Privacy notice - Guest user access on Insite
Privacy Notice for Nominations process for the Membership of the Standing Committees of the General Assembly
Church of Scotland Office of the Assembly Trustees is providing you with this information to comply with data protection law and to ensure that you are fully informed and we are transparent in how we collect and use your personal data.
Who is collecting the information?
Church of Scotland Office of the Assembly Trustees is the Data Controller. We have an appointed Data Protection Officer (DPO), Alice Wilson, who can be contacted by emailing: Privacy@churchofscotland.org.uk.
Why are we collecting it and what are we doing with it (Purpose)?
We are collecting the data to enable us to provide you with guest access to the Church of Scotland's intranet site, Insite.
What personal data do we collect?
We will be collecting your name, email address and role within the Church. As we are collecting detail as to your role within the Church, we are collecting special category data (religious beliefs), so there will be additional safeguards in place to protect your data.
How are we collecting this information? What is the source?
The department/team within the Church of Scotland that you are regularly in contact with due to your role within the Church will provide us with your email address which will allow the system to check the email address and role within the Church against the information that you provide.
The lawful basis for the processing
The lawful basis for processing for this purpose is UK GDPR Article 6(1)(a) "the data subject has given consent to the processing of his or her personal data for one or more specific purposes." As we do collect what your role in the Church is, we are, by implication, collecting special category data (religious beliefs). The lawful basis for processing special category data is Article 9(2)(d) "processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects."
Who we share the information with:
The data will be shared with Microsoft. However, Microsoft are our processors and there is an appropriate contract in place to ensure they only process data on our instructions. We also use Akari, a Microsoft Partner, for this processing. They too are processors and there is an appropriate contract in place to ensure they only process data on our instructions.
Details of data transfers to any third countries or international organisations
There is a data transfer outside of the UK. However, this is held within the EU and the data is a backup for disaster recovery/business continuity purposes only.
How long do we hold the personal data?
You will receive an email every 6 months asking if you still require guest access to Insite. If you do not require access, or you do not respond to the email, you will be removed. If you still require access your personal data will be held for a further 6 months. If you no longer require access, the data held about you for access to Insite will be deleted securely following Church procedures.
Individuals' rights in relation to this processing
Under data protection law individuals have a number of rights. These are detailed here. Not all rights are absolute and it depends on the lawful basis as to whether the rights apply. For this processing all rights apply, except for the right to object. If you wish to exercise any of your rights please contact the DPO at Privacy@churchofscotland.org.uk and your request will be processed accordingly.
As the lawful basis is consent, it's important to note that you can withdraw your consent at any time. To do this please contact intranet@churchofscotland.org.uk including the email address that you originally signed up with and your request will be processed accordingly.