Jesus Youth JY UK Safeguarding
Section 6

Data Sharing & Third Parties

When and how Jesus Youth UK shares personal data with third parties, including statutory agencies and data processors.

When We Share Data

Jesus Youth UK does not routinely share personal data with third parties. We only share data when there is a lawful basis to do so and it is necessary for a specific purpose.

Statutory Agencies

We may share personal data with statutory agencies where required by law or where necessary to protect individuals from harm. This includes:

  • Local Authority Children’s Services — where there are safeguarding concerns about a child
  • Police — where there is a risk of harm or where a criminal offence may have been committed
  • Disclosure and Barring Service (DBS) — as part of the recruitment process for roles involving children
  • HMRC — for tax, payroll, and Gift Aid purposes
  • Health and Safety Executive — in the event of a reportable incident

Safeguarding Referrals

Where safeguarding concerns arise, the protection of the child or vulnerable adult takes priority over data protection considerations. We will share information with statutory agencies without consent where necessary to:

  • Protect a child or vulnerable adult from harm
  • Prevent or detect a crime
  • Comply with a court order or other legal obligation

This is consistent with our Safeguarding Policy and with guidance from the ICO, which confirms that data protection law is not a barrier to sharing information for safeguarding purposes.

Diocesan and Church Safeguarding

As a Catholic organisation, we may share safeguarding information with:

  • The relevant diocesan safeguarding office
  • The Catholic Safeguarding Standards Agency (CSSA)

These bodies have their own data protection obligations and handle information in accordance with UK GDPR.

Third-Party Data Processors

We use a limited number of third-party service providers who process data on our behalf. These include:

Provider TypePurposeData Shared
Email service providerSending newsletters and communicationsName, email address
Cloud storage providerSecure storage of documents and recordsVarious, depending on document type
Website hostingHosting our websiteData submitted via web forms
DBS umbrella bodyProcessing DBS checksIdentity and address details
Accounting softwareFinancial record-keepingStaff and donor financial data

All third-party processors are required to:

  • Process data only on our documented instructions
  • Implement appropriate technical and organisational security measures
  • Not engage sub-processors without our written authorisation
  • Assist us in responding to data subject requests
  • Delete or return data at the end of the processing relationship

We have written Data Processing Agreements in place with all third-party processors, as required by Article 28 of the UK GDPR.

International Transfers

Jesus Youth UK primarily processes data within the United Kingdom. Where data is transferred outside the UK (for example, if a cloud service provider stores data in another country), we ensure that:

  • The transfer is to a country with an adequacy decision from the UK Government, or
  • Appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs), or
  • A specific derogation under UK GDPR applies

We do not transfer personal data to countries outside the UK without ensuring an adequate level of protection.

Data Sharing Agreements

Where we regularly share data with another organisation (other than through a standard processor agreement), we put in place a Data Sharing Agreement that sets out:

  • What data is shared and for what purpose
  • The lawful basis for sharing
  • Security measures in place
  • Retention and deletion arrangements
  • Responsibilities of each party