Section A - Introduction
These frequently asked questions are to be read in conjunction with the data protection guidance available from the data protection page and cover issues that are often raised in relation to data protection in the context of the Methodist Church. The issues covered include the changes that were brought in by the General Data Protection Regulation (GDPR) when it came into force on 25 May 2018.
In these Frequently Asked Questions:
Working Party is the Data Protection Working Party comprising representatives of TMCP and the Connexional Team.
GDPR is the General Data Protection Regulation.
9 Steps Focus Note is the 9 Steps for Methodist Managing Trustees to Take Now to Comply with GDPR (9 Steps) Focus Note produced by the Working Party.
“Processing” basically means anything that Managing Trustees do to or with personal data. The GDPR states that processing includes the “collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” of such data (GDPR Article 4(2)).
Section B – Frequently Asked Questions
Q1. Introduction of GDPR
A1.1 Yes, the GDPR is enshrined in UK law under the Data Protection Act 2018. The Data Protection Act 2018 applies to all organisations that deal with (process) personal information about individuals (personal data) whether the organisation is a large corporation, a local authority or a small charity such as a Local Church Council. The Data Protection Act 2018 applies to the various managing trustee bodies that process personal information (data) within the Methodist Church including Local Churches, Circuits and Districts.
It is therefore important for all those who deal with personal data within the Local Church, whether Managing Trustees, other church members, volunteers or employees to use the guidance and other resources available on the TMCP website to ensure that the Local Church collects, stores and uses (processes) the personal information that it handles carefully in accordance with current data protection legislation. The 9 Steps Focus Note outlines the practical steps that Managing Trustees will need to take to do this.
Q1.2 In summary, what does GDPR mean we now have to do with personal information?
A1.2 For an introduction to the steps that will need to be taken to comply with the current data protection requirements, now embodied in GDPR and the Data Protection Act 2018, please refer to the 9 Steps for Methodist Managing Trustees to Take Now to Comply with GDPR and the summary of the responsibilities placed on Managing Trustees in the booklet Data Protection Responsibilities in a Nutshell.
In summary however, this means that Managing Trustees would need to take the following steps when being given or handling personal information:
- ensure that the required privacy information is provided to individuals - let people know where to find the Managing Trustees’ Privacy Notice; tell them where to find it on TMCP’s website or on your noticeboard. Do this in person, e.g. when they give you personal information, or include a short notice at the end of your email or of a form collecting information. Include a hyperlink if you are corresponding electronically. For an example of the wording that could be used, please refer to the Template Fair Processing Statement;
- keep the information secure – follow the guidelines in the Security Policy;
- deal with any requests to exercise individuals’ rights under GDPR; and
- apply the retention and destruction policies (see Section 6.2 of the Security Policy).
Please refer to the Data Protection page on TMCP’s website for guidance, policies, template documents and general information about data protection in the context of the Methodist Church.
Q2. Consent
Q2.1 Do the new data protection laws introduced in 2018 mean that we have to ask for consent before we do anything involving personal data?
A2.1 No. Consent is just one of six legal grounds (lawful bases) on which Managing Trustees can deal with (process) personal information. While consent may be the only legal ground available to Managing Trustees in some cases, such as allowing third party access to sensitive information about health, there will often be other legal grounds that can be used. These include “contractual obligations”, “legal obligations” and “legitimate interests”. Although the issue of consent caught the imagination of the media at the time and is a key issue in some areas such as sharing sensitive information (in particular) with third parties, please remember that Managing Trustees do not need consent every time they deal with (process) personal information (data). The Methodist Church is a member organisation, not a mass marketing company. As discussed at Step 5 of the 9 Steps Focus Note and the GDPR Myths article, Managing Trustees can base their use of personal information on one or more of a number of legal reasons; it is not all about “consent”.
Detailed guidance has been produced on the Lawful Bases that Managing Trustees can rely on. Please refer to the Lawful Bases Guidance and the Annex to the Managing Trustees Privacy Notice which sets out which lawful basis should be relied on in any given situation.
