GDPR requires that personal data must be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that inaccurate personal data is erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The following resources should be read; they contain documents that you can adapt and use:
- A brief guide to GDPR
- A more detailed guide for the person implementing this in the parish
- A simple checklist which covers the actions outlined in the guides, to help PCCs monitor progress
- A template data audit document which will help you to identify the personal data that your parish stores and processes
- A sample consent form, as parishes will need to make sure they have consent to communicate with those on their mailing lists
Parishes will also need to produce a privacy notice, and a sample privacy notice is given which can be amended and adopted. If you have a website, it is good practice to make it available online. Guidance on how you can write your own privacy notice is also available.
Finally – do check that your procedures are up to date, such as what to do if people request to see the data stored about them, and review your breach management procedures to ensure you know what to do in the event of a breach.
Frequently Asked Questions are also available.
Storing data securely
Think about where your data is held and its security.
- Does it reside with third parties on IT systems such as cloud suppliers, or in church members' homes?
- Of the data you hold about data subjects, are these records electronic or paper based?
- How are the IT or paper systems protected? (Passwords, encryption, lockable drawers, safes.)
- Who needs authorised access to this data and information?
Any systems used to store or process data need to consider security as part of their implementation. You should only collect the data you need and keep it only as long as needed in order to fulfil an agreed purpose and then delete it. The Church of England's retention schedule for churches is Keep or Bin - The Care of Church Records.
This means PCCs need to think very carefully about what data they have on people, where it is and who has access to it. This will include the technology used and security in place. For example, data encryption would be one way in which computer data held can be secured.
How the Diocese of Manchester uses your information
The Privacy Notice - MDBF outlines how we use and safeguard the information we hold about you.