General Data Protection Regulation (GDPR) FAQs
Below are some frequently asked questions regarding the General Data Protection Regulation (GDPR), which applies from 25 May 2018.
Click on a question to be taken to the answer.
A full suite of resources for GDPR compliance in parishes is also available here:
You can download the slides from our GDPR Seminars held in March 2018 here.
- Who is the data controller for parish information?
- Is a multi-parish benefice a single data controller?
- Who will be the data controller for data that the “incumbent or priest-in-charge” holds? Who is responsible for compliance in the Diocese?
- If “incumbent or priest-in-charge” is being used in the legal sense then who will be the data controller for the data that colleagues hold, the incumbent or the PCC?
- What is a privacy notice?
- What are the implications of the incumbent being a separate data controller?
- How do I go about providing a privacy notice?
- Who do I need to provide a privacy notice to?
- How do I recognise a subject access request?
- How long do I need to keep information for?
- Is it ok for me to use an online document storage system, for example Google Drive or Dropbox?
- When do I need to carry out a data protection impact assessment?
- Will Church House Publishing or SPCK be updating their standard forms for baptism applications and wedding banns to include consent for the Church to inform them about upcoming consents?
- What is the position about weddings / baptisms / funerals from past years? I guess we can send baptism anniversary cards and Christmas cards to wedding couples provided it is simply that, if we use it to advertise or fund raise then presumably we will need consent?
- Is consent required to send invites to the All Souls Service for past funerals?
- Do copies of funeral visits / notes, funeral director confirmation letters, sermons etc need to be shredded or can they be kept as they contain contact details for next of kin?
- Currently, material is frequently sent home with children promoting events at church that have nothing to do with school life. Do our schools now have to obtain the express permission of parents to communicate with them about church rather than school affairs? The Diocesan vision wishes us to consider our schools as an extension of our worshipping communities but these regulations appear to work in precisely the opposite direction.
- Will church schools receive explicit advice about the implementation of the GDPR?
- Are the downloadable forms on the Diocese website going to be amended so that people can opt out of sharing information with any other body / organisation? E.g. after gift aid receiving requests from charitable organisations for money.
- We often send out named invitations to the whole village to attend special services. Can we do this without specific permission?
- Can the Church discuss in person with parishioners who are not necessarily regular church attenders about the Parish Giving scheme?
- Do we keep copies of personal details forms and confidential declaration forms once an applicant has had a DBS check done?
- When do we not need consent to process special categories of personal data (such as information about religion)?
- Can parents give consent on behalf of their children for GDPR purposes?
- I have contact details for family members which I have obtained through funerals, weddings, baptisms and so on. Do I need consent before I contact them about events? Also, do I need consent before sharing their contact details with other vicars?
- What does “consent” really mean in practice? Does it have to be in writing? Also, can consent be implied (for example, we have been sending parishioners newsletters for years, can we treat it as valid consent if they have never opted-out or complained)?
- I understand that under data protection law we need to make sure that the personal data we have is kept secure. This is not something I have thought about before. Where do I start with this?
- I need to enter a password before I can access the start screen on my laptop. Does this count as encryption?
- I would like to include photographs of a recent event in the parish newsletter. Do I need to get consent for this?
- We have lost a laptop containing staff and payroll information. The laptop also contained scanned copies of staff employment contracts. The laptop was not encrypted. Do we need to tell anyone?
- I have heard a lot in the news about cyber threats and organisations being hacked. Is this relevant to our parish?
- I notice in the ‘Consent, Right and Accountability’ section of ‘A Brief Guide to Data Protection for PCC Members’ that from May 2018 people will need to give their consent before we send marketing communications. We send a Benefice Magazine to every household in the benefice which advertises Benefice Church events and also has advertisements from local or relevant traders. Should we be getting consent to deliver this before we push them through people’s letterboxes?
- Is there anything extra we need to be thinking about when we use contractors to handle personal data. For example, IT contractors?
- Under the GDPR individuals have a “right to be forgotten”, ie a right to have their personal data deleted. We have some historic information relevant to an allegation made against a former clergy person. Can that individual exercise their right to be forgotten and require us to delete their personal data?
- Our staff and volunteers use their personal laptops for parish matters. Is this compliant?
- A local charity has contacted us because they are looking for volunteers. We think that a number of our own volunteers would be a good fit for the charity. Can we pass on their details to the charity?
- I would like to collect information about parishioners even though I am not yet sure what I want to do with that information. For example, we are thinking about new events and activities to improve engagement but we don’t have any fixed plans yet. What do we need to do?
- What do I need to do to make sure that the information we have is accurate?
- Is it OK to use memory sticks (also known as USB sticks) to store personal data?
- Can we keep personal data for historical research purposes without consent?
- Do we need consent before sharing information about people who help out in the Parish? For example, we give flowers to comfort people (eg, if they are bereaved) every Sunday. We have a rota so that volunteers know when they are on duty. Do we need to get consent from a volunteer to share the rota with other volunteers?
- Can I use contact details obtained from the electoral roll to contact people with Church news and events?
- We are required by the CRR to post the electoral roll on the door of the Church for 3 to 4 weeks before the Annual Parochial Council meeting. This list includes the name and address of each member of the congregation/parishioner on the list. What are the implications on this vis a vis the Data Protection Act? And can we legally post such information in a public place, ie the main door of the Church?
- Once people have agreed to be in the directory, which we currently only give to people in the directory, with say 200 copies distributed it is virtually impossible to ensure that it won’t be shared, even if you print on the directory that the information in it may not be shared with anyone not included.
- Can we still publish our electoral roll?
- Will we need to seek consent to publish the electoral roll?
- Can we still send details of deanery synod elections and churchwardens elected etc. to the diocesan office. Will we need consent to do this?
- Can you please clarify the statement “This allows religious (amongst others) not-for-profit bodies to process data without specific consent as long as it relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent.” I am concerned that parishes may think they don’t need consent for any processing of information.
- My parish is in a multi-parish benefice – how do the consent and privacy forms relate to that situation rather than the single parish/benefice situation?
- Children and GDPR
- We have paid staff and the payroll is provided by another organisation (e.g. a Diocese or payroll service provider) – can we still share information with them?
- Do we need to get all of our existing consents with people renewed?
- What are the implications of the incumbent being a separate data controller?
- Safeguarding advice appears to be – keep everything. A diary or parish magazine from twenty years ago can show that someone was not where it is alleged they were, or was not a churchwarden when they claimed to be. Is this in conflict with the right to be forgotten?
The PCC and the incumbent are separate data controllers – please see “Who is responsible for compliance in the Diocese?” for more information.
Each parish will be a separate data controller. You should make sure that your privacy notice and consent forms make it clear that you are processing the data on behalf of multiple parishes. In addition, you should have a data sharing agreement between the parishes which documents the rules around sharing data, for example, which parish is responsible for the privacy notice and consent form, who responds if an individual makes a complaint or subject access request, and so on. The agreement does not have to be formal: an exchange of emails or a letter signed by each parish would be fine, so long as the email / letter covers all of these points.
The data controller is the person (or organisation) who is legally responsible for data protection compliance. They decide the manner in which and the purposes for which the personal data are processed. Often there will be more than one data controller. For example, if both the incumbent and the PCC use a set of personal data about parishioners then both will likely be a data controller of that information.
4. Is the phrase “incumbent or priest-in-charge”, when used in the parish resource leaflet, being used generically, i.e. for all ministers, or specifically for those of incumbent status? If generically then all ministers, whether incumbent, associate priest, curate, reader lay pastoral assistant etc. are data controllers and each will have to be able to demonstrate that they are complying with the GDPR. If “incumbent or priest-in-charge” is being used in the legal sense then who will be the data controller for the data that colleagues hold, the incumbent or the PCC?
An incumbent is a data controller. Team vicars, priests-in-charge and other self-supporting clergy come under the remit of the PCC as data controller (and of the incumbent), and as part of their own individual data responsibilities they are also responsible for ensuring that data shared about individuals (eg for funerals, weddings etc) is held appropriately. All other individuals (pastoral workers etc) in a parish who hold data about individuals do so in their roles/ministry in the wider parish, and ensuring they are compliant rests with the incumbent (for good practice and leadership) and the PCC.
A privacy notice (also known as a transparency notice) is to inform parishioners (and other individuals that you hold information about) how their personal data is used. Providing a privacy notice is part of the obligation to process personal data fairly, which is a fundamental principle of data protection compliance. You can find a sample privacy notice here: http://www.parishresources.org.uk/gdpr/
We suggest that incumbents should be thinking about the following in particular: (1) Making sure that privacy notices and consent forms cover incumbents (in addition to the PCCs); (2) Documenting how personal data is shared between them and the wider Diocese. We suggest that there should be some form of agreement in place between the incumbent and the PCC setting out key data governance issues such as who is responsible for the privacy notice, what happens if a data subject makes a complaint or seeks to exercise any of their rights, and so on. The agreement does not have to be lengthy or particularly legalistic. A letter or exchange of emails would suffice so long as it covered the key points.
A copy of the privacy notice must be provided to the individual when they first provide their personal data. If the individual’s personal data is provided by a third party then the privacy notice must be provided to the individual on the earlier of: a reasonable time period (being no more than one month); when you first communicate with the individual; and, if disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed to that recipient. The notice should also be published on the parish’s website (in addition to being provided on request) so that it can be easily accessed for future reference. There should be a link to the privacy notice on every page of the website. It goes without saying that providing the privacy notice should be done with the appropriate level of sensitivity. For example, if you are discussing funeral arrangements with a deceased’s relatives then it may not be appropriate to hand them a lengthy privacy notice at the first meeting. An alternative might be to include a brief summary of key information (eg, in a FAQ document covering other matters relating to funeral arrangements) with a link to the full version of the notice on your website.
A privacy notice should be provided to anyone about whom the parish will hold or process personal data. This includes children, as well as adults. Children are permitted to exercise their own rights in relation to their data once they are mature enough which is often taken to be from and including the age of 12. Therefore, we would recommend providing an age-appropriate privacy notice to children once they reach this age.
An individual has a right to request a copy of the personal data held about them. This is known as making a subject access request or SAR. A SAR does not have to be labelled as such and does not even have to mention data protection. Under the GDPR a request can be made verbally or in writing (including by email or social media); there is no longer a requirement for it to be in writing, so if a request is made verbally you should make a written note of what was asked for and when. For example, an email from a parishioner or clergy person which simply states “Please send me copies of all emails you hold about me” is a valid SAR.
Guidance on specific retention periods can be found here:
http://www.lambethpalacelibrary.org/content/record... Please note that this guidance will likely need to be updated to take account of GDPR. The Independent Inquiry into Child Sexual Abuse (formerly the Goddard Inquiry) has issued retention instructions to a range of institutions regarding records relating to the care of children.
In light of this, many institutions are temporarily ceasing the routine destruction of those records which might be relevant to the Inquiry in case they are requested by the Inquiry or made subject to a disclosure order. This means that before destroying any document you should consider if it contains information that may fall within the Inquiry’s remit. The range of documentation which might need to be kept is wide. Accordingly, we suggest you seek advice from Jan before destroying any records, this is the case even if the retention period contained in the guidance referred to above has been reached.
a) Children’s activities (the simple details of where there were Sunday Schools, holiday clubs, choirs etc): 50 years after the activity has ceased.
b) Safeguarding records relating to concerns raised, risk assessments etc: 70 years after the last contact with the individual.
(The Diocese could retain these records for a PCC, but a separate agreement about records storage will need to be agreed and minuted by the PCC so that there is always clarity of access.)
c) Personnel files for employees (or volunteers, where these are available) for anyone working with children or vulnerable adults: 75 years after employment ends.
(The Diocese could retain these records for a PCC, but a separate agreement about records storage will need to be agreed and minuted by the PCC so that there is always clarity of access.)
d) Application forms for those not successful at application stage: 1 year after the role has been filled, after which the form should be shredded and destroyed.
In principle yes, but you need to make sure that it is used in a way that is data protection compliant. In particular, you should carry out a data protection impact assessment, which will involve thinking about: (1) What you plan to do; (2) An assessment of necessity and proportionality; (3) What the risks are; and (4) How to mitigate those risks. One of the features of many online document storage systems is that they are designed to make it as easy as possible to share information. As such it is important to make sure that the system is going to be secure in practice. The sorts of questions you may wish to ask include: Is there a risk that documents could be downloaded to someone’s personal computer? Could access permissions be changed inadvertently? Can “anyone with the link” sharing be switched off? Can accounts be protected with two-factor authentication, and can you see who has access and remove it promptly when a volunteer leaves? Some organisations have concluded that using “off the shelf” document storage systems is too risky and instead use bespoke systems. This may be especially relevant where the platform is intended to be used to store information which is especially sensitive, such as safeguarding or child protection information. It is possible to purchase software which is specifically aimed at protecting high risk information, such as child protection information. Finally, an online document storage provider is likely to be a “data processor”, so you should also read the FAQ on using contractors to handle personal data.
Under the GDPR organisations must carry out a data protection impact assessment (DPIA) if what is planned is likely to result in a “high risk” to individuals. The following are all examples of when it would be appropriate to carry out a DPIA: If you plan to introduce a new IT system or use or store personal data in a different way (for example, if you decided to switch from paper to using online storage such as Dropbox). You should also carry out a DPIA before carrying out monitoring (eg, CCTV or installing software to track staff internet browsing habits). It is also good practice to carry out a DPIA in relation to any personal data you hold about children. The DPIA must include 1. A detailed description of what you plan to do and why (including legitimate interests relied on); 2. an assessment of necessity and proportionality (ie, “is what we are doing necessary and proportionate”); 3. an assessment of the risks; and 4. steps taken to mitigate those risks.
We are following up with the national church officers.
14. What is the position about weddings / baptisms / funerals from past years? I guess we can send baptism anniversary cards and Christmas cards to wedding couples provided it is simply that, if we use it to advertise or fund raise then presumably we will need consent?
You do not need consent to send anniversary cards, assuming the recipient is someone you are in “regular contact” with. Regular contact does not mean frequent, so this would be fine even if the recipient only attended the Easter service every other year, for example. Anniversary cards are great, and you might also want to add in the card the website of the Church, or just an encouraging sentence that you hope they might like to look at the Church and what it’s up to. We assume that the cards would be sent in the post, the rules are a bit more restrictive for email communications and for email you will often need to get consent. This is because the card may count as marketing (especially if you do decide to include some wording encouraging them to look at what the Church is up to) and email marketing almost always requires consent.
You do not need consent to contact people about the All Souls Service if the individual is someone you are in regular contact with. However, where there is no regular contact (which may often be the case for family members of the deceased) we suggest that the best way round this is to ask them verbally if you can stay in touch. If they say yes, send a follow up card/letter along with a consent form and envelope, in which you let them know specifically how you would like to be in touch with them, and include the details of the service and how their loved ones’ names will be remembered/read out. They can then sign their consent for you to be in touch (the consent can be for five years, and they can withdraw it at any stage, eg if they move away). The actual anniversary of death or funeral is a matter of public record so these can be stated in a parish magazine. In addition, the GDPR only applies to living individuals.
You can keep this information so long as you have a good reason to do so. It is of course fine to keep notes of funeral visits so that you can prepare the sermon and also going forward if you need to keep notes as part of ongoing support to the family. The key is that you must be transparent so that people understand why their data is being kept. You could therefore have an explanation in your privacy notice or in an information leaflet made available to the family which cross refers to the privacy notice.
17. Currently, material is frequently sent home with children promoting events at church that have nothing to do with school life. Do our schools now have to obtain the express permission of parents to communicate with them about church rather than school affairs? The Diocesan vision wishes us to consider our schools as an extension of our worshipping communities but these regulations appear to work in precisely the opposite direction.
The “belt and braces” approach would be to seek consent. However, there is a strong argument that seeking consent is not necessary but there is a risk that this could be challenged by the ICO (the data protection regulator). If you decide not to seek consent then the School should still notify parents and pupils about the practice. This gives parents (and older pupils) the opportunity to object. Where parents (or older pupils) do object, the School should keep a list of these to ensure that material is not sent home with these particular children. The church material should be passed to the School to distribute to the children. The School should not pass on personal data to the wider church without consent (even if it decides not to seek consent for the initial communication to parents). If the parent wanted to attend a church event, they should either contact the relevant parish direct or give their consent to the School passing on the information.
The Education Department and BDAT will inform and work with schools directly.
19. Are the downloadable forms on the Diocese website going to be amended so that people can opt out of sharing information with any other body / organisation? E.g. after gift aid receiving requests from charitable organisations for money.
We are seeking external legal advice about gift aid from the national church officers, but currently no individuals’ information is shared with any other external charity.
You will need specific permission for this.
You can always have a conversation and hand out any information fact sheets etc that people can then take further if they wish. It would also be fine to publish something on the parish website or parish Facebook wall, for example.
Yes, these documents should be retained for 75 years after employment ceases.
Under the GDPR, religious (amongst others) not-for-profit bodies may process data without specific consent as long as it is for legitimate purposes and relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent. We are calling this the “legitimate purposes” rule. As an exception, consent will still be required for certain types of marketing communication even if the legitimate purposes rule applies. For example, you will still need consent to send a fundraising email.
Children can exercise their own rights in relation to their data once they are mature enough, which in practice is often taken to be from and including the age of 12. This means that any consent should often come from the child (rather than a parent) once the child is aged 12. However, in many cases it will still be appropriate to involve the parent until the child is older, eg, by requiring both the parent and the child to sign the consent form until the child is 16. For children who do not have sufficient maturity (ie, the majority of those aged 11 and younger) the parent can give consent on behalf of their child. If you are offering an online service to a child and you are relying on consent as the basis for doing this then the consent can come from the child once the child is aged 13. In other words, the general rule that children can exercise their rights from and including the age of 12 is displaced for online services where consent is sought.
25. I have contact details for family members which I have obtained through funerals, weddings, baptisms and so on. Do I need consent before I contact them about events? Also, do I need consent before sharing their contact details with other vicars?
There are a number of points to consider here. First, you need to make sure that individuals know that you have got their details and why. As part of this, they should be provided with a copy of the privacy notice. Whether you can contact them without consent will depend on the reason why you want to contact them. For example, if it is to invite them to attend a fundraising event then we suggest that consent should be sought. You will need their consent before sharing with other vicars unless that sharing was clearly within the expectation of the individual concerned. For example, you would not need consent if a vicar had to step in to cover a funeral at short notice.
26. What does “consent” really mean in practice? Does it have to be in writing? Also, can consent be implied (for example, we have been sending parishioners newsletters for years, can we treat it as valid consent if they have never opted-out or complained)?
Under the GDPR, consent must be freely given, specific, informed and unambiguous. In many cases, it will need to be explicit as well. This means that the following should be kept in mind in particular: (1) Consent should be sought using a form which requires the individual to tick a box to consent (opt-in consent). If the form states that the individual will be treated as having consented unless they state otherwise then this will not count as valid GDPR consent. (2) You should break down the consent as much as reasonably practicable. For example, if you are seeking consent for two different things then you should have a separate tickbox for each. In addition, if you are asking for consent to add a parishioner to your mailing list then you should have a separate tick box for each channel of communication, for example: email, post, text message. (3) You must not “bundle” consent with other matters. For example, imagine a parishioner was told that appearing on the electoral roll meant that they were deemed to consent to receiving the parish newsletter. This does not count as valid consent. (4) People must be told about their right to withdraw their consent and it must be as easy for someone to withdraw their consent as it is for them to give it. (5) You must keep a record of consents obtained.
The starting point is that you must make sure that you have taken appropriate “technical” and “organisational” measures. Technical measures cover things such as using encryption, keeping software up to date, using strong passwords that are not shared between people, restricting who can access what, and making sure that data is backed up (and that the backup can actually be restored). Organisational measures concern training staff, clergy and volunteers on the data protection risks, having written data protection policies and procedures in place and auditing your data protection compliance. It is important to think about how you can apply these principles in practice, for example when people work “on the go” or use a family computer for PCC and / or parish matters.
Encrypting data means that the data is encoded so that it cannot be read without the key needed to unlock it. Sometimes the key is in the form of a password that must be entered before the data can be read, but there are other types of encryption; for example, sometimes data can only be decrypted after you have inserted a key fob (a hardware token) into your computer. The password you enter when you first turn on your laptop does not, on its own, count as encryption: it only controls who can log in, and if the disk itself is not encrypted anyone who removes the drive or boots the laptop from a USB stick can read the files directly. The login password only gives this protection if it also unlocks full-disk encryption such as BitLocker (Windows) or FileVault (macOS), so check that one of these is actually turned on.
Yes, you will need to do so in the vast majority of cases. For children, the consent should come from the parent until the child has reached 12. Once they are 12, the consent should come from the child and the parent. Once they are 16 or over, the consent just needs to come from the child.
You must inform the ICO (the data protection regulator) within 72 hours of becoming aware of the incident unless the incident is unlikely to result in a risk to individuals. In addition you must inform the affected individuals themselves if the risk is “high”. In this case, owing to the possibility of identity theft, it is likely that both the ICO and the staff concerned will need to be told. In addition, you will need to inform your insurers and you may also want to report this to the Police. Had the laptop been properly encrypted with a key the thief could not obtain, the risk to the individuals would normally be much lower and it is unlikely that they would need to be told; this is one of the practical reasons for encrypting laptops. Whatever the outcome, keep a written record of the incident, what was decided and why.
If you have been hacked as a consequence of failing to put adequate measures in place to protect your systems then you will likely be in breach of the GDPR (assuming personal data has been put at risk). There are a number of online resources to help deal with cyber threats. This includes Cyber Essentials, which is a government backed scheme containing standards relevant to cyber security. Further information can be found here: https://www.cyberessentials.ncsc.gov.uk/
32. I notice in the ‘Consent, Right and Accountability’ of the ‘A Brief Guide to Data Protection for PCC Members’ that from May 2018 people will need to give their consent before we send marketing communications. We send a Benefice Magazine to every household in the benefice which advertises Benefice Church events and also has advertisements from local or relevant traders. Should we be getting consent to deliver this before we push them through peoples letterboxes?
You only need consent if you are processing personal data in relation to sending out the magazine. For example, if the magazine is being sent to every household in the benefice and is addressed “Dear Resident” rather than “Dear Mrs Smith” then consent is not required.
This is a specific question you should raise in the first instance with Jan Smart, as part of your specific questions to GDPR leads.
34. Under the GDPR individuals have a “right to be forgotten”, ie a right to have their personal data deleted. We have some historic information relevant to an allegation made against a former clergy person. Can that individual exercise their right to be forgotten and require us to delete their personal data?
The right to be forgotten is subject to a number of exemptions. For example, you do not have to comply with a request if you have a legal obligation to keep hold of the information, or if you need the information to defend a claim. In addition, you can likely keep the information if doing so is in the public interest, this will likely apply in many cases where historical allegations have been made.
This is a tricky area because the GDPR requires you to protect information held on computer (and paper records as well) with measures appropriate to the risk. Allowing staff and volunteers to use their personal laptops without any extra protection in place is unlikely to be compliant. You could think about giving staff and volunteers secure remote desktop access so that everything they do is saved centrally to the parish systems, but we do appreciate that this is not practicable for many parishes. An alternative, which will go a long way to reducing the risks (even if this is not quite enough on its own for GDPR purposes), would be to require staff and volunteers to encrypt anything on their computer that is church related. Some modern computers come with encryption built in (which means that the data is encrypted automatically without staff / volunteers having to do anything, provided it has been switched on) and it is also easy to download encryption software from the internet. At a minimum, church material should sit under a separate user account rather than a shared family login, the computer should lock automatically when left unattended, and security updates should be installed promptly. In addition, you should ensure that staff and volunteers are given training on the data protection “dos and don’ts” and that this training is backed up by written policies and procedures.
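The two FAQs above (whether a login password counts as encryption, and personal laptops used for parish work) both come down to one question: is the disk the files live on actually encrypted? The script below is an added example, not part of the original guidance. On a Linux laptop it reads the output of `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` and walks up from the filesystem mounted at `/` through its parent devices, reporting whether a `crypt` (dm-crypt/LUKS) device is anywhere in that chain; this handles the common LVM-on-LUKS layout where the root volume is not itself the encrypted device. The helper name `root_is_encrypted` and the two sample listings are constructed for the example. On Windows the equivalent check is `manage-bde -status` (BitLocker); on macOS it is `fdesetup status` (FileVault).

```shell
#!/bin/sh
# Added example (not from the original page): decide whether the filesystem
# mounted at "/" ultimately sits on an encrypted (dm-crypt/LUKS) device.
#
# Input is the output of:  lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME
# The -P (key="value") format is used because the raw/tree formats leave
# empty columns blank, which breaks naive whitespace splitting.
#
# Return codes: 0 = root is on an encrypted device, 1 = it is not,
#               2 = no device mounted at "/" was found in the listing.
root_is_encrypted() {
    printf '%s\n' "$1" | awk '
        {
            name = ""; type = ""; mnt = ""; pk = ""
            if (match($0, /^NAME="[^"]*"/))       name = substr($0, RSTART + 6,  RLENGTH - 7)
            if (match($0, / TYPE="[^"]*"/))       type = substr($0, RSTART + 7,  RLENGTH - 8)
            if (match($0, / MOUNTPOINT="[^"]*"/)) mnt  = substr($0, RSTART + 13, RLENGTH - 14)
            if (match($0, / PKNAME="[^"]*"/))     pk   = substr($0, RSTART + 9,  RLENGTH - 10)
            if (name == "") next
            types[name] = type
            parents[name] = pk          # PKNAME is the parent device (empty for a whole disk)
            if (mnt == "/") root = name
        }
        END {
            if (root == "") exit 2
            # Walk up the chain: root fs -> LVM volume -> crypt mapping -> partition -> disk.
            # A "crypt" device anywhere in that chain means the data at rest is encrypted.
            for (dev = root; dev != ""; dev = parents[dev])
                if (types[dev] == "crypt") exit 0
            exit 1
        }'
}

# Constructed sample listings (not captured from a real machine).
# LVM on top of LUKS: the root LV's parent is the "cryptroot" mapping.
SAMPLE_LUKS='NAME="nvme0n1" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="nvme0n1p1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="nvme0n1"
NAME="nvme0n1p2" TYPE="part" MOUNTPOINT="" PKNAME="nvme0n1"
NAME="cryptroot" TYPE="crypt" MOUNTPOINT="" PKNAME="nvme0n1p2"
NAME="vg-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="cryptroot"
NAME="vg-swap" TYPE="lvm" MOUNTPOINT="[SWAP]" PKNAME="cryptroot"'

# Plain install: root partition directly on the disk, nothing encrypted.
SAMPLE_PLAIN='NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="/" PKNAME="sda"'

# Print a human-readable verdict for a listing; the "if" keeps a non-zero
# return code from aborting the script under "set -e".
report() {
    if root_is_encrypted "$2"; then rc=0; else rc=$?; fi
    case $rc in
        0) echo "$1: root filesystem is on an encrypted device" ;;
        1) echo "$1: root filesystem is NOT encrypted (a login password alone does not protect the files)" ;;
        *) echo "$1: could not find a device mounted at / in the listing" ;;
    esac
}

report "sample-luks" "$SAMPLE_LUKS"
report "sample-plain" "$SAMPLE_PLAIN"

# On a live Linux system, run:
#   root_is_encrypted "$(lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME)" && echo encrypted
```

The check deliberately distinguishes "not encrypted" from "could not tell" (exit code 2), so a listing that simply lacks the root mount does not get reported as safe.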
36. A local charity has contacted us because they are looking for volunteers. We think that a number of our own volunteers would be a good fit for the charity. Can we pass on their details to the charity?
Not without consent.
37. I would like to collect information about parishioners even though I am not yet sure what I want to do with that information. For example, we are thinking about new events and activities to improve engagement but we don’t have any fixed plans yet. What do we need to do?
First, you should make sure that what you are planning to do is covered by your privacy notice. In some cases you will need consent before you collect information. However, you cannot be collecting personal data on the off-chance you might need it for some future (as yet undefined) purpose. Therefore we suggest that you hold off for now until you are clearer about what you plan to do.
You must take “every reasonable step” to ensure that the personal data you hold is accurate. For example, staff and volunteers should be reminded on an annual basis to tell you if their details have changed.
This should be avoided if possible. Memory sticks are easily lost, it would be better to store personal data centrally. If memory sticks are to be used then at the very least we suggest that they should be encrypted.
The short answer is yes although the GDPR requires certain safeguards to be put in place. In addition, individuals have a right to object to their personal data being kept for historical research purposes.
41. Do we need consent before sharing information about people who help out in the Parish? For example, we give flowers to comfort people (eg, if they are bereaved) every Sunday. We have a rota so that volunteers know when they are on duty. Do we need to get consent from a volunteer to share the rota with other volunteers?
This does not require consent so long as the rota is only shared with clergy, staff and volunteers. If the rota was to be made available to the public (eg, if it was printed on the noticeboard in the church) then consent would be required. Please note that consent must be specific, so if someone had consented to appearing in the directory you would need another consent for the noticeboard.
The electoral roll information cannot be used to contact individuals with Church news or events, unless the individual has consented. As a general rule you can send people information about news and events by post so long as: (a) you have been transparent with them (eg, you tell people in your privacy notice this is what you plan to do); (b) it is within their reasonable expectations that they will be contacted in that way; and (c) they are someone who is a member (or former member) of the parish or someone you are in regular contact with. However, in the vast majority of cases you would need consent before sending news and events related communications by email.
43. We are required by the CRR to post the electoral roll on the door of the Church for 3 to 4 weeks before the Annual Parochial Council meeting. This list includes the name and address of each member of the congregation/parishioner on the list. What are the implications on this vis a vis the Data Protection Act? And can we legally post such information in a public place, ie the main door of the Church?
You can (in fact must) publish the electoral roll in this way because you are under a legal obligation to do so. However, you must be very transparent with individuals so that they are informed beforehand that their details will be published in this way. You could do this by, for example, having clear and prominent wording on the application form to join the electoral roll. If, however, you wanted to publish the roll anywhere else, for example in a directory, then you would likely need consent for that.
44. Once people have agreed to be in the directory (which we currently only give to people in the directory), with, say, 200 copies distributed, it is virtually impossible to ensure that it won’t be shared, even if you print on the directory that the information in it may not be shared with anyone not included.
You need to make sure that the consent form makes it clear that the directory will likely be shared with the public at large.
Yes – the Church Representation Rules (CRR) require that “(11) The roll shall where practicable contain a record of the address of every person whose name is entered on the roll . . .” and that “(3)
After the completion of the revision, a copy of the roll as revised shall, together with a list of the
names removed from the roll since the last revision (or since the formation of the roll, if there has
been no previous revision), be published by being exhibited continuously for not less than fourteen
days before the annual parochial church meeting on or near the principal door of the parish church
in such manner as the council shall appoint.”
Because the CRR require publication, this will be considered to be a legitimate activity of a not-for-profit body under the GDPR, so data will still be able to be processed in this way. The CRR are part of the Synodical Government Measure 1969 and they prescribe the relevant forms in relation to administrative matters dealt with by the PCC. You will not be able to alter the forms unless the amendments have gone through the synodical legislative process at the General Synod.
The forms themselves already state that the names of individuals will be published on or near the church door. For instance, see “Form of Notice of Revision of Church Electoral Roll”. Indeed, under r.2(1) this “Form of Notice” of the intended revision is itself published on or near the church door of every church in the parish and every building licensed for worship and will remain there for a period of not less than 14 days prior to the revision, making individuals aware that the revised roll will be published, so giving them a chance to object. So, if they do not object, by applying to have their name entered on the electoral roll they are already consenting to its publication in the manner set out above.
Nevertheless, you can take the additional measure (if you so wish) of letting people know where and for how long their details will be publicly displayed, by providing such information in a covering letter with the enrolment forms. If there are reasons why someone’s details cannot be made public they should let you know (e.g. they are in a sensitive position (prison, police, army etc.) where publication of these details could cause harm or damage). The rules cited above do say “where practicable”.
No – as the CRR require publication, this is a legitimate activity of a not-for-profit body under the GDPR and so data can be processed in this way. In addition, by applying to have their name placed on the electoral roll, individuals are consenting to their personal data being processed in accordance with the CRR. See the answer above for further details.
Yes, you can share this information with the Diocese – managing and administering the elections will require the Diocese to process this information, and this is stipulated in the CRR. Consent will not be needed for the data to be shared for this purpose. Indeed, if you stand for election you would expect your data to be shared with the diocesan office. The Rules state that the results will be sent to the Diocesan Electoral Registration Officer.
48. Can you please clarify the statement “This allows religious (amongst others) not-for-profit bodies to process data without specific consent as long as it relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent.” I am concerned that parishes may think they don’t need consent for any processing of information.
The longer version of our guide to GDPR for parishes – PDF HERE provides more information on what can be processed without consent and what does need consent.
Provided you make it clear in your privacy notice and consent form that you are processing the data on behalf of the whole organisation (whether a single parish or a multi-parish benefice), it will be ok to use a single privacy notice and consent form.
With regard to children, the ICO has stated that if an organisation offers services over the internet directly to children (in the UK, under the draft Data Protection Bill, this will be anyone under the age of 13), then you will need parental consent in order to process their personal data lawfully.
Other than this, there is little fundamental change to the rights of children, who are considered as individuals in their own right. Children’s data (where online services are not involved) is covered by the fact that children are considered to be a vulnerable group and therefore warrant specific consideration and protection (i.e. they must be provided with clear information about what, why, how etc., and must be able to understand the risks, consequences and safeguards and their rights), but otherwise they are accorded the same protections as adults in the DPA and the GDPR.
a. You must have clear and age-appropriate privacy notices for children.
b. The right to request erasure is particularly relevant when consent was given when the individual was a child.
c. The concept of competence remains valid under GDPR – you may wish to give an individual with parental responsibility for a young child the ability to assert that child’s data protection rights on their behalf or consent to processing their data.
d. If an older child is not deemed competent to consent or exercise their own rights you may allow an adult to do this.
e. You can still process a child’s data under legitimate interests.
f. Privacy by design is the same and should be properly considered when processing children’s data.
g. So, for example, with regard to a youth group mailing list – parental consent may be considered appropriate depending on age and competence, i.e. do the children understand the implications of the collection and processing? If yes, they can give their own consent, unless it is clear they are acting against their own interests.
Yes – the third party is processing data on your behalf. You do, though, need to make sure that the contract you have with them is compliant with the GDPR (speak to your diocesan registrar and/or the data protection officer at the diocesan office); in particular it will need to set out in clear terms what the organisation is doing with the data on your behalf, and where and how securely the data is held.
Not necessarily. Where you rely on consent, the ICO has stated that it will not be required to obtain fresh consent from individuals if the standard of that consent meets the requirements of the GDPR, i.e. consent has been clearly and unambiguously given and you have a record of that consent. Nevertheless, it is important to review all consent mechanisms to ensure that they meet the standards required under the GDPR. If you cannot reach the high standard of consent as set out in the GDPR, you must look for an alternative legal basis for processing the data or stop processing the data in question. Under the GDPR, consent must be verifiable. This means that some form of record must be kept of how and when consent was given. Consent must be freely given, specific, informed and unambiguous (i.e. consent requires clear affirmative action from the individual, the data subject). Silence, pre-ticked boxes or inactivity (e.g. just staying on a website or not responding to a request) will not be sufficient. Individuals must also be informed of their right to withdraw consent at any time and how they can do this. In fact, it should be no more difficult to withdraw consent than it is to grant it.
The incumbent is responsible for ensuring that he/she manages personal data provided by data subjects in line with GDPR, so all of the guidance provided is applicable to incumbents as well as PCCs.
54. Safeguarding advice appears to be – keep everything. A diary or parish magazine from twenty years ago can show that someone was not where it is alleged they were, or was not a churchwarden when they claimed to be. Is this in conflict with the right to be forgotten?
“The right to erasure”, also known as the right to be forgotten, in the GDPR is the right to request the erasure of personal data in certain limited situations, such as where the personal data is no longer necessary for the purposes for which it was collected or processed, or where the data subject withdraws consent to the processing (where consent is the legal basis relied upon to process the personal data). Therefore, all personal data that can be legitimately held will continue to be so, unless and until one of the provisions permitting erasure of personal data under the GDPR applies (such as the purposes for which it is being processed having ceased, or consent having been withdrawn where relevant). Firstly, the Independent Inquiry into Child Sexual Abuse (IICSA) has certain statutory powers under the Inquiries Act 2005, and using those powers it has already stated that we should not destroy any personal data that might be relevant to the inquiry; the ICO has agreed this too. Secondly, with regard to material, such as the parish magazine, which is already in the public domain, the so-called “right to be forgotten” will be irrelevant because the material in question is already publicly available. Indeed, it would be completely impractical to request that individuals destroy material, such as parish magazines, that has been made publicly available.