GDPR & record keeping

The General Data Protection Regulation came into force in May 2018. It strengthened previous data protection regulations. It is applicable to PCCs, incumbents and deaneries, and requires them to take some action.

FAQs

Can I keep parish emails on my phone?

Is having the church office email account available to view on my phone is in breach of any new data protection directive?

The directive is about keeping information secure, and about being transparent about how it is used. It doesn’t forbid anything you may have a good reason to do. Here are some questions you may want to consider:

Does your privacy notice say that contact details are stored on your phone (or “on mobile devices used by staff”)?

Is your phone password protected (or protected in some other way) so that if you lost it, it would not mean that others could see the information?

I take it this means contact details are stored on a cloud based system. Is the system you are using GDPR compliant? It could be out of the European Economic Area.

Is it a private phone or a work phone? We have been noticing that if you have Facebook on your phone set up to recognise your contacts, then your private Facebook account can become linked to people who are contacting you for work, which seems undesirable. You need to look at the way Facebook is set up – or consider carrying two phones.

Can we publish a directory of names, addresses, phone numbers etc. for use by church members?

The PCC should assess the risks arising from this. They may want to consider: what information appears in it, does it include children’s’ names, how is it circulated, who can access it, are people aware that there information will be made semi-public in this way, do recipients of the directory understand for what purposes they may use the information?

They may want to amend the amount of information that is available, and make sure that participants understand that the PCC cannot completely control how the information is used, even if the document reminds recipients that the information is provided for church purposes only, and that recipients must not, for example, reuse the data on church membership to advertise a non-church activity.

Can we publish details of baptisms, weddings and funerals in our Parish magazine?

We include in our parish magazine a ‘From the registers section’ which gives details of baptisms, weddings and funerals that are recorded in our registers – which are public documents. I am aware that we do not need to gain consent for weddings generally as it is covered under the legal requirement, but do we then need to gain consent to include that info somewhere else, other than in the registers, when that information is already in the public domain?

The short answer is ‘no, you do not need to gain consent to publish information recorded in your registers’.

For those interested in the detail of this answer, records/registers are public documents i.e. it has been long established that “Parish registers of baptisms, marriages and burials, being public documents, are admissible in evidence to prove the facts stated in them…” (Halsbury’s Laws of England – Vol 11 – Civil Procedure) – paragraph 967).

“Per LORD BLACKBURN:- “A public document” means a document that is made for the purpose of the public making use of it – especially where there is a judicial or quasi-judicial duty to inquire. It’s very object must be that the public, all persons concerned in it, may have access to it…”. Sturla v Freccia (1880) 5 App Cas 623

So, in the view of the Church of England Information Governance and Data Protection Officer, the publication in the parish magazine is effectively using data that is already in the public domain – i.e. if the source is “public registers” then there is no issue with further processing by publishing it, so the lawful bases would be legitimate interest (Article 6) and manifestly made public (Article 9).

Can we send anniversary cards and invitations to our baptismal families?

During the baptismal service we welcome the ‘candidate’ as the newest member of our church family. As such is he/she considered to be part of the church membership at this stage? Specifically, as part of our mission we:

send anniversary cards to the children on the anniversary of their baptism. Is this a legitimate activity in terms of GDPR and if so can we add the family to our on-line database without opt-in consent?
invite to special events such as Godparent services, Messy Church. If people don’t want to hear about this, can we still send the anniversary card?

While the church may consider the newly baptised to be a member (as indeed they are), some families may not see things in quite that way. It is for the PCC to decide whether they wish to rely on the legal reason of legitimate interest, or whether they want to use consent – taking into account the local situation.

It needs to be transparent and clear to parents that you will keep in touch with the various activities that you propose, and if families are not regular church goers, then it may be a surprise. One light touch approach that we have suggested in the training course is to offer a card to families during the pastoral visits/baptism preparation. This is designed to give you a half to leave with the families and a half to take away (and is repeated so that you can get two cards out of one piece of card.) Obviously you would change the wording to suit you.

You can find the card here.

Do we need to get consent from our Mailchimp subscribers?

Do I need to get active consent from the people who are already on our Mailchimp monthly newsletter mailing list where consent has been assumed, for them to continue receiving it after May? Or is it just for people who join from the end of May?

A lot will depend on what sort of communication you are using mailchimp for, and what legal basis you are relying on? Is it legitimate interest? Or is it consent? If it is the former then you will not need a programme to collect consents.

However, you may want to pay attention to the principle that the data should be accurate: and as part of good practice, you may want to take the opportunity to write to people and ask them to confirm their details, and possibly the sort of emails that they would like to get from you: weekly service sheets, special services, or whatever categories you use. Before you do this, you may want to check that you have the correct categories, or lists set up, and that everyone who uses mailchimp knows how they are to be used.

You should make sure that your privacy notice identifies the data that you are holding in mailchimp: including the ability to see what fraction of emails are actually opened. You are actually sharing your data with the mailchimp organisation, and they may be holding the data outside the European Economic Area, and so you should check that their privacy policy is at least as strong as your own.

Does our PCC need to register with the Information Commissioner's Office (ICO)?

Most PCCs do not need to register with the Information Commissioner’s Office (ICO) - but are still bound by GDPR. Exceptions are if you make a profit or use CCTV.

You must:

only process information necessary to establish or maintain membership or support
only process information necessary to provide or administer activities for people who are members of the organisation or have regular contact with it
only hold information about individuals whose data you need to process for this exempt purpose
the personal data you process is restricted to personal information that is necessary for this exempt purpose

https://ico.org.uk/for-organisations/data-protection-fee/data-protection-fee-self-assessment/

Personal information and correspondence are held on my personal computer…

I keep personal information and correspondence are held on my personal computer (password protected) and paper copies of contact lists are filed in my home office...

