Assistance for Chapels / Documents / 25. General Data Protection Regulation

The General Data Protection Regulation (GDPR) and how it affects Us

A circular letter to the churches was sent out on 18 May 2018, the text of which can be downloaded here.  This web page give more details of the new law and the ability to download and modify for your own use samples of some of the documents required.

The new General Data Protection Regulation governs the use and security of personal data held by all organisations.  It will therefore affect churches and chapels.  Some with a small congregation where everyone knows everyone else and where they live, will hardly be affected.  Other larger congregations will need to do more work to ensure that they comply with the law. The GDPR is not intended to restrict the processing of personal data, but rather align it to the modern digital world and ensure that such processing is done in a way that protects the rights of those whose data is being held by others.
 
The aim of the new regulations is simply to control the use and abuse of personal data – to prevent situations such as a person giving a donation to a charity and then finding they are swamped by begging letters from other charities pleading for money, because their contact details have been passed on to other charities without permission.  The principles of the new regulations are straightforward and can be summarised fairly simply. 

Underlying Principles

These include that personal data:
  • • Must be processed lawfully, fairly and transparently.
  • • Is only used for a specific processing purpose that the data subject has been made aware of and no other, without further consent.
  • • Should be “adequate, relevant and limited,” i.e. only the minimum amount of data should be kept for specific processing.
  • • Must be “accurate and where necessary kept up to date.
  • • Should not be stored for longer than is necessary, and that storage is safe and secure.
  • • Should be processed in a manner that ensures appropriate security and protection.

The Key Changes to the Law

  • • Changes to how consent can be obtained from data subjects for the use of their data. For example, data subjects (people who have data about them held by a third party) have to explicitly “opt in” to allowing their data to be shared, and it must be made clear for what purpose their data is being used.
  • Data subjects have new rights, such as data portability (the ability of a subject to receive data held about them for the purpose of passing on to another party) and the right to be forgotten (for a subject to have any data held about them erased).  There is new guidance around requests by a person to an organisation to tell them what personal data is held about them (that is, to access that data).
  • Data must only be used for the purpose it was gathered for and should be deleted when it is no longer needed for that purpose.
  • Sanctions over sharing data outside the EEA (European Economic Area) will be strengthened. This requires organisations to ensure adequacy decisions or appropriate privacy safeguards are in place with organisations holding data outside the EEA.
  • • All new and existing staff and other key data users must have suitable training and awareness as well as additional sources of guidance and support when required.  For example, a deacon dealing with gift aid and a pastor’s salary will need to know how to handle sensitive personal data legally.
  • • Conducting Data Protection Impact Assessments (DPIA) in order to design data privacy into any new systems and processes will often be mandatory. E.g. if new technology is deployed, where there is processing on a large scale of “sensitive personal data”, or if profiling is performed which will have an impact on individuals. Some organisations (but highly unlikely to apply to chapels) will need to appoint a Data Protection Officer.
  • Data breaches (the intentional or unintentional release of personal data to an unauthorised party, however this occurs) must be reported where this is required, to the ICO (Information Commissioner’s Office) within 72 hours of the breach.
  • • A new principle of ‘accountability’ puts the burden on chapels for compliance, requiring them to produce and maintain documents that demonstrate what actions have been taken to achieve compliance.

Consent, Rights and Accountability

From May 2018, any personal data given for a specific purpose (e.g. to inform members of the congregation of any change to the services due to unforeseeable circumstances) can be used for that purpose only.  If you wish to use their name and address e.g. to send them any other information, people will need to give their consent for you to do it. This consent will need to be clear and unambiguous - some form of positive action to “opt-in.” You will need to gather this consent, and it must be documented and you need to be able to report on what personal data is held about anyone who might ask.
 
Data subjects have a number of rights, including that of knowing how data is used by the data controller (the person managing and controlling the personal data being held), of knowing what data is held about them, of correcting any errors and generally the right “to be forgotten” under certain circumstances. Data controllers, such as the church and its officers, will need to make provision for people to exercise these rights.
 
The GDPR introduces a stronger requirement on accountability for data controllers. This means that you must be able to show that you are complying with the principles by providing evidence.
 
The new accountability principle means that churches must be able to show that they are complying with the principles set out earlier. In essence, you cannot just state you are compliant; you have to prove it and provide evidence. To do this there are a number of actions you need to take, such as documenting the decisions you take about your processing activities and various other ways that show compliance - such as attending training, reviewing any policies and auditing processing activities.

What do you need to do now?

