Section A - Introduction
The new European General Data Protection Regulation (GDPR) came into force on 25th May 2018.
Before the introduction of GDPR, the Information Commissioner's Office (ICO) produced guidance on steps that could be taken to prepare for its arrival. This Focus Note tailors those steps for Methodist Managing Trustees, setting out specific practical steps for Local Churches, Circuits and Districts to take, and continue taking, to help them look after the personal information they collect and use (Steps). After each Step there is a "help box" highlighting the practical support available to assist Managing Trustees in fulfilling that Step. Whether the information (data) belongs to Church members, their families, employees or third parties who use church premises, it is in everybody's interests to ensure that the information is looked after carefully and kept safe. Taking the Steps in this Focus Note will help Managing Trustees to do that.
Please read this Focus Note together with the toolkit of policies, templates, guidance and training being produced by the Data Protection Working Party (Working Party) to help Managing Trustees understand how to practically comply with the requirements of GDPR. Accomplishing the Steps is an ongoing process and Managing Trustees should continue to work towards compliance using the guidance, policies and procedures provided by the Working Party.
Step 1 – Raise awareness of data protection among everybody who handles personal information on behalf of the Managing Trustees.
- Ensure those who deal with personal data (whether compiling the Circuit Directory or organising lifts for guests to a local church's luncheon club) read the data protection guidance available via TMCP's website (and the Methodist Church website) and understand how this applies to what they do.
- Promote use of the data protection guidance, policies (see below) and template documents being produced by the Working Party (the “Data Protection Toolkit”). The Data Protection Toolkit is available from the data protection page.
- Ensure that the Managing Trustees implement the data protection policies and best practice that is being developed and promoted by the Working Party:
- Privacy Notice
- Data Protection Policy (request from TMCP pending protected area of website coming online)
- Data Security Policy (request from TMCP pending protected area of website coming online)
- Data breach Policy (Interim) (request from TMCP pending protected area of website coming online)
- Complete the online data protection training offered by TMCP, in conjunction with the Working Party (available to view on the TMCP website) and ensure representatives of the managing trustee body attend any appropriate face-to-face training that may be offered from time to time by the Working Party.
To help with this:
The best way for Managing Trustees to keep abreast of new Methodist-specific guidance on data protection issues and bespoke training is to sign up to receive email alerts via the TMCP website. Look out for the "Stay Updated" heading at the foot of each TMCP webpage and insert your email address.
Step 2 – Find out what personal information the managing trustee body holds, where it came from and who it is shared with (data mapping).
- Nominate members of the local Church Council, Circuit Meeting or District to review (and keep under review) what personal information (data) the managing trustee body holds, such as lists of members, contact details for third party users of church premises (licensees or tenants) and right to rent documents that Managing Trustees may hold for residential tenants living in Local Church, Circuit or District property.
- Managing Trustees need to ask: what is the personal information, where did it come from, why is it held (for what purpose), who actually holds it (e.g. the Minister or church administrator), who has access to it and who is it shared with?
- Record the results using the Template Data Mapping Form for Managing Trustees produced by the Working Party and the Non-Exhaustive List of Examples. Completing the form will help Managing Trustees evaluate the personal information they hold, how it is used and provide the records required under GDPR.
- Use the information collated, together with the policies and good practice set out in the Data Security Policy (available from TMCP on request), to pinpoint what further action is required. What action can the Managing Trustees take to ensure the data held is secure? Can the number of people with access to the records be limited, e.g. on a need-to-know basis? Is all the data Managing Trustees currently collect actually necessary? Can less personal information be collected? Is it necessary to record youth fellowship members' postal addresses if contact is only ever made by telephone or email? Is it necessary to record dates of birth for the Local Church's men's and women's fellowships?
To help with this:
Use the Template Data Mapping Form for Managing Trustees and the Non-Exhaustive List of Examples (a practical breakdown of results) produced by the Working Party to help Managing Trustees to complete their own data mapping exercises (audits).
The Working Party has identified the range of data commonly held by Local Churches, Circuits and Districts and how it is collected, stored and used. This work was carried out using a representative sample of Local Churches and Circuits through “data mapping” exercises coordinated by the Data Protection Implementation Officer and analysing the data produced. The results helped to produce the Non-Exhaustive List of Examples.
Carrying out a data mapping exercise and keeping this under review will also assist Managing Trustees in maintaining records of their data processing activities and help demonstrate compliance with the GDPR. This is all part of the new "accountability" principle, which confirms the need to ensure proper systems are in place to manage the security of personal data.
Step 3 – Give people the privacy information they are entitled to, using the Privacy Notice.
- Use the Privacy Notice (sometimes referred to as a "privacy policy") to give members, ministers, volunteers, lay workers, supporters (and all those whose personal information Local Churches, Circuits and Districts hold) the privacy information that needs to be provided to them under GDPR (see "help box" below).
- Ensure that the information given in the Privacy Notice is readily accessible;
- Take appropriate steps to make those people whose personal information you already hold aware of the new Privacy Notice:
- Email your contact list with this link to the Privacy Notice (https://www.tmcp.org.uk/about/data-protection/managing-trustees-privacy-notice);
- Pin a physical copy of the Privacy Notice to the noticeboard at your Local Church, Circuit or District premises;
- Put a link to the Privacy Notice on your Local Church, Circuit or District website.
- Tell people, perhaps in Local Church notices, over coffee or in AOB at your next meeting that a notice telling them about their privacy rights and what the Church does with their information is available for them to see on the noticeboard or via the local or TMCP’s website.
- Decide on the best way to give the privacy information in the Privacy Notice to individuals when you first collect (or receive) their personal information. To make the privacy information as accessible as possible, think carefully about how best to present it to people. Amongst other things this will depend upon how the information is collected e.g. in person, over the telephone or via email or online form:
- Hand over a copy of the Privacy Notice or tell people where they can find it (e.g. on the Local Church noticeboard) when you ask for information in person or over the telephone.
- Attach a copy to paper forms or tell people where they can find it e.g. on TMCP’s website, via the Local Church website or a physical copy on the Local Church noticeboard.
- Provide a link to it on any online forms/correspondence and/or attach the pdf version to emails sent out asking people to provide personal information, e.g. their contact details to include in the Circuit Plan or Directory.
- Ensure everybody who handles personal information is familiar with the Privacy Notice and follows the policy contained within it when collecting and using personal information.
To help with this:
TMCP in conjunction with the Working Party has produced the Privacy Notice for Managing Trustees to use. Please also refer to the accompanying guidance in the article; New – Privacy Notice for Managing Trustees.
More information
Managing Trustees complying with existing data protection legislation will already be ensuring that they let their members, employees, third party users etc. (data subjects) know what information they hold about them, how it will be used and who it will be shared with. GDPR requires Managing Trustees to provide additional privacy information such as details of the legal reason (lawful basis) for using their personal information and the rights of the people whose data is being collected (Data Subjects) including the right to complain to the ICO and how and when the data will be destroyed. However, to ensure that all the required information is provided and there is consistency across the Connexion, Managing Trustees need to use the same privacy notice.
Step 4 – Understand the rights of the people whose personal information Managing Trustees hold (Data Subjects) and work out what Managing Trustees need to do to accommodate these rights.
- Bear in mind the rights of those people Managing Trustees hold personal information about set out in Section 9 of the Privacy Notice and Section C of the GDPR Guidance Note. These rights include the right to be informed (through the Privacy Notice for example), the right of individuals to access their data (Subject Access Request or “SAR”) or request that it is corrected or erased.
- Work out how the Managing Trustees will be able to deal with requests to exercise these rights and check that existing procedures are adequate or put in place new procedures:
- Note that the timescales for dealing with a request are short: requests must be dealt with without undue delay.
- Who is going to be responsible for updating or deleting personal information and with whose authority?
- Work out how the Managing Trustees will deal with requests for details of exactly what data they hold about an individual (data subject access requests) known as DSARs:
- Details of exactly what data Managing Trustees hold about an individual must be given without undue delay and in any event within one month of receipt of the request (GDPR allows this to be extended by up to two further months where requests are complex or numerous, but the individual must be told of the extension within the first month).
- Can Managing Trustees access all the records they hold to process DSARs quickly enough?
- Who will be responsible for accessing this information?
- Follow the policy for dealing with requests including DSARs (Data Subject Access Request Policy). Ensure everybody can identify a DSAR and is aware of how to react if they receive such a request. In the meantime Managing Trustees can refer to the current SARs Policy in Sections (8) to (11) of the Data Protection Booklet and the checklist in Section (11).
- Forward any DSARs at the earliest opportunity to the appropriate data controller (refer to the Focus Note "Who are the Data Controllers and where to get help?"):
- the Conference Office (if it relates to Safeguarding or Complaints and Discipline); or
- TMCP Data Protection (if it relates to anything else).
