Section A - Introduction

These frequently asked questions are to be read in conjunction with the data protection guidance available from the data protection page and cover issues that are often raised in relation to data protection in the context of the Methodist Church. The issues covered include the changes that will be brought in by the General Data Protection Regulation (GDPR) when it comes into force on 25 May 2018.

In these Frequently Asked Questions:

Working Party is the Data Protection Working Party comprising representatives of TMCP and the Connexional Team.

GDPR is the General Data Protection Regulation.

9 Steps Focus Note is the 9 Steps for Methodist Managing Trustees to Take Now to Comply with GDPR (9 Steps) Focus Note produced by the Working Party.

Processing" basically means anything that Managing Trustees do to or with personal data. The GDPR states that processing includes the; “collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” of such data (GDPR Article 4(2)).

Section B – Frequently Asked Questions

Q1. Introduction of GDPR

Q1.1 Members of the Circuit Meeting have been reading about the General Data Protection Regulation in the media and are alarmed. Where can we get help and what is the Connexion doing to help Managing Trustees like us?

A1.1 There is no need for Managing Trustees to be alarmed by the new laws brought about by the GDPR. Although GDPR brings some changes to the current data protection laws, the changes are not as far reaching and alarming as Managing Trustees may fear from the coverage in the media. GDPR can be seen as simply bringing the current laws into the twenty first Century recognising the sheer amount of data that is now collected, much of it by electronic means and ensuring everybody looks after this information properly. There is time for Managing Trustees to review their existing procedures and ensure that they are ready to process personal information (data) in accordance with GDPR by the time it comes into force in May using the resources being developed especially for Managing Trustees by the Working Party. The GDPR Myths article discusses some of the myths surrounding GDPR and explains while there is work to be done; Managing Trustees do not need to be alarmed.

TMCP and the Connexional Team are working together having formed the Working Party to oversee the transition from the current legislation. Guidance, support and training will be rolled out to all Methodist Districts in the run up to GDPR coming into force on 25th May 2018, which will help the Districts assist Circuit Meetings and Local Churches to understand the steps that will need to be taken to comply with the new requirements. The Working Party has undertaken a data mapping exercise to gain an insight into the personal information held by Local Churches, Circuits and Districts, what this is used for, who has access to it and how it is currently protected. This work will enable the Working Party to draw up policies, procedures and template documents and forms for Managing Trustees to use, accompanied with detailed and practical guidance aimed specifically at Methodist Managing Trustees. Managing Trustees can therefore rest assured that support is at hand and work is underway to help them through the transition.

Managing Trustees can refer to Section C for details of where to find helpful guidance. In terms of changes brought by GDPR, the General Data Protection Regulation (GDPR) Guidance Note and GDPR Changes at a Glance set out the main changes GDPR will bring to data protection law and how this will affect the Methodist Church as a whole. Managing Trustees are also encouraged to read the 9 Steps Focus Note and follow the practical steps that Managing Trustees will need to take to prepare for GDPR. This Focus Note indicates the types of template documents, policies and detailed guidance that are in the pipeline.

Q1.2 Does the introduction of the GDPR affect us as a Local Church?

A1.2 Yes, the GDPR will be the main data protection legislation in the UK and all EU member states when it comes into force on 25th May 2018. GDPR applies to all organisations that deal with (process) personal information about individuals (personal data) whether the organisation is a large corporation, a local authority or a small charity such as a Local Church Council. GDPR, like the current Data Protection Act 1998 applies to the various managing trustee bodies that process personal information (data) within the Methodist Church including Local Churches, Circuits and Districts.

It is therefore important for all those who deal with personal data within the Local Church, whether Managing Trustees, other church members, volunteers or employees to use the guidance and other resources that are being produced by the Methodist Church’s Working Party to ensure that the Local Church collects, stores and uses (processes) the personal information that it handles carefully in accordance with current data protection legislation, and gets ready for the introduction of GDPR. The 9 Steps Focus Note outlines the practical steps that Managing Trustees will need to take to do this.

Q1.3 In summary, what does GDPR mean we now have to do with personal information?

