GDPR and the Church Electoral Roll – Update

Revised advice on compatibility with data protection legislation

The draft Church Representation, Ecumenical Relations and Ministers Measure and draft Amending Canon No. 38 received first consideration in 2017, and the latest report of the Steering Committee includes a reconsideration of their compatibility with data protection legislation. 

Background

The publication of church electoral rolls, for which inspection is permitted, involves processing personal data that reveals the religious beliefs of the data subjects; this is special category data for the purposes of the General Data Protection Regulation (GDPR). The starting point was that the Revision Committee took the decision not to rely on the provisions in data protection legislation that are based on obtaining the consent of data subjects to the processing of their data, as this would impose too onerous an obligation on electoral roll officers and others. Instead, it was decided to rely on a combination of provisions that (a) permit the processing of personal data generally where the processing is required by law; and (b) permit the processing of ‘special category’ personal data (which includes data that reveals a person’s religious beliefs), under Article 9(2)(d) GDPR.

The rationale for adopting this approach was that the processing of data on electoral rolls under the Rules would be required by law, because the Church Representation Rules are statutory and impose legal obligations. As to the processing being carried out in accordance with Article 9(2)(d) GDPR, the processing of data contained on electoral rolls would be a legitimate activity of the Church of England, and the processing would relate solely to its members or former members.

Recent legal advice

However, the Revision Committee identified a difficulty with the reliance on Article 9(2)(d) for the purpose of the publication and inspection of church electoral rolls. A provision at the end of this Article prohibits data being disclosed outside the religious body in question; consequently, if a church electoral roll is published by being displayed at the church, or on a parish website, and if it is open to inspection, the data it contains will potentially be disclosed outside the body of persons who are members of the Church of England.

Legal advice given to the Committee indicated that it will be possible to rely on Article 9(2)(e) of the GDPR for these purposes. Article 9(2)(e) permits the processing of special category data where “processing relates to personal data which are manifestly made public by the data subject”.

There are no decided cases on Article 9(2)(e) and the Office of the Information Commissioner has not issued any relevant guidance. However, the EU legislation which preceded the GDPR contained a provision that was in identical terms to Article 9(2)(e) and that provision was given effect in the domestic law of the United Kingdom by paragraph 5 of Schedule 3 to the Data Protection Act 1998. In cases decided by the courts under the old legislation, it has been held that where it is a legal consequence of a particular act of the data subject that data is made public, that data can be processed on the basis that it has been made public “as a result of steps deliberately taken by the data subject” [reference 2 in the Report, below]. The Committee concluded:

“[15]. … In the case of the church electoral roll, the Committee was satisfied that there was a sound case for taking the view that where an individual applies to have his or her name enrolled on a church electoral roll, the automatic legal consequence of which is that certain data about that individual will be published and open to inspection, that individual is, by submitting his application form, manifestly making public that data.

[16]. On that basis the Committee was content to retain in the new Church Representation Rules the long-established provision requiring the publication of church electoral rolls when they are revised or renewed, and the provision which makes the roll available for inspection. A note has been added to the application form for enrolment so that an applicant for enrolment is informed that the roll will be published.

[17]. Names only will be included in the published version of the roll; other personal data will be excluded.”


Reference

[2]. NT 1 & or v Google LLC & or. [2018] 3 WLR 1165, paras. 110-113. An appeal by the data subject against the decision was due to be heard by the Court of Appeal on 20 December 2018 but was withdrawn. See also Townsend v Google Inc [2017] NIQB 81.

Cite this article as: David Pocklington, "GDPR and the Church Electoral Roll – Update" in Law & Religion UK, 5 February 2019, https://lawandreligionuk.com/2019/02/05/gdpr-and-the-church-electoral-roll-update/

8 thoughts on “GDPR and the Church Electoral Roll – Update”

  1. “[17]. Names only will be included in the published version of the roll; other personal data will be excluded.”

    Which rather leaves the question of how to identify a particular person, from, for example, a surfeit of ‘John Smiths’, if the primary purpose of publication of the Roll is to enable others to challenge if they believe a person to be incorrectly included… Or, indeed, to check if they are included.

    John Henley

    • I expect that initially, the church Electoral Roll Officer would be concerned with “a surfeit of ‘John Smiths’”, though I’m uncertain how he/she might resolve this. With regard to access to the Roll, there are two separate issues: its availability for inspection by bona fide inquirers, as required by Schedule 3, Part I 1(1) of the 1969 Measure, as amended; and in relation to appeals under Part IV of the Schedule. There are no restrictions on bona fide inquirers, but they have no other rights apart from accessing the Roll.

      With regard to appeals relating to: (a) any enrolment, or refusal of enrolment, on the roll of a parish or the registers of lay or clerical electors; (b) the removal of any name, or the refusal to remove any name, from the roll of a parish or the registers of lay or clerical electors, these may only be made by the person concerned or “any person whose name is entered on the roll or register who wishes to object to the enrolment or removal of the name of any other person on that roll or register”. Furthermore,

      “notice of appeal shall be given not later than fourteen days after the date of enrolment, removal or refusal or if the appeal arises on the revision of the roll or register or the preparation of a new roll or register, not later than fourteen days after the first publication of the revised or new roll or register”.

      David Lamming has also written “The Church Electoral Roll: Some Vagaries of The Church Representation Rules”, Ecclesiastical Law Journal, Volume 8, Issue 39, July 2006, pp. 438-452.

  2. I was glad to see the future intention to limit the published information to full name only. However, the legislation allows for the Roll to be inspected for “reasonable purposes” without specifying these, which is a clear violation of GDPR where each purpose must be specified.
    Also, to make publication of personal data a condition of full participation in the life of the Church seems to me to violate Article 9 of the European Convention on Human Rights which grants “Freedom of thought, conscience and religion” since it requires the church member to surrender their rights under one piece of legislation even though they are protected elsewhere.
    The GDPR is superior law to that of the CRRs and in the event of a challenge or claim for compensation in the event that the publication of the Roll leads to a registrant suffering loss, harm or damage, is there some assurance that the Church would help defend the case and indemnify the parish concerned against any award of damages?

  3. Update:
    And so now, here in France, a group of disaffected former parishioners are attempting to harass us by demanding access to various documents in the hope of harming the integrity of our Anglican Chaplaincy and possibly bankrupting us by forcing us into obtaining legal representation (which will not be funded by the Diocese of Europe). One document which they are demanding access to is the Electoral Roll. The issue which we are now facing is that a number of loyal and devout parishioners are objecting to their details being disclosed on the grounds that they fear harassment by the disaffected group and/or unsolicited communications.
    The absence of definition of a ‘bona fide enquirer’ for who can inspect the register and/or what use they can put this information to is about to cause us a problem. Who will judge who is a bona fide enquirer?
    As our Data Protection Officer, and considering myself bound by GDPR which has legal force in France, and the Church Representation Rules which do not other than as a component of our constitution, I am minded to ask Members of the Electoral Roll to give their positive consent to being on the Open Roll – with access to the full Roll being confined to Church and French Legal Authorities.
    My comments above still stand, and whereas I had not expected this firestorm to ignite so close to home, this was always going to flare up somewhere.

  4. Our church electoral roll has been displayed on a notice board where groups not connected to the church can see. Not only does it contain our names but our addresses too. I need to know if this is required or am I within my rights to ask the church wardens to take this list of names and addresses down.

      • Or to the Information Commissioner’s Office. The Information Commissioner’s Office said to me that they will consider any individual complaint that they receive but will not look at this as a matter of principle until they are asked to rule on a specific complaint.
