODBF processes personal data in our general day-to-day work. It should be read in conjunction with additional privacy notices which explain our handling of personal data in specific circumstances (for specific activities or groups of people).
Confidential Declaration Form and Privacy Notice
Download the Confidential Declaration Form Download the Privacy NoticePrivacy Notice for Clergy and LLMs
Download the Privacy Notice Download the Clergy and LLMs Data Collection FormPrivacy Notice for Parish Office Holders (Churchwarden, PCC secretary, treasurer, Deanery Synod rep, safeguarding officer)
DownloadWe are grateful for the support of all those who serve the diocese. It helps the diocese to help you if we have all your contact details from the start. It will ensure that you receive appropriate diocesan information and mailings.
Website privacy policy
DownloadThis policy explains when and why we collect personal information about people who visit our website, how we use it, the conditions under which we may disclose it to others and how we keep it secure.
This policy relates to oxford.anglican.org, its subdomains, and other official Diocese of Oxford websites, including earthingfaith.org, thamespilgrimway.org.uk, and youthblog.org. It does not apply to sites the Diocese of Oxford may host for affiliated organisations.1. How do we collect information from you?
We obtain limited information about you when you use the website - for example, when you contact us or subscribe to our newsletter.2. What type of information is collected from you?
Newsletters: If you voluntarily subscribe to eNews or other emails from us we save:- Your email address (required)
- Your name (optional)
- The archdeaconry where you worship (optional)
- Your name
- Email address
- IP address
- Date and time
- Message subject and content including attachments
3. Cookies
4. How is my information used?
We may use your information to:- improve the website by understanding which pages are most visited and in what order;
- send you notifications that you have requested (more about browser notifications);
- put you in touch with someone you need to contact;
- remember your login details if you are one of our website editors.
5. Your choices
The accuracy of your information is important to us. If your email address or any of the other information we hold is inaccurate or out of date, please let us know. You can update your details on the newsletter by following the "Update My Preferences" link in the email. You have the right to ask for a copy of the information we hold about you on our website.6. Security precautions in place to protect the loss, misuse or alteration of your information
When you give us personal information, we take steps to ensure that it’s treated securely. We do not collect sensitive information (such as credit or debit card details) on this website. You do not need to register to use this website unless you are a staff editor. Our website is SSL secured so all passwords etc are encrypted however non-sensitive details (your email address etc) are transmitted normally over the Internet, and this can never be guaranteed to be 100% secure. As a result, while we strive to protect your personal information, we cannot guarantee the security of any information you transmit to us, and you do so at your own risk. Once we receive your information, we make our best effort to ensure its security on our systems. Where we have given (or where you have chosen) a password which enables you to access certain parts of our websites, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.7. Links to other websites
Our website may contain links to other websites run by other organisations. This privacy policy applies only to our website‚ so we encourage you to read the privacy statements on the other websites you visit. We cannot be responsible for the privacy policies and practices of other sites even if you access them using links from our website. In addition, if you linked to our website from a third party site, we cannot be responsible for the privacy policies and practices of the owners and operators of that third party site and recommend that you check the policy of that third party site.8. Transferring your information outside of Europe
All our web servers are located in the EU However, as part of the services offered to you through this website, the information which you provide to us may be transferred to countries outside the European Union (“EU”). For example, when you subscribe to a newsletter, a browser notification, or when our sites are backed-up. These countries may not have similar data protection laws to the UK. By submitting your personal data, you’re agreeing to this transfer, storing or processing. If we transfer your information outside of the EU in this way, we will take steps to ensure that appropriate security measures are taken with the aim of ensuring that your privacy rights continue to be protected as outlined in this policy.9. Review of this Policy
We keep this policy under regular review. This policy was last updated in May 2018.
Privacy Notice for Members of Oxford Diocesan Synod and Associated Boards and Councils
We are grateful for the support of all those who serve the diocese. It helps the diocese to help you if we have all your contact details from the start. It will ensure that you receive appropriate diocesan information and mailings.
Privacy Notice for candidates applying for vacancies with Oxford Diocesan Board of Finance (ODBF)
DownloadPrivacy Notice for those seeking to discern a call to Licensed Lay Ministry within the Oxford Diocese
DownloadWe are grateful to those who wish to explore their sense of calling to licensed lay ministry within this diocese. It helps the diocese to help you if we have all your contact details from the start. It will ensure that you receive appropriate diocesan information and mailings.
Privacy Notice for those seeking to discern a call to ordained ministry within the Oxford Diocese
DownloadWe are grateful to those who wish to explore their sense of calling to ordination within this diocese. It helps the diocese to help you if we have all your contact details from the start. It will ensure that you receive appropriate diocesan information and mailings.