A1.3 For an introduction to the steps that will need to be taken to comply with the current data protection requirements, now embodied in GDPR and the Data Protection Act 2018, please refer to the 9 Steps for Methodist Managing Trustees to Take Now to Comply with GDPR and the summary of the responsibilities placed on Managing Trustees in the booklet Data Protection Responsibilities in a Nutshell.
In summary however, this means that Managing Trustees would need to take the following steps when being given or handling personal information:

  • ensure that the required privacy information is provided to individuals - let people know where to find the Managing Trustees’ Privacy Notice; tell them where to find it on TMCP’s website or on your noticeboard. Do this in person e.g. when they give you personal information or include a short notice at the end of your email or a form collecting information for example. Include a hyperlink if you are corresponding electronically. For an example of the wording that could be used please refer to the Template Fair Processing Statement
  • keep the information secure – follow the guidelines in the Security Policy;
  • deal with any requests to exercise individual’s rights under GDPR ; and
  • apply the retention and destruction policies (see Section 6.2 of the Security Policy).

Please refer to the Data Protection page on TMCP’s website for guidance, policies, template documents and general information about data protection in the context of the Methodist Church.

Q2. Consent

Q2.1 One of our members has told us that new data protection laws are being introduced and they will mean that we have to ask for consent before we do anything involving personal data. Is this true?

A2.1 No. Consent is just one of six legal grounds (lawful bases) on which Managing Trustees can deal with (process) personal information. While consent maybe the only legal ground available to Managing Trustees in some cases, such as allowing third party access to sensitive information about health for example,there will often be other legal grounds that can be used. These include; “contractual obligations”, “legal obligations” and “legitimate interests”. Although the issue of consent has caught the imagination of the media and is a key issue in some areas such as sharing sensitive information (in particular) with third parties, please remember that Managing Trustees do not need consent every time they deal with (process) personal information (data). The Methodist Church is a member organisation, not a mass marketing company. As discussed at Step 5 of the 9 Steps Focus Note and the GDPR Myths article, Managing Trustees can base their use of personal information on one or more of a number of legal reasons, it is not all about “consent”.

Detailed guidance is going to be produced in relation to consent once the Working Party has analysed the results of the data mapping exercise (please refer to Step 2 of the 9 Steps Focus Note for information about data mapping). The results of this exercise will help the Working Party to look at the common purposes  for which Managing Trustees process personal information belonging to their members and the wider community and provide specific guidance on the most appropriate legal grounds that the data can be processed and how to document this.

If the only legal ground that Managing Trustees have for processing data is consent e.g. contact one-off donors about a specific fundraising event, then after 25th May 2018 the Managing Trustees would need to be careful that the consent obtained from an individual was valid under GDPR. Detailed guidance will be made available on this but for a summary please refer to Step 6 of the 9 Steps Focus Note and the guidance that is available from the ICO including their guidance on lawful bases for processing: “Consent”.

Q2.2 Do we need Consent from Individuals to include them in our Directories?

A2.2 Technically it may not always be necessary to obtain consent from individuals to include their details in Local Church and Circuit Directories but this does depend upon what happens to the Directories. It is understood that Directories are sometimes left in church vestibules, uploaded on to websites and sometimes actively distributed to non-members meaning that they are shared with third parties. Further more specific guidance will be provided to help Managing Trustees decide which lawful basis or bases they can rely on for Directories once the results of the Working Party’s data mapping exercise have been studied.

Where it is necessary to rely on consent e.g. where Directories are made available to the general public, and following the introduction of GDPR on 25th May 2018, this consent should be explicit and not implied. This means that the individual giving consent must have done something positive to provide their consent i.e. ticked a box saying they were happy for their details to be published in the directory. The consent must also have been given freely, specifically for the purpose in question (the directory), unambiguously and be informed. The individual has to understand why their consent is being asked for and what it is being given to.

Pending the more detailed guidance on selecting appropriate legal grounds (lawful bases) for using (processing) personal information, Managing Trustees can find specific guidance on Directories in the Local Church Circuit and District Directories – Data Collection article available in the News Hub Section of TMCP’s website. Managing Trustees can also use the Template Consent Form produced by the Working Party.

Q3. Directories

Q3.1 Does the Church/Circuit Directory have to be re-issued once GDPR comes into force?

