Data Protection

Local churches, Circuits and Districts find themselves holding a variety of personal data including details of members and employees. The information accessible from this Data Protection page explains the obligations imposed on Managing Trustees in relation to this data under Data Protection legislation. The guidance helps Managing Trustees to identify what personal data is, how to hold it securely and for what purposes that personal data can be used. This includes Circuit and District directories.

Managing Trustees will find it helpful to refer to the following documents and guidance in the Data Protection Toolkit.

Guidance for Managing Trustees on Data Protection

Data Protection Toolkit

The data protection toolkit is comprised of the following policies, guidance and templates:

Privacy Notice

Privacy Notice - This outward facing document tells people what the Local Churches, Circuits and Districts do with their information and how it is kept safe.

Policies

Data Protection Policy* - An overarching “policy” or “rulebook” that those handling personal data within Local Churches, Circuits and Districts need to follow clarifying what everybody’s responsibilities are. Read this policy alongside the Data Protection Responsibilities in a Nutshell guide with its practical examples and summary of the responsibilities placed on Managing Trustees and the controllers.
Data Security Policy* – Policy and practical guidelines on keeping personal information safe.
Breach Policy (Interim)* – Practical guidelines on how to respond to the loss or unauthorised disclosure of personal information.
Subject Access Request (SAR) Policy* – Policy setting out a step by step process that Managing Trustees need to follow when a Data Subject Access Request (DSAR) is received from an individual.

* Where a document is marked with a star, it is available on the password protected part of TMCP's website. This is because these policies are internal policies rather than the external facing Privacy Notice. Managing Trustees who do not already have the password, please contact TMCP.

Template Notices, Registers and Forms

Processor Record for Managing Trustees
Data Mapping Form for Managing Trustees – Template form that Managing Trustees can use to help them to record what personal data they hold.
Non-Exhaustive List of Examples – Examples based on the results of the Working Party’s data mapping exercise to help Methodist Managing Trustees complete the Data Mapping Form .
Breach Record for Managing Trustees – Table to record all instances of breach however large or small i.e. whether or not the individual concerned needs to be notified.
Template Consent Form – Template form of wording that can be adapted for use by Managing Trustees if (and only if) consent needs to be relied upon in accordance with the Annex to the Privacy Notice – perhaps because personal information about church members is being shared with third parties (e.g. making directories available on websites).
Consent Record for Managing Trustees – Table to record how and when consent was given and what was said using this record, if Local Churches, Circuits or Districts need to rely on consent.
Data Subject Access Request Form (SAR Form) – Sample Data Subject Access Request Form that can be used by individuals to request details of personal data held.
Template Fair Processing Statement

Guidelines and Schedules

Lawful Bases Guidance – “Guidelines on Lawful Bases for Processing Personal Data”
Retention Schedule – Please refer to the retention schedule on the Methodist Church website (http://www.methodist.org.uk/for-ministers-and-office-holders/office-holders/archivists/) – Note that this is under review and keep referring back to it for the up-to-date position.

Additional Guidance:

Videos and Slides:

Consents and Update on the Privacy and Electronic Communications Regulations (PECR) - A TMCP training video talking Managing Trustees through the consents form and PECR
Data Champions Forum - A recording of the meeting held with District Data Champions on 22nd April 2021
GDPR Training Webinar 1 - Introduction to GDPR - Initial training video for Methodist Managing Trustees outlining the impact of GDPR and the next steps for Managing Trustees to take to prepare for its introduction on 25th May 2018 and beyond.
Introduction to GDPR - slides - Slides from the above presentation in .pdf format. If you would like a copy of the original PowerPoint presentation, please contact us via the contact form or by email and we will be pleased to send this out to you.
RMF Presentation Slides – slides from the presentation given at the Resourcing Mission Forum on 9 May 2018 in pdf format. A video to accompany the slides will be available shortly. In the meantime if you would like Powerpoint version of the slides please contact us via the contact form or by email.
Training Day Slides - Below are links to PDF copies of the slides from the GDPR training days led by TMCP in Autumn 2019 and hosted by the firms on the Methodist Panel of Solicitors. If you would like a copy of the original PowerPoint (.pptx) presentations, please contact us via the contact form or by email and we will be pleased to send these out to you.

