Section A – Introduction
These frequently asked questions are to be read in conjunction with the data protection guidance available from the data protection page and cover issues that are often raised in relation to data protection in the context of the Methodist Church. The issues covered include the changes that will be brought in by the General Data Protection Regulation (GDPR) when it comes into force on 25 May 2018.
In these Frequently Asked Questions:
Working Party is the Data Protection Working Party comprising representatives of TMCP and the Connexional Team.
GDPR is the General Data Protection Regulation.
9 Steps Focus Note is the 9 Steps for Methodist Managing Trustees to Take Now to Comply with GDPR (9 Steps) Focus Note produced by the Working Party.
“Processing” basically means anything that Managing Trustees do to or with personal data. The GDPR states that processing includes the “collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” of such data (GDPR Article 4(2)).
Section B – Frequently Asked Questions
Q1. Introduction of GDPR
Q1.1 Members of the Circuit Meeting have been reading about the General Data Protection Regulation in the media and are alarmed. Where can we get help and what is the Connexion doing to help Managing Trustees like us?
A1.1 There is no need for Managing Trustees to be alarmed by the new laws brought about by the GDPR. Although GDPR brings some changes to the current data protection laws, the changes are not as far reaching and alarming as Managing Trustees may fear from the coverage in the media. GDPR can be seen as simply bringing the current laws into the twenty-first century, recognising the sheer amount of data that is now collected, much of it by electronic means, and ensuring everybody looks after this information properly. There is time for Managing Trustees to review their existing procedures and ensure that they are ready to process personal information (data) in accordance with GDPR by the time it comes into force in May, using the resources being developed especially for Managing Trustees by the Working Party. The GDPR Myths article discusses some of the myths surrounding GDPR and explains that, while there is work to be done, Managing Trustees do not need to be alarmed.
TMCP and the Connexional Team are working together, having formed the Working Party to oversee the transition from the current legislation. Guidance, support and training will be rolled out to all Methodist Districts in the run-up to GDPR coming into force on 25th May 2018, which will help the Districts assist Circuit Meetings and Local Churches to understand the steps that will need to be taken to comply with the new requirements. The Working Party has undertaken a data mapping exercise to gain an insight into the personal information held by Local Churches, Circuits and Districts, what this is used for, who has access to it and how it is currently protected. This work will enable the Working Party to draw up policies, procedures and template documents and forms for Managing Trustees to use, accompanied by detailed and practical guidance aimed specifically at Methodist Managing Trustees. Managing Trustees can therefore rest assured that support is at hand and work is underway to help them through the transition.
Managing Trustees can refer to Section C for details of where to find helpful guidance. In terms of changes brought by GDPR, the General Data Protection Regulation (GDPR) Guidance Note and GDPR Changes at a Glance set out the main changes GDPR will bring to data protection law and how this will affect the Methodist Church as a whole. Managing Trustees are also encouraged to read the 9 Steps Focus Note and follow the practical steps that Managing Trustees will need to take to prepare for GDPR. This Focus Note indicates the types of template documents, policies and detailed guidance that are in the pipeline.
Q1.2 Does the introduction of the GDPR affect us as a Local Church?
A1.2 Yes, the GDPR will be the main data protection legislation in the UK and all EU member states when it comes into force on 25th May 2018. GDPR applies to all organisations that deal with (process) personal information about individuals (personal data), whether the organisation is a large corporation, a local authority or a small charity such as a Local Church Council. GDPR, like the current Data Protection Act 1998, applies to the various managing trustee bodies that process personal information (data) within the Methodist Church, including Local Churches, Circuits and Districts.
It is therefore important for all those who deal with personal data within the Local Church, whether Managing Trustees, other church members, volunteers or employees to use the guidance and other resources that are being produced by the Methodist Church’s Working Party to ensure that the Local Church collects, stores and uses (processes) the personal information that it handles carefully in accordance with current data protection legislation, and gets ready for the introduction of GDPR. The 9 Steps Focus Note outlines the practical steps that Managing Trustees will need to take to do this.
Q2.1 One of our members has told us that new data protection laws are being introduced and they will mean that we have to ask for consent before we do anything involving personal data. Is this true?
A2.1 No. Consent is just one of six legal grounds (lawful bases) on which Managing Trustees can deal with (process) personal information. While consent may be the only legal ground available to Managing Trustees in some cases, such as allowing third party access to sensitive information about health, there will often be other legal grounds that can be used. These include “contractual obligations”, “legal obligations” and “legitimate interests”. Although the issue of consent has caught the imagination of the media and is a key issue in some areas such as sharing sensitive information (in particular) with third parties, please remember that Managing Trustees do not need consent every time they deal with (process) personal information (data). The Methodist Church is a member organisation, not a mass marketing company. As discussed at Step 5 of the 9 Steps Focus Note and the GDPR Myths article, Managing Trustees can base their use of personal information on one or more of a number of legal reasons; it is not all about “consent”.
Detailed guidance is going to be produced in relation to consent once the Working Party has analysed the results of the data mapping exercise (please refer to Step 2 of the 9 Steps Focus Note for information about data mapping). The results of this exercise will help the Working Party to look at the common purposes for which Managing Trustees process personal information belonging to their members and the wider community and provide specific guidance on the most appropriate legal grounds that the data can be processed and how to document this.
If the only legal ground that Managing Trustees have for processing data is consent, e.g. to contact one-off donors about a specific fundraising event, then after 25th May 2018 the Managing Trustees would need to be careful that the consent obtained from an individual was valid under GDPR. Detailed guidance will be made available on this, but for a summary please refer to Step 6 of the 9 Steps Focus Note and the guidance that is available from the ICO, including their guidance on lawful bases for processing: “Consent”.
Q2.2 Do we need Consent from Individuals to include them in our Directories?
A2.2 Technically it may not always be necessary to obtain consent from individuals to include their details in Local Church and Circuit Directories but this does depend upon what happens to the Directories. It is understood that Directories are sometimes left in church vestibules, uploaded on to websites and sometimes actively distributed to non-members meaning that they are shared with third parties. Further more specific guidance will be provided to help Managing Trustees decide which lawful basis or bases they can rely on for Directories once the results of the Working Party’s data mapping exercise have been studied.
Where it is necessary to rely on consent e.g. where Directories are made available to the general public, and following the introduction of GDPR on 25th May 2018, this consent should be explicit and not implied. This means that the individual giving consent must have done something positive to provide their consent i.e. ticked a box saying they were happy for their details to be published in the directory. The consent must also have been given freely, specifically for the purpose in question (the directory), unambiguously and be informed. The individual has to understand why their consent is being asked for and what it is being given to.
Pending the more detailed guidance on selecting appropriate legal grounds (lawful bases) for using (processing) personal information, Managing Trustees can find specific guidance on Directories in the Local Church Circuit and District Directories – Data Collection article available in the News Hub Section of TMCP’s website. Managing Trustees can also use the Template Consent Form produced by the Working Party.
Q3.1 Does the Church/Circuit Directory have to be re-issued once GDPR comes into force?
A3.1 No. The Information Commissioner’s Office (ICO) recognises that organisations often collect personal information (personal data) on an annual basis and has indicated that, provided steps are in place to comply with the requirements under GDPR for future collections of data, e.g. when information is collected for the next (2018/2019) Directory, this should be sufficient. If the legal reason of “consent” is being relied upon at the moment, perhaps because the Directory is made available to third parties, the consent from last year will suffice until the Directory is re-issued at the start of the next Connexional year (1 September 2018). It is akin to a service provider continuing to use their customer list to continue with their day to day business.
Q3.2 Can we circulate the Directory electronically?
A3.2 Yes, provided that all persons named in the Directory have explicitly consented to its distribution in this way. Please refer to FAQ 2.2 in relation to consent and the upcoming guidance.
If it is the intention to publish the Directory on a website e.g. the Local Church or Circuit’s website, then Managing Trustees need to consider that it may be viewed outside of the EU and the possibilities of people misusing the data for their own purposes. The Managing Trustees will be anxious to weigh the advantages of publishing the Directory on their website against the potential risks and may want to consider whether the amount of information can be limited to protect their members or if it should be withheld altogether. Why do the Managing Trustees want to publish the information on their website? Can they get the information to those who need it in a way that would better protect their members? Could the information be available to members only through the use of logins and passwords (albeit this could still be open to hackers) or only available on request allowing the Managing Trustees to verify why the information is needed and who wants to access it? If the information is publicised to enable third parties to make room bookings etc. can details of the room booking secretary be made available on the website using generic emails such as email@example.com instead? While such measures may help the Managing Trustees to protect data, unless the information was anonymised or withheld completely, the measures would not remove the need for consent.