A3.1 No. The Information Commissioner’s Office (ICO) recognises that organisations often collect personal information (personal data) on an annual basis and have indicated that provided steps are in place to comply with the requirements under GDPR for future collections of data e.g. when information is collected for the next, the 2018/2019 Directory, this should be sufficient. If the legal reason of “consent” is being relied upon at the moment, perhaps because the Directory is made available to third parties, the consent from last year will suffice until the Directory is re-issued at the start of the next Connexional year (1 September 2018).  It is akin to a service provider continuing to use their customer list to continue with their day to day business.

Next time personal information is collected for the Circuit or District Directory, Managing Trustees will need to be careful to obtain consent at the point of collection if this is one of the legal bases that the Managing Trustees decide to rely upon. Care will need to be taken that the information provided to members at the time (in the privacy notice and privacy policy), is sufficient. Step 3 of the 9 Steps Focus Note discusses the information that must be provided to individuals. This includes details of the legal reasons being relied on for that processing.

As discussed in FAQ 2.1, there are different legal grounds on which Managing Trustees can deal with (process) personal information (data) including publishing personal data in Local Church and Circuit Directories, not just consent. A Template Privacy Policy and Notice for Managing Trustees to adapt for their own use will be available shortly with accompanying guidance using the results of the Working Party’s data mapping exercise. The accompanying guidance will help Managing Trustees to decide what legal bases they can rely upon for collecting personal information to put into the Directory and using that information over the course of the Connexional year.

Q3.2 Can we circulate the Directory electronically?

A3.2. Yes, provided that all persons named in the Directory have explicitly consented to its distribution in this way. Please refer to FAQ 2.2 in relation to consent and the upcoming guidance.

If it is the intention to publish the Directory on a website e.g. the Local Church or Circuit’s website, then Managing Trustees need to consider that it may be viewed outside of the EU and the possibilities of people misusing the data for their own purposes. The Managing Trustees will be anxious to weigh the advantages of publishing the Directory on their website against the potential risks and may want to consider whether the amount of information can be limited to protect their members or if it should be withheld altogether. Why do the Managing Trustees want to publish the information on their website? Can they get the information to those who need it in a way that would better protect their members? Could the information be available to members only through the use of logins and passwords (albeit this could still be open to hackers) or only available on request allowing the Managing Trustees to verify why the information is needed and who wants to access it? If the information is publicised to enable third parties to make room bookings etc. can details of the room booking secretary be made available on the website using generic emails such as roombookings@localchurch.org.uk instead? While such measures may help the Managing Trustees to protect data, unless the information was anonymised or withheld completely, the measures would not remove the need for consent.

Further specific guidance on church websites is being produced by the Working Party. Managing Trustees will be notified when this is available via TMCP’s website and communications with the Districts.

Q3.3 Do we need Consent from Individuals to include them in our Directories?

A3.3 Refer to FAQ 2.2.

Q4. CCTV

Q4.1 We have CCTV installed at our Church.  Are we covered under TMCP’s notification?

A4.1 Yes, CCTV coverage is covered by TMCP’s registration (notification) with the Information Commissioner’s Office (ICO). As mentioned in FAQ 4 there are different legal reasons (lawful bases) that Managing Trustees can rely on to use (process) personal information and further guidance will be provided on this following collation of the results from the Working Party’s data mapping exercise. The legal reasons for recording images using CCTV would include for safety monitoring and crime prevention purposes.

The ICO has published a very detailed code of practice for CCTV that Managing Trustees can access. Although it relates to the Data Protection Act 1998 it is still relevant as a code of best practice pending the production of an updated code and includes a simple checklist for users of very limited CCTV systems which may be of particular relevance to Managing Trustees. The Working Party will also be providing specific guidance on CCTV aimed at the Methodist Church and a template policy for Managing Trustees to adapt for their use. As a general point, Managing Trustees must ensure that the footage recorded is fit for purpose and is not kept longer than is necessary.

Q5. Third party users

Q5.1 The Church keeps a database of all users of the premises along with contact details of managers and key holders.  Is this covered under TMCP’s Notification?

A5.1 Yes, TMCP’s registration with the Information Commissioner’s Office (ICO) covers use of personal information by Local Churches, Circuits and Districts including information about their third party users.

