GDPR & record keeping

The directive is about keeping information secure, and about being transparent about how it is used. It doesn’t forbid anything you may have a good reason to do. Here are some questions you may want to consider:

Does your privacy notice say that contact details are stored on your phone (or “on mobile devices used by staff”)?

Is your phone password protected (or protected in some other way) so that if you lost it, it would not mean that others could see the information?

I take it this means contact details are stored on a cloud based system. Is the system you are using GDPR compliant? It could be out of the European Economic Area.

Is it a private phone or a work phone? We have been noticing that if you have Facebook on your phone set up to recognise your contacts, then your private Facebook account can become linked to people who are contacting you for work, which seems undesirable. You need to look at the way Facebook is set up – or consider carrying two phones.

They may want to amend the amount of information that is available, and make sure that participants understand that the PCC cannot completely control how the information is used, even if the document reminds recipients that the information is provided for church purposes only, and that recipients must not, for example, reuse the data on church membership to advertise a non-church activity.

The short answer is ‘no, you do not need to gain consent to publish information recorded in your registers’.

For those interested in the detail of this answer, records/registers are public documents i.e. it has been long established that “Parish registers of baptisms, marriages and burials, being public documents, are admissible in evidence to prove the facts stated in them…” (Halsbury’s Laws of England – Vol 11 – Civil Procedure) – paragraph 967).

“Per LORD BLACKBURN:- “A public document” means a document that is made for the purpose of the public making use of it – especially where there is a judicial or quasi-judicial duty to inquire. It’s very object must be that the public, all persons concerned in it, may have access to it…”. Sturla v Freccia (1880) 5 App Cas 623

So, in the view of the Church of England Information Governance and Data Protection Officer, the publication in the parish magazine is effectively using data that is already in the public domain – i.e. if the source is “public registers” then there is no issue with further processing by publishing it, so the lawful bases would be legitimate interest (Article 6) and manifestly made public (Article 9).

• send anniversary cards to the children on the anniversary of their baptism. Is this a legitimate activity in terms of GDPR and if so can we add the family to our on-line database without opt-in consent?
• invite to special events such as Godparent services, Messy Church. If people don’t want to hear about this, can we still send the anniversary card?

While the church may consider the newly baptised to be a member (as indeed they are), some families may not see things in quite that way. It is for the PCC to decide whether they wish to rely on the legal reason of legitimate interest, or whether they want to use consent – taking into account the local situation.

It needs to be transparent and clear to parents that you will keep in touch with the various activities that you propose, and if families are not regular church goers, then it may be a surprise. One light touch approach that we have suggested in the training course is to offer a card to families during the pastoral visits/baptism preparation. This is designed to give you a half to leave with the families and a half to take away (and is repeated so that you can get two cards out of one piece of card.) Obviously you would change the wording to suit you.

You can find the card here.

A lot will depend on what sort of communication you are using mailchimp for, and what legal basis you are relying on? Is it legitimate interest? Or is it consent? If it is the former then you will not need a programme to collect consents.

However, you may want to pay attention to the principle that the data should be accurate: and as part of good practice, you may want to take the opportunity to write to people and ask them to confirm their details, and possibly the sort of emails that they would like to get from you: weekly service sheets, special services, or whatever categories you use. Before you do this, you may want to check that you have the correct categories, or lists set up, and that everyone who uses mailchimp knows how they are to be used.

You should make sure that your privacy notice identifies the data that you are holding in mailchimp: including the ability to see what fraction of emails are actually opened. You are actually sharing your data with the mailchimp organisation, and they may be holding the data outside the European Economic Area, and so you should check that their privacy policy is at least as strong as your own.

Most PCCs do not need to register with the Information Commissioner’s Office (ICO) - but are still bound by GDPR. Exceptions are if you make a profit or use CCTV.​

You must:​

• only process information necessary to establish or maintain membership or support​
• only process information necessary to provide or administer activities for people who are members of the organisation or have regular contact with it​
• only hold information about individuals whose data you need to process for this exempt purpose​
• the personal data you process is restricted to personal information that is necessary for this exempt purpose​

The data you have is not very sensitive unless you have any contacts with particular security needs. It would be reasonable to make sure that you have thought about the stuff you keep at home, and how likely it is to be accessed by others: but if you have a tidy office and well-behaved visitors, then you can argue you have taken fair precautions.

You do need to think about what might happen is a subject access request was made and you were on holiday. Could it be answered in the time required? Might it be better for electronic information to be stored on “the cloud” so that another person could access it if needed? How can you make this work for the paper information you are holding?

The form SG1 is a statutory form provided by the national church and is in the Church Representation Rules. We don’t have any authority to amend it. It is designed to collect information necessary to put people on the electoral roll: no consent is needed for that because it is a legal function being carried out by the parish.

 The Church Representation Rules explicitly set out the data that is collected via this form and for what purposes.

PCC members may have their own copies of minutes, and, depending on what your minutes contain, you may want to develop local procedures about how they should be kept and destroyed. It is unlikely that sensitive personal data is routinely included in non confidential minutes. Your PCC secretary will know how to deal with confidential matters.

You may want to think about how you write minutes going forward. “The PCC agreed to continue with the same person to mow the churchyard”, rather than “The PCC asked Jane Smith of 10 the Avenue Phone 12345 to do the cleaning.”

As a parish with multiple clergy, all my clergy colleagues will process their data under the terms of the parish privacy notice. As I have to have my own, do I have to have my own set of consent forms, and manage my own data audit?

The incumbent is responsible for ensuring that he/she manages personal data provided by data subjects in line with GDPR, so all of the guidance provided is applicable to incumbents as well as PCCs.

As to a consent form, the incumbent needs to ask themself whether they are relying on consent as the legal basis, and whether the person already consented to having their information held by the PCC for the same purpose (eg contact, prayer), and so that, as a member of the PCC, the incumbent can rely on that consent.

The only time the incumbent would need a consent form is for personal data they are holding as an incumbent, rather than as the church as a whole, and for which you need consent. Register info may be held by the incumbent, but is required by canon law, so no consent needed. Other pastoral encounters, may need consent, but belong to the church as a whole (even if they are confidential to one or two people) rather than to the incumbent. If there is data held by the incumbent, by virtue of the office, and for which consent is required then there will need to be a separate consent form, presumably a variation of the PCC one.

Other parish clergy come under the PCC – so as long as they follow the procedure the PCC has set out – they are covered.

I suggest you use the model consent form on the parish resources website.

And let people know where they can see your privacy notice.

Keep or Bin