In essence, there are a few things.  Each church should:
  • • Decide who will be responsible for data protection.
  • Review the personal data the church holds and document why it is held, how it was obtained if this is not self-evident, for what purpose it is used, and for how long.  This means all personal data including employees and volunteers, service users, members, donors and supporters and more. You should document your findings because you must keep records of your processing activities. You should also record if you share data with any third parties.  A sample data audit form can be downloaded here which should cover most of the aspects likely to be important. It also includes the likely reasons for you wanting to process the data (see next paragraph) – but you need to confirm this is true in your own case.
  • • Identify and document your “lawful basis” for processing data – To legally process data under the GDPR you must have a “lawful basis” to do so. For example it is a lawful basis to process personal data to deliver a contract you have with an individual. There are a number of different criteria that give you lawful basis to process and different lawful bases give different rights to individuals. Understand and document your lawful basis for processing data. Data can be held and used for one or more reasons which are listed in Appendix 1 below.
  • • Know how you will deal with “subject access requests” – Individuals have the right to know what data you hold on them, why the data is being processed and whether it will be given to any third party. They have the right to be given this information in a permanent form. This is known as a “subject access request” or “SAR”. You need to be able to identify an SAR, find all the relevant data and comply within one month of receipt of the request. Under the GDPR the time limit for responding to SARs is reduced from 40 days to one month and the £10 fee is abolished.
  • • Ensure all data is kept up-to-date and kept securely, i.e. protected against loss both by damage of storage media, theft, fire etc.
  • • Decide on any necessary privacy notices and a privacy policy. You must always tell people who give you personal data freely (i.e. not as part on a contract of employment for example) in a concise, easy to understand way how you intend to use their data. Privacy notices are the most common way to do this and under the GDPR, privacy notices must give information such as how long you will keep data for and what lawful basis you have to process data. This information must be easily accessible, transparent and presented using clear and plain language. A privacy policy deals in more general terms how the organisation collects, stores and uses personal information.  It could include details of your data retention policy, how the data is secured and held, and how a data subject can issue a subject access request. It is helpful for a privacy policy to be displayed in a prominent place, e.g. on an internal chapel noticeboard or on a web site, where it can be referred to within a privacy notice.  An example of a privacy policy can be downloaded here and a sample privacy notice here.
  • • Ensure that the church has documented evidence for the use of any data given freely, if it is likely to use it for any purpose other than that for which it was given.  For example, if the members of a congregation give their contact details to the deacons, is there documented assent to say for what purposes those contact details can be used for?  A sample consent form can be downloaded here.
  • • Ensure that the principles of the GDPR are carried out in the future, and the storage and use of personal data is monitored to this end.
 

Other Helpful References

A more detailed GDPR toolkit with downloadable resources is on the web site of the London Diocese of the Church of England at https://www.london.anglican.org/kb/data-protection/ and to which we acknowledge our indebtedness in producing some of this outline guidance.  It is clear on the general principles of the GDPR, but is confusing on the use of privacy policies and privacy notices.  The official reference to GDPR is on https://gdpr-info.eu/ .  The Information Commissioner’s Office web site is at https://ico.org.uk/.  This has a lot of answers to detailed questions which might arise.
 

Links to Downloads

Circular Letter to Churches 18/5/2018
Sample Data Audit Form
Sample Privacy Policy
Sample Privacy Notice
Sample Consent Form

 

Summary

The requirements of the GDPR are complex, bewildering and daunting to consider. Many churches and chapels will will have little to worry about, but the main things to do are:
1. Audit what personal data you hold and consider whether you hold any data which has been given to you freely (i.e. not part of any contract or business transaction).  Use the sample audit form to help you.
2. Produce a privacy policy;and privacy notices if you need to.
3. If you do hold data given to you freely, make sure you are authorised to hold it, that you keep it safely and only for as long as necessary, and that you use it only for the purposes for which has been given.  If you want to use it for other purposes, make sure you have the assent of the data subject to do so.
4. Make sure that the principles of the GDPR are followed in the future for all data you hold and any othe data you may acquire.
 

Appendix 1 – Reasons for Holding Personal Data

The six lawful bases for holding personal data:

1. Consent: the individual has given clear consent for you to process their personal data for a specific purpose. Consent must be freely given and individuals must be able to withdraw consent without detriment to the running of the organisation.
2. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
3. Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
4. Vital interests: the processing is necessary to protect someone’s life. (E.g. in a life or death situation it is permissible to use a person’s medical or emergency contact information without their consent).
5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
6. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
 
Sensitive personal data which the GDPR refers to as ‘special category data’, means information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health, sexual life, criminal history and allegations. The GDPR adds the following new additional categories: genetic data, biometric data and sexual orientation.  It must be held first on a lawful basis 1-6 (see above) and second, at least one of the following must apply (in a religious context, most likely 1 and 4):
 
1. Explicit consent of the data subject has been obtained (which can be withdrawn).
2. Employment Law – if necessary for employment law or social security or social protection.
3. Vital Interests – e.g. in a life or death situation where the data subject is incapable of giving consent.
4. Charities, religious organisations and not for profit organisations – to further the interests of the organisation on behalf of members, former members or persons with whom it has regular contact such as donors. Note, however, that explicit consent is required for the personal data to be shared with a third party.
5. Data made public by the data subject – the data must have been made public ‘manifestly’.
6. Legal Claims – where necessary for the establishment, exercise or defence of legal claims or for the courts acting in this judicial capacity.
7. Reasons of substantial public interest – where proportionate to the aim pursued and the rights of individuals are protected.
8. Medical Diagnosis or treatment – where necessary for medical treatment by health professionals including assessing work capacity or the management of health or social care systems.
9. Public Health – where necessary for reasons of public health e.g. safety of medical products.
10. Historical, Statistical or scientific purposes – where necessary for statistical purposes in the public interest for historical, scientific research or statistical purposes.