CofE resource for parishes on compliance with the GDPR
The Church of England’s Parish Resources website has posted a summary of the requirements of the General Data Protection Regulation (GDPR) which are relevant to parishes, Data Protection: Parishes and the “GDPR”. Extracts from this document are included below, in addition to some background on the legislation.
The EU General Data Protection Regulation (GDPR) (ref.1) replaces the Data Protection Directive 95/46/EC, and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy, and to reshape the way organizations across the region approach data privacy. After four years of preparation and debate, the GDPR was finally approved by the EU Parliament on 14 April 2016. As primary EU legislation it is directly applicable in all Member States without the need for implementing national legislation, and will take effect on 25 May 2018. Significant penalties may be imposed for non-compliance.
The GDPR gives member states limited opportunities to make provisions for how it applies in their country. Within the UK, the present Data Protection Act 1998 sets out how personal information can be used by companies, government and other organisations. The GDPR changes how personal data can be used and its provisions in the UK will be covered by a new Data Protection Bill; the Data Protection Bill [HL] 2017-19 will repeal the 1998 Act and include other provisions not covered by the GDPR. The Bill was considered at Report Stage (HC) on Wednesday 9 May 2018 and read and passed with Amendments.
The GDPR will be regulated within the UK by the Information Commissioner’s Office (ICO), a non-departmental public body (NDPB) which reports directly to Parliament and is sponsored by the Department for Digital, Culture, Media and Sport (DCMS). Further information on the GDPR and the Data Protection Bill is on the ICO’s web site.
By incorporating the GDPR into UK law, the majority of its provisions will remain post-Brexit, although issues concerning decisions of the CJEU and the European Board of Data Protection are at present uncertain, as is the participation of the ICO in the European Data Protection Board. On 10 October 2017, the House of Commons Library issued the Briefing Paper Brexit and data protection.
CofE Advice for Parishes
The Advice observes that parishes must comply with the requirements of the GDPR, “just like any other charity or organisation”, and provides a number of useful resources:
- a two-page overview, designed for use by PCCs, and a more detailed guide for the person implementing this in the parish;
- Frequently asked questions (FAQs);
- Checklist covering the actions outlined in the guides to help in monitoring progress;
- Template to assist in the data audit, along with some helpful hints;
- Guidance and sample forms relating to consent on the collection and processing of data;
- Sample Privacy Notice for the web site, that can be amended and adopted, and Guidance on writing a bespoke Privacy Notice.
The Advice also notes:
“…whilst you will rely on consent for some of your communications, there will be some data processing you will want to do as part of normal church management for which you will not need to gain specific consent for that particular action – holding lists of group members, for example.
This can be processed as part of the legitimate interests of the PCC, and where ‘special category data’ which reveals religious belief, this can be processed on the basis of a special condition under the GDPR for religious not-for-profit bodies, provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent.
One specific question relates to how churches should run fundraising events and giving reviews – a specific guidance note on this is available here.”
The ICO has a useful self-assessment checker; by going through its questions it is possible to determine whether, as an individual or on behalf of a business or organisation, it is necessary to register with the ICO. Other guidance is also given on its web site.
Importantly, CCTV when used on a property, even that of a domestic householder, will be subject to the Data Protection Act if it captures footage of individuals outside the property. It is then necessary to register as a data controller, and pay the appropriate annual fee.
On 10 May, we posted a Data protection policy statement which indicates how Law and Religion UK will comply with the GDPR.
Reference 1: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Official Journal of the European Union, L119, 1-88.
Relevant provisions within the Regulation are: Articles 3, 28-31 and Recitals 22-25, 81-82.