Local churches, Circuits and Districts find themselves holding a variety of personal data including details of members and employees. The information accessible from this Data Protection page explains the obligations imposed on Managing Trustees in relation to this data under Data Protection legislation. The guidance helps Managing Trustees to identify what personal data is, how to hold it securely and for what purposes that personal data can be used. This includes church and Circuit directories and the use of and recording of CCTV.
In 2018 we will see significant changes in Data Protection law with the introduction of the European General Data Protection Regulation (‘GDPR’). Managing Trustees need to be aware of the changes brought about by GDPR and how it will affect local church life.
TMCP and the Connexional Team are working together and have formed a Working Party which will oversee the transition from the current legislation to the new laws brought about by the GDPR which come into force in May 2018. For ongoing projects such as the Circuit Directories, steps will need to be taken to ensure compliance with the then current Data Protection law when data is next collected e.g. at the start of the next Connexional Year. Managing Trustees have time to ensure that appropriate processes are put in place.
Guidance and support will be rolled out to all Methodist Districts in the coming months to help Managing Trustees understand the steps that will need to be taken to comply with the new requirements. This will enable Districts to provide practical help and guidance to their local churches and circuits. This will run alongside target specific training provided by the Working Party which will come in the form of webinars, news bulletins, online articles and live training sessions at a number of different forums.
A whole host of policies and procedures have also been identified which will be made available to all Managing Trustees over the coming months by the working party to help ensure compliance with GDPR.
As well as identifying the policies and procedures that all local churches, Circuits and Districts will need for compliance with GDPR, the Working Party are also producing step by step practical guidance along with model documents and forms for use by the Managing Trustees.
A draft timeline has also been produced by the Working Party which identifies key dates which the Working Party are working towards in preparation of GDPR which includes a GDPR presentation at the District Chairs meeting in March.
Guidance for Managing Trustees on Data Protection
Managing Trustees will find it helpful to refer to the following guidance:
- Data Protection Booklet – Detailed guidance on the obligations on Managing Trustees under the Data Protection Act 1998 and the role of TMCP as data controller.
- Do’s and Don’ts – A new guidance note summarising the basic steps that Managing Trustees can take (and avoid) to help them to comply with the Data Protection Act 1998 and the GDPR (when it comes into force in May 2018).
- General Data Protection Guidance Note – Legislation guidance note focusing on the changes brought in by the new GDPR.
- Data Collection article - News Hub – Article on collecting personal data for inclusion in local church, Circuit and District directories under the new GDPR.
- GDPR Information for Church Directories - News Hub – Article including short form of wording to alert people to the forthcoming GDPR
Standard Documents and Forms:
- Data Subject Access Request Form (SAR Form) – sample Data Subject Access Request Form that can be used by individuals to request details of personal data held.
Practical guidance in the form of questions and answers is available via the Parishes Resources website in the Archbishop Council’s Parish Guide to the General Data Protection Regulation (GDPR) . Although aimed at the Church of England and containing much of the same information as the General Data Protection Regulation (GDPR) Guidance Note Managing Trustees may find the guidance of assistance.
Please watch this space for new and upcoming guidance on data Protection. At the start of January, we will be finalising user friendly guidance on the practical application of the changes brought by the GDPR in the Methodist Church and the steps that Managing Trustees can take including “Practical steps to take now to get you under way” and specific guidance on Church websites, newsletters and what to do if there is no consent.
What do we do if we receive a data subject access request (SAR)?
Managing Trustees need to be aware that individuals have a legal right to know what data is being held about them by making a Data Subject Access Request (SAR). If you receive a SAR please forward this to TMCP immediately as TMCP currently acts as advisor on “Data Subject Access Requests”.
Although TMCP has devised the SAR Form for an individual to complete and submit, there is no specific format which a request for data should take. If Managing Trustees receive an SAR from an individual then there is a statutory time period of 40 calendar days (note that this will be 30 days after the GDPR comes into force) in which they must respond and Managing Trustees must contact TMCP in its role as data controller at the earliest opportunity. If Managing Trustees fail to take immediate action within the timescales, they could be liable to a fine or legal proceedings could be instigated as a result of non-compliance with the Act. Please refer to Section C3 of the General Data Protection Guidance Note for details of the changes to be brought in under the GDPR.
The working party will be regularly updating the Church on developments so please keep referring back to this page and see the Methodist Church website.
You can also receive email alerts from TMCP if you “sign up” to receive notification of new articles published in the News Hub section on the TMCP website. Please sign-up to receive notifications from TMCP’s website to ensure that you receive notice of new and updated guidance on data protection. To do this please look out for the “Stay updated” banner appearing at the foot of each webpage, insert your contact email address and confirm you would like to receive notifications when you receive a welcome email from TMCP.
If you have any general queries on Data Protection please contact TMCP.