DATA PRIVACY NOTICE

 

DEFINITIONS

In this privacy notice:

  • ‘we’, ‘our’ and ‘us’ refers to Edgehill Theological College;
  • ‘you’, ‘your’ and ‘yours’ refers to the individual reading this document (the data subject).
WHAT IS YOUR PERSONAL DATA?

Personal data is defined as any information from which a living individual can be identified. Identification can be by the information alone or combined with any information already held by a data controller or that which is likely to come into their possession.

WHO ARE WE?

We are a ministry of the Methodist Church in Ireland.

Alongside provision of ministerial formation training and university accredited education, we deliver a range of programmes and courses relating to ministry and service in the life of local congregations across the Church.

We will be the Data Controller under the terms of the General Data Protection Regulation (GDPR) legislation which becomes law from 25th May 2018.

A Data Controller is defined as a processor of personal data and a body that determines what data is to be processed and the purposes for which it is to be processed.

HOW DO WE PROCESS YOUR PERSONAL DATA?

Processing refers to any action undertaken which involves your personal data. This can be using your personal data to send communications, but it also includes storing, sharing, or destroying of your personal data.

We comply with our obligations under GDPR by:

1. Processing your personal data fairly and lawfully;

2. Processing your personal data for the specific and lawful purpose for which it collected that data and not further process your personal data in a manner incompatible with this purpose;

3. Ensuring that your personal data is adequate, relevant and not excessive in relation to the purpose for which it is processed;

4. Keeping your personal data accurate and, where necessary, up to date;

5. Only keeping your personal data for as long as is necessary;

6. Processing your personal data in accordance with the rights of the individual under the legislation;

7. Putting appropriate technical and organisational measures in place against unauthorised or unlawful processing of your personal data, and against accidental loss or destruction of your personal data;

8. Ensuring that none of your personal data is transferred to a country or a territory outside the European Economic Area (EEA) unless that country or territory ensures adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

We use personal data for the following purposes:

1. The recruitment and payment of staff;

2. Fulfilling our obligations to the Methodist Church in Ireland surrounding the training and development of the Church’s appointed persons for Ordained Ministry and the ongoing training and development of all in its ministry, to include those Ordained by the Church and its lay workers and volunteers throughout Ireland;

3. The administration and marketing of our programmes of study, training courses and events including contact with external providers and partners;

4. Student enrolment;

5. Examinations, assignments and external accreditation;

6. Recording student progress, attendance and conduct;

7. Collecting fees;

8. The administration of our student residential accommodation;

9. The administration of our membership of the Library;

10. The administration of our leases and collection of rent for its tenants;

11. Complying with our legal obligations to funding institutions and both local and national government agencies.

WHAT IS THE LEGAL BASIS FOR US PROCESSING YOUR PERSONAL DATA?

Our legal bases for processing your data are:

1. Legitimate Interests

This relates to activities associated with our everyday functioning or operations. For example, for monitoring use of the site car park.

We are able to process special categories of personal data (such as your health or religious beliefs) in the course of our legitimate activities because we are a not-for-profit body with a religious aim relating to you as a person with whom we have regular contact (for example as an appointed student by the Methodist Church in Ireland training for the Ordained Ministry).

When using legitimate interests as the legal basis for using the information you have given us, we will ensure it is for a genuine purpose, necessary for our smooth running and not invasive to your privacy.

2. Contract

We are legally obligated to process some personal data relating to staff and students. For example, for tax purposes to HMRC or safeguarding checks to Access NI.

3. Consent

For everything else not falling into the above two categories we will ask for your positive consent before processing your details. For example, mailing lists for information about courses or training events.

SHARING YOUR PERSONAL DATA

We will only share your personal data internally with those who legitimately need it to carry out specific tasks or activities.

In some circumstances, your personal data may be shared to individuals in the Methodist Church in Ireland. For example, this may be for the processing of salaries for our staff by the Central Office of the Methodist Church in Ireland or in conjunction with Church placements for students as a necessary part of your overall formation training for the ordained Ministry.

Like other organisations, we are legally obliged to share your personal data with some third parties (e.g. HMRC).

Where your personal data is shared, our policy is always the minimum personal data required shared with the minimum number of people necessary and held for no longer than is needed.

As a rule, we do not share your personal data with any other third parties and we would only ever do this with your positive consent.

In no circumstances will we ever sell any of our databases containing personal data to a third party.

HOW LONG DO WE KEEP YOUR PERSONAL DATA?

In some cases, we are legally obliged to retain your personal data for a specific period. For example, HMRC require us to retain financial records for 6 years following the completion of a tax year.

In other cases, some personal data may be retained indefinitely. For example, minutes of the Board Meetings of our Governors or Officers may contain personal data and these minutes need to be retained for legal purposes as well as historical interest.

In other cases where consent has been obtained, it may vary. For example, for a one-off course or event, personal data will be retained no longer than a calendar year after the course or event ends. However, for a validated course of study, personal data will be retained over the duration of study and afterward until the reference value has gone.

For full details, please refer to Appendix 1 of our Data Protection Policy which can be found online at www.edgehillcollege.org or a copy of which can be requested by sending an email to office@edgehillcollege.org.

YOUR RIGHTS AND YOUR PERSONAL DATA

Unless subject to an exemption under GDPR, you have the following rights with respect to your personal data held by us:

  • To request a copy of your personal data that we hold about you;
  • To request that we correct any of your personal data if it is found to be inaccurate or out of date;
  • To request your personal data is erased where it is no longer necessary for us to retain such data;
  • To withdraw your consent to processing at any time;
  • To request that we provide you (the data subject) with your personal data and, where possible, to transmit that data directly to another data controller;
  • To request a restriction on the processing of your personal data where there is a dispute in relation to the accuracy or processing of it;
  • To object to the processing of your personal data;
  • To lodge a complaint with the Information/Data Protection Commissioner’s Office
SUBJECT ACCESS RIGHT

Individuals have a right to access any personal data relating to them which are held by the College. Any individual wishing to exercise this right should either complete the Subject Access Request Form or apply in writing to the Principal.

There is no fee for data subject access requests.

Under the terms of GDPR legislation, any such requests must be complied with within 30 days.

A Subject Access Request Form can be obtained by emailing office@edgehillcollege.org.

FURTHER PROCESSING

If we wish to use your personal data for a new purpose not covered by this Data Privacy Notice, then we will provide you with a new notice explaining this new use prior to commencing processing and setting out the relevant purposes and processing conditions.

Where and whenever necessary, we will seek your prior positive consent to the new processing.

CONTACT DETAILS

If you have any queries, complaints or wish to exercise your rights under GDPR, in the first instance please contact:

Principal, Edgehill Theological College, 9 Lennoxvale, Belfast. BT9 5BY

T: 028 9066 5870     E: office@edgehillcollege.org

 

You can learn further details about Data Protection principles, your rights, and more – including making a complaint about our handling of your data from the following:

UK

Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5AF

T: 030 3123 1113    W: www.ico.org.uk

 

Republic of Ireland

Data Protection Commissioner (DPC), Canal House, Station Road, Portarlington, Co. Laois. R32 AP23

T: 07 6110 4800    W: www.dataprotection.ie