Data Protection

CLICK HERE to download the Data Protection Policy in PDF format
 
The General Data Protection Regulation (GDPR) takes effect across Europe from 25 May 2018. It replaces the existing law on data protection and gives individuals more rights and protection in how their personal data is used by organisations.
There must be a valid lawful basis in order to process personal data. There are six available lawful bases for processing. Which basis is most appropriate will depend on your purpose and relationship with the individual. The majority of data held by the Denomination should be held under the basis of consent, such as a permission slip for photography during youth activities, or legal obligation, e.g a safeguarding referral.

Personal data is information about a living person which is capable of identifying them. This that includes, address, telephone number, email address, age, birthday, names of family members.

​The Information Commissioner’s Office (ICO) provides for special conditions for not for profit organisations. This includes an exemption from registering with the ICO where data is processed only for the purposes of: establishing or maintaining membership; supporting a not-for-profit body or association; or providing or administering activities for either the members or those who have regular contact with it. The information must not be kept after the relationship between the individual and the organisation ends, unless it is necessary for the purposes described above.

Sensitive personal data can only be processed with explicit consent. This includes data contains information about: racial/ethnic origin; political opinions; religious or philosophical beliefs; TU membership; genetic/biometric for identification; health; sex life and sexual orientation.

Where gathering information regarding health, including allergies or medical conditions, you should always seek explicit permission.

Where information is held in electronic form it may be necessary to register with the ICO. Where data is held in hard copy this is not necessary. All data must be held securely in a locked cupboard to which there is no general access.

The basic premise of the GDPR is that people are entitled to know what data is being held by organisations, for what purpose and how long. Where organisations hold data they should make clear how they intend to store, manage and use this. This can be covered in a short sentence on a permission slip seeking permission to photograph.

​Personal data should not be shared without consent however if you are keeping records for child protection reasons, you don’t necessarily need to get consent from the adults and/or children concerned.  More information is available from the NSPCC at https://safeguardingtool.nspcc.org.uk/documents/171/Child_protection_records_retention_and_storage.pdf. If you are in doubt as to whether you need to inform a child or adult that data has been shared after a concern is raised you should make the referral first and discuss notification with the agency you are dealing with e.g Police or social services.

​Congregations should appoint a Data Controller who will record what type of information is held by the Congregation and ensure it is used only for the exempted purposes above. This should not be an onerous role and can be shared by more than one person. 

Under GDPR a person has the right to ask organisations to set out what information they hold about them. Congregations should decide who will deal with Subject Access Requests (SAR). There is a statutory limit (30 days) within which to comply with a Subject Access Request. When a request is received the Congregation should respond setting out what information they hold and for what purpose. 

Further information on the GDPR can be found on the ICO website https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

 

​Establishing Good Data Protection Practice in Your Church Checklist

REMEMBER - Data Protection legislation applies to both paper and electronic records and includes photos and videos as well as documents.

  1. Confirm who is the Data Controller for your church. In most cases this is likely to be the eldership.
  2. Make sure that the Data Controller(s) understands what constitutes personal data. (Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller's possession or likely to come into such possession.)
  3. Make sure that the Data Controller(s) understand what constitutes SPECIAL CATEGORY (sensitive) personal data (ie data which contains information about: racial/ethnic origin; political opinions; religious or philosophical beliefs; TU membership; genetic/biometric for identification; health; sex life and sexual orientation. Special Category data can only be processed with explicit consent.
  4. Compile a full list of all the types of personal data the Church collects and holds.
  5. For each type of information determine where and how it Is held.
  6. Ensure that the data is held securely. Take steps to ensure that personal data is not disclosed to others without that person's permission — this includes: birthdays; addresses; telephone numbers; email addresses; matters relating a person's health.
  7. For each type of information determine how long it should be held and be able to justify your decisions.
  8. Dispose securely of any data which is no longer useful.
  9. For each type of information establish a routine for the permanent and secure disposal of time-expired data.
  10. Determine who will deal with Subject Access Requests (SAR). Usually the Church Secretary.
  11. Make sure that the Church Secretary or other relevant person(s) know that there is a statutory limit (30 days) within which to comply with a Subject Access Request.
  12. Complete and publish your church's Privacy Statement.
  13. Make sure that the Privacy Statement is posted in a prominent position and that members, friends and adherents are aware of its existence and that copies are available for them to take away.
  14. Bring the Privacy Statement to the notice of members at a Church Meeting and review regularly its effectiveness - suggest at Annual Church Meeting.
  15. Monitor, review and amend as necessary.


The United Reformed Church,  GDPR Checklist vi —1 February 2018
 

 

​Hints and Tips — Good Data Protection Practice

  • Respect everyone's privacy.
  • Data should only be used and stored electronically for Church matters, administration and the specific purpose the information was collected for:  not shared without permission outside the Church.
  • Ensure that paper records are kept in a locked cupboard.
  • Do not disclose any personal information about an individual without first obtaining that person's consent—that includes, address, telephone number, email address, age, birthday, names of family members.’
  • Consider data security when sending e-mails regarding Church matters from a personal e-mail address. You may wish to set up a congregational or office bearer email addresses using a provider like Gmail e.g. This email address is being protected from spambots. You need JavaScript enabled to view it. or This email address is being protected from spambots. You need JavaScript enabled to view it.
  • When emailing groups of people always put their email addresses In the 'bcc' row rather than the 'To' row. This prevents an individual's email address being visible to all the recipients
  • If you are sharing birthday information (age or date) about an individual with others always ask for the individual's permission first. Ideally this should be in writing.
  • When mentioning pastoral concerns or praying for identifiable individuals take reasonable steps to ensure that the individual (and anyone else who may be directly or indirectly involved) is willing for this to happen.
  • When minuting pastoral concerns, refrain from mentioning names and the nature of the concern.
  • Prayer lists should be confidentially destroyed immediately after they have been used.


Based on information produced by United Reformed Church, Hints and tips Good Data Protection Practice vl - I February 2015