Prayer for Israel and Palestine at this time
Click here for more details
-
Vacancies and moves
-
News and events
-
Diocesan Investment Programme
-
What we do
-
Vision 2026
-
History, background and Vision Update 2021-24
-
Vision 2026 Key themes
-
Vision 2026 Parish Toolkit
-
Vision 2026 stories
-
Strategic Development Funded Projects
-
-
Giving
-
Life Calling
-
Growing Leaders
-
Opportunities to Explore
-
Lay Majority Ministry
-
Whole life discipleship
-
Ordination
-
-
About us
-
Women in Ministry
-
Contact us
-
Meet the Diocesan Office teams
-
Our deaneries - Blackburn Archdeaconry
-
Our deaneries - Lancaster Archdeaconry
-
Our diocesan finances
-
Our wider church family
-
Our governance structures
-
-
Resources
-
HR support for parishes
-
Liturgy and church services
-
Energy saving and cost of living support, advice and resources
-
Carbon Net Zero Roadmap
-
For lay ministry
-
Senior clergy talks, articles and sermons
-
For clergy
-
Communications resources
-
Discipleship, prayer and worship
-
Parish Finance
-
Parish administration and governance
-
Community transformation
-
Being witnesses (parish mission resources)
-
Church buildings, land and legal matters
-
Parish Vision Fund
-
-
Safeguarding
Quicklinks
-
Vacancies and moves
-
Vacancies and moves
9th February 2018
Are you getting ready for changes in Data Protection law?
You may have heard the law regarding the protection of personal data is changing.
On May 25, 2018, the General Data Protection Regulation (GDPR) will replace the Data Protection Act 1998.
Parishes, in common with the Diocesan Offices, need to know what things they should keep doing and what things they should do differently to comply with the new law.
The good news first. The GDPR’s main concepts and principles are similar to those contained in the current 1998 Act. Therefore, if you are complying with the 1998 Act, much of what you do will still apply.
However, there are some changes and additions, so you may have to do some things for the first time and some things differently.
GDPR places a much greater emphasis on transparency, openness and the documents you need to keep to show you are complying with the legislation. This approach is incorporated within the idea of ‘accountability’ and the new ‘accountability principle’.
In essence, you cannot just state you are compliant; you have to prove it and provide the evidence.
To do this there are a number of actions you should take, such as documenting the decisions you take about your processing activities and various other ways that show compliance – such as attending training, reviewing any policies and auditing processing activities - for example, the processing of personal data in relation to the electoral roll.
In this case, the personal data processed is likely to be sensitive (by implication, if not directly, it relates to ‘religious belief’).
An electoral roll can be said to be a legitimate activity of the PCC, under the Church Representation Rules but if you wanted to share this data with another party, you would require the consent of any relevant individual(s) on the roll.
And so, consent is another area that parishes should be aware of when responding to the new GDPR regulations.
Where you rely on consent as the lawful basis for processing any personal data to be valid under the GDPR, consent must be freely given, specific, informed, unambiguous and able to be withdrawn.
Also, you will need to record how and when the consent was obtained (and review this over time).
As much of the data processed by a PCC or an incumbent in a parish is sensitive (relates to ‘religious belief’) if consent is needed this will have to be explicit consent.
Consent will require ‘clear affirmative action’ - silence, pre-ticked boxes or inactivity will not constitute consent.
You will also have to tell individuals that they have the right to withdraw consent at any time and ensure that the procedure for withdrawing consent is just as simple as granting consent, (e.g. by sending an email or (un)ticking a box).
A simple example related to this is that you cannot use the personal data from the electoral roll to send mail to individuals about events at the church without seeking their consent first.
You will also need to keep records of all consents received and periodically review them to ensure that they are still valid.
Then there is data storage. Data must be held securely and not be easily transferable or downloadable. So, if it is stored on a portable USB drive it must be encrypted.
There is a lot more to GDPR. How do you find out more? Staff at the Diocesan Offices and the national church are working hard to support parishes …
- For general advice on preparing for GDPR visit this dedicated page which will be populated in the coming weeks and months with helpful information and pointers, as well as links to other key websites including the Parish Resources website (www.parishresources.org.uk) which contains a wealth of advice for parishes on GDPR (including full Q and As; checklists and audit forms).
- Look out for more information about GDPR Parish Briefing Sessions being held in March (dates TBC) by checking on the Diocesan website GDPR page or in the website events calendar.
- Additional information will also be available in future editions of the Diocesan magazine, The See, sent to parishes and the monthly email Communications Update.
- Once the regulations are in force after May, if a data protection issue comes up and you are unsure how to respond, contact details for help via the Diocesan Offices will be available on the Diocesan website GDPR pages.