[Note – October 2018 – this Policy refers to the church management system used to administer Church activities and to run the Church website, and Part 2 relates specifically to that system.  Please note that this system is in the course of implementation and is not ‘live’ yet.  An announcement will be made in the Church Newsletter and on the website as to when it will be live.]


Part 1 – Introduction

This is the Privacy Policy of the Parochial Church Council (“the PCC”) of St Michael’s Church (“the Church”) of Windhill, Bishop’s Stortford, Hertfordshire, CM23 2ND, UK.  Our charity registration number is 1130646.

This policy applies to –

  • any personal information which you give to or which is collected by the St Michael’s Church website,
  • any personal information which is stored in the church management system used to administer Church activities and to run the website (“the System”), and
  • any personal information which is otherwise held by or on behalf of the Church in other systems

(altogether “Church-held Personal Information”).

The PCC is the data controller in respect of all Church-held Personal Information, meaning that the PCC decides how it is processed and for what purposes.

Church-held Personal Information will be held and processed in accordance with the St Michael’s Church Privacy Policy, as further set out below, and with all the requirements of applicable law, including the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).  This means, for example, that Church-held Personal Information will be kept confidential, we will seek to keep it up to date, we will not collect data unnecessarily and we will delete it once it is no longer needed.

Church-held Personal Information will be held securely with appropriate technical and organisational security measures.

Church-held Personal Information will only be used for Church purposes and will never be given to other organizations for other purposes.  Further details of the types of information we may collect and examples of how we may use it are given below.

Part 2 – Church-held Personal Information in the System

This part of the Privacy Policy concerns Church-held Personal Information that is held in the System (as defined above).

If you are not a member of St Michael’s Church, then you will only have access to the public parts of our website (“the Public Site”).  If you are a member of St Michael’s Church and you register to use the System, then you will become a “Registered User” and you will have access to a private part of the website that is only accessible to members (“the Private Site”).  The System itself is controlled and administered via a restricted access part of the site called the “Web Office”.

Within the Church, the System is administered (via the Web Office) by the Parish Administrator and a limited number of other Church members who assist with administration and who have undertaken to keep the Church-held Personal Information in the System confidential.  The System is provided by ChurchInsight, a company based in Cambridge, and hosted securely in the UK.  Their staff may have incidental access to Church-held Personal Information in the System in the course of providing technical support for the System, but they have legal obligations to keep all such Church-held Personal Information confidential.

Church-held Personal Information collected via or otherwise on the Public Site

We do not routinely collect any personal information about visitors to the Public Site.  Like any website, the System collects general information about visitors (operating system used, pages visited, searches made etc.) but this is anonymous.

If you send us a query via the Public Site, then we will use any personal information you give us to respond to your query, including passing it on to a member of the Church where appropriate.

No Church-held Personal Information will be visible on the Public Site.  The only exception is that if you have an official role in the Church or are a group leader or contact person for a particular area of the Church’s activities, then we may put your name and photo (if we have one) on the Public Site.  If you consent, then we may put your contact details on the Public Site so that enquirers may contact you direct, but otherwise all enquiries by visitors to the Public Site will be directed via the Parish Office.

Church-held Personal Information in the Web Office or on the Private Site

If you are a member of the Church, or someone who has regular contact with the Church, then there may be Church-held Personal Information about you in the System.  This may be information that you have given us directly (e.g. name and contact details) either by filling in a paper data collection form or by registering online as a Registered User so that you can access the Private Site, or it may be information relevant to your involvement with the Church that has been added to the System by someone within the Church for Church purposes (e.g. the Parish Administrator recording via the Web Office that you are a member of the Readers rota and using this information when setting up a new rota).  In general terms, any Church-held Personal Information that we hold about you in the System will only be accessible to the System administrators via the Web Office or to other members of the Church via the Private Site on an ‘as needed’ basis.