To help with this:
Tackling Step 2 and getting to grips with what data Managing Trustees hold will go a long way in assisting Managing Trustees in complying with any requests received by people wanting to exercise their rights as “Data Subjects”. If the Managing Trustees have a record of what data they hold and where it is kept, they will be able to quickly help an individual who wants to have their personal data corrected or deleted or simply wants to know what data the managing trustee body holds about them.
TMCP (or the Connexional Team in relation to Safeguarding or Complaints and Discipline matters) will help Managing Trustees to deal with DSARs and other requests from individuals regarding their rights.
TMCP has produced a DSAR Policy with step by step guidance note on how to deal with DSARs.
Encourage anybody wanting to make a DSAR to use the template DSAR Form produced by TMCP, as this asks the person making the request to describe all the information they require and where Managing Trustees should find it.
Step 5 – Identify the legal reason (lawful basis) for each way in which personal information is used.
- Consider the ways that the managing trustee body uses (processes) personal data (as revealed in Step 2) and identify in each case what legal reason(s) (see "help box" for details of the available legal reasons) the Managing Trustees are relying on for doing so. (These need to be the reasons set out in the Privacy Notice - see Step 3).
- Use the Lawful Bases Record to be produced by the Working Party to keep a record of the legal reason(s) that is/are being relied on for each “processing” activity e.g. using somebody’s personal details to respond to a HMRC query over tax would be founded on a different legal reason to contacting them about upcoming church activities. The record will be based on the Annex to the Privacy Notice which sets out the processing activities carried out by Local Churches, Circuits and Districts and the legal reasons being relied upon.
To help with this:
The Working Party has produced the Privacy Notice to help Local Churches, Circuits and Districts to identify the appropriate lawful basis (or bases) they are relying on and inform individuals (data subjects).
The Working Party is also producing a template Lawful Bases Register to record which lawful bases are being relied upon.
Step 6 – Review how Managing Trustees obtain, record and manage consent – one of the legal reasons (lawful bases) discussed in Step 5.
- Look at areas identified in the Annex to the Privacy Notice where the Managing Trustees rely solely on the consent of individuals to use their data. This could be where a one-off donor is contacted about a new fundraising appeal or the Circuit Plan is made available through the Circuit’s website.
- Check whether the consent being relied on is valid under the GDPR, i.e. was it freely given, specific to the purpose in question, informed and unambiguous?
- Was the consent given by a clear affirmative action (an "opt-in"), i.e. did the individual do something positive to provide their consent, e.g. tick a box or confirm verbally that they wanted to receive information about upcoming fundraising events? Pre-ticked boxes, silence or inactivity do not amount to consent under GDPR.
- Is this consent fully documented, i.e. do Managing Trustees have comprehensive records of when and how consent was given, along with records of exactly what the individual was told at the time? Use the Template Consent Record.
- Where consent is to be the lawful basis relied upon (use the information gained from carrying out the exercise in Step 2 and the Annex to the Privacy Notice), plan how to ensure that valid consent is obtained where it is not already in place, and in the future. Use the Template Consent Form where appropriate.
To help with this:
Although the issue of consent has caught the imagination of the media, please remember that Managing Trustees do not need consent every time they use (process) personal information (data). As discussed at Step 5 and in Data Protection FAQ 2.1, use of personal information will be based on one or more of a number of legal reasons. It is not all about consent and most of the time, as demonstrated in the Annex to the Privacy Notice, consent will not be the answer. The Privacy Notice and accompanying guidance on lawful bases aim to help Managing Trustees identify when consent is an issue and how to ensure that they can rely on consent when they do need it.
Step 7 – Consider whether the managing trustee body holds personal information about children and whether the additional protections for children apply.
- Check whether the managing trustee body holds any data relating to children.
- Check what this data is used for/ how it is processed and whether the changes introduced by GDPR will be relevant e.g. have Managing Trustees developed commercial internet services such as social networking to promote youth services?
- If you have any such projects, contact the Conference Office for specific guidance on any safeguarding aspects and in addition TMCP in this complex area.
- Where online services such as social networking are offered directly to young people, ensure appropriate systems are in place to verify children's ages. Under the Data Protection Act 2018 a child aged 13 or over can give their own consent to such online services; for a younger child, consent must be given or authorised by a holder of parental responsibility.
- If you are relying on consent for processing other than online services, children can give consent where they understand what they are consenting to and the implications of giving consent.
