It is now nearly four years since the General Data Protection Regulations (GDPR) came into force on the 25th May 2018, along with the Data Protection Act 2018, which effectively implemented GDPR in the UK.
As the onus of responsibility shifts from implementation to accountability, the checklist below summarises the practical steps that all Local Churches, Circuits and Districts must take to ensure their data protection practices are robust. The Checklist should be completed by those responsible for keeping information relating to other people safe.
Your District Data Champions will ensure that all Local Churches, Circuits and the District complete the checklist and hold a signed and dated copy of it by the end of May each year. The District will keep a record of who has completed the checklist and provide a copy of the Data Protection Checklist Annual Return to TMCP. TMCP will be in touch with the Districts and the District Data Champions separately in due course.
Whether the personal information (data) of individuals belongs to Church members, their families, employees or third parties who use church premises, it is in the interests of all to ensure that the information is looked after carefully and kept safe. Carrying out the new seven checks of the checklist will assist those who handle personal data to do that. Please note this is not a completely definitive list and there may be other issues that Districts need to consider.
Please read this checklist together with the suite of data protection guidance and policies already available on the Data Protection page on TMCP’s website which will help you understand how to practically comply with the requirements of data protection legislation.
There is also a shortened Word version of the Checklist which can be downloaded here. This should however be read in conjunction with the more detailed Checklist below.
Step 1 - Where to begin?
Before starting to complete the checklist, please take this opportunity to review the personal information that your Managing Trustee body, i.e. the Local Church, Circuit or District, holds. You can only carry out checks 2 to 7 if you first understand what personal information you have and what you do with it. Reviewing the information you hold is called “data mapping” and is effectively an inventory of the information you hold about individuals. Please refer to the guidance and resources accompanying Check 1 to help you. If you carried out this exercise in 2018 and/or when you completed the first Annual Checklist last year, you just need to double check that your records are up to date. For example, do you hold less information than last year due to a dance class no longer using your premises, or more data due to a new messy church group starting?
Follow up actions
A – Use the guidance available
Make sure those handling people’s information are aware of their data protection responsibilities.
Over time, different people are appointed to positions within the Church who handle personal data about individuals. It is also the case that people need to be provided with reminders and refresher training on the requirements of Data Protection legislation.
Ensure that people consider and regularly refer to the following resources to help Managing Trustees with their ongoing training and encourage them to sign up to the TMCP Newshub so that they can be alerted to any updates as soon as they become available:
- Data Responsibilities in a Nutshell – this is a good place to start if you are new to data protection;
- Data Protection Toolkit;
- 9 Steps for Managing Trustees to take now;
- GDPR Do’s & Don’ts;
- Review the Data Protection Policies and ensure you understand the GDPR Principles;
- Watch the Data Protection Training webinar on the TMCP website;
- Access and watch additional training material as and when it becomes available.
B - Know who your District Data Champion is and go to them for help
For Local Churches and Circuits that have a District Data Champion, they are a crucial point of contact for Managing Trustees wanting to discuss routine data protection matters. They have received additional data protection training, which is ongoing, and are equipped to help Managing Trustees navigate the requirements of data protection legislation.
Please find out who your Data Champion is and contact them if you have any data protection questions.
For the Districts which have not yet appointed a District Data Champion (DDC), we kindly ask that this is made a priority over the New Year. There are still 11 Districts who have not yet appointed a DDC. To ensure that, as a Church, we have complied with the legal responsibilities upon us, demonstrate commitment to our data protection responsibilities and are seen as a Church which cares about its members and associates, we strongly urge those Districts to take action to make such an appointment.
C - Let us know if you have any training needs and make use of the resources available on TMCP’s website to help you
Ongoing training is a requirement of the GDPR and Managing Trustees must be able to demonstrate this in order to comply with the Accountability Principle. Keep a record of who has accessed what training and when. A sample Training Record is now available for Managing Trustees here.
As Managing Trustees work through the various training resources on TMCP’s website and put this into practice, it will become apparent where additional training is needed. These needs will become especially apparent if, and when, a data breach is experienced.
Please contact TMCP if there are any specific training requirements Managing Trustees would like to see featured in the next round of data protection training.
Additional material to help Managing Trustees to take these steps will continue to appear on TMCP’s website. Sign up to receive the News Hub alerts to keep pace with what is available. Alternatively, please do not hesitate to contact TMCP if you have any general data protection queries, and the Conference Office for enquiries relating to safeguarding and complaints and discipline issues.