Grants Privacy Notice
Church of Scotland Grants Office of the Assembly Trustees is providing you with this information to comply with data protection law and to ensure that you are fully informed and we are transparent in how we collect and use your personal data.
Who is collecting the information?
Church of Scotland Office of the Assembly Trustees is the Data Controller. We have an appointed Data Protection Officer (DPO), Alice Wilson, who can be contacted by emailing: Privacy@churchofscotland.org.uk
If you have any questions in relation to the grants process, please contact the Grants Manager, David Williams, at 121 George Street, Edinburgh EH2 4YN or email him at DWilliams@churchofscotland.org.uk
Why are we collecting it and what are we doing with it (Purpose)?
This Privacy Notice outlines the way in which the Church of Scotland Office of the Assembly Trustees (for the purposes of this Privacy Notice hereafter "the Church") will use personal information provided to us in connection with grants awarded on behalf of the Church of Scotland. These cover all the grants which the Church has including, but not limited to, the Small Grants Fund, Pioneer Mission Fund, Seeds for Growth Fund and the Go For It Fund. The processing purposes are
- for the purposes of considering, reviewing and reaching decisions about grant applications – which may involve third parties.
- for assisting grant applicants in the application process
- reporting regularly on how the project, funded by the grant, is progressing and if it's achieving the aims identified in the application
- to fulfill contractual or other legal obligations and
- to further the charitable aims of the Church.
- Research on the effectiveness of grants and may share data with third party research organisations. Where this occurs appropriate safeguards will be in place to protect the data.
What personal data do we collect?
The grant application forms collect the names and contact information of grant applicants. This will include a minimum of 2 unrelated named persons for the grant application and possibly a third if there is an ecumenical partnership running the proposed project. The data includes: Name, Address, Email address, Telephone/Mobile number, Position or role in the church or project, the bank details of the appropriate account for payment of the grant.
With the type of grants available, it is likely that special category (sensitive) personal data is collected. This depends on what the applicant's project is and the links with their Church and Presbytery. It's also possible that other special category data is processed due to the type of projects the grants can fund. Therefore, the following could be processed: Racial or ethnic origin, Political opinions, Religious or philosophical beliefs, Trade union membership, Genetic data, Biometric data, Health data, Sex life or sexual orientation
Grant application forms may require the collection of personal data relating to others than those who are completing the application form and in those cases the person completing the application must have the consent of the other party to include their information, including a record of their consent. Also part of the conditions of a grant is to report regularly on progress, including whether the aims are being achieved, if the project is on budget and where possible with case studies, photographs and videos showing the project progressing. It is important for this reporting that if videos or photographs are taken and subsequently shared with the Grants team that the project team have ensured that they have a record of consent of any individual in the case studies, photographs or videos and that they are fully informed prior to consenting as to the purposes of taking photographs and videos. The project team/applicant must have a record of consents and be able to evidence these consents to the Grants team if the Grants team choose to use photographs, videos and case studies to publicise the work of the Fund.
How are we collecting this information? What is the source?
We collect the data directly from the grant applicants, using various tools, including the Small Grants Fund Platform, Office 365 software including Word for the application and Excel for the budgetary plans etc. The collection is carried out securely with appropriate safeguards in place to protect all personal data involved.
The lawful basis for the processing
The lawful basis for processing personal data is UK GDPR Article 6(1)(b) "processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract"
Also as special category (sensitive) personal data is involved, the lawful basis for that data is UK GDPR Article 9(2)(d) "processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects"
When we carry out research of the effectiveness of the grants, the lawful basis for processing is "processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) (as supplemented by section 19 of the 2018 Act) based on domestic law which shall be proportionate to the aim pursued and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject." The Data Protection Act 2018 includes in Schedule 1 Part 1(4) Research etc which provides the lawful basis for research using special category data.
Who we share the information with:
The Church will use and disclose the information within the Church of Scotland for the purposes of administering grants, including Presbytery oversight of applications and projects and approval of these. The Church uses third party data processors for the purposes of administering the grant application and decision process. These processors include The Scottish Council for Voluntary Organisations (SCVO) who provide the Small Grants Fund Platform. There is an SCVO privacy notice specifically for this platform. This platform uses Salesforce and FormAssembly to provide the platform. The three parties all have appropriate contracts in place for the Small Grants Fund Platform, ensuring all data is held securely. The Church also uses Microsoft for other grants, there is an appropriate contract in place between the Church and Microsoft and all third parties who provide these platforms hold the data within the UK.
Where appropriate it may be useful for applicants to be in contact with other parties who are carrying out similar projects. However, prior to making such contact the Church will contact the applicants to confirm sharing with these other parties.
When we carry out research into the effectiveness of the grants we may share the data with a third party research organisation. There will be an appropriate contract in place and measures in place to protect the data. Any this party organisation used will be stated in this privacy notice when applicable.
Details of data transfers to any third countries or international organisations
This does not apply for this processing activities.
How long do we hold the personal data?
We will keep your personal information for the period that you have contact with us through any grants process and for a period of up to seven years following the end of the purpose for which a grant is awarded. We may also keep anonymised data for statistical purposes but if so we will only use it for that purpose. When the information is no longer needed it will be securely destroyed or permanently rendered anonymous.
Do we use automated decision making processes, including profiling?
The Church does not process data in this way
Individuals' rights in relation to this processing
Individuals have a number of rights under data protection laws. These are detailed here. Not all rights are absolute and some only apply in relation to the lawful basis for processing the data. For this purpose, the only right that does not apply is the Right to Object. All other rights apply. If you want to exercise any of your rights please contact the DPO at Privacy@churchofscotland.org.uk