If the only legal ground that Managing Trustees have for processing data is consent, e.g. to contact one-off donors about a specific fundraising event, then the Managing Trustees would need to be careful that the consent obtained from an individual was valid under GDPR. Please refer to Step 6 of the 9 Steps Focus Note, the Managing Trustees Data Collection Consent Form and the guidance that is available from the ICO, including their guidance on lawful bases for processing: “Consent”. Please ensure that consent is recorded using the Template Consent Record.
Q2.2 If consent is the legal basis relied upon for handling an individual’s personal data, does the consent have to be given via the Consent Form?
A2.2 No. Whilst the use of the Consent Form is recommended because it specifies what consent is being given for, consent can be given verbally or via email.
The consent, however it has been given, needs to be recorded so that Managing Trustees can verify when the consent was provided. As consent does not last forever, it is important for such records to be kept so that Managing Trustees know when the consent needs to be renewed. Whilst the periods for consents will vary (one year for the publication of annual church directories which are made publicly available, for example), they should not exceed two years. There is a Template Consent Record available for Managing Trustees to use on the TMCP website.
Q2.3 Is consent always required in relation to Circuit Directories and the Circuit plan?
A2.3 No. Consent is only required where:
- the directories / plans are put into the public domain by making them publicly available e.g. leaving them in church foyers or publishing them on a Local Church or Circuit website; and
- the personal information being made public belongs to individuals who are not Ministers in full Connexion or Local Church, Circuit and/or District officers.
When information is made public, control over how the personal data is used is lost. However, providing the directories/plans are not freely circulated to people outside of the Methodist Church family, Managing Trustees can rely on legitimate interests to produce them. Legitimate interests can also be relied upon where the information being made public belongs to Ministers in full Connexion or Local Church, Circuit and/or District officers. This is because they would expect their details to be made public when they take on the role. A Bookings Manager, for example, should expect that their contact details are made public in order for members of the public to contact them in relation to hiring church premises. They should however be given a choice as to what contact details are published.
Q2.4 The Data Collection Consent Form on TMCP’s website does not cover the sending out of the church magazine. Can I amend the consent form to include it?
A2.4 Yes. The Data Collection Consent Form is a guide and the circumstances listed are only examples of when consent could be required. Managing Trustees should refer to the Managing Trustees’ Privacy Notice and the Lawful Bases Guidance Note to help them determine whether or not consent is actually required as consent is not always the best legal basis to rely on for processing personal data. This is because consent can be withdrawn and unless another legal basis is identified, Managing Trustees would need to stop processing that person’s personal data.
Q3. Directories and Plans
Q3.1 Can we circulate the Directory electronically?
A3.1. Yes, provided that all persons named in the Directory have explicitly consented to its distribution in this way. Please refer to FAQ 2.3 in relation to consent.
If it is the intention to publish the Directory on a website e.g. the Local Church or Circuit’s website, then Managing Trustees need to consider that it may be viewed outside of the EU and the possibilities of people misusing the data for their own purposes. The Managing Trustees will be anxious to weigh the advantages of publishing the Directory on their website against the potential risks and may want to consider whether the amount of information can be limited to protect their members or if it should be withheld altogether. Why do the Managing Trustees want to publish the information on their website? Can they get the information to those who need it in a way that would better protect their members? Could the information be available to members only through the use of logins and passwords (albeit this could still be open to hackers) or only available on request allowing the Managing Trustees to verify why the information is needed and who wants to access it? If the information is publicised to enable third parties to make room bookings etc. can details of the room booking secretary be made available on the website using generic emails such as roombookings@localchurch.org.uk instead? While such measures may help the Managing Trustees to protect data, unless the information was anonymised or withheld completely, the measures would not remove the need for consent.
Further specific guidance on church websites is being produced by the Working Party. Managing Trustees will be notified when this is available via TMCP’s website and communications with the Districts.
Q3.2 Do we need Consent from Individuals to include them in our Directories?
