Data Protection Act (DPA) and GDPR

For small, not-for-profit organisations such as our Church, the Information Commissioner does not need to be notified that we hold records of Parishioner details. That does not mean we can ignore the DPA, but it does mean we can keep things fairly simple.

Large organisations require a Data Controller. For smaller organisations (clubs, churches etc.) the Parish Secretary will suffice. For our Church the Parish Secretary currently maintains the Parish Database, which also holds details of consent with regard to ensuring DPA compliance.

This all sounds very complex, and it could be. However, the following is a summary of the DPA and GDPR. Comments in Red are specifically what we MUST be aware of in respect of Parishioner details.

To comply with the Act, the eight data protection principles concerning personal information follow, each with the response relevant to our Church and Parish:

* Fairly and lawfully processed
  - Collation of Parishioner Records, which currently only include Name, Address and contact details (telephone number(s) and email address)

* Obtained only for specified and lawful purposes
  - Retention of Parishioner Records

* Adequate, relevant and not excessive
  - Nothing other than the following is kept:
    - Name, Address, Contact details (telephone number(s) and email address)
    - Relevant dates (if supplied), such as DOB, Date of Marriage etc.
    - Functions/Duties carried out for our Church
    - Church Related Activities, such as any membership of Church related associations

* Accurate and kept up to date
  - Updates are applied at least once a year, although in practice changes are applied as and when they occur

* Not kept longer than necessary
  - Records of Parishioners who have relocated are retained in case they move back to the Parish

* Processed in line with the rights of data subjects under the Act

* Secure
  - Records are maintained on a secure database only accessible through User Identification and Password. This is controlled by the Parish Secretary

* Not transferred to other countries without adequate protection

In a nutshell, the principles of the DPA must be observed and every Parishioner must be made aware of them.

General Data Protection Regulation (GDPR)

The GDPR is the amendment to the DPA that comes into force on May 25th 2018. In the interests of being completely open, the main points of the regulation follow:

More communication
You will need to give people more information about how and what you do with their data at the point you collect it.

ICO notifications
You no longer have to notify the ICO as a data controller; as a not-for-profit organisation you may already not need to under the current rules.

Responding to subject access requests
Subject access requests (requests from individuals for copies of their personal data) will need to be responded to within one calendar month rather than the current 40 calendar days. It is also no longer possible to charge £10 for dealing with a request.

Obligations
There will be direct obligations on data processors as well as on data controllers. This may mean that if you use any third parties to process data, for example hosting your website, then you must have a written contract in place, and these are likely to be negotiated and drafted in favour of your processors.

Fines increase significantly
Currently the highest fine the ICO can levy is £500,000. Under the GDPR they will be able to issue fines up to 20 million euros or 4% of your global annual turnover (whichever is the higher) for serious breaches. The fine could be 10 million euros or 2% of your global annual turnover (whichever is the higher) for less serious breaches.

Getting consent
Consent will be much harder to achieve. If you rely on consent from individuals to use their personal data in certain ways, for example to send marketing emails, then there are additional requirements to comply with.

Data retention
Retention policies need to be clear. You can’t keep data for longer than is necessary for the purpose for which it was collected. You also need to inform people how long you will keep their personal data and you can’t keep it indefinitely.

Privacy by design
If you are planning on putting in place a new system or electronic portal, then you need to consider whether the service provider you choose has adequate security to protect personal data.

Breaches
You will only have 72 hours from being aware of a breach to report it to the ICO. Under the Data Protection Act there are no obligations to report breaches.

Children
There are additional protections for children’s personal data. If you collect children’s personal data then you need to make sure that your privacy policy is written in plain, simple English. And if you offer an online service to children, you may need to obtain consent from the parent or guardian to process the personal data.

GDPR and Our Church

Data transfer
One of the principles of the Data Protection Act 1998 (and the GDPR) is that we only process data for the purpose for which it was collected. This means that if we (as the Church of Our Lady of Lourdes & St. Cecilia, Blandford Forum) collect the name and contact details of an individual as a Parishioner of our Church, we can’t simply use that information to allow any affiliates (if they exist) to contact Parishioners for marketing purposes.

Whenever details are collected, Parishioners must be informed that we DO NOT transfer or share data other than within our Church and possibly the Diocese of Plymouth.

Privacy or data capture statements
When Parishioners provide their details, it will be made clear and transparent why we hold them and what we will do with their information. This means we need to make sure that the right data capture statements are presented to individuals when they give us their personal details.

Consent

As Parishioner data is held entirely within our Church (and possibly the Diocese), the subject of consent is not relevant. However, for any purpose other than keeping Parishioner records, consent can no longer be presumed but must be obtained. A negative (opt-out) approach is no longer acceptable. See the following examples:

“Your details will be included unless you say No.” This will be illegal. Instead:

“If you consent then your details will be included.” This is legal, as consent must be obtained before action.

For our Church this will apply to any publishable document, notably the Newsletter and, if one is produced, a Parish Directory. Only Parishioners who consent to have their details published in either, or any, document will be included, and in any event that information may be abbreviated according to the level of consent.


A register of consent will effectively be maintained on the Parish Database.

Ultimately, Parishioners not consenting to have their details in the Directory will not be included.

For your information: if at any time you have inadvertently not ticked a box, whether online at a website or on a paper advertisement, that is required to opt out of mailings, then after May 25th this will be illegal and your fresh consent must be sought.

The most common example would be:

“Tick here if you do not want to be included on our mailing list.”

This will be deemed illegal and fresh consent must be sought, such as:

“Tick here if you want to be included on our mailing list.”

Subject access requests
If any Parishioner requests it, then a complete list of all data held will be provided. However, no data other than that listed under the “Adequate, relevant and not excessive” principle of the DPA is kept. Parishioners can only make requests if they have something to complain about. A log must be maintained of how and when a response is delivered, and the exemptions from disclosure must be applied carefully.

Data breaches
All personal data is held securely, i.e. electronic documents are encrypted and password protected, and they are backed up on a regular basis. If a breach occurs we need to identify what has happened and take remedial steps to ensure it is not repeated.

Caveat

This summary applies specifically to our Church and Parish and not to ‘partner data’ as possibly held by the Diocese of Plymouth. If different or varied advice is handed down from the Diocese, this will be disseminated as a matter of high importance.