Christ Church Data Privacy Notice
1. Introduction
Christ Church is committed to protecting the privacy and security of personal data.
This Privacy Notice explains in detail the types of personal data we may collect about you when you interact with us. It also explains how we store and handle that data, and keep it safe.
“Personal data” is information relating to you as a living, identifiable individual.
“Processing” your data includes various operations that may be carried out on your data, including collecting, recording, organising, using, disclosing, storing and deleting it.
The law requires us:
- To process your data in a lawful, fair and transparent way;
- To only collect your data for explicit and legitimate purposes;
- To only collect data that is relevant, and limited to the purpose(s) we have told you about;
- To ensure that your data is accurate and up to date;
- To ensure that your data is only kept as long as necessary for the purpose(s) we have told you about;
- To ensure that appropriate security measures are used to protect your data.
We know that there is a lot of information here but we want you to be fully informed about your rights, and how Christ Church uses your data.
We hope the following sections will answer any questions you have but if not, please do get in touch with us.
It is likely that we will need to update this Privacy Notice from time to time. Notification of any significant changes will be posted on our website, but you are welcome to come back and check it whenever you wish.
Christ Church has two data controllers: the Governing Body of Christ Church, and the Dean and Canons of Christ Church.
2. What is Christ Church?
Christ Church is, formally, the Cathedral Church of Christ of the Foundation of King Henry VIII in Oxford. It was founded by Henry VIII in 1546 as a joint establishment of college of the University of Oxford and as the cathedral of the Diocese of Oxford. It is governed by statutes ratified by the Christ Church Oxford Act of 1867, and most recently updated in 2015.
3. Explaining the legal bases we rely on
The law on data protection sets out a number of difference reasons for which a company may collect and process your personal data. When collecting your personal data, we will always make clear to you which data is necessary for each purpose or type of data. Most commonly, we will process your data on the following lawful grounds:
Consent
In specific situations, we can collect and process your data with your consent.
This is usually in relation to direct marketing, but is also used extensively in the collection of personal data by schools.
Contractual obligations
In certain circumstances, we need your personal data to comply with our contractual obligations.
Legal compliance
If the law requires us to, we may need to collect and process your data.
Legitimate interest
In specific situations, we require your data to pursue our legitimate interests in a way which might reasonably be expected as part of the running of the college, cathedral, and cathedral school, and which does not materially impact your rights, freedom or interest.
We may also use your data, typically in an emergency, where this is necessary to protect your vital interests, or someone else’s vital interests. In a small number of cases where other lawful bases do not apply, we will process your data on the basis of your consent. If you are aged under 18, we may ask your parent or guardian for their consent also.
Special category data
"Special categories" of particularly sensitive personal data require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal data. We aim to collect and process special category data as little as possible and, when we do, it is usually to do with your health and well-being. Christ Church has documented all incidents of our processing of special category data in our Information Asset Registers, and will be preparing a separate document itemising all of these, with reasons, having conducted assessment on each occasion.
The special categories of personal data consist of data revealing:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership.
They also consist of the processing of:
- genetic data;
- biometric data (e.g. fingerprints) for the purpose of uniquely identifying someone;
- data concerning health;
- data concerning someone's sex life or sexual orientation.
We may process special categories of personal data in the following circumstances:
- With your explicit written consent; or
- Where it is necessary in the substantial public interest, and further conditions are met;
- Where the processing is necessary for archiving purposes in the public interest, or for scientific or historical research purposes, or statistical purposes, subject to further safeguards for your fundamental rights and interests specified in law.
Further legal controls apply to data relating to criminal convictions and allegations of criminal activity. We may process such data on the same grounds as those identified for “special categories” referred to above.
4. When do we collect your personal data?
When you are a student of Christ Church;
When you are an alumnus/alumna of Christ Church;
When you are a senior member of Christ Church;
When you are an honorary or emeritus member of Christ Church;
When you are employed by Christ Church;
When you are employed by Christ Church as a contractor;
When you are a volunteer at Christ Church;
When you visit Christ Church as a tourist, or as a member of the cathedral congregation, or as a researcher in the library or archive, or as a guest at a conference, event, or a continuing education student;
When you are a tenant of Christ Church;
When you are a supplier to or purchaser from Christ Church;
When you access or engage with our website;
When you communicate or engage with Christ Church by letter, or email, or other means, including social media;
When your image is collected on our CCTV system;
When you contribute to any Christ Church publications.
5. What sort of personal data do we collect?
Depending on your relationship with Christ Church, we may collect the following personal data:
Your name and contact details (including, but possibly not exclusively, address, email address, telephone number(s), URLs;
Your date of birth;
Your payment card and bank details;
Your employment record;
Your educational record;
Your health data;
Your image on CCTV and details of access to buildings and grounds;
Your car type and registration number;
Technical information about your access to the website.
NB. This list is not exclusive. Christ Church will collect more data on some subjects than on others.