- Obtain consent from parents or legal guardians if required, e.g. where a child does not have a full understanding of the position or is under 13 in the case of online services.
To help with this:
Managing Trustees can contact the Connexional Team for help on issues regarding safeguarding.
For more information Managing Trustees can refer to the ICO's detailed guidance on Children and the GDPR.
Step 8 – Keep personal information secure and know what to do if there is a personal data breach.
- Follow the policies and good practice guidelines set out in the Data Security Policy (available from TMCP). Consider what systems need to be put in place to minimise the risk of a personal data breach (unauthorised access to data, or its loss or destruction). For example, keep electronic files secure: password-protect and encrypt them, and make sure anti-virus, anti-malware and anti-phishing software is installed and kept up to date on the devices that hold them. Keep manual files in locked filing cabinets (or other suitably secure cupboards) and follow good practice by maintaining a "clear desk policy".
- Ensure those handling personal data are trained in appropriate security measures so that they can help to look after the personal data of those involved in the life of the Church.
- If you believe that a breach has occurred, follow the steps set out in the Breach Policy (Interim) (available from TMCP).
- Use the Breach Record for Managing Trustees prepared by the Working Party to record all instances of a personal data breach (see “help box”), regardless of how small e.g. an email being sent to the wrong recipient.
- Review and provide training (further to the training being provided by the Working Party) to all those who deal with personal data in a Local Church, Circuit or District so that they know what to do and what has to be recorded.
- Contact TMCP if you believe that a breach needs to be reported to the ICO, i.e. a breach that is likely to result in a risk to the rights and freedoms of the individuals concerned (for example loss of confidentiality of their data), so that TMCP, as Data Controller, can handle the report for the Managing Trustees. GDPR requires such breaches to be reported to the ICO within 72 hours of becoming aware of them, so speed matters.
- Contact TMCP if you believe that a breach needs to be notified to the individuals themselves, i.e. where it is likely to result in a high risk to them, such as identity fraud or financial loss. Further information will be produced by TMCP in due course.
It is important to contact TMCP as soon as possible so that help can be provided.
More information:
The Working Party has produced a Breach Record for Managing Trustees together with detailed guidance on avoiding and dealing with data breaches in the Data Security Policy and the Breach Policy (Interim) (both available from TMCP).
Step 9 – Build data protection into new projects from the start (data protection by design).
- Ensure that the managing trustee body considers what it needs to do to protect the personal information of its members, their families and anybody else who has an association with the Church (and whose data they hold) whenever it starts a new project that could involve dealing with personal information in any way.
- Such a new project could involve a Circuit office transferring its paper records onto a new computer program. What will happen to the paper records? How can they be destroyed safely and completely? Is the new computer system secure? Is it password protected? Who will have access to it?
- A project could also be something less obviously related to personal information such as opening negotiations with a potential new sharing partner – will information about the Local Church, its members and third party user groups be discussed?
- Before starting a new project that is likely to result in a high risk to the rights and freedoms of individuals, e.g. if a Church Council decided to employ an external group to take over the running of a local church's youth club, carry out a full risk assessment known as a Privacy Impact Assessment (called a Data Protection Impact Assessment, or DPIA, under GDPR, which makes it mandatory for high-risk processing). This risk assessment will help the Managing Trustees identify any risks to individuals and how these can be reduced or overcome.
To help with this:
Additional material to help Managing Trustees to take these Steps will continue to appear on TMCP's website. Sign up to receive the News Hub alerts to keep pace with what is available. Alternatively, please do not hesitate to contact TMCP if you have any general data protection queries, and the Conference Office for enquiries relating to safeguarding and complaints and discipline issues.
Disclaimer
Please note that this document is to provide guidance and assistance to Managing Trustees and their professional advisers. This guidance note is general in nature, may not reflect all recent legal developments and may not apply to the specific facts and circumstances of any particular matter.
Also note that nothing within the documents and guidance notes provided by TMCP nor any receipt or use of such information, should be construed or relied on as advertising or soliciting to provide any legal services. Nor does it create any solicitor-client relationship or provide any legal representation, advice or opinion whatsoever on behalf of TMCP or its employees.
Accordingly, neither TMCP nor its employees accept any responsibility for use of this document or action taken as a result of information provided in it.
Please remember that Managing Trustees need to take advice that is specific to the situation at hand. This document is not legal advice and is no substitute for such advice from Managing Trustees' own legal advisers.