NTM-UK Data Protection Policy

1      Policy Statement

New Tribes Mission, U.K. (known as NTM-UK), attaches great importance in both protecting and using appropriately the personal data we control. We are committed to keeping your personal data safe and treating it confidentially as required by UK legislation including the General Data Protection Regulations and the Data Protection Act (2018).

New Tribes Mission is a registered charity in England and Wales with charity number 278627. NTM is registered with the Information Commissioner’s Office (ICO) as a Data Controller, reference number Z5904410.

This includes North Cotes College (Registered with British Accreditation Council), Noah’s Ark Nursery) and Sunrise Childcare (Both registered with OFSTED).

Nature of work:

  • Charity
  • College
  • Childcare

2      Contact Information     

Address:          New Tribes Mission

Kenneth Campbell Road

North Cotes

Lincolnshire

DN36 5XU

United Kingdom

Telephone:      01472 387708

Email:              Data.Control@ntm.org.uk

3      Scope

 New Tribes Mission, UK (NTM-UK), process personal information for the following reasons:

  • To promote the interests of the charity, including sending out the Link magazine and prayer updates
  • To enable us to provide a voluntary service for the benefit of the national public as specified in our constitution
  • Maintain financial accounts and records
  • Administer membership records for members, associates, and volunteers
  • Care for our members, visitors, and their families
  • To care for and teach students at North Cotes College (NCC)
  • To operate childcare facilities called Noah’s Ark Nursery and Sunrise Childcare
  • Provide a safe environment for those children of both members and students on site
  • Attendance at an NTM Conference or event
  • Staying in guest accommodation
  • the use of CCTV systems for the prevention of crime

We do not retain this data for longer than is necessary and we have communicated with the Data Subject the reason for retention of their data, how it will be processed and for how long we will retain the data before it is archived or deleted.

This personal information, whether it is collected on paper, stored in a computer database (whether on a server or on the cloud), or recorded in any other form; must be collected and processed appropriately, including the provision of safeguards to ensure this data complies with the General Data Protection Regulation 2018.

To understand how your own personal information is processed you may need to refer to any personal communications you have received, check any privacy notices the organisation has provided or contact the organisation to ask about your personal circumstances.

 4      Data Protection Officer

 The NTM Data Protection Officer’s responsibilities include:

  • Briefing the NTM-UK trustees on Data Protection responsibilities
  • Reviewing Data Protection and related policies
  • Advising other members on Data Protection issues
  • Ensuring that Data Protection induction and training takes place
  • Notification – Notifying the Information Commissioner about the data processing activities, including any data breaches that occur
  • Handling subject access requests
  • Approving unusual or controversial disclosures of personal data
  • Approving contracts with Data Controllers and Processors

The trustees of NTM-UK have the overall responsibility for ensuring that the organisation complies with its legal obligations.

5      Data Controller

Each department where personal data is handled has its own Data Controller. Within NTM-UK there are Data Controllers who supervise the processing of data in the following departments:

  • North Cotes College
  • Contingency
  • Head Office, (including Finance & Publications)
  • Noah’s Ark Nursery
  • Sunrise Childcare
  • Hospitality (Guest House)
  • Personnel
  • Safeguarding
  • Volunteers Department
  • IT

The Data Controller’s responsibilities include:

  • Responsible for drawing up their department’s specific operational procedures
  • Induction and training to ensure that good Data Protection practice is established and followed
  • Determine what personal information is being held, the use and the duration that it will be retained, which is clearly documented
  • Keeping full and accurate records of processing activities for which the controller is responsible
  • Informing the Data Protection Officer immediately when they become aware of any data breaches
  • Informing the Data Protection Officer of any changes in their uses of personal data that might affect the organisation’s notification to ICO (Information Commissioner’s Office)

6      Definitions

Data is information, which is stored electronically, on a computer or other media (e.g. photograph or video) or in paper-based filing systems.

Personal Data means any information relating to a living individual; this is someone who can be identified, directly or indirectly.

Special Category Data (also known as Sensitive Personal data) includes information about such things as, but not exclusively, a person’s gender, sexual orientation, racial or ethnic origin, religious or similar beliefs, or physical or mental health condition.

Data Subject is a living individual who is the subject of personal data.

