National Churches Trust Research

blank white paper
Photo by Brandi Redd on Unsplash

National Churches Trust wrote inviting churches, chapels and meeting houses throughout the UK to take part in a new online survey to help find out how they are maintained, funded, managed and contribute to their wider communities. Please help them to engage with as many of these Christian places of worship as possible? 

The survey is available online  and will take approximately 20-30 minutes to complete. The deadline for completion is  Wednesday 4th March 2020.

Data from the survey will be used in a new study into the benefits that churches provide to local communities and to the UK more generally. The new research will build on a similar study, undertaken in 2010, which looked at the physical condition of places of worship and also the way they are managed, funded and used by their communities.

You can find out more about the work here:

Don’t forget that the National Churches Trust also provides the following grant support to churches:

·         Cornerstone  – Grants of £10,000 to £50,000 towards urgent and essential structural repair projects with estimated costs of at least £100,000, and the installation of kitchens and toilets with estimated costs of at least £30,000, to improve access for all.

·         Gateway – Grants of £3,000 to £10,000 to support churches in their project development up to RIBA stage 1; and essential repair projects with estimated costs of between £10,000 and £100,000.

·         Foundation Grants for Maintenance – Grants of £500 to £5,000 to support small, urgent maintenance and repair issues or to carry out small investigative works costing up to £10,000.

·         Preventative Maintenance Micro-Grants  – Grants of up to £500 to support the cost of MaintenanceBooker maintenance services.

For further information about any of these, please visit the grants pages of our website:

Starting out fine… & finishing well

Trending Topics Flickr, used under CC

I’m a firm believer in planning and starting out new projects or years with the end in mind. At this time of year, people are usually thinking more about last December than next. Finishing off the previous year’s accounts and reports – and yet, realising what was stressful and ensuring that you don’t repeat any problems is a good use of that review.

On the MBS resources tab are two spreadsheets – one for AM clerks and one for Premises committees, both have the same remit. By calendarising regular tasks and agenda items you ensure they don’t fall by the wayside but also to free up some memory – you no longer need to worry or think about these as you know they are safely recorded. It is a simple form of corporate memory, and a useful piece of evidence of good governance and maintenance if things go wrong.

This is also the time of year that new members of committees arrive, is there an onboarding pack or do you just presume they will learn everything through osmosis? You don’t want to overload them – handing over the Operations Manual may be a bit much, but a summary document, or a copy of that agenda calendar mentioned above, to give them an idea of what they’ll be tackling over the next year can be useful.

Onboarding, also known as organizational socialization, is management jargon first created in the 1970s that refers to the mechanism through which new employees acquire the necessary knowledge, skills, and behaviors in order to become effective organizational members and insiders.


It’s also worth the committee taking some time to consider where they’d like to be January 2021. Are there projects you want to be ready to start? Or ones you hope to finish? Deciding to create some of the corporate memory documentation, doing a data audit, a building tour, sending members to a conference or on a training course are all things that might be on your list.

Looking back at 2019 (or earlier) what do you know you don’t want to do? Where did things go wrong, or what mistakes were avoided? Have you written down any lessons learned? Amended or created policies to help prevent a repeat where necessary?

A good place to start is to read through last year’s agendas and minutes, useful for creating an annual report if you haven’t already. Grabbing a drink and making notes as you go along – perhaps as part of the introduction to any new members can help reveal patterns and gaps.

  • Do you have a plan for this year?
  • What would ‘successful’ look like?
  • What simple thing can you decide to do (or not do!) this month that helps set you up for a successful year ahead?

National Guttering Day 2019

Did you know there was such a thing?

SPAG (a Society for the Protection of Ancient Buildings) founded this national day in 2002 to encourage people to look at their roofs and gutters as we go into winter. You can read about it on the SPAG blog where they have a useful ‘top ten tips’ for this year’s maintenance week.

Water is a menace to all buildings, old and new, and a small unnoticed leak can have serious consequences. When I lived in Muswell Hill meeting house it was flooded three times. On one occasion from both the guttering and the sewer at the same time – as both were overloaded from the amount of water coming down. London wasn’t designed to deal with to such heavy downpours! Unlike this Florida roof which clearly was designed for a lot of rain arriving in a short period of time.

Florida roof guttering

Building tours are highly recommended, and are useful for a wide variety of reasons. Take photos of the building from various angles, filing them in a central storage place (on line or printed into a folder) and if repeated on a regular basis this will build up to be a useful resource for yourself and future Premises committees, as well as historians.

I’ve given details about building tours previously, and recommend an annual building inspection as they’re useful at any time of year. However, they’re also a good thing to do for new committee members or trustees who may not have looked at the building in this way. A thing to remember if you have new cohorts starting in January.

  • Have you checked your gutters recently?

Fire Alarm – Do Not Touch!

2018 03 fire alarm - do not touch
Photo taken by Dana Rancette, used with permission


Fire is a serious risk. However, even if the equipment can be tempting to small people, I don’t recommend telling them taping the control panel shut, or posting signs telling people not to touch the fire alarm.

I suspect those intent on fiddling will ignore the sign. While you definitely don’t want to confuse someone in an emergency situation where they *should* sound the alarm.

Instead have regular fire alarm drills. Give training to your volunteers or employees. Suggest training for anyone else who use your building. You might be able to combine groups and provide training to everyone.

These combined with clear signage, plus the use of appropriate equipment coverings to prevent accidental usage or damage will mean fewer false alarms and give everyone involved more confidence that they know what they are doing if an emergency occurs.

You might also want to read:

Generating Passwords

Hacking Password
Image used under Creative Commons license from

Your password is a vital piece of defence in the digital age. Or, more likely, passwords, since you probably have several. And choosing a strong password for every login you have is therefore very important.

The Problem

But often password generators give you a long and hard-to-type (not to mention impossible to remember!) string of characters. And the conventional advice of picking a word and then swapping out random characters for similar-looking numbers or symbols isn’t much better.

And then you’re told you’re meant to change your passwords regularly, so just as you’ve gotten one string of gobbledegook down it’s no longer valid!

To make it worse, these passwords aren’t actually that strong against a dedicated attempt to crack your password. Thankfully, there is an easier and simpler system you can use to have fairly easy to remember and easy to type, yet strong passwords.

The System:

Pick four random words which are 5-7 letters long. From a book, from this blog post, from your favourite quote of QF&P, it really doesn’t matter!

Make any two of them ALL CAPS.

Choose a random symbol from the following: -, +, :, or /, and put one between each word.

Pick four random numbers, and put two on each end.

Pick a random symbol from the following: !, ?, @, & and put it on each end.

You’re done! That’s your password. To demonstrate, I’ll make one right now.

An Example

My favourite Advices and Queries is 17. So, if I pick four random words, I might end up with “discern”, “listen”, “untrue”, and “hurtful”.

I’ll make the first and third caps. So, now I have “DISCERN listen UNTRUE hurtful”.

From the separators listed above, I’ll go with +. Now I have “DISCERN+listen+UNTRUE+hurtful”.

This is a quote from A&Q 17, which in my copy of QF&P is on page 19, so I’ll use 17 and 19 (these aren’t quite random numbers, but it’s weird enough that some mindless bot trying to guess your password are never going to think of them. Just don’t use something like your birthday or address). Now we have “17DISCERN+listen+UNTRUE+hurtful19”.

Finally, from the padding symbols listed above, I’ll go with !. That means my finished password is


Sure, that’s a weird sentence, but it’s much easier to remember than something like “wK5Jj3$6”, and far, far stronger.

Have A Personal System

Here’s another tip – you can use the same caps pattern, separator and padding symbol for all your passwords. Just make sure you use different words and numbers for each one. Since everyone will (hopefully) pick a different combination, anyone who’s trying to crack your password won’t know what you went with.

So, having generated that password, it would then be even easier to make my next one. Let’s say I ended up with something like


See how, since I now have a system, I only have to remember which numbers and words are in my password? I know that the first and third words are the ones in caps, that the words are separated by +, and that the password is padded with !.

So, the only thing I have to remember is “involve resist desire seeming, from Advices and Queries 38, on page 22.” To make it even better, if I then wrote the above down and someone else found it – it wouldn’t tell them my password! They don’t know my system for padding out the password, only the unique parts of this one.

And because my system is consistent across my passwords, and is simple (“first and third, +, !.”) it’s very unlikely that I’ll forget it.

But the examples I gave above won’t show up in any list of the most common passwords (like “123456”, or “password”) and if you check the strength, you’ll find they are extremely strong against brute force attacks.

Online Resources

If you don’t want to generate your passwords manually, you can use this online tool:

And if you want to check how strong a password is against brute force attacks, as well as read a more in-depth explanation of why this type of password is stronger than the ones that are normally recommended, check here:

Using this calculator, I can see that to be sure of guessing “wK5Jj3$6” someone would have to check 6,704,780,954,517,120 potential passwords, while to be sure of guessing “!17DISCERN+listen+UNTRUE+hurtful19!” they would have to check a whopping 1,678,502,284,981,138,890,416,014,999,354,759,820,605,904,877,122,660,028,807,660,366,626,495 potential passwords!

Which, even with a ridiculously fast system, would take 5.34 billion trillion trillion trillion centuries! Somehow, I don’t see anyone spending that long trying to get into my email account. (If you’re curious, cracking “wK5Jj3$6” with the same system would take only 1.12 minutes – that’s how much difference having a longer password makes!)

General Data Protection Regulations or GDPR

Europe GDPR PD
Image from Flickr, used under Creative Commons license

GDPR – what is it?

The General Data Protection Regulations or GDPR, as it is commonly known, is an EU wide directive that came into law in 2016. You have until May 25th 2018 to be compliant.

It is a complete overhaul of the data protection regulations – and applies to charities as well as businesses.


The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy. The key articles of the GDPR, as well as information on its business impact, can be found throughout this site.

For Quakers, Friends House staff have just produced some Data Safety guidance:

The ICO has also produced a helpful introductory overview, and self assessment documentation.

I’m certain this is the beginning of a learning curve! I’ve booked several training sessions and webinars. Including one run by ACAT who are planning to run several across the UK, find out more at:

  • Did you know about GDPR?
  • Have you done any preparations?

Setting Up Your Organisation’s Email Part II

Knowledge Sharing by Ewa Rozkosz

Okay, in Part I we covered the concepts behind email, now it’s time for the…


Create an account for the organisation

This ensures that all the data that belongs to your organisation is under your control.

With the majority of communication taking place via email, the temptation will be to use the email addresses that the individuals involved already have.

Don’t do it!

It may be easier now, but when the role is handed over to someone else the data will almost certainly be lost. In addition, if the data is attached to an individual’s private account it legally belongs to them, not the organisation.

And if the relationship between the organisation and individual in question breaks down, you may as well kiss your data goodbye. Getting it back will almost certainly be very painful, and take more time, money, and lawyers than you have access to.

Services such as Google allow small organisations and charities to do this for free, (Google for Non-Profits) so make use of them. We do not advocate for Google, and other services exist. The choice of which suits you best will be dependent on your organisation & circumstances, but theirs is a good offering.

One reason for this is because they have a suite of integrated services included with the email, notably Google Drive, which lets you store all your data in an easier to use format than just having it in emails. This is something you should consider, and that I will be detailing in a later post.

Whether you use Google or not, sticking to a big-name provider reduces the risk of your service being lost without notice.

  • The administrator user name and password for the account should be available only to recognised office holders. An admin account lets you make whatever changes you want, so if someone who doesn’t know what they’re doing uses it they could do a lot of damage.
  • User names and passwords should be stored in such a way that they can be accessed by other office holders should the nominated person suddenly become unavailable. Shared cloud based password systems are useful for this and other reasons. A personal emergency should never leave your organisation unable to access its own account!
  • Name the account unambiguously. At this point you should seriously consider registering a domain name for your organisation, for the following reasons:
  1. It only costs a few pounds per year.
  2. Your email addresses are those of your organisation and not your service provider ( rather than for example).
  3. If you choose to move your service provider you won’t have to change all your email addresses, avoiding the disruption that would entail.
  4. If you don’t do it people will assume that you’re too cheap, technically inept, or simply couldn’t be bothered, and that’s not a good look.
  • You can do this within Google as part of the sign-up process or with a separate domain registrar. Your preferred domain may already be taken so be prepared to try a few variations until you get one that’s available. Your will probably want a domain as this signifies that you are a non-commercial organisation in the United Kingdom.

