The new regulations give individuals more rights and protection over how their personal data is used by organisations.
For personal data to be stored legally, each individual must give their consent which must be “affirmative and unambiguous”
The legislation establishes seven basic principles for the storage of personal data.
What is personal data?
- names and addresses
- email addresses
- telephone numbers
- dates of birth
- IP addresses and cookie identifiers
To whom does it apply?
- office holders
- staff & former staff
- job applicants
When/where does it apply?
- registers of baptisms, marriages and funerals
- information re news, events, activities, services etc
- Gift Aid
- social media
- engaging sob-contractors
What are the principles?
Data can only be held
- fairly and lawfully
- for a specific purpose with a valid legal basis
- if its relevant and adequate – the minimum that is needed
- if it’s accurate and up to date
- for as long as necessary
- if it is secure
- if its retention is accountable
Policies and procedures will be need to demonstrate the adherence to each principle
The national Church of England Parish Resources website has a page of advice, guidance, templates and a checklist to help parishes comply with the new regulations.
There are two guides:
- a two page overview (designed for use with PCCs), and
- a more detailed guide for the person implementing this in the parish.
The checklist covers the actions outlined in the guides, to help PCCs monitor progress.
Carrying out a data audit is recommended as the amount of personal data your parish stores and processes may surprise you. Parish Resources has a template data audit document along with some helpful hints to get you started.
Parishes will also need to make sure they have consent to communicate with those on its mailing lists. you will need to have consent before you send marketing or fundraising communications to people, which includes general information about the activities of the parish, services and other events. Download our simple form
Parishes will also need to produce a Privacy Notice. If you have a website, it’s good practice to make this available online. A Sample Privacy Notice can be found here which can be amended and adopted. Guidance on how you can write your own Privacy Notice is also available.
Finally however, there will be some data processing done as part of normal church management which you will not need to gain specific consent for, for example holding lists of group members etc. This is covered by a special condition under the GDPR for religious not-for-profit bodies, provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent.