The General Data Protection Regulation (GDPR) replaced the Data Protection Act in May 2018. To make sure that we look after the personal data of members and friends of the church as well as we can, we have shared this guidance:
General Data Protection Regulation (GDPR)
Everyone who runs any organisation in the Church needs to be aware of this regulation, even if they do not use a computer or email. However, it does not apply to many of us, as it does not cover groups of friends unless you share their information with someone else – and then all you have to do is make sure that the information is accurate and that the people concerned are happy for it to be shared.
Data Protection Officer
The Church Data Controller (DC) is Colin Usher. Contact him on colinu5[@]outlook.com if you need to know more.
Organisations within the Church should document what personal data they hold, where it came from and who they share it with.
When collecting personal information about people (such as their names, addresses, phone numbers and email addresses) we will need to explain the basis for processing the data, our data retention period (2 years) and that individuals have a right to complain if they think there is a problem with the way we are handling their data. The GDPR requires this information to be provided in concise, easy to understand and clear language.
The GDPR includes the following rights for individuals:
the right to be informed;
the right of access;
the right to rectification;
the right to erasure;
the right to restrict processing;
the right to data portability;
the right to object;
the right not to be subject to automated decision-making including profiling;
the right to know that information will be deleted 2 years after it was last used.
Also, children’s data must be kept secure and parental/guardian consent must be verifiable.
Lawful Basis for Processing Personal Data
In simple terms this means that if a Church organisation holds data on someone, then that person should know that we have the information; and if they ask to have it removed, it must be removed from all relevant sources within 28 days. If you start a new Church based group, talk to the Data Controller before collecting information.
The Church should make sure that the right procedures are in place to detect, report and investigate a situation where data may have been mislaid or have got into the wrong hands. Bear in mind that if someone who receives (say) an email from us has their own system hacked, everyone else listed in that email could be exposed to risk. It is therefore vital that the blind copy (BCC) option is used at almost all times, so that no individual email address is visible to all the recipients. This can be a nuisance, but it is necessary.
If you think that you have mistakenly lost information, sent it to the wrong person, or been hacked, then DO NOT PANIC! First, try to get the data back. Then let Colin know and discuss with him the scope of the problem. If any other action is needed, we may have to consult the URC Head Office for advice. Any breaches must be reported to the Data Controller for support and investigation.
Be Purposeful about Data Protection
Sensitive information should be stored securely. For example, the Saturday Kidz information is held in a locked cabinet when not in use and is monitored at all times while it is being used. Some electronic data (possibly the Church Directory) should be held in a password protected, encrypted format. Keep your records in order and minimise what you keep. Do not share them outside the Church. Let Colin know if you hold anything other than names, addresses, phone numbers and email details.
GDPR Hints and Tips
If information is kept in your home it should be in a locked drawer, just as it should be if it is kept in the Church. If it is held on a computer, then you should be running a reputable antivirus/anti-malware program and should have a password or PIN preventing easy access to your PC, laptop, phone or tablet.
Blind copy emails when sending them to a group of email addresses
Firstly, this is sometimes counter-productive, so if you need the people that you are emailing to ‘reply to all’ so that everyone sees what everyone else is saying in their replies, then don’t bother. But my rule of thumb is not to cc more than 6 people if possible.
To get this feature you may need to open a new email, go to ‘Options’ and then add it from ‘Show Fields’.
If you need to ask for the details of people who are not just your friends, then you do need to explain clearly why this information is needed.
Make sure that you cannot be overheard if you are doing this by telephone.
Explain who you are and why you are collecting information.**
Only ask for, and record, what you really need - keep it to a minimum.
Make sure it is accurate and keep it in a secure place.
** Say something like “We need this information so that we can contact you with details about this event and also so that we can contact you in an emergency” – if this is the case.
Working with Children
The GDPR introduces special protections for children’s data, particularly in the context of social media and commercial internet services. We must obtain consent from a parent or guardian before processing a child’s data. Consent needs to be verifiable, and the request for it must therefore be communicated in language they can understand.