Create mailboxes for roles not individuals

  • For each role, create a mailbox and give the user name and password to the individual performing that role. For example, ‘Treasurer@domainname’ rather than ‘Bob_Example@domainname’. This means that when Bob moves on, you don’t have to create a whole new account or have their replacement constantly explain that they aren’t Bob.
  • Ensure that all electronic communication for a role is performed with that mailbox. Do not use personal accounts, and do not cross-contaminate roles (e.g., dealing with Clerk matters in the Treasurer account). This is especially important if you have someone with access to multiple accounts.
  • The first action performed by anyone taking over a mailbox should be to change the password, to ensure that only they can access it.
  • When setting up a mailbox for the first time, if individuals already have correspondence in their personal mailboxes (and you’re still on good terms) get them to forward the relevant email to the new mailbox.
  • If it becomes necessary to have an individual’s access removed from a mailbox, the account administrator can force a password reset. This should be done as soon as an individual ceases performing a role, as a routine matter of security.
  • On a regular basis (semi-annually or annually) who has access to each mailbox should be reviewed to ensure that it’s correct and up to date.


Setting Up Your Organisation’s Email Part I

Knowledge Sharing by Ewa Rozkosz


So, you need to hand off some of the jobs within your organisation to others, potentially to volunteers within it or people who are paid to perform those tasks. It looks rather complicated, but is realistically a couple of hours work to set up for any small to medium sized organisation.

If your organisation lacks the skills to set these systems up then you should engage the services of a third party to do it for you. A fairly small outlay here can save you a lot of time, stress, and expense later.

Here are some concepts to get comfortable with before you begin, and definitions for the Actions suggestions I’ll be making in Part II.

Roles vs Individuals

The role is the task to be performed on behalf of the organisation (treasurer, clerk, etc), while the individual is the actual human being(s) performing that task.

Account vs Mailbox

The account is the container in which all the mailboxes are created. One account will have multiple mailboxes in it. Both the account and its contents belong to the organisation rather than to any individual.

The account also has technical roles associated with it. At a basic level those are mailbox administrators and mailbox users; the administrator (or ‘admin’) role creates and manages the mailboxes on behalf of the organisation, whereas mailbox users only have access to their own mailbox. Due to the security implications, only the most trusted individuals should be granted the administrator role.

It should be made clear to the role holders when they are appointed that the organisation owns the mailbox and all its contents, can and must be able to access it at any time, and that they cannot (and indeed should not) expect privacy. That’s what personal email accounts are for.

Domain vs Account

The domain is the label that is used for the account. Essentially it is the name that the internet uses to get your email to you – it’s the bit after the @ symbol for email and the www. for a website. So, our domain is It can’t contain spaces or underscores. It’s common for the account and domain to have the same name, as this keeps things simpler, but they can be named differently.

You can choose to not have a domain but all your email addresses will end with the domain of your service provide ( for instance). If you’re okay with that then you can skip setting up a domain. However it’s generally worth doing as it’s not a lot of hassle, makes your organisation look more professional, and if you choose to move to another service provider later your email addresses won’t change.

That’s the concepts covered, the nitty gritty is in Part II.

Providing Guest WiFi At Your Premises

Knowledge Sharing by Ewa Rozkosz

So you need to provide guest WiFi at your premises and don’t where to start? Then you’re in the right place! I can’t give you chapter and verse, but there are the things that you’ll need to consider:

The Legalise

Your organisation is legally liable for the traffic that originates from your WiFi network – the good and the bad. To protect yourself from the bad you’ll need to have your users sign an Acceptable Use Policy (AUP). The AUP is your organisation’s way of absolving itself from any blame for bad traffic that users of your premises may generate and the easiest way to get them to sign it is to include it in the terms of the contract you have with them.

There are many use policy templates around the internet for you to copy (like here) but I’m no lawyer so I can’t tell you how watertight they are. If you’ve got one in place you’ve at least shown willing and in any legal proceeding that will probably go a long way to protecting your organisation.

If you charge for WiFi access you’re obliged to provide it, while if it’s complimentary a best endeavours approach will be acceptable (in other words, if it’s down you can get away with it for longer).

The Money

This will cost you to provide, it doesn’t come free. There will an initial set-up cost for the provision of your line and the purchase of any necessary network equipment (and additional installation) and then a monthly running cost. Research the packages available to you, and decide how much you’re willing to pay and which extras you want enough to pay extra for (we give some suggestions of what to keep in mind further down the post).

