Churches have charitable status but are not regulated by the Charity Commission as other charities are. Despite this, church trustees have the same responsibilities as other charity trustees. These responsibilities include compliance with laws such as the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. Good data protection practices are a legal requirement, so regular refresher training is an essential means of ensuring compliance amongst volunteers and church employees. This is because churches possess a large amount of personal data, such as information about clergy members and attendees.
GDPR requires that organisations perform regular data audits, so parish resources must be monitored for compliant data use and retention. With an increased focus on accountability, members of the church are required to demonstrate compliance rather than simply state it. This demonstration can take the form of documenting processing activities, data protection training, policy reviews and audits of parish resources and processes.
Explaining the Jargon
Data protection applies to any individual/organisation that processes personal data. Personal data is information about an identifiable, living person, whilst processing is anything that happens to this data (including its storage and transfer). Special category data is a type of personal data that is viewed as more sensitive, and is consequently more at risk should a data breach occur. Religious belief falls into this special category of data, so churches must be especially cautious with data that affiliates individuals with religion. Data controllers are any individuals/organisations that collect and are responsible for the use of personal data. Within a church the incumbent and the Parochial Church Council (PCC) are seen as separate data controllers. Individuals/organisations that process personal data on behalf of the data controller are termed data processors. The data controller retains ultimate responsibility for personal data, even when in the hands of the data processor. For this reason, if churches outsource any data processing functions to third parties, they must ensure a written contract is signed whereby the processor agrees to comply with certain data policies.
Data subjects are individuals who have personal data held about them which is out of their control; essentially all of us fall into this category.
Who Requires a Data Protection Officer (DPO)?
There are certain criteria under which data controllers are required to appoint a Data Protection Officer (DPO). A DPO is an individual removed from the daily processes of your organisation who is responsible for ensuring data protection compliance. Large-scale processing of special category data necessitates a DPO; however, the scale of processing in most churches does not fulfil this criterion. You are nevertheless at liberty to appoint a DPO even when not required to do so.
Data Subject Rights
Under new legislation, data subjects now have extended rights over their personal data. Your church must issue a privacy notice informing data subjects how their data will be processed, and ensure they have informed consent for it. Subjects have the right to access any personal data the church stores about them by submitting a Subject Access Request (SAR). You must respond within one month of receiving a SAR.
Consent is one of the grounds on which you can legally process personal data. In order to be valid, consent must be freely given, unambiguous and indicated by a clear affirmative action. It must also be specific and informed. Past consent must be checked for validity and re-obtained if it is not up to current standards.
Specific consent is required to use an individual's personal data for marketing purposes. It is important to recognise that sending people information about church services could be viewed as marketing so you must apply marketing restrictions accordingly. You are not permitted to use the data on your electoral roll for marketing purposes unless you have acquired specific consent to do so.
Why is Data Protection Important for Your Church?
Failure to comply with data protection law can result in data breaches. It is your legal and moral duty to protect those you hold personal data about. Data breaches can result in emotional, physical and financial consequences for the affected data subjects. Additionally, the consequences of a data breach for your church could be substantial. Repercussions include damage to your reputation as well as penalties issued by the Information Commissioner's Office. Data protection training can help to demonstrate compliance, protect your data subjects and avoid the devastating effects that a data breach could have on your church.