Further specific guidance on church websites is being produced by the Working Party. Managing Trustees will be notified when this is available via TMCP’s website and communications with the Districts.
Q3.3 Do we need Consent from Individuals to include them in our Directories?
A3.3 Refer to FAQ 2.2.
Q4.1 We have CCTV installed at our Church. Are we covered under TMCP’s notification?
A4.1 Yes, CCTV coverage is covered by TMCP’s registration (notification) with the Information Commissioner’s Office (ICO). As mentioned in FAQ 4 there are different legal reasons (lawful bases) that Managing Trustees can rely on to use (process) personal information and further guidance will be provided on this following collation of the results from the Working Party’s data mapping exercise. The legal reasons for recording images using CCTV would include for safety monitoring and crime prevention purposes.
The ICO has published a very detailed code of practice for CCTV that Managing Trustees can access. Although it relates to the Data Protection Act 1998 it is still relevant as a code of best practice pending the production of an updated code and includes a simple checklist for users of very limited CCTV systems which may be of particular relevance to Managing Trustees. The Working Party will also be providing specific guidance on CCTV aimed at the Methodist Church and a template policy for Managing Trustees to adapt for their use. As a general point, Managing Trustees must ensure that the footage recorded is fit for purpose and is not kept longer than is necessary.
Q5. Third party users
Q5.1 The Church keeps a database of all users of the premises along with contact details of managers and key holders. Is this covered under TMCP’s Notification?
A5.1 Yes, TMCP’s registration with the Information Commissioner’s Office (ICO) covers use of personal information by Local Churches, Circuits and Districts including information about their third party users.
Please ensure those people are aware that their details are being kept in this way and review the information that is given to them when their details are collected (privacy notice) to ensure that it will meet the requirements under GDPR from 25th May 2018. As discussed in FAQ 3.1, certain information has to be provided to individuals at the point that data is collected and further guidance will be provided on this shortly following the data mapping exercise being carried out by the Working Party. The information includes details of the legal grounds (lawful bases) for processing the personal information (data). TMCP is also considering including data protection clauses in the standard licence and template booking form.
As mentioned in FAQ 2.1 and Step 3 of the 9 Steps Focus Note, there are different legal grounds that Managing Trustees can rely on to use personal information and further guidance will be provided on this once the results of the Working Party’s data mapping exercise have been collated and analysed. The legal grounds for storing (and using) the information on the “third party user” database maintained by the Local Church, could include contractual obligations and legitimate interests.
- Is it necessary to perform obligations under the licence agreement?
- Is storing and using the records necessary for the purposes of the legitimate interests of the charity?
- Is the Managing Trustees’ use of the third party users’ personal information inside the reasonable expectations of the individuals involved (data subjects) – would they expect the Managing Trustees to use their information in this way?
- Is use of the database necessary to enable the Managing Trustees to manage use of the rooms and/or satisfy the requirements under their insurance policy?
Managing Trustees will be notified when further guidance on lawful bases and the Template Privacy Notice and Policy are available via TMCP’s website.
Q5.2 We have third parties, such as the Brownies, which use our premises. Are we responsible for the data collected by them? If they disclosed personal information to us by mistake, would we be responsible for the information then? Would we need to destroy such information and report it to the ICO?
A5.2 Third party user groups (but not “church” groups) are responsible for the processing of their own data. However, Managing Trustees need to be aware that should any of their third party groups’ data be incorrectly disclosed to the Managing Trustees, the Managing Trustees will be bound by the data protection principles. This means that the Managing Trustees must not share the data with others, publish the data or gain from that data etc.