Privacy Notice for the Parents/Carers of Attendees of Yellow Braces Camp
DownloadWe are grateful to those who wish to explore their sense of calling to ordination within this diocese. It helps the diocese to help you if we have all your contact details from the start. It will ensure that you receive appropriate diocesan information and mailings.
Privacy Notice for the Staff of Yellow Braces Camp
DownloadPrivacy Notice for Members & Trustees of Diocesan Trustees (Oxford) Ltd [DT(O)L]
DownloadWe are grateful for the support of all those who serve in the diocese. If we have all your contact details from the outset it will ensure that you receive appropriate information and mailings.
Privacy Notice for DT(O)L Financial Trust Work
DownloadPrivacy Notice for DT(O)L Trust Work Property Transactions
Download1. Your personal data – what is it?
Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in our possession or likely to come into such possession. The processing of personal data is governed by the General Data Protection Regulation 2016/679 (the “GDPR and the Data Protection Act 2018, (the “DPA 2018”).
2. How do we process your personal data?
We comply with obligations under the GDPR and DPA 2018 by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.
We use your personal data for the following purposes:
- To exercise our responsibilities as the organisation you are volunteering through in line with legislation, best practice and our policies and procedures. In addition to our general oversight of your volunteering work, we are responsible for assessing your qualifications, experience and memberships, your criminal background (for specific volunteering roles only) and your ongoing suitability for the volunteering role within the diocese.
3. What is the legal basis for processing your personal data?
Processing of data in relation to your volunteering work is based on consent.
In so far as any personal data relates to “special categories of personal data” or criminal conviction or offence, the processing of data is also a legitimate activity; in order to assess suitability for a volunteer role and monitor diversity. It is not shared externally outside the institutional bodies that comprise the Church of England without your consent.
4. Sharing your personal data
Your information will be shared internally and seen by authorised ODBF staff for the purposes of managing the volunteer relationship. This will include members of HR, your assigned manager and members of senior management if access to the data is necessary for performance of their roles.
ODBF will share your data with third parties in order to obtain pre-employment checks required for the volunteering role. This includes your referees and other organisations such as those that obtain checks through the Disclosure and Barring Service if required for the role.
We don’t use your data for any other reason, nor do we sell it to any third parties or use it to contact you about any unrelated services.
5. How long do we keep your personal data?
We keep your personal data for the duration of your volunteering work with us, plus an additional six years after the relationship has come to an end. It is your responsibility to inform us of any changes to your information, for example if you move to a new house.
6. Your rights and your personal data
Unless subject to an exemption under the GDPR or DPA 2018, you have the following rights with respect to your personal data: -
- The right to request a copy of your personal data which ODBF holds about you;
- The right to request that ODBF correct any personal data if it is found to be inaccurate or out of date;
- The right to request your personal data is erased where it is no longer necessary for us to retain such data;
- The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;
- The right to object to the processing of personal data, (where applicable). The right to lodge a complaint with the Information Commissioners Office.
7. Further processing
If we wish to use your personal data for a new purpose, not covered by this Data Protection Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.
8. Contact details
To exercise all relevant rights, queries or complaints please in the first instance contact the Data Protection Officer, Church House Oxford, Langford Locks, Kidlington, Oxford, OX5 1GF. Tel: 01865 202243. Email: dpo@oxford.anglican.org.
You can contact the Information Commissioners Office on 0303 123 1113 or via email https://ico.org.uk/global/contact-us or at the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5AF.
1. Your personal data – what is it?
Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in our possession or likely to come into such possession. The processing of personal data is governed by the General Data Protection Regulation 2016/679 (the “GDPR and the Data Protection Act 2018, (the “DPA 2018”).
2. How do we process your personal data?
We comply with obligations under the GDPR and DPA 2018 by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.
We use your personal data for the following purposes:
- To assess your suitability to provide services to ODBF. This may include reviewing your work history or education, checking qualifications, memberships, insurance, right to work in the UK documentation, taking up references, applying for criminal record clearance, driving licence checks, health screening or checking company/self-employed status, as applicable for the services to be provided.
- To establish and maintain the contract of services between both parties, including the monitoring of assignment outcomes and compliance with the contract of services agreement.
- To process invoices for payment
3. What is the legal basis for processing your personal data?
The processing of your data is necessary in order for us to fulfil our obligations set out in the contract for services.
In so far as any personal data relates to “special categories of personal data” or criminal conviction or offence, the processing of data is also a legitimate activity; in order to assess suitability for a proving a service and to monitor diversity. It is not shared externally outside the institutional bodies that comprise the Church of England without your consent.
4. Sharing your personal data
Your information will be shared internally and seen by authorised ODBF staff for the purposes of managing the contract of services. This will include members of HR, Finance your manager and members of senior management if access to the data is necessary for performance of their roles and fulfilment of the contract of services.
ODBF may share your data with third parties in order to obtain checks to verify your suitability to provide services. This includes referees and other organisations such as professional bodies necessary to complete checks. Medical checks from our Occupational Health Provider and criminal records checks, obtained from the Disclosure and Barring Service by a third-party organisation, may be required dependant on the services you will be providing. You will be informed before any such checks are applied for.
We don’t use your data for any other reason, nor do we sell it to any third parties or use it to contact you about any unrelated services.
5. How long do we keep your personal data?
We keep your personal data for the duration of the contract for services, plus an additional six years after the agreement has come to an end. It is your responsibility to inform us of any changes to your information, for example if you move to a new house.
6. Your rights and your personal data
Unless subject to an exemption under the GDPR or DPA 2018, you have the following rights with respect to your personal data: -
- The right to request a copy of your personal data which ODBF holds about you;
- The right to request that ODBF correct any personal data if it is found to be inaccurate or out of date;
- The right to request your personal data is erased where it is no longer necessary for us to retain such data;
- The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;
- The right to object to the processing of personal data, (where applicable). The right to lodge a complaint with the Information Commissioners Office.
7. Further processing
If we wish to use your personal data for a new purpose, not covered by this Data Protection Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.
8. Contact details
To exercise all relevant rights, queries or complaints please in the first instance contact the Data Protection Officer, Church House Oxford, Langford Locks, Kidlington, Oxford, OX5 1GF. Tel: 01865 202243. Email: dpo@oxford.anglican.org.
You can contact the Information Commissioners Office on 0303 123 1113 or via email https://ico.org.uk/global/contact-us or at the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5AF.
About this policy
8.5.1 Our IT and communications systems are intended to promote effective communication and working practices. This policy outlines the standards you must observe when using these systems, when we will monitor their use, and the action we will take if you breach these standards.
This policy applies to all ODBF employees, contract/temporary staff and any other individuals with access to the ODBF’s IT systems.
8.5.2 Breach of this policy may be dealt with under our Disciplinary Procedure and, in serious cases, may be treated as gross misconduct leading to summary dismissal.
Equipment security and passwords
8.5.3 You are responsible for the security of the equipment allocated to or used by you, and you must not allow it to be used by anyone other than in accordance with this policy. You should use passwords on all IT equipment, particularly items that you take out of the office. You should keep your passwords confidential and change them regularly, at least every 3 months. Your password should be a hard-to-guess combination, at least 8 characters (including upper and lower case letters and a numerical digit), and should not include your name. A strong numerical passcode, that is not easy to guess, should be set on mobile phones or tablets used for work purposes.
8.5.4 You must only log on to our systems using your own username and password. You must not use another person's username and password or allow anyone else to log on using your username and password, without the permission of IT and your Departmental Head.
8.5.5 If you are away from your desk you should log out or lock your computer. You must log out and shut down your computer at the end of each working day
Systems and data security
8.5.6 You should not delete, destroy or modify existing systems, programs, information or data (except as authorised in the proper performance of your duties).
8.5.7 You must not download or install software or any application from external sources without authorisation from your line manager and the IT department. Downloading unauthorised software or apps may interfere with our systems and may introduce viruses or other malware.
8.5.8 We monitor all e-mails passing through our system for viruses. You should exercise particular caution when opening unsolicited e-mails from unknown sources. If an email looks suspicious do not reply to it, open any attachments or click any links in it.
8.5.9 Inform your line manager immediately if you suspect your computer may have a virus.
8.5.10 Networked drives (R: drive and U: drive) and Microsoft OneDrive are provided for you to save documents used in the performance of your role (files saved in these locations are automatically backed up). To maintain the highest levels of security and resilience it is recommended that documents are not saved onto your local computer hard disc drive. Other cloud storage solutions, such as Dropbox, are not recommended.
Documents should only be stored onto a USB device where necessary. Sensitive information stored should always be password protected. If you require regular use of a USB storage device, you should consider encrypting it.
Use of your own devices
8.5.11 If you access your work emails or data on a personal device (PC, tablet, etc.), documents should not be stored on that device. We recommend you access Office 365 using a web browser, which provides access to your work without storing files permanently on the local device. See the Information Security policy for more details on the use of your own devices for work purposes.