For example: a tourist purchasing a ticket at the Visitor Centre will provide minimal personal details and may be recorded on CCTV whereas the personal data collected and processed on members of staff and on students is much more extensive. Christ Church aims, as part of its Data Protection compliance, to collect only what is necessary and to retain that information only for as long as it is needed.
6. How and why do we use your personal data?
Christ Church collects personal data in order to manage its functions as college, cathedral, and tourist destination:
To teach, supervise, house, and protect our students;
To process applications from prospective students;
To manage the employment of our staff, both academic and non-academic;
To administer the endowment and our finances generally;
To manage the Cathedral;
To manage the cathedral school and the choir, and to protect the staff and pupils at the school;
To manage and protect visitors to the college and cathedral;
To manage the site and its buildings;
To keep in touch with alumni and alumnae, and friends of both college and cathedral;
To manage our website;
To comply with our contractual and legal obligations.
7. How we protect your personal data
Christ Church makes every effort to keep your personal data safe. All departments within college and cathedral have drawn up Information Asset Registers which include information on the measures in place to protect both physical and digital data during its collection, processing, and destruction (if relevant). These Information Asset Registers (or Records of Processing Activities) are under constant review to ensure they are correct and current. Enquiries should be directed to the Data Protection Officer at the address below.
Access to your personal data is limited to those who need to process it. As far as possible, paper records are kept in locked cabinets or cupboards which are themselves behind access-controlled doors. The whole site is monitored during the day by custodial staff and CCTV is used in public areas. Digital files are always password-protected and encryption is encouraged when personal data is moved. Servers are protected by firewalls and security software. When data is deleted, every effort is made to ensure the deletion of all copies.
8. How long will we keep your personal data?
Data Protection legislation requires that personal data is only retained for as long as it is necessary, and all Information Asset Registers include retention periods. In some cases, personal data will be kept in perpetuity, and these Registers will indicate the types of data which are archived for historical or statistical purposes. Regular reviews will ensure that retention schedules are followed.
9. With whom do we share your personal data?
Christ Church will not sell your data to third parties. We may sometimes share your personal data with trusted third parties if we are allowed or required to do so by law. We do not allow third parties to use your data for their own purposes. Third parties may include:
Your relatives, guardians, and next of kin;
The University of Oxford;
Conference of Colleges;
Loan and financial support providers (including the Student Loans Company);
Pension providers
Mailing companies for magazines and reports, etc.;
Till management company;
Investment and property management companies;
Letting agencies and mortgage providers;
GPs and hospitals, and other health service providers;
Potential employees;
Other educational institutions;
Electoral
Law enforcement agencies, if required;
Government departments, such as HMRC, and the Disclosure and Barring Service (DBS).
Data Protection legislation requires that data sharing agreements are acquired from each of these third parties, and that the companies guarantee that they comply with the data protection legislation. This list is designed to indicate the possible recipients of your personal data, not to suggest that your personal data will be shared with any or all. A data sharing form will soon be added here, which gives further information on the types of personal data that may be shared and the reasons for doing so.
10. Where your personal data may be processed
Data Protection legislation does not allow the transfer of data outside the EEA without consent or without guarantees from those countries that there is adequate data protection legislation in place.
Christ Church has students, staff, and visitors from all over the world, and every effort will be made to ensure that no personal data is transmitted to any country without relevant and adequate legislation without your consent. Data which may be transferred outside the EEA is noted on the Information Asset Registers.
11. What are your rights over your personal data?
You have the right to request, in most circumstances:
- Access to the personal data we hold about you, free of charge unless your request is unreasonable;
- The correction of your personal data if it is incorrect, out-of-date, or incomplete;
- In certain circumstances, the erasure of your data;
- The suspension of the processing of your data;
- Copies of any data shared with another Data Controller
You can contact us to exercise these rights at any time by contacting the Data Protection Officer at the address below.
If you wish to make an access request for data collected by CCTV, contact the Steward of Christ Church on 01865 286580 or via the Stewards PA at jacqueline.folliard@chch.ox.ac.uk
If you have given consent for Christ Church to collect and process your personal data, you have the right to change your mind at any time and to withdraw that consent.
When Christ Church relies on legitimate interest to collect and process your data, you may ask for processing to be stopped. If, however, Christ Church believes it has a legitimate and over-riding reason to collect and process your personal data, we may continue to do so.
12. Contacts
The Data Protection Officer (DPO) at Christ Church is Mr James Lawrie. He can be reached at Christ Church, Oxford, OX1 1DP or at james.lawrie@chch.ox.ac.uk or on 01865 276177.
If you feel that your data has not been handled correctly, then you may lodge a complaint with the Information Commissioner’s Office on 0303 123 1113 or on their website.
13. If you live outside the UK
If you live outside the UK, then complaints can be lodged with the relevant office in your own country.
14. Any questions?
If there is anything you would like to ask about the handling of your personal data, please contact the DPO at the address above in section 12.
Version control: JHC/V2(general) – 1 July 2021