This policy is effective from 1 March 2017
1. Archbishops' Council
The Archbishops’ Council together with its representatives including, but not limited to Church Print Hub Administrators and Church Print Hub Support Team and its Print Partner for the Church Print Hub: Christian Publishing & Outreach Ltd ("we") are committed to protecting and respecting privacy and complying with the Data Protection Act 1998.
The Church Print Hub is provided by the Archbishops’ Council which is a body pursuant to section 1 (1) of the National Institutions Measure 1998 whose objects are to co-ordinate, promote, aid and further the work and mission of the Church of England. Pursuant to section 1(2) of the National Institutions Measure 1998 the Archbishops’ Council is established for charitable purposes, charity number 1074857. Archbishops’ Council is located at Church House, Great Smith Street, London, SW1P 3AZ. The Archbishop’s Council is registered with the Information Commissioner, registration number Z6034304. If you would like more information about the Archbishops’ Council, please go to the following website for more information www.churchofengland.org. Our nominated representative for the purpose of the Act is Martin Kettle. You will find his contact details at the end of this policy.
Christian Publishing & Outreach Ltd (“CPO”), Garcia Estate, Canterbury Road, Worthing, West Sussex, BN13 1BW is the nominated Print Partner for the Archbishops’ Council’s Church Print Hub. CPO operate the servers; website; customer service (telephone, email and postal); order taking, processing, delivery and all related administration. CPO is registered charity (Charity Number 221462) and a private limited company registered in England & Wales (Company Number 588731) VAT number: GB 860 2193 41. CPO is registered with the Information Commissioner, registration number Z9128713.
Your purchase through The Church Print Hub will appear on your credit card/bank statement as Christian Publishing and Outreach (CPO).
Please read the following carefully to understand our views and practices, and our and your obligations, regarding privacy and personal data and how we will treat it.
For the purpose of the Data Protection Act 1998 (the “Act”), the data controller is the Archbishops’ Council.
2. Data protection generally
Data is information which is stored electronically, on a computer, or in certain paper based filing systems.
Data subjects for the purpose of this policy include all living individuals about whom we or you hold personal data. A data subject need not be a UK national or resident. All data subjects have legal rights in relation to their personal data.
Personal data means data relating to a living individual who can be identified from that data (or from that data and other information in our possession). Personal data can be factual (such as a name, address or date of birth) or it can be an opinion about that person, their actions and behaviour.
Data controllers are the people who or organisations which determine the purposes for which, and the manner in which, any personal data is processed. They have a responsibility to establish practices and policies in line with the Act. We are the data controller of all personal data used in relation to this site.
Data processors include any person who processes personal data on behalf of a data controller.
Processing is any activity that involves use of the data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties.
Sensitive personal data includes information about a person's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life, or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings. Sensitive personal data can only be processed under strict conditions, and will usually require the express consent of the person concerned.
3. Data protection principles
Anyone processing personal data must comply with the eight enforceable principles of good practice. These provide that personal data must be:
- Processed fairly and lawfully.
- Processed for limited purposes and in an appropriate way.
- Adequate, relevant and not excessive for the purpose.
- Not kept longer than necessary for the purpose.
- Processed in line with data subjects' rights.
- Not transferred to people or organisations situated in countries without adequate protection.
4. Fair and lawful processing
The Act is intended not to prevent the processing of personal data, but to ensure that it is done fairly and without adversely affecting your rights as the data subject. The data subject must be told who the data controller is (the Archbishops’ Council) the purpose for which the data is to be processed, and the identities of anyone to whom the data may be disclosed or transferred.
For personal data to be processed lawfully, certain conditions have to be met. These may include, among other things, requirements that the data subject has consented to the processing, or that the processing is necessary for the legitimate interest of the data controller or the party to whom the data is disclosed. When sensitive personal data is being processed, more than one condition must be met. In most cases the data subject's explicit consent to the processing of such data will be required.
5. Processing for limited purposes
Personal data may only be processed for the specific purposes notified to the data subject when the data was first collected or for any other purposes specifically permitted by the Act. This means that personal data must not be collected for one purpose and then used for another. If it becomes necessary to change the purpose for which the data is processed, the data subject must be informed of the new purpose before any processing occurs. We only process your data for the purpose of fulfilling your orders, requests or queries.
6. Adequate, relevant and non-excessive processing
Personal data should only be collected to the extent that it is required for the specific purpose notified to the data subject. Any data which is not necessary for that purpose should not be collected in the first place.
7. Accurate data
Personal data must be accurate and kept up to date. Information which is incorrect or misleading is not accurate and steps should therefore be taken to check the accuracy of any personal data at the point of collection and at regular intervals afterwards. Inaccurate or out-of-date data should be destroyed. You are responsible for the accuracy of the personal data you supply and you should let us know if the personal data you supply to us needs updating.