The concept to keep in mind is Total Cost of Ownership (TCO). This is a standard business idea along the lines of ‘buying cheap three times costs more than buying expensive once, so lower cost is rarely better value’.

The Internet

The first step is to provide the connection from your premises to the internet. A large part of the pricing is how much data you can consume at a time – a lot of users simultaneously downloading videos will use more bandwidth than a few users browsing text, so the number of users and what they use your network for will dictate how much data you need.

The numbers to look for here are Kilobits per second (Kb/s), or Megabits per second (Mb/s), depending on how fast the available services are.

Then there is the amount of data you can download over a given time frame, usually expressed as Gigabytes per month. If you hit this limit within that time frame you either have to pay a top up charge or wait until the next charging period – neither of these are good. If you can afford to go for an unlimited plan from the get go then you avoid this hassle, so it’s generally worth a few pounds a month extra.

Next is the Service Level Agreement (SLA). This details (amongst other things) how quickly you’ll have your service back when it fails on the provider’s end, domestic connections generally having a longer time to repair than a business connection.

If your users view having internet access as being critical, you may want to go for a business rated connection. While these cost more, they also tend to have better service agreements and will get back online faster.

The WiFi

The last step is to provision the wireless network within your premises. If it’s a small area then the router that supplies your internet bandwidth may already do this and you’re all set – lucky you!

For a larger building or one with thick brick, concrete or stone walls it’s a bit more complicated. You’ll need Access Points (APs) for the users’ devices to connect to, perhaps one per room, and these will need to connect back to the internet router, usually via cables which you’ll need to have installed.

In this instance your best bet is to go to a professional outfit. It’ll likely be the most expensive part of the installation, but is a one off cost and is worth doing properly to give as long and trouble free a service life as possible. Badly installed equipment costs more to keep working over its service life than properly installed equipment, so once again, cheaper isn’t always better.

For your users to access the WiFi you’ll need to give them two details, namely the SSID and password. The SSID is the network name which will show up on the device menu when your users go to connect. You’ll want something clear, like ‘(Meeting Name) WiFi’, so they know they’re connecting to you and not someone else by mistake.

The WiFi password should be:

  • Secure. You want a phrase of at least four words, preferably random – see this post for more in-depth advice on choosing a password.
  • Changed regularly – at least monthly. Once your password leaks beyond your user base (and it will) your neighbours WILL steal your bandwidth – I’ve watched it happen. The only way to stop this is to change it often enough that they can’t keep up.
  • Distributed to your users. Ensure that you have a consistent means of informing your users what the current password is. You can do this on site, such as on a notice board (try to make sure it’s somewhere only users will see, such as the kitchen), or distribute it via a mailing list or newletter, either paper or digital.
  • Encrypted with WPA2 encryption to prevent it from being cracked; WEP and WPA are very weak and won’t offer you much protection.

The Maintenance

Provision of internet is seen more and more as an essential rather than optional feature, so it’s worth having systems in place to deal with any issues as quickly as possible. You don’t want your users to frequently struggle with the network being down – if coffee houses lose custom over it, so can you.

All the components listed above are complicated beasts and when they go wrong (note that’s when, not if) you’ll need access to someone who knows what they’re doing to get it working again.

If you engaged a company to install the network in the first place they may well offer this service, and would have the advantage of knowing your network already so they won’t have to figure it out in the middle of a fault. Otherwise, you may have to engage a seperate professional.

Either way, have things arranged ahead of time to minimise the delay between the issue being reported and resolved. You don’t want to have to be scrabbling around comparing quotes and reviews while you have an actual issue on your hands.

Consider the service level agreements here as well; shorter repair times may be worth paying extra for if you know that your users will be relying heavily on your network and it not being available for a week would cause problems.

Don’t sign up for terms longer than a year unless you’re very comfortable with the company or they offer a large discount. If they know you’ve got four years left before you can exit a contract you may not get as good a quality of service as you would with only six months left, for example.

Like all other technologies, wireless networking is continuously improving, so you can expect the access points to have a maximum service life of 3-5 years. Domestic grade access points will be cheaper to buy but not last anywhere near as long, and require more labour to manage, so will have a higher total cost.

Properly installed cabling, on the other hand, will have a life of at least 15-20 years and need very little maintenance.