A3.2 Refer to FAQ 2.3.
Q3.3 Do we need consent to produce the Preaching Plan (the ‘Plan’) and can we share this with third parties?
A3.3 No. You do not need consent to ‘produce’ the Plan, as Plans are required to record the appointments Local Preachers have committed to in accordance with their duties under SO 563.
It is a legitimate interest of the Methodist Church for the contact details of Local Preachers to be listed on the Plan so that members of the Local Preacher’s Meeting can communicate with one another, for example to substitute their appointments where they are unable to preach in accordance with SO 563(2)(vi).
Local Preachers are also expected to participate in a programme of continuing local preacher development under SO 563(3)(iii). The Plan and record data is used by the Districts, regional learning & development teams and the Local Preachers Office within the Connexional Team so that they can identify where certain training provisions and needs lie but also so they can keep the current approved Methodist Council training programme up to date and relevant.
The use of the Plans by the Circuit Local Preachers Meeting, District Local Preachers Officers and the Connexional Local Preachers Office is a legitimate interest of the Methodist Church in order to fulfil their functions under section 56 of Standing Orders. These elements of the Methodist Church are all ‘members’ of the Methodist Church, answerable to Conference, and therefore, for the purposes of Article 9(d) of GDPR, this does not breach any data sharing restrictions.
However, where the Plans are made public by leaving them in local church vestibules etc, control over Local Preachers’ personal data is lost and therefore consent is required from all such Local Preachers who are not in full Connexion. It must be made clear that consent is not being obtained to ‘produce’ the Plan, but to make the Plan ‘public’.
This often results in mixed views across the Connexion and a solution found by several Circuits is to produce two Plans:
- One which is for internal Methodist use only and which contains all contact details etc.
- Another which is limited to name only, preferably Christian name and an initial for the surname, which is made available to the general members of the public.
This solution found by several Circuits satisfies the Connexional needs of the Methodist Church by allowing the data to be shared within the Methodist family in order to fulfil the duties and the ongoing development of our Local Preachers as well as continuing to be the ‘open’ church by allowing members of the public to see the preaching appointments.
Q4. CCTV
Q4.1 We have CCTV installed at our Church. Are we covered under TMCP’s notification?
A4.1 Yes, CCTV coverage is covered by TMCP’s registration (notification) with the Information Commissioner’s Office (ICO). As mentioned in FAQ 2.1 there are different legal reasons (lawful bases) that Managing Trustees can rely on to use (process) personal information. The legal reasons for recording images using CCTV would include for safety monitoring and crime prevention purposes. Please refer to the Annex to the Managing Trustees Privacy Notice and the Lawful Bases Guidance for further information.
The ICO has published a very detailed code of practice for CCTV that Managing Trustees can access. Although it relates to the Data Protection Act 1998 it is still relevant as a code of best practice pending the production of an updated code and includes a simple checklist for users of very limited CCTV systems which may be of particular relevance to Managing Trustees. The Working Party will also be providing specific guidance on CCTV aimed at the Methodist Church and a template policy for Managing Trustees to adapt for their use. As a general point, Managing Trustees must ensure that the footage recorded is fit for purpose and is not kept longer than is necessary.
Q5. Third party users
Q5.1 The Church keeps a database of all users of the premises along with contact details of managers and key holders. Is this covered under TMCP’s Notification?
A5.1 Yes, TMCP’s registration with the Information Commissioner’s Office (ICO) covers use of personal information by Local Churches, Circuits and Districts including information about their third party users.
Please ensure those people are aware that their details are being kept in this way and review the information that is given to them when their details are collected. Certain information has to be provided to individuals at the point that data is collected. The information includes details of the legal grounds (lawful bases) for processing the personal information (data). Please refer to the Template Fair Processing Statement. TMCP has updated the Standard Licence and Template Booking Form to include data protection clauses.