8. Timely processing
Personal data should not be kept longer than is necessary for the purpose. This means that data should be destroyed or erased from our systems when it is no longer required.
9. Processing in line with data subject's rights
Data must be processed in line with your rights. You have a right to:
- Request access to any data held about you by a data controller.
- Prevent the processing of your data for direct-marketing purposes.
- Ask to have inaccurate data amended.
- Prevent processing that is likely to cause damage or distress to you or anyone else.
- 10. Data security
We must ensure that appropriate security measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data. Data subjects may apply to the courts for compensation if they have suffered damage from such a loss.
The Act requires us to put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Personal data may only be transferred to a third-party data processor if the data processor agrees to comply with those procedures and policies, or if the data processor puts in place adequate measures itself.
Maintaining data security means guaranteeing the confidentiality, integrity and availability of the personal data, defined as follows:
- Confidentiality means that only people who are authorised to use the data can access it.
- Integrity means that personal data should be accurate and suitable for the purpose for which it is processed.
- Availability means that authorised users should be able to access the data if they need it for authorised purposes. Personal data should therefore be stored on our central computer system instead of individual PCs.
Security procedures include:
- Entry controls. Any stranger seen in the vicinity of a computer or private documents should be reported.
- Secure lockable desks and cupboards. Desks and cupboards should be kept locked if they hold confidential information of any kind. (Personal information is always considered confidential.)
- Methods of disposal. Paper documents should be shredded. All personal data or other sensitive data stored on any medium including but not limited to DVD, USB memory sticks, external hard drives, the cloud or portable devices should be deleted when they are no longer required.
- Equipment. Data users should ensure that individual monitors and other devices do not show confidential information to passers-by and that they log off from their PC when it is left unattended and that computers automatically lock after a set period of time when not used.
11. Dealing with subject access requests
A formal request from you for information that we hold about them must be made in writing. A £10 fee is payable by the data subject for provision of this information. Any data controller who receives a written request for personal date should deal with it in accordance with the Data Protection Act 1998. If you have any questions about our obligations, please contact Martin Kettle immediately.
12. Dealing with Data Breaches
If you believe the security of any Personal Data or Sensitive Personal Data has been breached, please speak to Martin Kettle immediately.
Although not a statutory requirement the Information Commissioner believes that a serious breach of the data protection principles should be reported. In the first instance any breach will be reported to Martin Kettle. In any matter that might affect personal safety the police will be informed immediately.
13. Providing information over the telephone
Any person dealing with telephone enquiries will be careful about disclosing any personal information held by us. In particular, we will:
- Check the caller's identity to make sure that information is only given to a person who is entitled to it.
- Suggest that the caller put their request in writing if they are not sure about the caller's identity and where their identity cannot be checked.
- Refer to Martin Kettle for assistance in difficult situations. No-one should be bullied into disclosing personal information.
14. Google Analytics
We have implemented Google Analytics features based on Display Advertising (Google Analytics Demographics and Interest Reporting). We will use the data provided by Google Analytics Demographics and Interest Reporting to develop and tailor our sites, content, features, resources and direction to those who visit.
Here are some of the ways you can control the information that is shared by your web browser when you visit or interact with Google services on partners' sites across the web:
- Ads Settings helps you control the ads by Google that you see across the web. You can learn how ads are selected for you, opt out of certain categories and block specific advertisers. Learn more about advertising.
- We, like many sites across the web use Google Analytics to understand how visitors engage with their sites or apps. If you don't want Analytics to be used in your browser, you can install the Google Analytics browser add-on. Learn more about Google Analytics and privacy.
- Google makes it easy for you to make recommendations for your friends for example, by clicking the +1 button on content you like. Some of your +1s may show your name and Google+ profile photo in ads, but you can opt out if you don't want to appear in ads. You can also visit the +1 tab on your Google+ profile to review and manage all of your +1's. Learn more about how to get to your +1 tab.
- Incognito mode in Chrome allows you to browse the web without recording web-pages and files in your browser history. Cookies are deleted after you've closed all of your incognito windows and tabs, and your bookmarks and settings are stored until you delete them. Learn more about cookies.
15. Privacy and Information collected
We may collect and process the following data about you and the data subjects whose personal data you provide:
- Information that you provide by filling in forms on our site. This includes information provided at the time of registering to use our site and the information you input. We may also collect information about your computing environment, and/or when you contact us we may ask you for further information.
- If you contact us, we may keep a record of that correspondence.
- Details of your visits to our site including, but not limited to, traffic data, location data, weblogs and other communication data, products viewed and purchased, and the resources that you access, whether this is required for our own purposes or otherwise.
16. IP addresses
We may collect information about your computer, including where available your IP address, operating system and browser type, for system administration. This is statistical data about our users' browsing actions and patterns, and does not identify any individual.
We use the following cookies:
- Strictly necessary cookies. These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log onto the secure area of our website.
- Analytical/performance cookies. These allow us to recognise and count the number of users and to see how the users move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.
You can find more information about the individual cookies we use and the purposes for which we use them in the table below:
Cookie Name Purpose ASP.NET_SessionId
- This cookie is necessary for site functionality and is set even if you do not give your consent
- It is held temporarily in memory and is deleted when the web browser is closed.
- This cookie contains no personally identifiable information.
- This cookie is used to identify your shopping basket.
- It is only set when you add items to your basket.
- This cookie will be stored for one year.
- This cookie is used to authenticate you so that you don't have to sign-in for every request.
- It is only set when you sign in to the Church Print Hub.
- If you select the "Remember Me" option, this cookie will be stored for one month.
- Otherwise, it will be deleted when the web browser is closed.
- This cookie is used to remember your user-name so that you don't have to re-type it when you come back to the Church Print Hub.
- It is only set when you sign out and select the option to save your email address.
- This cookie will be stored for one month.
- These cookies are related to Google Analytics.
- These cookies enable Google to determine whether you are a returning visitor to the site, and to track the pages that you visit during your session.
You may block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our sites.
Information about deleting or controlling cookies is available at www.AboutCookies.org.
18. Where we store personal data
All information you provide to us is stored on secure servers. Where we have given you (or where you have chosen) a password which enables you to access our site, you are responsible for keeping this password confidential. We ask you not to share the password with anyone.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site. Any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
19. How we use the information we collect/store
We use information held about you and the information you provide in relation to third party personal data, in the following ways:
- to take, process, and deliver your order and for all related administration
- to ensure that our websites are presented in the most effective manner for those who visit and use them and for their computer or internet connected device
- to provide the features and functions of our sites (and their related services) to those who visit and use them
- to make contact for the purposes of the administration, support, and continued operation of this website
- to monitor and evaluate statistics and changing patterns in the work of the Church of England, those who are in touch with the Church, and with whom the Church is in touch, and the ways in which our Users interact with our websites. These statistics may be used in press releases and other public documents, or otherwise put into the public domain, in a form in which personal data is anonymised, in order to promote the work of the Church of England
- to help develop and tailor ours sites, content, features, resources, functionality, and direction to those who visit our sites and use our products and resources
- to provide information about the products, initiatives, and resources which have been, are, or will be coming to the Church Support Hub, Church Print Hub, Pastoral Services Diary, and/or are part of the wider work of the Church of England
- to provide information about other products, initiatives, resources, and/or news stories to which we wish attention to be drawn
- to request opinions, input, and/or feedback regarding the Church Support Hub, Church Print Hub, Pastoral Services Diary, and/or the wider work of the Church of England, including, but not limited to, resources, products, and initiatives
- to provide information about website and service downtime, errors, issues, changes, updates related to the Church Support Hub, Church Print Hub, Pastoral Services Diary, and/or the wider work of the Church of England
- to send additional periodic e-newsletters where they have been requested
20. Disclosure of information
By providing your information you give consent that we may disclose it to such other Church related entities as may be necessary to provide you with our services.
We may also disclose your personal information to other parties without seeking your prior consent provided that the disclosure would not be in breach of the Act, for the purpose of law enforcement, or when we:
- are subject to a legal obligation to disclose the information
- believe it is necessary to protect your vital interests
- believe it is necessary to protect our rights, property or the safety of our staff
21. Access to information
You may ask for a copy of the information that we hold about you by writing to us at: Martin Kettle, Church House, Great Smith Street, London, SW1P 3AZ, or call 020 7898 1000.
Please note that we may charge a statutory fee of up to £10 for providing this information, and we may also charge you for postage. In order to be sure that your personal information is not disclosed improperly we may require you to provide us with proof of identity before the information is provided to you.
Once you have paid the statutory fee (if requested) and ID has been confirmed your request will be dealt with within 40 calendar days.
You may also ask us to correct the information that we hold about you, or to delete or stop using such information, by writing to the same address.
22. Data retention
The Act does not specify the period of time for which personal information should be held, it simply states that it should not be kept longer than is necessary for the purpose for which it processed. If the personal data is no longer required for the purpose for which it was processed, then it should be deleted.
24. Contact and further information
Martin Kettle can be contacted at Church House, Great Smith Street, London, SW1P 3AZ, or call 020 7898 1000.
Independent advice about data protection, privacy and access to information, is available from the
Information Commissioner’s office at:
The Data Protection Act (1998)