 Data Users are those members of NTM-UK whose work involves processing personal data for NTM-UK or North Cotes College.

7      Data Collection

NTM-UK will, through appropriate management and strict application of criteria and controls:

  • Observe fully the conditions regarding the fair collection and use of information
  • Meet its legal obligations to specify the purposes for which information is used
  • Collect and process appropriate information, and only to the extent that it is needed to fulfill its operational needs or to comply with any legal requirements
  • Ensure that personal data is only collected and processed for specific, explicit and legitimate purposes, and that these purposes had been communicated to the Data Subject before the data has been collected
  • Should there be a new purpose for processing the personal already collected from a Data Subject that is not compatible with the original purpose, the Data Subject must be informed before their personal data is used for the new purpose.
  • Ensure the quality of information used
  • Ensure that the rights of people about whom information is held, can be fully exercised under the Act.

These include:

  • The right to be informed that processing is being undertaken
  • The right of access to one’s personal information
  • The right to prevent processing in certain circumstances and
  • The right to correct, rectify, block or erase information which is regarded as wrong information
  • The right to data portability
  • The right to withdraw consent at any time and without explanation
  • The right to erasure if; personal data is no longer necessary in relation to the purposes for which they were collected, if the Data Subject has withdrawn their consent, the Data Subject has objected to the processing, or the processing is unlawful
  • The right to be notified of a data breach
  • The right to make a complaint
  • Rights in relation to automated decision making and profiling
  • Take appropriate technical and organisational security measures to safeguard personal information
  • Ensure that personal information is not transmitted abroad without suitable safeguards
  • Treat people justly and fairly whatever their age, religion, disability, gender, sexual orientation or ethnicity when dealing with requests for information
  • Set out clear procedures for responding to requests for information
  • When the data collected is no longer required for the specific purposes for which it was collected, the data is to be deleted or destroyed.
  • NTM-UK will ensure transparency with its Data Subjects when providing information on how their personal data will be processed, so that the information is concise, easily accessible, easy to understand and written in plain language.

Informed consent is when a Data Subject clearly understands why their information is needed, who it will be shared with, the possible consequences of them agreeing or refusing the proposed use of the data, and how to revoke consent and the Data Subject agrees to that use of the data.

 NTM-UK will ensure that data is collected within the boundaries defined in this policy.

This applies to data that is collected in person, or by completing a form.

When collecting data, NTM-UK will ensure that the Data Subject:

  • Clearly understands why the information is needed
  • Understands what it will be used for and what the consequences are should they decide not to give consent to processing
  • Grants explicit consent for data to be processed when necessary
  • Is, as far as reasonably practicable, competent enough to give consent and has given so freely without any duress
  • Has received sufficient information on why their data is needed and how it will be used
  • Is made aware of their rights that they can request to see the data held by the organisation on them, they have rights to rectification, to erase, right to receive their data in a portable manner, that they have the right to object and be involved in automated decision making and profiling
  • Is aware of their ability to withdraw consent if given

We collect and process data necessary for legitimate interests pursued by the Data Controller or relevant third party. If the Data Subject does not wish to have their information processed for this purpose, they can opt-out of having their data processed but are responsible for repercussions from the relative authority. In certain circumstances, NTM-UK is required to hold data for specific purposes, and therefore we may not be able to comply with their request to withdraw consent. Care will be taken to protect the fundamental rights and freedoms of the Data Subject, particularly in reference to Children.

8      Subject Access Request

All Data Subjects are permitted to make a Subject Access Request (SAR) regarding their own information. They may be asked to provide proof of their identity before NTM-UK discloses any information.

A Data Subject is entitled to the following

  • The reasons why their data is being processed
  • The description of the personal data concerning them
  • A copy of all records including e-mails where they are mentioned
  • Information about anyone who has received or will receive their personal data
  • Details of the origin of their data if it was not collected from them

The Data Protection Officer will be responsible for handling SARs and delegating requests to the appropriate controllers. NTM-UK has 30 days to provide the requested information or to provide a reason as to why the information cannot be given. The Data Subject will be made aware of any reason and their right to complain to an appropriate supervisory authority.

9      Data Transmission

NTM-UK may transmit data to other agencies such as the local authority. There may also be transmission within departments.