As mentioned in FAQ 2.1 and Step 3 of the 9 Steps Focus Note, there are different legal grounds that Managing Trustees can rely on to use personal information. Please refer to the Lawful Bases Guidance and the Annex to the Managing Trustees Privacy Notice. The legal grounds for storing (and using) the information on the “third party user” database maintained by the Local Church are stated in row 9 of the table in the Annex to the Managing Trustees Privacy Notice.
Q5.2 We have third parties, such as the Brownies, which use our premises. Are we responsible for the data collected by them? If they disclosed personal information to us by mistake, would we be responsible for the information then? Would we need to destroy such information and report it to the ICO?
A5.2 Third party user groups (but not “church” groups) are responsible for the processing of their own data. However, Managing Trustees need to be aware that should any of their third party groups’ data be incorrectly disclosed to the Managing Trustees, the Managing Trustees will be bound by the data protection principles. This means that the Managing Trustees must not share the data with others, publish the data or gain from that data etc.
If there was a data breach by a third party, e.g. an attendance register was left in the church premises at the end of a session, the Managing Trustees would be obliged to inform the third party of the breach. It would then be the third party’s responsibility to assess whether the breach should be reported to the ICO and/or the individuals concerned, i.e. the members appearing on that attendance register. The Managing Trustees would not necessarily be under a duty to destroy the data if it could simply be handed back with no trace left on Managing Trustees’ records.
Q6. Data Controllers and Processors
Q6.1 Who are the Data Controllers in the Methodist Church?
A6.1 A Data Controller (“Controller” under the GDPR) is the legal entity that is responsible for ensuring compliance with the relevant data protection legislation. There are two Data Controllers for the Methodist Church: TMCP, which acts as the Data Controller for all Local Churches, Circuits and Districts and whose registration relates to all matters except where the Connexional Team’s registration applies, and the Connexional Team (under the name of the Methodist Church of Great Britain). The Connexional Team’s registration covers the work of the Connexional Team and all safeguarding and complaints and discipline issues. Further information on the roles of both Data Controllers, what data is covered by the two registrations and who Managing Trustees need to contact for help is set out in the Who are the Data Controllers Focus Note.
Managing Trustees should bear in mind when reading guidance produced by/for other charities such as the Church of England that the situation of having central data controllers is not the same. For the avoidance of doubt Managing Trustees are not Data Controllers.
Q6.2 Who are the Data Processors in the Methodist Church?
A6.2 The managing trustee bodies who deal with data/information on behalf of the Methodist Church, being the Local Churches, Circuits and Districts, are deemed to be the “Data Processors”. Managing Trustees should bear in mind that as “Processors” they are legally obliged to comply with GDPR and ensure that the data protection principles are adhered to. Managing Trustees also need to note that everybody who deals with personal information within the managing trustee body (Managing Trustees, church members, other volunteers, lay employees etc.) needs to be aware of the requirements under GDPR and what policies and procedures to follow, e.g. in the event of a breach or receipt of a request from an individual for information about their personal data (a “SAR”). The managing trustee body will need to ensure that the necessary people have the skills and knowledge to apply the law effectively. The guidance, training and template policies produced by the Working Party and available from the Data Protection page will assist Managing Trustees with this.
Q7. Brexit
Q7.1 Will Brexit mean that GDPR will no longer affect the UK?
A7.1 No. The Data Protection Act 2018 is now in force to ensure that even after the UK has left the EU, the obligations under GDPR will continue to apply in the UK.
Q8. Prayer Requests
Q8.1 Does GDPR prevent us requesting prayers for family members? (Prayer Requests within the Methodist Family)
A8.1 No. An individual who asks for prayers relating to themselves is not covered by GDPR or the Data Protection Act 2018 because it has been asked in a personal capacity and they may disclose any information they wish to be made public. The data protection working party (Working Party) takes a pragmatic and sensitive approach to the interpretation of GDPR within the Methodist Church and interprets ‘personal capacity’ to include ‘immediate family’. This means that prayer requests relating to immediate family would also be treated as being asked in a personal capacity and fall outside of GDPR. ‘Immediate family’ should however be limited to spouses, parent/child relationships and siblings only and includes civil partnerships and step parent/child/sibling relationships. This conclusion has been reached following careful consideration of the risks involved and typical expectations of immediate family members within the Methodist Church.