‘As needed’ means that your Church-held Personal Information in the System will only be accessible to those Church members who need to have access to it for Church purposes, for example the Parish Office and Ministry team and, if you are a member of a group or rota, other members of that group or rota.

The following are examples of how we may use your Church-held Personal Information in the System for Church purposes –

  • Maintaining membership records (mainly name and contact details – address, phone, email), including recording family relationships amongst Church members
  • Organising rotas of Church duties for Sunday services and other activities
  • Organising group meetings and activities (e.g. Home Groups, bible study groups, Mothers Union meetings)
  • Informing you of Church news and events, activities and services taking place at the Church or being organized by the Church (you can choose whether or not you wish to receive the weekly Church email newsletter)
  • Providing you with an interactive website where content on the Private Site is restricted to Church members or to certain groups within the Church, and where email is used to communicate with those groups
  • Helping to maintain the Church Electoral Roll (see further below)
  • Recording responses to requests and attendance at meetings (we do not record attendance at services, except for those who are parents seeking a place for their child at a church school such as St Michael’s School on the basis of regular church attendance)
  • Recording attendance by children and young people at Junior Church sessions and events and Youth Group meetings and events
  • Complying with our obligations under Child Protection and Safeguarding laws (e.g. if you are a Junior Church helper, recording that you have been ‘DBS’ checked and that you have attended any necessary training courses)
  • Asking you to help with Church activities as a volunteer, either on a one-off basis or by joining a rota, and administering those activities
  • Administering the activities of the Choir or Parish Praise Orchestra if you are a member
  • Creating an online gallery of photos of Church members, visible only to Registered Users, so that people can get to know each other more easily
  • Keeping a ‘skills and experience’ record so that we can ask relevant people for help with Church projects
  • Recording any involvement with local community organisations and groups that you tell us about (to help in our vision of being a Church that serves our community)
  • Recording other information that may help to build cohesion and Christian fellowship within the Church (e.g. the fact that you are a car driver willing to help take elderly people to Church or to hospital, or the fact that you have recently moved into the area so may need help getting to know people)
  • As part of our stewardship efforts, recording whether you are a member of the Church Giving Scheme and inviting you to review your contribution from time to time or inviting you to join if not (but note that all financial information about the Church Giving Scheme – donations made and banking details etc. – is held securely in a separate system accessible only to the Church Treasurer, Chair of Finance and the Giving Scheme Administrator, and is not held in the System – see further below)
  • Contacting you in connection with other specific fundraising efforts (see further below)
  • Contacting you if there is any privacy, security or administrative issue with the System
  • Using your Church-held Personal Information within the Church community in any other reasonable way to promote the work and life and mission of the Church.

We do not use the System to store any medical or health information, except that we may store allergy information or dietary information if you have provided that information to us, and in the case of children and vulnerable adults we will store any information required for safeguarding purposes.  We do not use the System to store any pastoral information (see further below).

Registering to use the System

If you register as a Registered User to access the Private Site, then you will be asked to accept certain user terms that apply to use of the System, including agreeing that you will only use the System for Church purposes.  The minimum information needed to register as a Registered User is first and last name and a password.

If you do register online to access the Private Site, then as a Registered User you will be able to manage your Church-held Personal Information further, for example by –

  • Updating your contact details as required
  • Choosing whether to receive the Church newsletter and news about other Church events by email and changing these settings from time to time
  • Seeing what rota duties you may have
  • Setting whether you wish to receive email reminders of forthcoming rota duties and other Church events
  • Seeing information and photos on the Private Site, including the private calendar of events.

What else you should know about privacy in respect of the System

If you are a Registered User, please remember to close your browser when you have finished your user session.  This is to ensure that others cannot access your personal information and correspondence if you share a computer with someone else or are using a computer in a public place like a library or internet cafe.  You as an individual are responsible for the security of, and access to, your own computer, and for maintaining the secrecy of your usernames and passwords and any account information relating to the System.

