General Data Protection Regulation (GDPR)
This regulation took effect in the UK on 25 May 2018. It gives individuals rights and protections with regard to how their personal data is used by organisations. Congregations must comply with its requirements as there are no relevant exemptions for charities or small organisations.
The underlying data protection principles set out in the GDPR are as follows. Personal data must be:
1. processed lawfully, fairly and transparently;
2. used only for a specific processing purpose that the data subject has been made aware of;
3. adequate, relevant and not excessive;
4. accurate and, where necessary, kept up to date;
5. not stored for longer than is necessary;
6. stored in a safe and secure manner.
There is also an accountability principle which ensures that the data controller must be able to demonstrate compliance with the first six principles.
Key definitions are:
Personal data is information relating to a living individual, who can be identified from that data or indirectly from other data held.
Processing is anything done with or to personal data, including storing it.
The data subject is the person about whom personal data is processed.
The data controller is the person or organisation who determines the manner and purposes of data processing.
Data is processed on the basis of legitimate interest (for example, membership lists or rotas) and legal obligation (for example, Gift Aid and contracts). Because the data held reveals religious belief, it is special category data, which may be processed only where an individual has given explicit consent or where the processing is carried out in connection with the legitimate activities of the church. Two safeguards apply: firstly, the processing relates solely to members or former members, or to persons who have a regular connection with the church; secondly, the personal data is not disclosed outwith the church without consent. Data subjects have the right to know how their data is used, to know what data is held about them, and to have any errors corrected.
Ness Bank Church has appointed Mr David R Abbott with responsibility for data protection issues. Contact details are telephone 01463 243656 or email firstname.lastname@example.org
The Church Office has copies of the following documents relating to Data Protection:
GDPR A Brief Guide
GDPR General Guidance
Guidance for Safeguarding Co-ordinators
Frequently Asked Questions
Data Audit Form
Data Protection Policy
Data Retention Policy
Legitimate Interests Assessment
GDPR Consent Form
Live Streaming Guidance
Breach Notification Form
Subject Access Guidance
Subject Access Request Policy
Subject Access Request Form and Record of Processing.
GDPR training is available through the Church of Scotland webinar at https://youtu.be/9FZND07hXgE