Revised advice on compatibility with data protection legislation
The draft Church Representation, Ecumenical Relations and Ministers Measure and draft Amending Canon No. 38 received first consideration in 2017, and the latest report of the Steering Committee includes a reconsideration of their compatibility with data protection legislation.
The publication of church electoral rolls, for which inspection is permitted, involves processing personal data that reveals the religious beliefs of the data subjects; this is special category data for the purposes of the General Data Protection Regulation (GDPR). The starting point was that the Revision Committee took the decision not to rely on the provisions in data protection legislation that are based on obtaining the consent of data subjects to the processing of their data, as this would impose too onerous an obligation on electoral roll officers and others. Instead, it was therefore decided to rely on a combination of provisions that (a) permit the processing of personal data generally where the processing is required by law; and (b) permit the processing of ‘special category’ personal data (which includes data that reveals a person’s religious beliefs), under Article 9(2)(d) General Data Protection Regulation.
The rationale for adopting this approach was that the processing of data on electoral rolls under the Rules would be required by law, because the Church Representation Rules are statutory and impose legal obligations. As to the processing being carried out in accordance with Article 9(2)(d) GDPR, the processing of data contained on electoral rolls would be a legitimate activity of the Church of England, and the processing would relate solely to its members or former members.
Recent legal advice
However, the Revision Committee identified a difficulty with the reliance on Article 9(2)(d) for the purpose of the publication and inspection of church electoral rolls. A provision at the end of this Article prohibits data being disclosed outside the religious body in question; consequently, if a church electoral roll is published by being displayed at the church, or on a parish website, and if it is open to inspection, the data it contains will potentially be disclosed outside the body of persons who are members of the Church of England.
Legal advice given to the Committee indicated that it will be possible to rely on Article 9(2)(e) of the GDPR for these purposes. Article 9(2)(e) permits the processing of special category data where “processing relates to personal data which are manifestly made public by the data subject”.
There are no decided cases on Article 9(2)(e) and the Office of the Information Commissioner has not issued any relevant guidance. However, the EU legislation which preceded the GDPR contained a provision that was in identical terms to Article 9(2)(e) and that provision was given effect in the domestic law of the United Kingdom by paragraph 5 of Schedule 3 to the Data Protection Act 1998. In cases decided by the courts under the old legislation, it has been held that where it is a legal consequence of a particular act of the data subject that data is made public, that data can be processed on the basis that it has been made public “as a result of steps deliberately taken by the data subject” [reference 2 in the Report, below]. The Committee concluded:
. … In the case of the church electoral roll, the Committee was satisfied that there was a sound case for taking the view that where an individual applies to have his or her name enrolled on a church electoral roll, the automatic legal consequence of which is that certain data about that individual will be published and open to inspection, that individual is, by submitting his application form, manifestly making public that data.
. On that basis the Committee was content to retain in the new Church Representation Rules the long-established provision requiring the publication of church electoral rolls when they are revised or renewed, and the provision which makes the roll available for inspection. A note has been added to the application form for enrolment so that an applicant for enrolment is informed that the roll will be published.
. Names only will be included in the published version of the roll; other personal data will be excluded.”
. NT 1 & or v Google LLC & or.  3 WLR 1165, paras. 110-113. An appeal by the data subject against the decision was due to be heard by the Court of Appeal on 20 December 2018 but was withdrawn. See also Townsend v Google Inc  NIQB 81.