However, even where GDPR and its administrative requirements do not apply, Managing Trustees do need to check that the request accords with the Methodist Church’s own prayer guidelines contained in the report adopted by the Methodist Conference in 2008 called “With Integrity and Skill – Confidentiality in the Methodist Church” (the Report). Please refer to the Prayer Request Focus Note (to follow). It is the individual's story; it is their choice whether or not to share their name and situation, what information is shared and who with, e.g. within the Church family or whoever may be at public worship or picks up a copy of a publicly available newsletter which may include prayer requests. Managing Trustees will want to ensure that the individual is happy for their information to be shared and that, in accordance with good practice, they have their “express permission”.
Please note that this is not the same as consent under GDPR and does not carry the administrative requirements discussed in FAQ 8.4. Also note that these are guidelines for good practice rather than prescriptive rules. It is recommended that Managing Trustees consider their current systems in light of the Report and their particular congregation and keep their practices under review.
Q8.2 Does GDPR prevent us requesting prayers for non-immediate family members verbally such as during a pastoral visit or in open worship? (Prayer Requests within the Methodist family)
A8.2 Verbal prayer requests are not covered by GDPR or the Data Protection Act 2018 because they are not written. However, neither the request, nor the prayer itself, should be recorded in any way. If it was then the information would need to be treated as personal information under the data protection legislation. (Please refer to FAQ 1.2.)
However, although GDPR and its administrative requirements do not apply, Managing Trustees do need to consider the report adopted by the Methodist Conference in 2008 called “With Integrity and Skill – Confidentiality in the Methodist Church” (the Report). The Report calls for care to be taken when inviting topics for intercessory prayer (paragraph 12.9). Information about people should only be shared with their permission. Does the congregation need to be gently reminded of this? The Report suggests that topics for prayer could be invited rather than naming individuals (paragraph 8.16). Please refer to the guidance in FAQ 8.1.
Q8.3 Prayer trees and prayer boxes - Does GDPR mean that we can’t use prayer trees, books, chains and networks anymore?
A8.3 No – Prayer trees, books, chains and networks play an important role in the life of many Local Churches and GDPR does not put a stop to this. However, the introduction of GDPR does give Local Churches a good opportunity to review how and what information is shared in this way and to consider whether steps need to be taken to protect people, to ensure people are happy with their names and situations being shared in this way and to keep information safe.
Steps that Managing Trustees can take in view of the recommendations set out in the report adopted by the Methodist Conference in 2008 called “With Integrity and Skill – Confidentiality in the Methodist Church” (the Report) and GDPR include:
- Make sure that people using the prayer tree, book, chain or network are aware that they should only disclose people’s names and situations if they have that person’s express permission. (This is one of the recommendations set out in the Report and is not a result of GDPR.) => Put a notice/message on the prayer book or online prayer tree or network etc. and make sure that users see this information before they post their prayer request.
- Include a tick box where people can indicate that they have express permission.
- Encourage people not to disclose special category personal information such as health information. (See Section A2 of the General Data Protection Regulation (GDPR) Guidance Note and Lawful Bases Fact Sheet 7 - Special Category Personal Data for an explanation of what information is deemed to be “special category” and the implications of this.)
- Ensure that people understand that if special category information is disclosed and relates to people outside of the Church family or will be published e.g. available to the general public online or in a prayer book kept at the back of the chapel, that consent under GDPR will be required (see FAQ 2 and Lawful Bases Fact Sheet 4 – Consent).
- Keep prayer requests made via prayer trees, books, chains and networks etc. under review. You can then keep track of requests that include names or describe situations without “express permission” or where special category information without consent is disclosed (where they relate to people outside of the church family or will be published) and can take down the request to protect the person at the focus of such request.