The data you have is not very sensitive unless you have any contacts with particular security needs. It would be reasonable to make sure that you have thought about the stuff you keep at home, and how likely it is to be accessed by others: but if you have a tidy office and well-behaved visitors, then you can argue you have taken fair precautions.

You do need to think about what might happen is a subject access request was made and you were on holiday. Could it be answered in the time required? Might it be better for electronic information to be stored on “the cloud” so that another person could access it if needed? How can you make this work for the paper information you are holding?

Should the template Electoral Roll form be updated to include positive consent for data processing, storage and disposal?

Our Electoral Roll Officer uses a version of the Diocese of Oxford’s Electoral Roll template form – she’s added fields for telephone and email addresses. In light of the requirements of GDPR, I’m wondering whether this template form should be updated to include positive consent for data processing, storage and disposal?

The form SG1 is a statutory form provided by the national church and is in the Church Representation Rules. We don’t have any authority to amend it. It is designed to collect information necessary to put people on the electoral roll: no consent is needed for that because it is a legal function being carried out by the parish.

The Church Representation Rules explicitly set out the data that is collected via this form and for what purposes.

We have a phone list pinned up on the wall of the church office.

A lot depends who is on the phone list. Is it the priest and other people whose contact details are widely circulated? Or is it everyone who has ever been in the church building. Consider whether it would be better to lock this away at the end of the day when the office is not staffed.

We have a transcript of the registers on the shelf in the office. What should we do?

The original registers are legal documents and must be kept. It would be reasonable for the PCC to agree that copies are not sensitive data, and that they can still be kept. The PCC may want to consider locking them away when the office is unsupervised.

What about names in PCC minutes? Should we destroy old minutes?

You must not destroy PCC signed minutes. They are legal documents and you are bound by law to keep them. Make sure your privacy notice includes PCC minutes.

PCC members may have their own copies of minutes, and, depending on what your minutes contain, you may want to develop local procedures about how they should be kept and destroyed. It is unlikely that sensitive personal data is routinely included in non confidential minutes. Your PCC secretary will know how to deal with confidential matters.

You may want to think about how you write minutes going forward. “The PCC agreed to continue with the same person to mow the churchyard”, rather than “The PCC asked Jane Smith of 10 the Avenue Phone 12345 to do the cleaning.”

What about the data stored by the retired priest who helps out in our parish sometimes?

If this data relates to his previous employment, then it is not the PCC's problem. However, the PCC may want to check that its former priests have destroyed any data that is the responsibility of the PCC.

What are the implications for clergy?

Can you advise on the implications for me of the incumbent being a data controller under GDPR? I have my own privacy statement, which I can put on the parish website. But do I have to have my own consent form, or can I operate under the terms of the PCC one?

As a parish with multiple clergy, all my clergy colleagues will process their data under the terms of the parish privacy notice. As I have to have my own, do I have to have my own set of consent forms, and manage my own data audit?

The incumbent is responsible for ensuring that he/she manages personal data provided by data subjects in line with GDPR, so all of the guidance provided is applicable to incumbents as well as PCCs.

As to a consent form, the incumbent needs to ask themself whether they are relying on consent as the legal basis, and whether the person already consented to having their information held by the PCC for the same purpose (eg contact, prayer), and so that, as a member of the PCC, the incumbent can rely on that consent.

The only time the incumbent would need a consent form is for personal data they are holding as an incumbent, rather than as the church as a whole, and for which you need consent. Register info may be held by the incumbent, but is required by canon law, so no consent needed. Other pastoral encounters, may need consent, but belong to the church as a whole (even if they are confidential to one or two people) rather than to the incumbent. If there is data held by the incumbent, by virtue of the office, and for which consent is required then there will need to be a separate consent form, presumably a variation of the PCC one.

Other parish clergy come under the PCC – so as long as they follow the procedure the PCC has set out – they are covered.

What wording should welcome cards include to be GDPR compliant?

Our church is in the process of designing new welcome cards. We shall be inviting new people to complete the card with any combination of name, address, email, phone number. This information will be passed to the ministry team and possibly the wardens too. Please can you advise us of any other wording we should include to be GDPR compliant?

I suggest you use the model consent form on the parish resources website.

And let people know where they can see your privacy notice.

With the advent of GDPR is there any diocesan guidance about the retention and disposal of Parish records?

We recommend the Church of England document, “Keep or Bin”.

Keep or Bin

Resources

Twenty-minute guide to GDPR (PDF)
GDPR for parishes and deaneries handout (PDF)
GDPR for parishes and deaneries presentation (PPT)
GDPR one-page audit form (PDF)
Privacy notice template document for parishes and benefices (Word)
Data Protection Policy template document for parishes, benefices or deaneries (Word)
Keep or Bin (the Church of England Document retention guide)
Safeguarding information sharing
GDPR guidelines for safeguarding case work and core groups
Sample baptism card (for parishes to adapt for all occasional offices)
Privacy policies (diocesan policies)

External sites

Information Commissioner's Office (main page)
Information Commissioner's Office: advice for small organisations (resources on starting with data protection, privacy notices, subject access requests, data breaches, etc)
Parishes and the GDPR (You can find the interim consent forms and privacy notices here, and some useful FAQ)

Please note, the guides, slides and handouts here were produced when the Data Protection Act 2018 came into force and while the UK was a member of the EU but they are still relevant.

Page last updated: Thursday 27th February 2025 4:37 PM