8.5.12 Adopt a professional tone and observe appropriate etiquette when communicating with third parties by e-mail.
8.5.13 Remember that e-mails can be used in legal proceedings and that even deleted emails may remain on the system and be capable of being retrieved.
8.5.14 You must not send abusive, obscene, discriminatory, racist, harassing, derogatory, defamatory, pornographic or otherwise inappropriate e-mails.
8.5.15 You should not: (a) send or forward private e-mails at work which you would not want a third party to read; (b) send or forward chain mail, junk mail, cartoons, jokes or gossip; (c) contribute to system congestion by sending trivial messages or unnecessarily copying or forwarding e-mails to others who do not have a real need to receive them; or (d) send messages from another person's e-mail address (unless authorised) or under an assumed name.
8.5.16 Do not use your own personal e-mail account to send or receive e-mail for the purposes of our organisation. Only use the e-mail account we have provided for you.
Using the internet
8.5.17 Internet access is provided for organisation purposes. Occasional personal use may be permitted as set out in paragraph 8.5.20 and 8.5.21
8.5.18 You should not access any web page or download any image or other file from the internet which could be regarded as illegal, offensive or immoral. Even web content that is legal in the UK may fall within this prohibition. As a general rule, if any person (whether intended to view the page or not) might be offended by the contents of a page, or if the fact that our software has accessed the page or file might be a source of embarrassment if made public, then viewing it will be a breach of this policy. If such access is necessary for work purposes, written approval must be granted in advance by your Head of Department, in consultation with the IT team.
8.5.19 We may block or restrict access to some websites at our discretion.
Personal use of our systems
8.5.20 We permit the occasional use of our systems to send personal e-mail, browse the internet and make personal telephone calls subject to certain conditions. Personal use is a privilege and not a right. It must not be overused or abused. We may withdraw permission for it at any time or restrict access at our discretion.
8.5.21 Personal use must meet the following conditions: (a) it must be minimal and take place substantially outside of normal working hours (that is, during your lunch break, and before or after work); ; (b) it must not affect your work or interfere with the organisation; (c) it must not commit us to any marginal costs; and (d) it must comply with our policies including the Equal Opportunities Policy, Antiharassment and Bullying Policy, Data Protection Policy, Social Media and Disciplinary Procedure.
Monitoring
8.5.22 Our systems enable us to monitor telephone, e-mail, voicemail, internet and other communications. For organisational reasons, and in order to carry out legal obligations in our role as an employer, your use of our systems including the telephone and computer systems (including any personal use) may be continually monitored by automated software or otherwise.
8.5.23 We reserve the right to retrieve the contents of e-mail messages or check internet usage (including pages visited and searches made) as reasonably necessary in the interests of the organisation, including for the following purposes (this list is not exhaustive): (a) to monitor whether the use of the e-mail system or the internet is legitimate and in accordance with this policy; (b) to find lost messages or to retrieve messages lost due to computer failure; (c) to assist in the investigation of alleged wrongdoing; or (d) to comply with any legal obligation.
8.5.24 Only the Diocesan Secretary has the authority to approve action under 8.5.23 above
Prohibited use of our systems
8.5.25 Misuse or excessive personal use of our telephone or e-mail system or inappropriate internet use will be dealt with under our Disciplinary Procedure. Misuse of the internet can in some cases be a criminal offence.
8.5.26 Creating, viewing, accessing, transmitting or downloading any of the following material will usually amount to gross misconduct (this list is not exhaustive): (a) pornographic material (that is, writing, pictures, films and video clips of a sexually explicit or arousing nature); (b) offensive, obscene, or criminal material or material which is liable to cause embarrassment to us or to our clients; (c) a false and defamatory statement about any person or organisation;
(d) material which is discriminatory, offensive, derogatory or may cause embarrassment to others (including material which breaches our Equal Opportunities Policy or our Anti-harassment and Bullying Policy); (e) confidential information about us or any of our staff or clients (except as authorised in the proper performance of your duties); (f) unauthorised software; (g) any other statement which is likely to create any criminal or civil liability (for you or us); or (h) music or video files or other material in breach of copyright.
Lost or stolen equipment
8.5.27 Any lost or stolen IT equipment, either issued to you by ODBF or a personal device that you use to access ODBF’s data and systems, must be reported to our IT provider and your line manager as soon as possible, even if this is outside of normal office hours. Immediate notification is imperative, since this constitutes a data breach under data protection law. IT can be contacted on: 07770 382452.
8.5.28 Once you have discovered your device is missing you should use an alternative device to log on to Office 365 (using your computer login credentials) and change your password immediately, in case your account password has been compromised. IT will initiate a remote wipe of any mobile device to remove all data.