- Let people know where to find the Managing Trustees’ Privacy Notice; include a short notice letting people know where to find it (e.g. on TMCP’s website and on your Local Church noticeboard) or include a hyperlink if prayer requests are shared electronically. For suggested wording please refer to the Template Fair Processing Notice.
Please bear in mind that limiting the information disclosed in open prayer or publicly available prayer requests to keep the individual’s identity hidden/confidential would mean that GDPR did not apply.
Q8.4 One of our Church Council members has told us that we can only pray for people if we have their consent. Is this true? It isn’t always practical or appropriate to ask for consent, especially where people need our prayers because they are so ill.
A8.4 Consent is not a pre-condition for prayer. As discussed in the answers to FAQs 8.1, 8.2 and 8.3, quite often GDPR does not even apply to prayer requests; namely where the requests are oral and/or relate to close family members. GDPR also does not apply where the request does not contain any personal information. Even if GDPR does apply, consent is only one legal reason that Managing Trustees can rely on to use personal information. In most cases Managing Trustees can rely on legitimate interests; prayer missionary is an integral part of the life of the Church and would be within the expectations of those within the Church family. This is confirmed in the Annex to the Managing Trustees’ Privacy Notice.
However, as confirmed in the Annex to the Managing Trustees’ Privacy Notice, there are situations when consent under GDPR is required. Consent would be required if:
- A prayer request included personal information including special category information such as health information relating to members of the Church family (See Lawful Bases Fact Sheet 7 - Special Category Personal Data) AND was made public (via a website, publicly available newsletter or noticeboard/prayer tree accessed by the general public, for example). This is because health information is treated as “special category personal data” under GDPR. This means that it requires satisfaction of one of the conditions under Article 9 of GDPR as well as establishing one of the lawful bases. If the information was not made public e.g. the prayer request could only be seen within the Church family, then consent would not be required. Under Article 9(2)(d) of GDPR, Managing Trustees can process sensitive personal information in the course of the legitimate activities of the charity with respect to their own members, former members, or persons with whom it has regular contact in connection with its purposes, provided that the information is not made public. (Please refer to further guidance in the Lawful Bases Fact Sheet 7 – Special Category Personal Data.)
- A prayer request included personal information relating to an individual outside of the Church family. Legitimate interests is unlikely to apply because on balance, there is a risk that the request would not be within the individual’s reasonable expectations.
Where consent was required, the Managing Trustees would need to ensure that valid consent was obtained and recorded. This is detailed in Lawful Bases Fact Sheet 4 – Consent. Managing Trustees can use the Consent Form and the Template Consent Record to help them. Please note that this goes beyond the “permission” required under the prayer guidelines contained in the 2008 report adopted by the Methodist Conference called “With Integrity and Skill – Confidentiality in the Methodist Church” (the Report). (If consent is required, such consent would automatically show that you had obtained “permission” under the Report.)
Also, whether or not consent was required under GDPR, good practice under the Report would still need to be followed. Only share names and situations if you have “express permission”. Although consent under GDPR is different to the “express permission” required under the Report in terms of the administrative requirements (consent form, record etc.) in essence very little has changed. “Express permission” stems from Methodism itself rather than the external forces of GDPR.
Q8.5 What happens if we do not know whether consent under GDPR was given to disclosing health information in open prayer?
A8.5 If you are unable to verify whether or not consent has been given then no health information relating to that person should be disclosed. This is not to say that prayers cannot be offered, but care must be taken not to disclose the individual’s identity or health issues (e.g. can prayers be offered for “one of our members who is currently in hospital”?). The same would apply to non-disclosure of names and situations if you were unsure whether “express permission” had been given. Please refer to FAQ 8.1, paragraph 2 and the discussion of the guidelines set out in the report adopted by the Methodist Conference in 2008 called “With Integrity and Skill – Confidentiality in the Methodist Church”.
Q8.6 We have a prayer book where anybody who comes into our Local Church can write their requests. How do we obtain consent if an individual writes down one of their neighbour’s names for example and discloses their personal health information?
