UFM Worldwide Personnel Privacy Notice & Data Protection Policy
Effective Date: March 2025
Reviewed: March 2025
1. Purpose
This policy sets out how UFM Worldwide (“the Organisation”) collects, processes, and stores personal and sensitive data related to mission partners. It covers data collected during initial enquiries, applications, ongoing Memorandum of Understanding, yearly and end-of-term reviews, regular communications, and other interactions involving mission partners. This policy aims to ensure the protection, security, and lawful handling of mission partners’ data in compliance with the UK GDPR, Data Protection Act 2018, and other relevant data protection regulations.
2. Scope
This policy applies to all UFM Worldwide employees, volunteers, contractors, and third-party service providers involved in handling mission partner data. The data covered by this policy includes, but is not limited to:
| Category of Data | Details |
|---|---|
| Personal and Contact Information | Name, address, email, phone number |
| Sensitive Personal Data | Health, psychological, and family information |
| Employment and Ministry Data | Previous employment and ministry-related data |
| Religious Beliefs | Religious beliefs and affiliations |
| Financial Information | Support and donations information |
| Travel Documentation | Passport, visa, and travel documentation |
| Ministry Scope & Activities | Church and ministry scope, activities, and impact |
| References | References collected during the application process |
3. Data Collection and Use
UFM Worldwide collects mission partner data to facilitate effective communication, support, and management of mission-related activities. Data collection is limited to what is necessary for the following purposes:
- Evaluating initial enquiries and processing applications, including collecting references
- Establishing and maintaining Memorandum of Understanding
- Conducting yearly, end-of-term, and regular reviews
- Regular communication with mission partners, including discussions on sensitive topics such as mental health
- Managing support services, including health and psychological assessments
- Ensuring legal and regulatory compliance
- Facilitating travel and logistics related to mission activities
- Supporting financial administration and reporting
4. Lawful Basis for Processing
The lawful bases for processing mission partner data include:
- Consent: Obtained explicitly from mission partners, particularly for processing sensitive data.
- Contractual Necessity: For processing required under service agreements.
- Legal Obligation: Compliance with legal and regulatory requirements.
- Legitimate Interests: Where necessary for the effective support and management of mission activities.
5. Data Security and Storage
UFM Worldwide implements appropriate technical and organisational measures to safeguard mission partner data:
- Access Control: Access to mission partner data is restricted to authorised personnel only.
- Data Encryption: Sensitive data is encrypted both in transit and at rest.
- Physical Security: Physical records are stored securely in locked cabinets with restricted access.
- Data Backups: Regular backups are conducted to prevent data loss, with secure storage locations.
- Data Disposal: Secure deletion and destruction processes are followed for obsolete data, including shredding of physical documents and secure erasure of digital files.
6. Retention of Data
Mission partner data will be retained only as long as necessary for the purposes for which it was collected and as required by law. Retention periods are regularly reviewed to ensure compliance with data protection regulations.
7. Sharing of Data
Mission partner data will not be shared with third parties unless:
- Required to fulfil service agreements (e.g., travel agents for visa applications).
- Necessary to comply with legal or regulatory obligations.
- Explicitly consented to by the mission partner.
We sometimes share sensitive and personally identifiable information with third parties, such as authorities conducting criminal record checks and organisations involved in safeguarding practices when working with minors. We share applicant information, including relevant application details, with council members (trustees) as part of the interview and decision-making process. We may also share information with the applicant’s sending church when relevant to the interview, application, or ongoing ministry support. We also share mission partner data with our partner organisation, UFM Worldwide USA, Inc. All data is handled in accordance with UK and USA data protection laws, and appropriate safeguards, such as Standard Contractual Clauses, are in place to protect your data during international transfers, as outlined in our previous policies.
All third-party data processors are contractually bound to comply with UFM Worldwide’s data protection standards, ensuring that your data is protected at all stages of processing.
8. Individual Rights
Mission partners have rights regarding their data, including:
- The right to access their data.
- The right to request rectification of inaccurate data.
- The right to request deletion of data where applicable.
- The right to restrict or object to certain data processing activities.
- The right to withdraw consent at any time.
Requests should be made in writing to the Data Protection Officer, who will respond within 30 days.
9. Handling Sensitive Data
UFM Worldwide will ensure that sensitive data, such as health, psychological, and religious information, is handled with the utmost care and processed only with explicit consent or as legally permitted. This includes data discussed during regular communication with mission partners on sensitive topics such as physical and mental health. Extra safeguards will be applied to sensitive data to protect it from unauthorised access or disclosure.
10. Regular Communication and Data Handling
UFM Worldwide engages in regular communication with mission partners, where sensitive topics, including physical and mental health, may be discussed. These communications are handled with confidentiality and care, ensuring that any sensitive data shared is securely recorded, stored, and accessible only to authorised personnel. The same high standards of data protection apply to information disclosed during these communications as for other types of sensitive data.
11. Data Breach Response
In the event of a data breach involving mission partner data, UFM Worldwide will follow its Data Breach Response Procedure, which includes:
- Immediate containment and assessment of the breach.
- Notification to the Data Protection Officer.
- Reporting to the ICO within 72 hours if required.
- Informing affected mission partners as necessary.
12. Roles and Responsibilities
- Data Protection Officer (DPO): Responsible for overseeing data protection compliance and responding to mission partners’ data protection queries.
- Employees and Volunteers: Required to adhere to this policy and complete regular data protection training.
- Third-Party Processors: Must comply with UFM Worldwide’s data protection standards as outlined in their agreements.
13. Policy Review and Updates
This policy will be reviewed annually or as required to reflect changes in data protection laws, best practices, or operational changes. Any amendments will be communicated to mission partners.
Contact Information
For questions or concerns about this policy, please contact the Data Protection Officer at data@ufm.org.uk.