General Data Protection Regulation (GDPR)
GDPR – 25 May 2018
• Applies to churches because they process personal data
• Builds on the 1998 Data Protection Act
• Applies to paper and electronic records
• Common rules across the EU – and will apply post Brexit
• Establishes legal bases for processing
• Requires Privacy (Information) Notices
• Confers individual rights
• Establishes a requirement of transparency

Personal Data
• Personal information about living individuals
• Identifies an individual
• Includes all people: members, adherents, visitors, employees
• Special Category Data (sensitive):
  • Racial/ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic/biometric data
  • Health
  • Sex life and sexual orientation

Processing – Fair, Transparent, Lawful
• Fair – data is used in a way that is consistent with the way and purpose for which it was collected
• Transparent – data use is consistent with the information in the privacy notice
• Lawful – requires one of the lawful bases set out in the Regulation

Lawful bases for processing
• Consent – the individual has given clear, unambiguous consent
• Contract – the processing is necessary for a contract you have with the individual
• Legal obligation – the processing is necessary to comply with the law
• Vital interests – the processing is necessary to protect someone's life
• Public task – the processing is necessary to perform a task in the public interest or official functions, and has a clear basis in law
• Legitimate interests – the processing is necessary for the organisation's legitimate interests

Consent vs Legitimate Interest
• There is no requirement to obtain consent to process data that is not 'special category' if you can show a legitimate reason for processing
• So maintaining membership records and keeping contact details for publicising events are legitimate reasons for a church to process data – this provides the LEGAL basis for processing under GDPR
• But this must be made clear (TRANSPARENT) in the church's privacy notice
• The data should be used only for the purposes stated in the privacy notice (FAIR) and not shared with anyone the notice does not mention
• There are more rigorous conditions for processing 'special category' data

Special Category Data
Churches will usually be able to rely on two of the conditions for processing special category data to hold safely 'religious belief' data about members:
• processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to the former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects; and
• processing relates to personal data which are manifestly made public by the data subject.

Consent
• Use consent if there is no other legitimate means of collecting or processing data
• A consent request should be prominent, concise, separate from other terms and conditions and easy to understand
• It should include:
  • the name of the organisation requesting the consent;
  • the name of any third parties who will rely on the consent;
  • why you want the data;
  • what you will do with it;
  • the fact that individuals can withdraw consent at any time.

Privacy Notice – EVERY CHURCH MUST HAVE ONE
THE NOTICE SHOULD INCLUDE:
• which data are being gathered
• how the data are gathered
• why the organisation needs the data, and the lawful basis it relies on
• what it will do with it, and who (if anyone) it is shared with
• how long it will keep it
There is a template on the URC website

Rights of Data Subjects
• right to be informed
  • information in the privacy notice
• right of access
  • access to an individual's own personal information
• right to rectification
  • individual can have personal data rectified if it is inaccurate or incomplete
• right to erasure (right to be forgotten)
  • individual can have data erased and prevent processing in certain circumstances
• right to restrict processing
  • individual can have data processing restricted
• right to data portability
  • right to obtain own personal data and reuse it elsewhere – only applies where the lawful basis is consent or contract and the processing is carried out by automated means
• right to object
  • relates to: processing in the public interest, direct marketing, processing for scientific/historical research
• rights in relation to automated decision making and profiling
  • provides safeguards where decisions are taken without human intervention

Pastoral Concerns and News – to share or not to share
• Strictly, under GDPR, you should get explicit, unambiguous, 'opt in' consent (pastoral news about someone's health is special category data), but let's be practical…
• ideally check with the individual that they are happy to be named
• be more careful regarding people who are not members of the congregation and might not understand the common practice
• only include the names of those you know won't object in circulated prayer lists/newsletters/magazines
• you do not need to worry about anything that an individual has 'disclosed' publicly, e.g. on Facebook – it still has to be used fairly and within your privacy notice, but the special category restriction no longer applies
• avoid recording sensitive details in minutes

Directories
• If you compile (for general circulation) a directory of officers and/or members including addresses, phone numbers or email addresses, then you should obtain consent
• Certain officers of the church will already have made their contact details freely available, published in various places – this is necessary for the running of the church

Be aware of
• Subject Access Requests (SAR) – an individual requests ALL the data you hold about him/her – you have one month to comply (extendable by up to two further months for complex or numerous requests, but you must tell the individual within the first month)
• Data Breaches – notify the ICO within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals; where the risk to them is high, also tell the affected data subjects without undue delay. Keep a record of every breach, even those you decide not to report

What do we need to do?
• Visit the URC website www.urc.org.uk for:
  • Checklist – Establishing Good Data Protection Practice in Your Church
  • Template Privacy Notice
  • Hints and Tips
  • Consent Proforma

Other Information Sources
• The Information Commissioner's website www.ico.org.uk
  • especially the booklet – Guide to the General Data Protection Regulation (GDPR)
• www.parishresources.org.uk/gdpr/ – the Church of England resource
• https://www.baptist.org.uk/Groups/220864/Legal_and_Operations.aspx and search 'GDPR' – Baptist Union of Great Britain