Data Protection Policy
NESS BANK CHURCH OF SCOTLAND INVERNESS
Charity Number SC010870
GENERAL DATA PROTECTION REGULATION
The Church of Scotland and its congregations are required by law to comply with the recently introduced EU General Data Protection Regulation (GDPR). Ness Bank Church has always taken Data Protection Regulations very seriously and the Kirk Session has appointed an individual with responsibility for data protection issues.
Mr David R Abbott (Tel 01463 225081; Email firstname.lastname@example.org) has agreed to take on this rôle.
What is happening and why is it important?
The General Data Protection Regulation (GDPR) took effect in the UK on 25 May 2018. It replaced the existing law on data protection (the Data Protection Act 1998) and gives individuals more rights and protections with regard to how their personal data is used by organisations.
Congregations must comply with its requirements, as there are no relevant exemptions for charities or small organisations. This is a brief guide highlighting the main things you need to know and the points that you will need to action.
The GDPR sets out a list of data protection principles.
They are that personal data must be:
1. processed lawfully, fairly and transparently;
2. only used for a specific processing purpose that
the data subject has been made aware of;
3. adequate, relevant and not excessive;
4. accurate and where necessary kept up to date;
5. not stored for longer than is necessary, i .e. storage limitation;
6. stored in a safe and secure manner.
There is also a new ‘accountability’ principle which provides that the data controller must be able to demonstrate compliance with the first 6 principles.
Personal data is information relating to a living individual, who can be identified directly from that data or indirectly by reference to other data held.
Processing is anything done with/to personal data, including storing it.
The data subject is the person about whom personal data is processed.
The data controller is the person or organisation who determines the manner and purposes of data processing.
Key Points for Congregations
1. There are several legal bases for processing data. The main one which will be relevant for congregations is legitimate interest. This allows for processing of information for general church management including dealing with membership lists and rotas, etc. Other legal bases include: legal obligation(such as processing Gift Aid);contract (e.g. letting out the church hall);or consent(this will generally only be required if personal details being shared with a third party e.g. by uploading it to a website, publishing it in a magazine or posting in on a noticeboard in a public place). For each processing activity, you will need to be clear about the legal basis for doing so.
2. If you are obtaining consent for the data processing described above, this will need to be clear and unambiguous with some form of positive action to ‘opt in’. You must ensure that you have this consent before any processing begins.
3. Where the data reveals religious belief it becomes “special category data” which requires additional care. Processing is prohibited unless one of the listed exemptions applies. Two of these exemptions will be especially relevant and useful for congregations:
(i) the individual has given explicit consent to the processing of the personal data for one or more specified purposes;
(ii) processing is carried out in the course of its legitimate activities with appropriate
safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with in connection with its purposes and that the personal data is not disclosed outside that body without the consent of the data subjects.
4. Data subjects have a number of rights, including that of knowing how data is used by the data controller, of knowing what data is held about them, of correcting any errors and generally the right ‘to be forgotten’(although this is not an absolute right).
5. The GDPR introduces a requirement of accountability for data controllers. This means that you must be able to show that you are complying with the principles by providing evidence.
6. Whilst the GDPR removes the requirement for data controllers to register with the Information Commissioner’s Office (ICO), there will be an annual data protection fee.
The good news is that Presbytery Clerks will continue to register for all congregations within their bounds.
Training is essential and office bearers and those handling personal information should watch the Church of Scotland Training Webinar which can be accessed by clicking here.
All the relevant documents about GDPR can be found by followimg this link to the
Everyone who processes data on behalf of the congregation has the responsibility to ensure that personal data collected and stored is handled appropriately. For electronic storage, passwords should be kept secure, should be strong, should be changed regularly and should not be written down or shared with others. Do not send emails containing personal data to, or receive from, a work email address. Use “bcc” rather than “cc” or “to” fields. Encrypt or password protect personal data before sending it electronically.