A8.6 If Ministers or preachers do not know who has made the prayer request, perhaps because the prayer book is open to general members of the public, then it is suggested that a notice is placed alongside the book. The notice should clearly state that health information should not be disclosed without the individual’s consent and that by completing the prayer request, the Methodist Church will assume that the person making the request does have consent of the individual in question. For more protection it is recommended that the prayer book has a self-declaring tick box where the person making the request has to confirm that they have consent. Unless this is ticked, health information should not be read out in open prayer.
Please also bear in mind good practice under the report adopted by the Methodist Conference in 2008 called “With Integrity and Skill – Confidentiality in the Methodist Church” on not disclosing names and situations without permission and consider whether this should be made clear to people using the prayer book.
Q8.7 Our Minister has told church members that they should only give Christian names when making prayer requests. We think this is disrespectful; do we have to do this under GDPR?
A8.7 In addition to non-disclosure of health information without consent, it is recommended by the Working Party that prayer requests should be limited to Christian name only in order to protect the individual as much as possible. It is understood that some people do find the use of first names only to be disrespectful. If the person making the request felt this way then under the report adopted by the Methodist Conference in 2008 called “With Integrity and Skill – Confidentiality in the Methodist Church” the individual’s express permission would be required. Depending upon whether the information includes health information, if the individual about whom the prayer request has been made is within the church family, and whether the information will be shared publicly, consent under GDPR could also be required (please see FAQ 8.4).
Q8.8 How does GDPR impact on Methodist practice?
A8.8 As demonstrated in the report “With Integrity and Skill – Confidentiality in the Methodist Church” (the Report), the Methodist Church has required permission to be given for the sharing of names and information about an individual's situation in public worship and open prayer for many years. GDPR only impacts on the treatment of the personal information contained in a prayer request (see bullet points in the response to FAQ 1.2). It also impacts on the way consent is obtained and recorded if consent is actually required under GDPR, e.g. where prayer requests include health information and this is either shared publicly or relates to individuals who are outside of the church family.
Q9. Records
Q9.1 Whilst undertaking the data mapping exercise, we have identified that our old records are stored within the County Archives. Does GDPR affect this practice?
A9.1 No. Managing Trustees are directed by Standing Order 015 to deposit with the public authority “all minute books, account books, and baptismal, burial and marriage registers, and any other records relating to the district, circuit and local church affairs which are deemed worthy of permanent preservation by the district archivist and recipient archivist, when no longer needed for current reference in the conduct of business”.
The Standing Order also sets out direction on the duration of time which must elapse before the records can be accessed.
It is however prudent for Managing Trustees to check such records before they are deposited with the local authority to redact any personal data which is not relevant for permanent retention. Names in meeting minutes would need to be preserved, but if their contact details are minuted in any way, then these are not fundamental to the record and may be redacted.
Q10. Data Security
Q10.1 Our Local Church has a ‘visitor book’. Does GDPR prevent the use of these?
A10.1 No. But a distinction must be made between visitor books that are used in buildings for fire evacuation purposes and those which are left in buildings of interest for general members of the public to leave comments about the property.
Visitor books which are routinely used by Managing Trustees so they know who is in their building (and who the individual is there to visit) are covered by GDPR. Therefore, in order for the visitor book to be GDPR compliant, a visitor to church premises should technically not be able to see the details of the visitor before them. This can be hard to achieve, particularly when people arrive at the property at the same time for the same event, but every effort must be made to protect the personal data of the person visiting the property beforehand and the visitor book should not be left on public display.
The lawful basis for keeping the visitor book is a legitimate interest for fire evacuation purposes and property security reasons. Do not forget to include the visitor book in your data mapping record.
Open visitor books which are voluntarily completed by visitors to the property are not caught under the same rules because an individual does not have to complete the book; it is merely a way that members of the public can leave comments about the property they are visiting.
