See also Data Privacy Notice
- This policy is based on law valid throughout the United Kingdom as applied to the Church of England and specifically in the Diocese of Southwell and Nottingham.
- This document aims to be simple and, where necessary, refers to rather than replicates material from the higher authority.
- This policy applies to all parishes within the Benefice.
- The benefice has a responsibility to comply with the GDPR. General guidance is given at http://www.parishresources.org.uk/wp-content/uploads/GDPR-PCC-Guide.pdf
- The principles of the GDPR are similar to those in the Data Protection Act (DPA), with added detail at certain points. The DPA requires that personal data shall be:
- processed lawfully, fairly and in a transparent manner;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. This means that individuals should be told what we are going to do with their personal data before we use it and consent to such use;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are used;
- accurate and, where necessary, kept up to date. Personal data that is found to be inaccurate should be deleted or corrected without delay. All personal data should be periodically checked to make sure that it remains up to date and relevant;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; for instance, records of pastoral care discussions should not be kept for a number of years without justification. Records could be kept, for instance, if all identification features were removed, referred to as “anonymisation”; and
- kept securely. Personal data storage should be safe and secure – in lockable filing cabinets or in password protected computer files. Names and addresses of individuals should not be left unattended.
- The new accountability principle means that we must be able to show that we are complying with the principles of the GDPR. In essence, we cannot just state we are compliant; we have to prove it and provide evidence. To do this there are a number of actions we should take, such as documenting the decisions we take about our processing activities and various other ways that show compliance – such as attending training, reviewing any policies and auditing processing activities.
- The Vicar is a Data Controller for the Benefice.
- Each Parochial Church Council (PCC) within the Benefice is a Data Controller for their respective parishes. PCC minutes should record that all members of the PCC have been informed of their general responsibilities within the GDPR. Each PCC may nominate one of their officers to lead at parish level on GDPR matters, although that individual does not need to be a fully trained Data Protection Officer. That individual should be aware of the guidance in http://www.parishresources.org.uk/wp-content/uploads/Parish-Guide-to-GDPR.pdf.
- The Data Controllers can be contacted via the Parish Secretary at the Parish Office, 107 Main Street, Balderton NG24 3NN or firstname.lastname@example.org.
- The Data Controllers have a responsibility to ensure that a data audit is carried out to identify actions that need to be taken.It is recommended that the Church of England template at parishresources.org.uk/gdpr/dataauditis used to help with this process.
- The data audit should be revisited annually to ensure that everything is still current and no new information needs to be managed.
- A summary of Audit results should be recorded in PCC minutes.
- A master register is to be created listing all the various holdings of personal data within the Benefice. This should provide for each holding details of:
- The Title or Subject Matter of the holding.
- Whether there is any legal or special sensitivity associated with the information held.
- Who is responsible for maintenance and security of the holding.
- The location of the holding.
- Whether the holding is computer-based or purely manual.
- The main data headings within the holding.
- Who has access to the holding.
- Whether information from the holding is passed to third parties and, if so, to whom.
- The master register is to be maintained in the Parish Office by the Parish Secretary.
- For each holding identified in the master register, an assessment is to be made whether the data held complies with the principles of the Data Protection Act. If not, action needs to be put in train to bring the holding into compliance. Progress is to be reported back to the PCC. Records should be held in ways that aid adequate management. A decision also needs to be taken on how long data may be retained. Guidance can be found at http://www.lambethpalacelibrary.org/files/care_of_parish_records_keep_or_bin_-_2009_edition_0.pdf
- Up to 2018, is had been assumed that individuals had given consent for their personal data to be held and processed for Diocesan/Parish purposes. The GDPR now states that specific consent is to be obtained. The following actions are to be taken:
- The Audit should have established which groups of people from whom the PCC should request consent forms.
- A general Consent Form 1 has been produced to enable Churches in the Benefice to obtain contact details from individuals who show an interest in Church Activities. Once completed and signed, this form gives the PCC authority to pass back details of services and other parish activities. Completed forms that have been received will be passed to the Church Wardens to ensure that appropriate action is taken where necessary. The Forms will be placed in a file in the Parish Office and a register of consent forms is to be maintained.
- A more comprehensive Consent Form 2 has been produced. This is to be given to all individuals for whom personal data is held as identified in the data audit. Completed forms will be passed to the Parish Secretary and placed in a file in the Parish Office and a register of consent forms is to be maintained. Those individuals who have responsibility for data holdings are to check this register against their data holdings and carry follow-up action where necessary.
- All general forms in current use should be reviewed to ascertain whether personal data is sought. Some forms may need to be re-drafted to ensure that consent is obtained for that personal data to be recorded and processed. Care needs to be taken with the wording because, if consent is not given, the PCC would not have the authority to contact the individual(s) who provided the information on the form. The Parish Secretary should ensure that any forms provided by the Diocese that appear not to comply with the GDPR are brought to the attention of the diocese for appropriate action.
- Data Subjects should be given the opportunity to read the Benefice Privacy Noticewhich is available from the Parish website or from the Parish Office. If necessary, it can be provided in printed format in conjunction with Consent Forms 1 and 2.
- The GDPR brings into effect special protection for children’s personal data, particularly in relation to commercial internet services, such as social networking. If we offer online services used by children and rely on consent to collect their information, we may need a parent’s or guardian’s consent in order to lawfully use that data. The GDPR sets the age when a child can grant consent at 16, (although the UK Government has proposed in its Data Protection Bill, currently going through parliament, that this be reduced to 13).
- We must to be able to show that we been given consent lawfully and therefore, when collecting children’s data, we must make sure that our privacy/data protection notice is written in a language that children can understand and copies of consents must be kept.
DATA SUBJECTS RIGHTS
- The GDPR includes rights for individuals who are data subjects. These are explained in more detail at http://www.parishresources.org.uk/wp-content/uploads/Parish-Guide-to-GDPR.pdf. Those rights are covered under the following headings:
- The right to be informed.
- The right to access (includes subject access requests).
- The right to rectification (correction).
- The right to erasure (also known as the right to be forgotten).
- The right to restrict processing
- The right to data portability This is highly unlikely to affect parishes
- The right to object.
- The right not to be subject to automated decision-making including profiling
A personal data breach is one that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
- The Benefice breach management procedures are based on guidance in parishresources.org.uk/gdpr.
- Currently, data breaches do not have to be routinely notified to the Information Commissioners Office(ICO) or others (although the ICO recommends that it is good practice so to do). The GDPR makes informing the ICO and the individuals affected compulsory in certain circumstances, (e.g. where there is a high risk to the individuals involved, for instance, through identity theft). Under the GDPR, we will have to notify the ICO of a data breach within 72 hours of finding out about this. It is important that those in the parish note this deadlineand seek the advice of the diocesan registrarabout any suspected breaches without delay.
- More details can be provided after 72 hours, but before then the ICO will want to know the potential scope and the cause of the breach, mitigation actions we plan to take, and how we plan to address the problem.