If there was a data breach by a third party, e.g. an attendance register was left in the church premises at the end of a session, the Managing Trustees would be obliged to inform the third party of the breach. It would then be the third party’s responsibility to assess whether the breach should be reported to the ICO and/or the individuals concerned, i.e. the members appearing on that attendance register. The Managing Trustees would not necessarily be under a duty to destroy the data if it could simply be handed back with no trace left on Managing Trustees’ records.
Q6. Data Controllers and Processors
Q6.1 Who are the Data Controllers in the Methodist Church?
A6.1 A Data Controller (“Controller” under the GDPR) is the legal entity that is responsible for ensuring compliance with the relevant data protection legislation. There are two Data Controllers for the Methodist Church; TMCP who acts as the Data Controller for all Local Churches, Circuits and Districts whose registration relates to all matters except where the Connexional Team’s registration applies, and the Connexional Team (under the name of the Methodist Church of Great Britain). The Connexional Team’s registration covers the work of the Connexional Team and all safeguarding and complaints and discipline issues. Further information on the roles of both Data Controllers, what data is covered by the two registrations and who Managing Trustees need to contact for help is set out in the Who are the Data Controllers Focus Note.
Managing Trustees should bear in mind when reading guidance produced by/for other charities such as the Church of England that the situation of having central data controllers is not the same. For the avoidance of doubt Managing Trustees are not Data Controllers.
Q6.2 Who are the Data Processors in the Methodist Church?
A6.2 The managing trustee bodies who deal with data/information on behalf of the Methodist Church, being the Local Churches, Circuits and Districts, are deemed to be the “Data Processors”. Managing Trustees should bear in mind that as “Processors” they are legally obliged to comply with GDPR and ensure that the data protection principles are adhered to. Managing Trustees also need to note that everybody who deals with personal information within the managing trustee body (Managing Trustees, church members, other volunteers, lay employees etc.) needs to be aware of the requirements under GDPR and what policies and procedures to follow, e.g. in the event of a breach or receipt of a request from an individual for information about their personal data (a “SAR”). The managing trustee body will need to ensure that the necessary people have the skills and knowledge to apply the law effectively. The guidance, training and template policies produced by the Working Party (see FAQ 1) will help the Managing Trustees in this process.
Q7.1 Does the Brexit Vote mean that GDPR will not affect the UK?
A7.1 No, the UK's Information Commissioner has confirmed that GDPR will come into force on the 25th May 2018, which is before the UK is due to leave the EU. Managing Trustees should also bear in mind that the Data Protection Bill and European Union (Withdrawal) Bill are also going through parliament to ensure that even after the UK has left the EU, the obligations under GDPR will continue to apply in the UK.
Section C – Where Can We Find Further Guidance?
Please refer to the specific guidance that has already been produced for Methodist Managing Trustees accessible from the data protection page on TMCP’s website and refer to the Methodist Church website. Further specific guidance is being produced all the time and Managing Trustees will be notified when this is available via TMCP’s website and communications with the Districts.
There is a wealth of detailed guidance available on the Information Commissioner’s Office (ICO)’s website: https://ico.org.uk/for-organisations/.
Although the practicalities of dealing with data protection are not exactly the same in the Methodist Church of Great Britain and the Church of England, Managing Trustees may find the Church of England’s general guidance on the General Data Protection Regulation of assistance:
Managing Trustees should however rely on the practical, day to day guidance and templates being produced by the Working Party.
If Managing Trustees have any queries then please contact TMCP (firstname.lastname@example.org) for further assistance regarding general data protection matters and the Conference Office for queries specifically relating to safeguarding or complaints and discipline matters (email@example.com).
Please note that this document is to provide guidance and assistance to Managing Trustees and their professional advisers. This guidance note is general in nature, may not reflect all recent legal developments and may not apply to the specific facts and circumstances of any particular matter.
Also note that nothing within the documents and guidance notes provided by TMCP nor any receipt or use of such information, should be construed or relied on as advertising or soliciting to provide any legal services. Nor does it create any solicitor-client relationship or provide any legal representation, advice or opinion whatsoever on behalf of TMCP or its employees.
Accordingly, neither TMCP nor its employees accept any responsibility for use of this document or action taken as a result of information provided in it.
Please remember that Managing Trustees need to take advice that is specific to the situation at hand. This document is not legal advice and is no substitute for such advice from Managing Trustees' own legal advisers.