However, for the protection of the person completing the visitor book, they should not be asked for their full address details as this will advertise the fact that the individual may be away from home on holiday. Managing Trustees are often interested to know where their visitors come from and the visitor book could therefore ask for “location” only.
Q10.2 I share an email address with my wife. Is this still permitted under GDPR?
A10.2 The use of shared email addresses is not considered good practice when processing the personal data of individuals for Church purposes, not least because the account is accessible by all persons to whom the account belongs, meaning that the email could be received by the wrong recipient, which is a data breach according to GDPR. There are certain office holders, such as Safeguarding Officers, who should never use shared email accounts for church business, and they should be using email accounts specifically designated for them by the Methodist Church.
Please bear in mind that individual email accounts can be created very cheaply or for free. Yes, there is an element of risk attached to some of the free providers, particularly those who are based in the USA, but the risk is considered to be low given that the major USA companies have signed up to Privacy Shield which is an agreement by US companies with the EU that they will comply with the provisions of GDPR. This risk must be weighed up with that of unauthorized access by a third party, even if it is by your spouse, for church business.
Q10.3 Are we still permitted to display the Cradle Roll?
A10.3 TMCP and the Connexional Team over the last couple of years have received numerous queries as to how data protection legislation impacts on the use of cradle rolls in local churches. It is understood that some churches publicly display the name, date of birth, date of baptism and photo of all those baptized in the church.
Together we considered the implications of the public display of this personal data under data protection legislation and concluded that date of birth should not be available to the public due to the increased risk of misuse of the information, such as identity fraud.
It is understood that some local churches also use the information on the cradle roll to send a birthday card for up to five years to children who have been baptized in the church. TMCP and the Connexional Team concluded that the use of the personal information in this way may not be reasonably expected by the data subject and therefore legitimate interests cannot be relied upon. It is therefore necessary to ask for consent. A simple consent form should be completed (TMCP’s consent form can be adapted for this purpose) when the baptism is arranged and must be kept for as long as the personal data is held. The personal data should be destroyed after the final card is sent.
It is recognized and understood that local churches who undertake these practices do so as part of their mission and ministry to the wider community. We certainly do not wish to discourage local churches in acts of kindness towards parents and children of those they have baptized, however in the light of our legal obligations under data protection legislation, it is important that personal data is managed securely, and appropriate protection measures are in place.
This guidance should be followed for baptisms taking place from now onwards (you will not need to seek consent for any baptisms in the past).
Section C – Where Can We Find Further Guidance?
Please refer to the specific guidance including numerous articles that have been produced for Methodist Managing Trustees accessible from the data protection page on TMCP’s website and refer to the Methodist Church website. Further specific guidance is being produced all the time and Managing Trustees will be notified when this is available via TMCP’s website and communications with the Districts.
There is a wealth of detailed guidance available on the Information Commissioner’s Office (ICO)’s website: https://ico.org.uk/for-organisations/.
Managing Trustees should however rely on the practical, day to day guidance and templates produced by TMCP and the Connexional Team.
If Managing Trustees have any queries then please contact TMCP (dataprotection@tmcp.org.uk) for further assistance regarding general data protection matters and the Conference Office for queries specifically relating to safeguarding or complaints and discipline matters (dataprotection@methodistchurch.org.uk).
Disclaimer
Please note that this document is to provide guidance and assistance to Managing Trustees and their professional advisers. This guidance note is general in nature, may not reflect all recent legal developments and may not apply to the specific facts and circumstances of any particular matter.
Also note that nothing within the documents and guidance notes provided by TMCP nor any receipt or use of such information, should be construed or relied on as advertising or soliciting to provide any legal services. Nor does it create any solicitor-client relationship or provide any legal representation, advice or opinion whatsoever on behalf of TMCP or its employees.
Accordingly, neither TMCP nor its employees accept any responsibility for use of this document or action taken as a result of information provided in it.
Please remember that Managing Trustees need to take advice that is specific to the situation at hand. This document is not legal advice and is no substitute for such advice from Managing Trustees' own legal advisers.