Privacy Notice National Offices Registration Sign In Device
Church of Scotland Facilities Estates team is providing you with this information to comply with data protection law and to ensure that you are fully informed and we are transparent in how we collect and use your personal data.
Who is collecting the information?
Church of Scotland Facilities is the Data Controller. We have an appointed Data Protection Officer (DPO), Alice Wilson, who can be contacted by emailing: Privacy@churchofscotland.org.uk
Why are we collecting it and what are we doing with it (Purpose)?
The purpose is to record staff, visitor and contractor attendance within the National Offices at 121 George Street. This enables a roll call in the event of an emergency evacuation, ensuring that all individuals are accounted for.
What personal data do we collect?
For staff this will be Name and Badge ID and time in and out of the building. (Please note: time management, holidays etc. are monitored through the separate ProTime system administered by HR.)
For Visitors this will be Name, Organisation, Person to be visited, Image (if provided, this is voluntary and individuals do not need to provide an image if they do not want to) and in and out time.
For Contractors this will be the same as Visitors. It will also ask key health and safety questions to acknowledge they have been briefed on H&S protocols operating in the building and RAMS (risk assessment / method statement pertaining to their work instruction) provided where necessary.
How are we collecting this information? What is the source?
Individuals must proactively activate this themselves through the device at Reception, using either a staff pass or by typing in their name.
The IT Dept will transfer current staff information (name and badge number only); no further information is imported into the system.
The lawful basis for the processing
The lawful basis for processing this data is UK GDPR Article 6(1)(b) "processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract" for the National Office staff.
However, for visitors and contractors, and also for the safety of our staff in an emergency, the lawful basis is UK GDPR Article 6(1)(c) "processing is necessary for compliance with a legal obligation to which the controller is subject", as we have a legal obligation under Health and Safety laws to ensure all individuals are safely evacuated and accounted for during such an event.
Who we share the information with:
The software and device are provided by Sign In App Limited (SIA). They are processors; we have an appropriate contract in place with SIA, and they will only process data as instructed by the Church as controller. We select the UK as our data territory, which means that all the portal data will remain in the UK, including for backups.
Visitor and contractor data is encrypted and stored in SIA data centres in the UK. The retention period is set by the National Offices and we can specify for how long the visitor data is stored.
All backups are encrypted and retained for 14 days in the SIA data centre. The system is cloud based and we do not store any data on the National Offices servers.
Details of data transfers to any third countries or international organisations
We select the UK as our data territory, which means that all the portal data will remain in the UK, including for backups. SIA as processors do use a number of sub-processors based in the USA. SIA have confirmed in writing that all of these sub-processors are subject to the same contract requirements that they are bound by.
How long do we hold the personal data?
Records of staff attendance in the building are held for a period of 2 years. Following that, the data is destroyed securely following Church procedures. The sign-in data for all visitors and contractors is held for 2 years. Following that, this data is destroyed securely following Church procedures.
Do we use automated decision making processes, including profiling?
The Church does not process data in this way.
Individuals' rights in relation to this processing
Individuals have a number of rights under data protection laws. These are detailed here. Not all rights are absolute and some only apply in relation to the lawful basis for processing the data. For this processing purpose, all the rights apply except for the right to erasure, right to data portability and the right to object. If you want to exercise any of your rights please contact the DPO at Privacy@churchofscotland.org.uk