This privacy notice aims to give you information on how INEQE Group Limited, trading as INEQE Safeguarding Group collects, shares and processes your personal data, including any data you may provide as part of the independent safeguarding audits of Church of England Church Bodies.

It is important that you read this privacy notice so that you are fully aware how and why we will use your data.

Please be aware that this notice may be amended to take account of legislative or regulatory changes or to reflect procedural changes in respect of data security.

This notice describes the Joint Controller relationship and respective responsibilities of the Audited (Church) Body and INEQE Safeguarding Group for the processing of personal data necessary to conduct independent audits of safeguarding in Church of England bodies.

For the purposes of each audit, and in accordance with Data Protection legislation, it has been determined that the following shall act as joint data controllers (i.e. the organisations that are responsible for personal data):

INEQE Group Limited, trading as INEQE Safeguarding Group
Ocean House,
13 Edgewater Road,
Belfast,
BT3 9JQ

And

The individual Church body being audited, i.e a Diocese or Cathedral. A copy of this notice and contact details will be displayed on the individual Church Body website.

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where identity has been removed (anonymous data).
We collect, use, store and transfer different kinds of personal data about you for the following purposes:

• To enable Independent Safeguarding Audits to be conducted.
• To engage relevant authorities (both church and external) in the case of a safeguarding disclosure.
• To evaluate training needs and provision.
• To evaluate safeguarding provision.
• To evaluate governance structures.
• To facilitate the publication of reports.
• To undertake statistical analysis.
• To support employees, volunteers and beneficiaries of Church Bodies.

In order to complete safeguarding audits we may collect or share:

• Personal details including name
• Email address
• Phone numbers
• Employment/volunteer details
• Case file information
• Training records
• Vetting records
• IP Address
• HR disciplinary files
• CDM’s

As part of our safeguarding audit we may also process Special Category Data, including:

• Trade Union Membership
• Religion
• Race
• Ethnic origin
• Health
• Sex life
• Sexual Orientation
• Criminal allegations, proceedings or convictions

We may collect your personal information in a number of ways, principally:

• Directly from you,
• From your employer,
• From a colleague or other member of staff,
• From a beneficiary of your services,
• From open-source data.

We will only use or share your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

• In the fulfilment of a contract, such as the independent safeguarding audits.
• Where we need to comply with a legal or regulatory obligation.
• Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
• For certain processing purposes, we may request your consent to authorise the processing.
• We may share your personal data with the following:
  • The Archbishop’s Council
  • Dioceses,
  • Bishop’s Offices
  • Cathedrals,
  • Parishes,
  • The NST,
  • [for Church bodies] Safeguarding Auditors,
  • Local Government (e.g. LADO),
  • Law enforcement,
  • Other statutory or regulatory bodies (e.g The Charity Commission).

The purpose of the safeguarding audits we process personal data for the following lawful purposes:

• Consent: Where you have given us clear consent to process your personal data for a specific purpose.
• We have a contractual obligation: We will process your personal data where this is necessary for the performance of a contract with you or to take steps at your request before entering into such a contract.
• Compliance with our legal obligations: In some cases, INEQE Group Limited process personal data in order to comply with health and safety legislation and assist with investigations by police and/or other competent authorities.
• Vital interests: Where the processing is necessary to protect someone’s life.
• Public task: Where the processing is necessary to enable us to perform a task in the public interest or for official functions, and the task or function has a clear basis in law.
• Legitimate interests. In other cases, INEQE Group Limited has ‘legitimate interests’ in processing personal information about individuals we interact with.

Where the lawful basis relies on legitimate interests for processing personal data, the data controllers have considered whether or not those interests are overridden by the interests or fundamental rights or freedoms of the individuals whose data are being processed and concluded that the processing is, on balance, fair and a Ligitimate Interest Assessment has been completed and is attached to this notice.