Please ensure those people are aware that their details are being kept in this way and review the information that is given to them when their details are collected (privacy notice) to ensure that it will meet the requirements under GDPR from 25th May 2018. As discussed in FAQ 3.1, certain information has to be provided to individuals at the point that data is collected and further guidance will be provided on this shortly following the data mapping exercise being carried out by the Working Party. The information includes details of the legal grounds (lawful bases) for processing the personal information (data). TMCP is also considering including data protection clauses into the standard licence and template booking form.

As mentioned in FAQ 2.1 and Step 3 of the 9 Steps Focus Note, there are different legal grounds that Managing Trustees can rely on to use personal information and further guidance will be provided on this once the results of the Working Party’s data mapping exercise have been collated and analysed. The legal grounds for storing (and using) the information on the “third party user” database maintained by the Local Church, could include contractual obligations and legitimate interests.

  • Is it necessary to perform obligations under the licence agreement?
  • Is storing and using the records necessary for the purposes of the legitimate interests of the charity?
  • Is the Managing Trustees use of the third party users’ personal information inside the reasonable expectations of the individuals involved (data subjects) – would they expect the Managing Trustees to use their information in this way?
  • Is use of the database necessary to enable the Managing Trustees to manage use of the rooms and/or satisfy the requirements under their insurance policy?

Managing Trustees will be notified when further guidance on lawful bases and the Template Privacy Notice and Policy are available via TMCP’s website.

Q5.2 We have third parties, such as the Brownies, which use our premises.  Are we responsible for the data collected by them? If they disclosed personal information to us by mistake, would we be responsible for the information then? Would we need to destroy such information and report it to the ICO?

A5.2 Third party user groups, (but not “church” groups) are responsible for the processing of their own data.  However, Managing Trustees need to be aware that should any of their third party groups’ data be incorrectly disclosed to the Managing Trustees, the Managing Trustees will be bound by the data protection principles.  This means that the Managing Trustees must not share the data with others, publish the data or gain from that data etc.

If there was a data breach by a third party e.g. an attendance register was left in the church premises at the end of a session, the Managing Trustees would be obliged to inform the 3rd party of the breach. It would then be the third party’s responsibility to assess whether the breach should be reported to the ICO and/or the individuals concerned i.e. the members appearing on that attendance register.  The Managing Trustees would not necessarily be under a duty to destroy the data if it could simply be handed back with no trace left on Managing Trustees’ records.

Q6. Data Controllers and Processors

Q6.1 Who are the Data Controllers in the Methodist Church?

A6.1 A Data Controller (“Controller” under the GDPR) is the legal entity that is responsible for ensuring compliance with the relevant data protection legislation. There are two Data Controllers for the Methodist Church; TMCP who acts as the Data Controller for all Local Churches, Circuits and Districts whose registration relates to all matters except where the Connexional Team’s registration applies, and the Connexional Team (under the name of the Methodist Church of Great Britain). The Connexional Team’s registration covers the work of the Connexional Team and all safeguarding and complaints and discipline issues. Further information on the roles of both Data Controllers, what data is covered by the two registrations and who Managing Trustees need to contact for help is set out in the Who are the Data Controllers Focus Note.

Managing Trustees should bear in mind when reading guidance produced by/for other charities such as the Church of England that the situation of having central data controllers is not the same. For the avoidance of doubt Managing Trustees are not Data Controllers.

Q6.2 Who are the Data Processors in the Methodist Church?

A6.2 The managing trustee bodies who deal with data/ information on behalf of the Methodist Church, being the Local Churches, Circuits and Districts are deemed to be the “Data Processors”. Managing Trustees should bear in mind that as “Processors” they are legally obliged to comply with GDPR and ensure that the data protection principles are adhered to. Managing Trustees also need to note that everybody who deals with personal information within the managing trustee body, Managing Trustees, church members, other volunteers and lay employees etc. need to be aware of the requirements under GDPR and what policies and procedures to follow e.g. in the event of a breach or receipt of a request from an individual for information about their personal data (a “SAR”).  The managing trustee body will need to ensure that the necessary people have the skills and knowledge to apply the law effectively. The guidance, training and template policies produced by the Working Party (see FAQ 1) will help the Managing Trustees in this process.

Q7. Brexit

Q7.1 Does the Brexit Vote mean that GDPR will not affect the UK?