They may transmit data in one of four main ways. These ways are as follows:

  • Disclosure: when the recipient is told what data is held but no copies of the data are provided
  • Sharing: when the recipient receives access to the same copy of data as the giver is holding
  • Transfer: when the recipient receives their own copy of the data
  • Transfer Entirely: when all copies of the giver are given to the recipient so that the giver no longer has access to any copies of the data

The Data Subject will be made aware how and to whom their information will be transmitted unless there is legal reason why NTM-UK should not share this information. There are circumstances where the law allows NTM-UK to transmit data (including sensitive data) without the Data Subject’s consent.

These are:

  • Carrying out a legal duty or as authorised by the Secretary of State
  • Protecting vital interests of a Data Subject or another person
  • The Data Subject has already made the information public
  • Conducting any legal proceedings, obtaining legal advice or defending any legal rights
  • Monitoring for equal opportunities purposes – i.e. race, disability or religion
  • Providing a confidential service where the Data Subject’s consent cannot be obtained or where it is reasonable to proceed without consent: e.g. where we would wish to avoid forcing stressed or ill Individuals to provide consent signatures

NTM-UK shares data with other global partners with whom we are connected in accordance with the Global Partnership Agreement. This is the only instance where personal data is transferred outside of the European Economic Area (EEA).

NTM-UK regards the lawful and correct treatment of personal information as very important to successful working, and to maintaining the confidence of those with whom we deal.

NTM-UK intends to ensure that personal information is treated lawfully and correctly.

To this end, NTM-UK will adhere to the Principles of Data Protection, as detailed in the Data Protection Act 2018. Specifically, the Principles require that personal information:

  • Shall be processed fairly and lawfully, transparently, and, in particular, shall not be processed unless specific conditions are met
  • Shall be obtained only for one or more of the purposes specified in the Act, and shall not be processed in any manner incompatible with that purpose or those purposes
  • Shall be adequate, relevant and not excessive in relation to those purpose(s)
  • Shall be accurate and kept up to date, any inaccurate or out of date data should be destroyed
  • Shall not be kept for longer than is necessary
  • Shall be processed in accordance with the rights of Data Subjects under the Act
  • Shall be kept secure by the Data Controller(s) who takes appropriate technical and other measures to prevent unauthorized or unlawful processing or accidental loss or destruction of, or damage to, personal information
  • Shall not be transmitted to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of Individuals and Service Users in relation to the processing of personal information

10   Data Storage

Information and records relating to Data Subjects will be stored securely and will only be accessible to authorised members and volunteers.

Information will be stored for only as long as it is needed or required statute and will be disposed of appropriately. Each Controller will have a specific policy in place for the separate departments and the type of data that is held.

It is NTM-UK’s responsibility to ensure all personal and company data is non-recoverable from any computer system previously used within the organisation.

11   Data Security

Data must be secured by appropriate technical and organisational measures to prevent against accidental loss, destruction or damage, and against unauthorised or unlawful processing.

NTM-UK has put several systems in place to ensure the security of data that is held. There is a CCTV system set up around campus for the protection of the interests of NTM-UK and its members. Additionally, access to buildings on site are regulated using an access control system, ensuring only those with permission can access certain buildings.

Personal data must only be accessed from a computer that is password protected and stored on computer drives accessible only by data users with allocated security-controlled accounts and passwords, in order to restrict access to personal data to only those who need such access. Network access is controlled by network user access restrictions. System administrators can control who can access what within the computer system.

Data users must ensure that individual monitors do not show confidential information, such as sensitive personal data, to passers-by.

Where confidential data is stored on personal devices, such as a personal laptop, mobile, tablet or home computer, it is the responsibility of the owners to ensure these devices meet the above security requirements and stored safely to minimise the risk of unauthorised access.

Paper copies containing personal data should be kept in locked rooms, locked filing cabinets. This is especially true where Special Category data is stored, certain materials should be kept in a locked safe.

12   Data Retention

Data must only be kept for as long as necessary to fulfil its stated purpose, unless NTM-UK is legally required to retain it for longer.

Data must be destroyed or anonymised in a manner which will not risk a data breach.

13   Data Breach

 If there is a data breach, then the department Data Controller must inform the Data Protection Officer without delay.

The Data Protection Officer then has 72 hours to contact relevant authorities to inform them of the breach and any repercussions of the breach.

