Local churches, Circuits and Districts find themselves holding a variety of personal data including details of members and employees. The information accessible from this Data Protection page explains the obligations imposed on Managing Trustees in relation to this data under Data Protection legislation. The guidance helps Managing Trustees to identify what personal data is, how to hold it securely and for what purposes that personal data can be used. This includes church and Circuit directories and the use of and recording of CCTV.
GDPR Training Events
To help Managing Trustees of Local Methodist Churches, Circuits, and Districts to better understand their obligations under the new General Data Protection Regulation (GDPR) and implement relevant policies and procedures, two training events are being offered by TMCP and the Connexional Team (‘together the Working Party’): one in Manchester and one in London (same content at each). A web based version of the training will be available on www.tmcp.org.uk shortly afterward.
10.00 – 16.00 – presented by TMCP Legal Team.
What will be covered?
The training events are to assist ministers, officeholders and employees of local churches, circuits and districts who hold or process personal data. Due to the limited number of places circuits and districts are encouraged to identify one person who could attend the training event. This person will then be able to encourage and enable compliance with the new regulations within their circuit or district. The Working Party will ensure that webinars are made available after the event for those not able to attend or unable to obtain a place.
Lunch will be provided but attendees must attend at their own travel cost. Places are limited and will be allocated on a first come, first served basis. To book click on the link below:
Guidance for Managing Trustees on Data Protection
The law surrounding the General Data Protection Regulation (‘GDPR’) has not yet been finalised. The UK Data Protection Bill has been through its third reading in Parliament and amendments are being considered. There are likely to be changes in legislation and to the guidance provided by the ICO before 25 May 2018. Due to the fluid situation, the information provided on this website is also subject to amendment.
The Working Party will notify Managing Trustees when changes are made to existing guidance or when new guidance is made available via this website and other forms of publication or email (where appropriate). Don’t forget Managing Trustees can stay up to date by signing up to the TMCP News Hub and the link can be found at the bottom of this page.
Managing Trustees will find it helpful to refer to the following guidance:
Managing Trustees' Privacy Notice
- The Privacy Notice for Local Churches, Circuits and Districts within the Methodist Church in Great Britain.
Videos and Slides:
- GDPR Training Webinar 1 - Introduction to GDPR - Initial training video for Methodist Managing Trustees outlining the impact of GDPR and the next steps for Managing Trustees to take to prepare for its introduction on 25th May 2018 and beyond.
- Introduction to GDPR - slides - Slides from the above presentation in .pdf format. If you would like a copy of the original PowerPoint presentation, please contact us via the contact form or by email and we will be pleased to send this out to you.
- RMF Presentation Slides – slides from the presentation given at the Resourcing Mission Forum on 9 May 2018 in pdf format. A video to accompany the slides will be available shortly. In the meantime if you would like Powerpoint version of the slides please contact us via the contact form or by email.
- Training Day Slides - Slides from the GDPR training day held in Manchester on 22nd May 2018. If you would like a copy of the original PowerPoint presentations, please contact us via the contact form or by email and we will be pleased to send this out to you.
- 9 Steps for Methodist Managing Trustees to Take Now to Comply with GDPR - Practical steps for Managing Trustees to take now to prepare for the arrival of the General Data Protection Regulations (GDPR) on 25 May 2018.
- General Data Protection Guidance Note – Legislation guidance focusing on the changes brought in by the new GDPR.
- Do’s and Don’ts – A new guidance note summarising the basic steps that Managing Trustees can take (and avoid) to help them to comply with the Data Protection Act 1998 and the GDPR (when it comes into force in May 2018).
- Who are the Data Controllers and where to get help? - Information on the role of Data Controller, who they are in the context of the Methodist Church and how and when to contact them.
- Lawful Bases Guidance - Guidance to help Managing Trustees understand what lawful bases are, why they are needed, which lawful bases are appropriate in different circumstances and their responsibilities.
- New Data Protection Guidance – News Hub – Article highlighting the next instalment of data protection guidance and templates available on the TMCP website from 6 March 2018.
- GDPR Myths - News Hub – Article challenging some of the common myths about GDPR in the context of the Methodist Church.
- Data Collection article - News Hub – Article on collecting personal data for inclusion in local church, Circuit and District directories under the new GDPR.
- GDPR Information for Church Directories - News Hub – Article including short form of wording to alert people to the forthcoming GDPR
Standard Documents and Forms:
- Data Subject Access Request Form (SAR Form) – Sample Data Subject Access Request Form that can be used by individuals to request details of personal data held.
Data Mapping Form for Managing Trustees – Template form that Managing Trustees can use to help them to record what personal data they hold.
Non-Exhaustive List of Examples – Examples based on the results of the Working Party’s data mapping exercise to help Methodist Managing Trustees complete the Data Mapping Form .
Template Consent Form – Template form of wording that can be adapted for use by Managing Trustees where consent is required. Further guidance on lawful bases will follow but in the meantime please refer to the GDPR Myths article and FAQ 2.2 for guidance on consent and bear in mind that it is not always required.
- GDPR Changes at a Glance – Chart summarising the changes brought in by the General Data Protection Regulation (GDPR).
- Data Protection FAQs – A sample of questions frequently asked by Managing Trustees about data protection issues.
- Data Protection Booklet – Detailed guidance on the obligations on Managing Trustees under the Data Protection Act 1998 and the role of TMCP as data controller.
- Data Protection Responsibilities in a Nutshell - Summarises the steps that volunteers, ministers and staff within the Church need to take to protect each other's privacy and keep personal information safe. Also available to print in booklet format.
Practical guidance in the form of questions and answers is available via the Parishes Resources website in the Archbishop Council’s Parish Guide to the General Data Protection Regulation (GDPR). Although aimed at the Church of England and containing much of the same information as the General Data Protection Regulation (GDPR) Guidance Note Managing Trustees may find the guidance of assistance.
Please watch this space for new and upcoming guidance on Data Protection. Further practical guidance will follow over the next few months together with a toolkit of policies, template documents and forms for Managing Trustees to put in place to get ready for the introduction of GDPR.
What do we do if we receive a data subject access request (SAR)?
Managing Trustees need to be aware that individuals have a legal right to know what data is being held about them by making a Data Subject Access Request (SAR). If you receive a SAR please forward this to TMCP immediately as TMCP currently acts as advisor on “Data Subject Access Requests”.
Although TMCP has devised the SAR Form for an individual to complete and submit, there is no specific format which a request for data should take. If Managing Trustees receive an SAR from an individual then there is a statutory time period of 40 calendar days (note that this will be 30 days after the GDPR comes into force) in which they must respond and Managing Trustees must contact TMCP in its role as data controller at the earliest opportunity. If Managing Trustees fail to take immediate action within the timescales, they could be liable to a fine or legal proceedings could be instigated as a result of non-compliance with the Act. Please refer to Section C3 of the General Data Protection Guidance Note for details of the changes to be brought in under the GDPR.
The working party will be regularly updating the Church on developments so please keep referring back to this page and see the Methodist Church website.
You can also receive email alerts from TMCP if you “sign up” to receive notification of new articles published in the News Hub section on the TMCP website. Please sign-up to receive notifications from TMCP’s website to ensure that you receive notice of new and updated guidance on data protection. To do this please look out for the “Stay updated” banner appearing at the foot of each webpage, insert your contact email address and confirm you would like to receive notifications when you receive a welcome email from TMCP.
If you have any general queries on Data Protection please contact TMCP.