A7.1 No, the UK's Information Commissioner has confirmed that GDPR will come into force on the 25th May 2018, which is before the UK is due to leave the EU. Managing Trustees should also bear in mind that the Data Protection Bill and European Union (Withdrawal) Bill are also going through parliament to ensure that even after the UK has left the EU, the obligations under GDPR will continue to apply in the UK.

Q8. Prayer Requests

Q8.1 Does GDPR prevent us requesting prayers for family members? (Prayer Requests within the Methodist Family)

A8.1 No. An individual who asks for prayers relating themselves is not covered by GDPR or the Data Protection Act 2018 because it has been asked in a personal capacity and they may disclose any information they wish to be made public.  The data protection working party (Working Party) takes a pragmatic and sensitive approach to the interpretation of GDPR within the Methodist Church and interprets ‘personal capacity’ to include ‘immediate family’.  This means that prayer requests relating to immediate family would also be treated as being asked in a personal capacity and fall outside of GDPR. ‘Immediate family’ should however be limited to spouses, parent/child relationships and siblings only and includes civil partnerships and step parent/child/sibling relationships. This conclusion has been reached following careful consideration of the risks involved and typical expectations of immediate family members within the Methodist Church.

However, even where GDPR and its administrative requirements do not apply, Managing Trustees do need to check that the request accords with the Methodist Church’s own prayer guidelines contained in the report adopted by the Methodist Conference in 2008 called, “With Integrity and Skill – Confidentiality in the Methodist Church ” (the Report). Please refer to the Prayer Request Focus Note (to follow). It is the individual's story; it is their choice whether or not to share their name and situation, what information is shared and who with, e.g. within the Church family or whoever may be at public worship or picks up a copy of a publically available newsletter which may include prayer requests. Managing Trustees will want to ensure that the individual is happy for their information to be shared and that in accordance with good practice; they have their “express permission”.

Please note that this is not the same as consent under GDPR and does not carry the administrative requirements discussed in FAQ 8.4. Also note that these are guidelines for good practice rather than prescriptive rules. It is recommended that Managing Trustees consider their current systems in light of the Report and their particular congregation and keep their practices under review.

Q8.2 Does GDPR prevent us requesting prayers for non-immediate family members verbally such as during a pastoral visit or in open worship? (Prayer Requests within the Methodist family)

A8.2 Verbal prayer requests are not covered by GDPR or the Data Protection Act 2018 because they are not written.  However, neither the request, nor the prayer itself, should be recorded in any way. If it was then the information would need to be treated as personal information under the data protection legislation. (Please refer to FAQ 1.3.)

However, although GDPR and its administrative requirements do not apply, Managing Trustees do need to consider the report adopted by the Methodist Conference in 2008 called, “With Integrity and Skill – Confidentiality in the Methodist Church ” (the Report). The Report calls for care to be taken when inviting topics for intercessory prayer (paragraph 12.9). Information about people should only be shared with their permission. Does the congregation need to be gently reminded of this? The Report suggests that topics for prayer could be invited rather than naming individuals (paragraph 8.16). Please refer to the guidance in FAQ 8.1.

Q8.3 Prayer trees and prayer boxes - Does GDPR mean that we can’t use prayer trees, books, chains and networks anymore?

A8.3 No – Prayer trees, books, chains and networks play an important role in the life of many Local Churches and GDPR does not put a stop to this. However, the introduction of GDPR does give Local Churches a good opportunity to review how and what information is shared in this way and to consider whether steps need to be taken to protect people, to ensure people are happy with their names and situations being shared in this way and to keep information safe.

Steps that Managing Trustees can take in view of the recommendations set out in the report adopted by the Methodist Conference in 2008 called, “With Integrity and Skill – Confidentiality in the Methodist Church ” (the Report) and GDPR include:

  • Make sure that people using the prayer tree, book, chain or network are aware that they should only disclose people’s names and situations if they have that person’s express permission. (This is one of the recommendations set out in the Report and is not a result of GDPR.) => Put a notice/message on the prayer book or online prayer tree or network etc. and make sure that users see this information before they post their prayer request.
  • Include a tick box where people can indicate that they have express permission.
  • Encourage people not to disclose special category personal information such as health information. (See Section A2 of the General Data Protection Regulation (GDPR) Guidance Note and Lawful Bases Fact Sheet 7 - Special Category Personal Data for an explanation of what information is deemed to be “special category” and the implications of this.)
  • Ensure that people understand that if special category information is disclosed and relates to people outside of the Church family or will be published e.g. available to the general public online or in a prayer book kept at the back of the chapel, that consent under GDPR will be required (see FAQ 2 and Lawful Bases Fact Sheet 4 – Consent).
  • Keep prayer requests made via prayer trees, books, chains and networks etc. under review. You can then keep track of requests that include names or describe situations without “express permission” or where special category information without consent is disclosed (where they relate to people outside of the church family or will be published) and can take down the request to protect the person at the focus of such request.
  • Let people know where to find the Managing Trustees’ Privacy Notice; include a short notice letting people know where to find it (e.g. on TMCP’s website and on your Local Church noticeboard) or include a hyperlink if prayer requests are shared electronically. For suggested wording please refer to the Template Fair Processing Notice
Please bear in mind that limiting the information disclosed in open prayer or publically available prayer requests to keep the individual’s identity hidden/confidential would mean that GDPR did not apply.

Q8.4 One of our Church Council members has told us that we can only pray for people if we have their consent. Is this true? It isn’t always practical or appropriate to ask for consent, especially where people need our prayers because they are so ill.

A8.4 Consent is not a pre-condition for prayer. As discussed in the answers to FAQs 8.1, 8.2 and 8.3, quite often GDPR does not even apply to prayer requests; namely where the requests are oral and/or relate to close family members. GDPR also does not apply where the request does not contain any personal information. Even if GDPR does apply, consent is only one legal reason that Managing Trustees can rely on to use personal information. In most cases Managing Trustees can rely on legitimate interests; prayer missionary is an integral part of the life of the Church and would be within the expectations of those within the Church family. This is confirmed in the Annex to the Managing Trustees’ Privacy Notice.

However, as confirmed in the Annex to the Managing Trustees’ Privacy Notice, there are situations when consent under GDPR is required. Consent would be required if:

  • A prayer request included personal information including special category information such as health information relating to members of the Church family (See Lawful Bases Fact Sheet 7 - Special Category Personal Data) AND was made public (via a website, publically available newsletter or noticeboard/prayer tree accessed by the general public, for example). This is because health information is treated as “special category personal data” under GDPR. This means that it requires satisfaction of one of the conditions under Article 9 of GDPR as well as establishing one of the lawful bases. If the information was not made public e.g. the prayer request could only be seen within the Church family, then consent would not be required. Under Article 9(2)(d) of GDPR, Managing Trustees can process sensitive personal information in the course of the legitimate activities of the charity with respect to their own members, former members, or persons with whom it has regular contact in connection with its purposes, provided that the information is not made public. (Please refer to further guidance in the Lawful Bases Fact Sheet 7 – Special Category Personal Data.)
  • A prayer request included personal information relating to an individual outside of the Church family. Legitimate interests is unlikely to apply because on balance, there is a risk that the request would not be within the individual’s reasonable expectations.

Where consent was required, the Managing Trustees would need to ensure that valid consent was obtained and recorded. This is detailed in Lawful Bases Fact Sheet 4 – Consent. Managing Trustees can use the Consent Form and the Template Consent Record to help them. Please note that this goes beyond the “permission” required under the prayer guidelines contained in the 2008 report adopted by the Methodist Conference called, “With Integrity and Skill – Confidentiality in the Methodist Church ” (the Report). (If consent is required, such consent would automatically show that you had obtained “permission” under the Report.)

Also, whether or not consent was required under GDPR, good practice under the Report would still need to be followed. Only share names and situations if you have “express permission”. Although consent under GDPR is different to the “express permission” required under the Report in terms of the administrative requirements (consent form, record etc.) in essence very little has changed. “Express permission” stems from Methodism itself rather than the external forces of GDPR.
 
Q8.5 What happens if we do not know whether consent under GDPR was given to disclosing health information in open prayer?

A8.5 If you are unable to verify whether or not consent has been given then no health information relating to that person should be disclosed.  This is not to say that prayers cannot be offered, but care must be taken not to disclose the individual’s identity or health issues (e.g. can prayers be offered to; “one of our members who is currently in hospital”)? The same would apply to non-disclosure of names and situations if you were unsure whether “express permission” had been given. Please refer to FAQ 8.1, paragraph 2 and the discussion of the guidelines set out in the report adopted by the Methodist Conference in 2008 called, “With Integrity and Skill – Confidentiality in the Methodist Church ”.

Q8.6 We have a prayer book where anybody who comes into our Local Church can write their requests. How do we obtain consent if an individual writes down one of their neighbour’s names for example and discloses their personal health information?

A8.6 If Ministers or preachers do not know who has made the prayer request, perhaps because the prayer book is open to general members of the public, then it is suggested that a notice is placed alongside the book.  The notice should clearly state that health information should not be disclosed without the individual’s consent and that by completing the prayer request, the Methodist Church will assume that the person making the request does have consent of the individual in question.  For more protection it is recommended that the prayer book has a self-declaring tick box where the person making the request has to confirm that they have consent.  Unless this is ticked, health information should not be read out in open prayer.

Please also bear in mind good practice under the report adopted by the Methodist Conference in 2008 called, “With Integrity and Skill – Confidentiality in the Methodist Church ”  on not disclosing names and situations without permission and consider whether this should be made clear to people using the prayer book.

Q8.7 Our Minister has told church members that they should only give Christian names when making prayer requests. We think this is disrespectful; do we have to do this under GDPR?

A8.7 In addition to non-disclosure of health information without consent, it is recommended by the Working Party that prayer requests should be limited to Christian name only in order to protect the individual as much as possible. It is understood that some people do find the use of first names only to be disrespectful. If the person making the request felt this way then under the report adopted by the Methodist Conference in 2008 called, “With Integrity and Skill – Confidentiality in the Methodist Church ”  the individual’s express permission would be required. Depending upon whether the information includes health information, if the individual about whom the prayer request has been made is within the church family, and whether the information will be shared publically, consent under GDPR could also be required (please see FAQ 8.4).

Q8.8 How does GDPR impact on Methodist practice?

A8.8 As demonstrated in the “With Integrity and Skill – Confidentiality in the Methodist Church ” (the Report), the Methodist Church has required permission to be given for the sharing of names and information about an individual's situation in public worship and open prayer for many years. GDPR only impacts on the treatment of the personal information contained in a prayer request (see bullet points in the response to FAQ 1.3). It also impacts on  the way consent is obtained and recorded if consent is actually required under GDPR e.g. where prayer requests include health information and this is either shared publically or relates to individuals who are outside of the church family.

Section C – Where Can We Find Further Guidance?

Please refer to the specific guidance that has already been produced for Methodist Managing Trustees accessible from the data protection page on TMCP’s website and refer to the Methodist Church website. Further specific guidance is being produced all the time and Managing Trustees will be notified when this is available via TMCP’s website and communications with the Districts.

There is a wealth of detailed guidance available on the Information Commissioner’s Office (ICO)’s website: https://ico.org.uk/for-organisations/.

Although the practicalities of dealing with data protection are not exactly the same in the Methodist Church of Great Britain and the Church of England, Managing Trustees may find the Church of England’s general guidance on the General Data Protection Regulation of assistance:

Archbishops Council’s Parish Guide to the General Data Protection Regulation (GDPR).

Managing Trustees should however rely on the practical, day to day guidance and templates being produced by the Working Party.

 

If Managing Trustees have any queries then please contact TMCP (dataprotection@tmcp.methodist.org.uk) for further assistance regarding general data protection matters and the Conference Office for queries specifically relating to safeguarding or complaints and discipline matters (dataprotection@methodistchurch.org.uk).

 

Disclaimer

 

Please note that this document is to provide guidance and assistance to Managing Trustees and their professional advisers. This guidance note is general in nature, may not reflect all recent legal developments and may not apply to the specific facts and circumstances of any particular matter.

 

Also note that nothing within the documents and guidance notes provided by TMCP nor any receipt or use of such information, should be construed or relied on as advertising or soliciting to provide any legal services. Nor does it create any solicitor-client relationship or provide any legal representation, advice or opinion whatsoever on behalf of TMCP or its employees.

 

Accordingly, neither TMCP nor its employees accept any responsibility for use of this document or action taken as a result of information provided in it.

 

Please remember that Managing Trustees need to take advice that is specific to the situation at hand. This document is not legal advice and is no substitute for such advice from Managing Trustees' own legal advisers.