A Brief Guide to General Data Protection Regulation (GDPR) for PCC Members
In the UK, data protection is governed by the Data Protection Act 2018, which controls how personal information is used by organisations, businesses and the government. Parishes must comply with its requirements, just like any other charity or organisation. This guide tells you what you need to do. You may also find our checklist (http://www.parishresources.org.uk/wp-content/uploads/GDPRchecklist.pdf) and sample consent forms (http://www.parishresources.org.uk/gdpr/consent/) helpful, and there is a longer briefing note available for people leading on this at parish level (http://www.parishresources.org.uk/wp-content/uploads/Parish-Guide-to-GDPR.pdf).
Explaining the jargon:
Personal data is information about a living individual which is capable of identifying that individual.
Processing is anything done with/to personal data, including storing it. The data subject is the person about whom personal data are processed.
The data controller is the person or organisation who determines the how and what of data processing; in a parish this is usually the incumbent or the PCC.
A. Underlying Principles
The law is complex, but there are several underlying principles, including that personal data:
- will be processed lawfully, fairly and transparently;
- will only be used for a specific processing purpose that the data subject has been made aware of, and for no other purpose without further consent;
- collected on a data subject should be “adequate, relevant and limited”, i.e. only the minimum amount of data needed for the specific processing should be kept;
- must be “accurate and where necessary kept up to date”;
- should not be stored for longer than is necessary; and
- will be handled in a way that ensures appropriate security.
There is stronger legal protection for more sensitive information, such as religious beliefs.
B. Consent, Rights and Accountability
- Consent – if you’re sending direct marketing by post, you don’t need consent. However, if you’re putting someone’s name on a letter or flyer, you’ll need a lawful basis for using their personal data. This also applies if you know the name or other information which can identify the person you’re sending the marketing to.
- Rights – Data subjects have a number of rights, including that of knowing how data is used by the data controller, of knowing what data is held about them, of correcting any errors and generally the right ‘to be forgotten’. The PCC will need to make provision for people to exercise these rights, including developing a Privacy Notice.
- The GDPR introduces a stronger requirement on accountability for data controllers. This means that you must be able to show that you are complying with the principles by providing evidence.
C. Key Points for Parishes
- Consent for one element of data processing does not give you permission to do anything else with it. You cannot mail everyone on your electoral roll, or even everyone for whom you have a Gift Aid declaration, with fundraising communications. You need further consent.
- If the purpose of an individual supplying data to the PCC is clear and unambiguous, then a separate consent is not required. For example, a completed electoral roll application form provides sufficient consent to add that person to the roll. Likewise, a completed Gift Aid declaration is sufficient consent for you to claim Gift Aid on the relevant donations. However, as stated above, you can’t then use that data for other purposes.
- Where you collect consents, e.g. to be added to an email mailing list, you will need to store those consents. You are likely to need several different consent forms (or elements within a single form) to cover different areas of data processing within the life of the church.
- Note that each incumbent or priest-in-charge is considered to be a separate data controller from their PCC because they are separate legal entities.
- In our case Richard Pepys acts as Data Controller for the Meon Bridge Benefice.
D. Further help available…
- This is a short guide for PCC members. There is a more detailed guide at http://www.parishresources.org.uk/wp-content/uploads/Parish-Guide-to-GDPR.pdf.
- The Information Commissioner’s Website has much helpful guidance: https://ico.org.uk