All Data Subjects whose information has been compromised will be informed of the breach without delay and kept up to date with any advances in the case.

If any deadlines cannot be met, the Data Protection Officer has to make note of why the deadline was not met and any possible consequences.

The Data Protection Officer will then record the incident and keep at least one copy of this record electronically and one hard copy.

14    Health and Safety

NTM-UK will have a designated Health and Safety Officer who will keep accounts of all accident reports for NTM-UK. These will be stored indefinitely either as a filed hard copy, on the server, or on the cloud, which only the Health and Safety Officer can access. The Health and Safety Officer will process this information on behalf of each Controller individually and NTM-UK as a whole.

15    Variations in Collection by Website or Social Media

 There is a privacy policy on the NTM-UK website www.ntm.org.uk which covers all data processing for the website. There are also popups which appear when a Data Subject is about to submit information to ensure that the Data Subject is aware of the reasons for processing and their rights as an individual. The policy also applies to the North Cotes College website https://www.northcotescollege.co.uk/. The privacy policy covers the official websites and does not include any sites linked to it.

The Facebook and Instagram pages for NCC and for the Reach Conference that promote the college and conferences, and often has Data Subject communication, are processed under the guidance of the publications department and their policy concerning the NTM-UK website and social media pages.

16     Data access and accuracy

All Data Subjects have the right to obtain the information NTM-UK holds about them. NTM-UK will also take reasonable steps ensure that this information is kept up to date by asking Data Subjects to inform them if there are any changes (this can be done on the NTM-UK website, selecting ‘Contact’ and then ‘Update personal information’, for updating an individual’s surname, address, or contact information).

In addition, NTM-UK will ensure that:

  • It has a Data Protection Officer with specific responsibility for ensuring compliance with Data Protection
  • Everyone processing personal information understands that they are contractually responsible for following good data protection practice
  • Everyone processing personal information is authorised and appropriately trained to do so
  • Everyone processing personal information is appropriately supervised
  • Anybody wanting to make enquiries about handling personal information knows what to do
  • It deals promptly and courteously with any enquiries about handling personal information
  • It describes clearly how it handles personal information
  • It will regularly review and audit the ways it holds, manages and uses personal information
  • It regularly assesses and evaluates its methods and performance in relation to handling personal information
  • All processors are aware that a breach of the rules and procedures identified in this policy may lead to disciplinary action being taken against them
  • When a Data Subject requests access to their data held the Data Protection Officer will handle the request and delegate to the relevant controller
  • This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to the Data Protection Act 2018

17   Marketing

NTM-UK process personal information to promote the interests of the charity, including sending out the Link magazine and Prayer Bulletin. This information is sent only upon request from the data subject. New donors are sent a complimentary copy of the link magazine, and the option to register for regular updates. Once the complimentary copy is sent, their record is set so no magazine is sent unless they later request it.

An individual can subscribe to the Link magazine and the Prayer Bulletin via the website. The Link magazine will be sent to the individual three times a year via post, and the Prayer Bulletin will be sent to the individual via email.

NTM-UK must ensure that it has appropriate consent from individuals to send them marketing communications, and that when a Data Subject exercises their right to object to marketing, the request is honoured promptly.

18    Data Protection Impact Assessment (DPIA)

If processing the data presents a high risk to the rights and freedoms of a Data Subject, an assessment of risk needs to be undertaken to mitigate the risks.

The purpose of a DPIA is to help identify and minimize the data protection risk involved in the processing of personal data. DPIAs are required for when processing is likely to result in high risk to the individuals and their personal data.

A DPIA must; Identify the purposes of the processing, assess the necessity for the processing, identify and assess the risks to the individual, and identify any additional measure to mitigate the identified risks.

19   Complaints

We endeavour to meet the highest standards when collecting and using personal information. Therefore, any complaints received are taken seriously and we encourage individuals to bring to our attention if they think our collection or use of information is unfair, misleading or inappropriate.

 In the case of any queries, questions, or complaints in relation to this policy, please contact the NTM-UK Data Protection Officer using the email, Data.Control@ntm.org.uk.

If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the ICO.

Information Commissioner’s Office
Helpline number: 0303 123 1113

Website: https://www.ico.org.uk/make-a-complaint.