Where the auditors conduct a survey, the legal basis upon which we rely is consent. In other words, where you have given us clear consent to process your personal data for a specific purpose.

Where we process sensitive personal data, other legal bases for processing may apply, including where our processing is necessary for the establishment, exercise or defence of legal claims or judicial acts, for provision of medical care and treatment or where there is substantial public interest.

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

We do not sell any of your personal data to any third party.

We may, however, need to disclose your personal information in the following circumstances:

• We are under a legal duty,
• To protect the public,
• To safeguard children and individuals at risk
• For regulatory reasons
• Where we need to disclose it to protect our rights, property or safety of our staff, customers or others.

The information collected and processed by INEQE Group Limited in respect of this survey may be shared with your employer or other statutory body, most commonly as part of a statistical analysis.

We’re committed to keeping your personal data secure and have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

Personal data will not be transferred to countries outside the UK or European Economic Area (EEA). In the event that this may occur, we will ensure that any such transfer meets the requirements of GDPR.

We typically use the following platforms for the processing, sharing, collection and storage of data:

• Microsoft Azure,
• Cosmos DB,
• Hubspot,
• Egress,
• Dropbox,
• Microsoft.

A cookie is a small piece of information that is placed on your computer or device when you visit our websites. They are used by most websites to make them work efficiently.

They are used to remember the choices you made when visiting our sites.

Our websites store cookies on your computer. These cookies are used to collect information about how you interact with our website and allow us to remember you. We use this information in order to improve and customise your browsing experience and for analytics and metrics about our visitors both on this website and other media.

If you decline, your information won’t be tracked when you visit this website. A single cookie will be used in your browser to remember your preference not to be tracked.

Because we respect your right to privacy, for the purpose of completing an audit survey, we will only use what is called a ‘necessary’ cookie. This enables the auditor to identify that the survey has been completed from a particular IP address.

Necessary – These cookies are necessary for websites to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in, or filling in forms. They are always active.

INEQE Safeguarding Group shall delete or otherwise destroy all personal data processed for purposes relating to the Church of England’s independent safeguarding audit programme once the audit contract is fulfilled, except where the fulfilment of INEQE’s statutory or professional obligations require continued processing of specific personal data for explicitly specified purposes. 

A certificate of destruction will be supplied by INEQE Safeguarding Group to the Church in respect of the data processed by them once the audit process is completed.

Under the Data Protection Act 2018 you have the right to:

• Your right to withdraw consent – You have the right to withdraw consent (where relevant).
• Your right of access – You have the right to ask us for copies of your personal information.
• Your right to be informed – You have the right to be informed about any personal information we hold about you.
• Your right to rectification – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
• Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.
• Your right to restriction of processing – You have the right to ask us to restrict the processing of your personal information in certain circumstances.
• Your right to object to processing – You have the right to object to the processing of your personal information in certain circumstances.
• Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

If you would like to exercise any of these rights, please contact us in writing. Please note that these rights are not absolute and we may be entitled (or required) to refuse requests where exceptions apply.

Enquiries about the content, meaning or implications of the Audit Privacy Notice can be made to either Joint Controller. However, in the first instance, Subject Access Requests (SAR) should be directed to the relevant contact point at INEQE, (whose details are set out in this privacy notice).

We do not usually charge a fee for access to your data unless the request is excessive or vexatious.

If you are not satisfied with how we are processing your personal data, you can complain to the Information Commissioner’s Office (ICO). You can also find out more about your rights under the GDPR (and other data protection legislation) from the Information Commissioner’s Office.

Name: INEQE Group Ltd, trading as INEQE Safeguarding Group,
Address: Ocean House, 13 Edgewater Road, Belfast, BT3 9JQ
Phone Number: 028 90232060
Email: [email protected]

If you have any concerns about how we are processing your personal data, you can complain to the Information Commissioner’s Office (ICO). You can also find out more about your rights under the GDPR (and other data protection legislation) from the Information Commissioner’s Office.

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113