Guidance notes:

9 Steps for Methodist Managing Trustees to Take Now to Comply with GDPR (Updated on 7th June 2018) - Practical steps for Managing Trustees to ensure compliance with the General Data Protection Regulation (GDPR).
Shared Churches and Data Protection Focus Note
General Data Protection Regulation (GDPR) Guidance Note – Legislation guidance focusing on the changes brought in by the new GDPR.
Do’s and Don’ts – A new guidance note summarising the basic steps that Managing Trustees can take (and avoid) to help them to comply with the Data Protection Act and the GDPR.
Who are the Data Controllers and where to get help? - Information on the role of Data Controller, who they are in the context of the Methodist Church and how and when to contact them.

Articles:

New Privacy Notice for Managing Trustees
It's not all about Consent - New Lawful Bases Guidance
Data Responsibilities in a Nutshell
Data Protection Toolkit
New Data Protection Guidance – News Hub – Article highlighting the next instalment of data protection guidance and templates available on the TMCP website from 6 March 2018.
GDPR Myths - News Hub – Article challenging some of the common myths about GDPR in the context of the Methodist Church.

Charts:

GDPR Changes at a Glance – Chart summarising the changes brought in by the General Data Protection Regulation (GDPR).

FAQs:

Data Protection FAQs – A sample of questions frequently asked by Managing Trustees about data protection issues.

Publications:

Data Protection Responsibilities in a Nutshell - Summarises the steps that volunteers, ministers and staff within the Church need to take to protect each other's privacy and keep personal information safe. Also available to print in booklet format.

External guidance:

http://www.methodist.org.uk/
https://ico.org.uk/ - The Information Commissioner’s website.

Practical guidance in the form of questions and answers is available via the Parishes Resources website in the Archbishop Council’s Parish Guide to the General Data Protection Regulation (GDPR). Although aimed at the Church of England and containing much of the same information as the General Data Protection Regulation (GDPR) Guidance Note Managing Trustees may find the guidance of assistance.

Please watch this space for new and upcoming guidance, policies and templates on Data Protection.

What do we do if we receive a data subject access request (SAR)?

Managing Trustees need to be aware that individuals have a legal right to know what data is being held about them by making a Data Subject Access Request (SAR). If you receive a SAR please forward this to TMCP immediately as TMCP currently acts as advisor on “Data Subject Access Requests”.

Although TMCP has devised the SAR Form for an individual to complete and submit, there is no specific format which a request for data should take. If Managing Trustees receive an SAR from an individual then there is a statutory time period of 30 calendar days in which they must respond and Managing Trustees must contact TMCP in its role as data controller at the earliest opportunity. If Managing Trustees fail to take immediate action within the timescales, they could be liable to a fine or legal proceedings could be instigated as a result of non-compliance with the Act. Please refer to Section C3 of the General Data Protection Guidance Note for details of the changes to be brought in under the GDPR.

Staying updated

The working party will be regularly updating the Church on developments so please keep referring back to this page and see the Methodist Church website.

You can also receive email alerts from TMCP if you “sign up” to receive notification of new articles published in the News Hub section on the TMCP website. Please sign-up to receive notifications from TMCP’s website to ensure that you receive notice of new and updated guidance on data protection. To do this please look out for the “Stay updated” banner appearing at the foot of each webpage, insert your contact email address and confirm you would like to receive notifications when you receive a welcome email from TMCP.

If you have any general queries on Data Protection please contact TMCP.

v2.2

Index

Managing Trustees' Privacy Notice

The privacy notice for Local Churches, Circuits and Districts within the Methodist Church in Great Britain.

Resources