Facebook and Twitter Feeds

Please note that if you use Facebook or Twitter or any other social media service and ‘like’ or ‘follow’ the St Michael’s Public Site, then any postings that you make to those services and which may appear on the Public Site’s Facebook or Twitter feeds will be governed by the user terms and privacy policies of the respective social media sites.

Deleting an account

If, having registered online as a Registered User, you are no longer a member of St Michael’s Church and you wish to delete your account, then you should make a request to the Parish Administrator via the ‘contact us’ page; however, please note that some Church-held Personal Information, primarily your name and email details, may remain in our records to the extent necessary to protect our legal interests or to document compliance with regulatory requirements.  The Church also reserves the right to delete your Registered User account if we consider that you are no longer a member of St Michael’s Church (for example if we know that you have moved away from the area).

Part 3 – Church-held Personal Information held by the Church in other systems or records

This part of the Privacy Policy concerns Church-held Personal Information that is held by the Church in other systems or records.  The other systems and records in which Church-held Personal Information is held by or on behalf of the Church are as follows –

Electoral Roll

The Electoral Roll is the official register of church members that the Church has to keep by law.  You can be on the Electoral Roll if you are resident in the Parish of St Michael’s or if you regularly worship at St Michael’s.  Being on the Electoral Roll entitles you to attend and vote at the Church’s Annual Parochial Church Meeting (APCM) which is usually held in April.  Maintaining the Electoral Roll is the responsibility of the Electoral Roll Officer.  The Electoral Roll is renewed (and everyone on the list has to reapply) every 6 years, and as part of this process it is made public in the Church.  There are other laws governing the Electoral Roll.

Parish Registers

The Church has legal obligations to maintain the Parish registers of baptisms, confirmations, marriage banns and marriages, and funerals.  These records are kept in hard copy book form and are kept permanently.

Giving Scheme and Gift Aid Donations

If you are a member of the Church Giving Scheme and give via standing order (with or without a gift aid declaration) or if you give via text or online, then Church-held Personal Information about you and the donations you have made is kept securely in records maintained by our Giving Scheme and Gift Aid Coordinator and accessible only to that person and to the Treasurer and Chair of Finance of the PCC.  This information may include name and address, bank details, gift aid declarations, tax reclaimed in respect of donations you have made etc.  If you have made a ‘gift aid’ donation to the Church by completing a gift aid envelope, then details of individual envelope donations are seen by those counting the collections, and relevant information is passed on to the Giving Scheme and Gift Aid Coordinator.  This Church-held Personal Information is only used to administer the Giving Scheme and the Gift Aid system.

Other specific fundraising

From time to time the Church may run specific fundraising campaigns for particular Church-related projects (e.g. the Bells Renovation project).  In such cases, the System may be used for making initial contact with you as a potential donor, but if you choose to participate, any further records about the campaign will not be held in the System but in separate secure records accessible only to those running the campaign, and will only be used for the purposes of the campaign.

Parish Office Contacts and Administration

Whilst most of the contact and other details of the members of the Church will be held in the System, some other contact details of individuals with an association with the Church or who provide services to the Church, or whose companies provide such services, are held in the Parish Office email system and used by the Parish Administrator for the purposes of administration and maintenance.  The Parish Office and the Vicar also hold other administrative details relating to those employed by the Church, such as the Parish Administrator.  The PCC Secretary holds the minutes of PCC and APCM meetings, which may contain references to individuals.


The Church Treasurer holds certain financial and other administrative details about those to whom payments are made out of Church funds (fees for services provided, reimbursement of expenses etc.).

Director of Music and Organist

The Director of Music and the Organist keep contact details of Choir members (and parents’ details for child Choir members) and use them to administer the Choir and to record attendance by child Choir members at rehearsals and services and events.  They also keep contact details of organ scholars and deputy organists.  The Director of Music keeps contact details of members of the Parish Praise Orchestra.

