GDPR and ecumenical organisations
The Data Protection Act (1998) will be replaced by new European regulations (GDPR – General Data Protection Regulations ) which become law on May 25th 2018.
The period 1998-2017 has seen an explosion in social media and electronic storage and the regulations take account of that and seek to protect all of us as individuals from the misuse of our personal data. They have at their heart a simple principle – that an individual’s personal data is precious and needs proper protection.
The paramount right to privacy
The new regulations place the individual’s (data-subject’s) right to privacy at the centre of legislation. That is expressed in three main ways. First of all, the data-subject must give consent to their data being held. Second, the organisation handling that data must keep it secure, must not misuse it, and only use it for the purposes for which it has been supplied. Third, the data must be accurate and as far as possible up to date.
Article 5 of the GDPR sets out six underlying principles which will ensure those rights:
Transparency: data must be processed lawfully, fairly and in a transparent manner.
Purpose limitation: data must be collected for specified, explicit and legitimate purposes.(Non-profit religious organisations have a legal right to collect religious data under condition 9 (2) (d) of the Regulations.)
Minimisation: data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Accuracy: reasonable steps need to be taken to ensure that data is accurate and up to date.
Retention: data should be kept for no longer than in necessary for the purposes for which it was collected.
Security: data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures.
And article 5 (2) states that the Controller (which is the organisation rather than a named individual) shall be responsible for ‘…and able to demonstrate’ compliance with the principles.
What must we do?
CTE will not be offering model documents because all ecumenical bodies, including Churches Together groups and Intermediate Bodies are different. However, it is clear that compliance involves:
Conducting a data audit to see what information you actually have
Obtaining consent from those whose data you hold. The main difference in the new regulations is that you have to obtain consent. An opt-out email will no longer suffice. You need the permission of all whose data you hold to retain it, and you need to have evidence of that.
All organisations need to provide evidence of their accountability and so Trustees will need to have a Data Protection policy in place and ensure that an annual review of the policy is undertaken.
All organisations will need to review the security of their data, whether kept electronically or manually.
A great deal of information is available from the Office of the Information Commissioner and some of the major English denominations to help churches and religious organisations and charities comply with these new regulations. As you set about the business of compliance, you may find the following material helpful: