Section A - Introduction
This Focus Note looks at the role of a Data Controller, who the Controllers are in the context of the Methodist Church and who Managing Trustees can contact to get help from. The Focus Note references the changes that will be brought in by the GDPR when it comes into force on 25 May 2018.
Please read this Focus Note in conjunction with the data protection guidance available from the data protection page.
In this guidance note:
The Data Controller (“Controller” under the GDPR) is the legal entity that is responsible for ensuring compliance with the relevant data protection legislation.The Data Controller determines the purposes for which data is processed and the means by which it is processed.
The Data Processor (“Processor” under the GDPR) is any person who processes data on behalf of the Controller.
A Data Subject is an individual about whom particular personal data is about.
A Data Subject Access Request (SAR) is a written request made by an individual (the Data Subject) to see a copy of the information that an organisation holds about them.
Personal Data is any information relating to an identified or identifiable natural person, the ‘Data Subject’,
The term “processing" is defined very broadly in the GDPR (as it was in the data Protection Act 1998) and basically means anything that Managing Trustees do to or with personal data. The GDPR states that processing includes the; “collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” of such data. (GDPR Article 4(2)).
Section B – Who are the Data Controllers in the Methodist Church?
TMCP acts as the Data Controller for all Churches, Circuits and Districts (who are deemed to be the “Data Processors” i.e. the people who deal with data/ information on behalf of the Church). TMCP’s notification (registration) with the Information Commissioner’s Office (ICO) will continue after GDPR comes into force in May 2018.
Following a review the Connexional Team (under the name of the Methodist Church of Great Britain) have now notified (registered) separately with the ICO to cover those data processing activities which fall outside TMCP’s registration and for which they are solely responsible. Under the Connexional Team’s registration, the issues which affect Managing Trustees are: safeguarding and complaints and discipline issues. This means that with immediate effect, the Connexional Team will be responsible for all data protection matters concerning safeguarding and, complaints and discipline issues for the whole Methodist Church and these matters will no longer form part of TMCP’s registration.
In exceptional circumstances local Churches, Circuits and Districts may need to register independently with the ICO because their data processing activities are not covered by TMCP’s registration. An example of this would be if the Managing Trustees established a Charitable Incorporated Organisation i.e. a separate legal entity. However, Managing Trustees should not register separately without first speaking to TMCP.
Section C – What Data is Covered by TMCP and What Data is Covered by the Connexional Team’s Notification (Registration) with the ICO?
General data protection issues relating to day to day matters such as lists of members, third party users of church premises and lay employees employed by local Churches, Circuits and Districts is covered by TMCP’s notification whereas data protection matters concerning safeguarding and complaints and discipline issues are covered by the Connexional Team’s notification.
Managing Trustees can check the specific data processing activities covered under the respective registrations (notifications) by referring to the registrations on the ICO’s website (https://ico.org.uk/esdwebpages/search). TMCP’s registration number is: Z5439898 and the registration can be viewed here. The Methodist Church of Great Britain is registered with number: ZA303456 and the registration can be viewed here. The notifications are very comprehensive and cover virtually all areas that will be applicable to the Methodist Church.
If Managing Trustees are unsure whether a particular type of “processing” is covered by the existing notifications then please speak with TMCP. This could be one of the rare cases where Managing Trustees would need to register themselves but please speak to TMCP first.
Section D – Where Do We Go For Help?
If any data protection issues arise such as requests by individuals for information relating to the data held by Managing Trustees or breaches of security, first identify who the appropriate controller is (refer to Section C of this Focus Note) and then contact TMCP or the Conference Office at Methodist Church House as appropriate.This includes any Data Subject Access Requests (SARs) that Managing Trustees receive from members or former members and employees of former employees of the Church.
Given the types of data protection issues that Managing Trustees are likely to face, the following rule of thumb can be applied:
Does the issue relate to safeguarding and complaints and discipline issues? => Contact the Conference Office at Methodist Church House.
Does the issue relate to any other data protection issues? => Contact TMCP Data Protection .
Section E – Where Can We Find Further Guidance?
Please refer to the guidance that is available on TMCP’s website and the Methodist Church website.
There is also a wealth of guidance available on the ICO’s website: https://ico.org.uk/for-organisations/
If Managing Trustees have any queries then please contact TMCP (firstname.lastname@example.org) for further assistance regarding general data protection matters and the Conference Office for queries specifically relating to safeguarding or complaints and discipline matters (email@example.com).
Please note that this document is to provide guidance and assistance to Managing Trustees and their professional advisers. This guidance note is general in nature, may not reflect all recent legal developments and may not apply to the specific facts and circumstances of any particular matter.
Also note that nothing within the documents and guidance notes provided by TMCP nor any receipt or use of such information, should be construed or relied on as advertising or soliciting to provide any legal services. Nor does it create any solicitor-client relationship or provide any legal representation, advice or opinion whatsoever on behalf of TMCP or its employees.
Accordingly, neither TMCP nor its employees accept any responsibility for use of this document or action taken as a result of information provided in it.
Please remember that Managing Trustees need to take advice that is specific to the situation at hand. This document is not legal advice and is no substitute for such advice from Managing Trustees' own legal advisers.