Clergy Pastoral Records

Clergy and other members of the Ministry team may maintain their own personal and private pastoral records to help them in providing pastoral care to members of the Church and those having an association with the Church (e.g. those attending baptisms, weddings or funerals), but these are not accessible to anyone else and are not ‘controlled’ by the PCC.


The Church operates a CCTV system in the main Church building which is used for the prevention and detection of crime.

Part 4 – General Information

Legal Basis for processing Church-held Personal Information

In most cases, the legal basis on which we hold and process Church-held Personal Information about you will be –

  • that the processing is carried out by the Church (as a not-for-profit body with a religious aim) for its legitimate interests of administering Church activities, provided the processing relates only to members or former members of the Church (or those who have regular contact with the Church in connection with those purposes), and there is no disclosure to a third party without consent; or
  • that you have given your explicit consent for us to do so.

In limited cases, the legal basis on which we hold and process Church-held Personal Information may be that the processing is necessary for the performance of a contract with you (e.g. if you are providing paid services to the Church) or for carrying out obligations under employment, social security or social protection law (safeguarding), or a collective agreement (e.g. in relation to our Parish Administrator) or for compliance with a legal obligation (in particular our obligation to maintain the Electoral Roll and the Parish Registers).

Transfers of Church-held Personal Information

Where any Church-held Personal Information of the kind described in Part 3 is held in Google-provided or Microsoft-provided systems (such as Gmail, Hotmail, Outlook, Office365 etc.), then this may involve the transfer of such information to servers in the USA.  Google and Microsoft are both certified under the ‘Privacy Shield’ arrangements which provide protection for such transfers.

Data Retention Periods

We keep Church-held Personal Information in accordance with the guidance set out in the guide “Keep or Bin: The Care of Your Parish Records” which is available from the Church of England website:

Church-held Personal Information in the System is held for so long as we believe you to be a member of the Church (see also the ‘Deleting an account’ section in Part 2).  We retain Electoral Roll data while it is still current; gift aid declarations and associated paperwork are kept for up to 6 years after the calendar year to which they relate; and Parish Registers (baptisms, marriages, funerals) are kept permanently.

Your rights and your Church-held Personal Information

Unless subject to an exemption under the GDPR, you have the following rights with respect to any Church-held Personal Information about you: –

  • The right to request a copy of whatever Church-held Personal Information the Church holds about you;
  • The right to request that the Church corrects any Church-held Personal Information if it is found to be inaccurate or out of date;
  • The right to request that your Church-held Personal Information is erased where it is no longer necessary for the Church to retain such data;
  • The right, where the legal basis of the Church processing your Church-held Personal Information is that you have given your consent to the processing, to withdraw your consent to such processing at any time;
  • The right, where there is a dispute in relation to the accuracy or processing of your Church-held Personal Information, to request that a restriction is placed on further processing;
  • The right to object to the processing of your Church-held Personal Information (where applicable);
  • The right to lodge a complaint with the Information Commissioner’s Office.

Further processing

If we wish to use your Church-held Personal Information for a new purpose, not covered by this Policy, then we will provide you with a new policy explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions.  Where and whenever necessary, we will seek your prior consent to the new processing.

Contact Details

The Church may be contacted via the Parish Office: email, phone 01279 654416, address St. Michael’s Church, Windhill, Bishop’s Stortford, Hertfordshire, CM23 2ND.


If you think there is a problem in the way that the Church is dealing with your Church-held Personal Information, then you may raise this with the Parish Office or with one of the clergy team, but if you are still not satisfied then you have the right to complain to the Information Commissioner’s Office (ICO).  You can contact the ICO on 0303 123 1113 or via email or at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

Changing this Policy

This Policy may be changed from time to time to keep it up to date and compliant with the law.  If we make any significant changes, we will publicise these changes on the Public Site and will contact Registered Users directly.


Version approved by PCC and adopted on 10 Sept 2018
