It is now nearly five years since the General Data Protection Regulations (GDPR) came into force on the 25th May 2018 along with the Data Protection Act 2018 which effectively implemented GDPR in the UK.
As the onus of responsibility shifts from implementation to accountability the Annual Data Protection Checklist (Checklist) seeks to demonstrate the practical steps that Local Churches, Circuits and Districts across the Connexion are taking to ensure their data protection practices are robust. The guidance below explains the purposes behind the Checklist, how to complete and return the Checklist and the additional help available to you. You can download the Checklist from the links at the foot of this webpage.
Why do we need to complete the Checklist?
As Controllers, TMCP and the Connexional Team ask managing trustee bodies i.e. Local Churches, Circuits and Districts to complete the Checklist each year so that everyone can confirm they are doing what they can to achieve compliance. This is ultimately about “protecting people” by keeping everyone’s personal information safe. It also provides assurance that there is adequate compliance with data protection legislation which is required as part of the Church’s audit procedures.
What do we need to do and who will help us?
Each Managing Trustee body (see Who completes the Checklist?) needs to complete and submit one Checklist by the end of May each year confirming the steps that they have taken to comply with the data protection responsibilities placed on them by data protection legislation.
Your District Data Champion will circulate an email via the Circuit which will include a link to a Google Form version of the Checklist specific to your District. When you receive this email at Local Church, Circuit or District level you should refresh yourself by reviewing the help provided in this guidance note and take any practical steps to ensure that you can confirm the seven statements/checks in the Checklist. This guidance note provides details of what you need to do.
When you are ready to complete the Checklist, click on the link in your email and complete and submit the Checklist online. Alternatively, you can download and complete the Checklist by clicking on the link at the foot of this webpage, signing and dating the document as indicated and returning this by email to your District Data Champion - your District Office if your District does not have a Data Champion - or in accordance with any other instructions provided to the Local Church or Circuit.
Your District Data Champions are there to help you complete the Checklist and answer any questions that you may have about using the Google Form, what you need to do to confirm the checks and how to submit your completed Checklist. They are responsible for collecting completed Checklists by the end of May each year and sharing the results with the TMCP and the Connexional Team as the Controllers. The District will keep a record of who has completed the Checklist and of those completed, where there are gaps in the checks fulfilled.
Who is your data champion?
If you have any questions about the Checklist and these are not answered in the detailed guidance below, please ask your District Data Champion for help. If they are unable to assist, then please contact TMCP.
The Checklist should be completed by those responsible for keeping information relating to other people safe. Please bear in mind that only one Checklist is needed per Managing Trustee body, so one for each Local Church, Circuit and District. If you are part of a multi-site Local Church or a one Local Church Circuit for example, only one Checklist needs to be completed for that Local Church Council, not one per chapel.
If your Managing Trustee body is separately registered with the ICO e.g. you are part of a Sharing Church and have opted to follow the data protection requirements of your sharing partner or you are an exceptional case where your activities are not covered by TMCP’s registration, please complete the Checklist to record this. You will not need to complete the seven checks, but you will be able to provide your details and confirm that you are separately registered. Please refer to the Who are the Data Controllers and where to get help? Focus Note for details.
Why does the Checklist matter?
Whether the personal information (data) of individuals belongs to Church members, their families, employees or third parties who use church premises, it is in the interests of all to ensure that the information is looked after carefully and kept safe. Carrying out the seven checks of the Checklist will assist those that handle personal data to ensure that they are carrying out the practical steps required to achieve that. Please note that the seven checks are not a completely definitive list, but they should help you to ensure you are on the right track. Please keep an eye on any data protection training or news from your Districts and TMCP via the TMCP NewsHub.
Where do we get guidance on the requirements placed on us under data protection legislation and how to practically comply?
Please work through the detailed guidance in this document and fulfil the actions required to fulfil these checks. In addition, please refer to the “Follow-Up Steps” in “Step 3” of this guidance note and the suite of data protection guidance and policies already available on the Data Protection page on TMCP’s website.
Before completing the Checklist, please read the detailed guidance in Steps 1 to 3 of this guidance note explaining the practical steps you need to take (or have taken) to be able to complete the corresponding check on the Checklist. Checking the box on the Checklist confirms that you have taken the steps required to satisfy yourselves that you are fulfilling the requirements placed on you under data protection legislation.
What do we need to do to confirm that we have satisfied the checks in the Annual Data Protection Checklist?
Step 1 - Where to begin
Before starting to complete the Checklist please take this opportunity to review the personal information that your Managing Trustee body i.e. the Local Church, Circuit or District holds. You can only carry out checks 2 to 7 if you first understand what personal information you have and what you do with it. Reviewing the information you hold is called “data mapping” and is effectively an inventory of the information you hold about individuals. Please refer to the guidance and resources under the heading “Check 1” to help you.
If you carried out this “data mapping” exercise in 2018 and/or when you completed the f Checklist in 2021 or 2022, you just need to double check that your records are up to date. For example, do you hold less information than last year due to a dance class no longer using your premises or more data due to a new messy church group starting?
Once you have completed Check 1 the first time it should simply be a question of reconfirming this has been completed unless there has been a major change e.g. the Local Church has merged with one or more other Local Churches. However, even here, hopefully the work already done by these individual Local Churches will make the mapping exercise for the merged Local Church much easier.
Carrying out a review of the information you hold about individuals is one of the most important aspects of data protection; knowing what you hold and who is holding it.
The type of personal data and how it is used may change over a period of time. Refer to Step 2 of the 9 Steps for Methodist Managing Trustees to Take Now to Comply with GDPR to ensure that a correct record of the information processed about individuals is available.
By confirming this check is complete you are confirming that you have a record of the personal information your Managing Trustee body holds and this record is up to date.
Step 2 – Completing checks 2 to 7
Now that you know what information you hold you are ready to complete checks 2 to 7 inclusive.
Check 2 – Data Cleansing: Have you destroyed any privacy information that is no longer required?
During the Data Mapping exercise under Check 1 you will have identified all the personal data that is held and used about individuals connected with your Local Church, Circuit or District.
Under the Principles of the GDPR you are required to ensure that the information that is processed about individuals is used for the purposes in which it was collected and is kept relevant and up to date.
Where information about individuals is identified as not being required anymore, perhaps because a person is no longer a member of a Local Church, then as much information about that person should be permanently deleted as soon as possible, such as removing them from the members list or the Church Directory. Please do check the Data Retention Schedule to ensure that you are not destroying any information that you need to keep.
By confirming this check you are stating that you have reviewed the personal information that you hold and have destroyed any information that you no longer need.
Check 3 – Managing Trustees’ Privacy Notice: Have you read the current “Managing Trustees’ Privacy Notice” and is the most up to date version easily available to those whose personal information you hold?
The most up-to-date version of the Managing Trustees’ Privacy Notice is available on the TMCP website. The box at the top of the privacy notice confirms the latest amendments made to it.
To see the most up-to-date version of the Managing Trustees’ Privacy Notice please, click here.
Please ensure that the latest version of the Managing Trustees’ Privacy Notice is easily available to those whose personal information you hold and deal with. The following are some suggestions as to how you can do this, please select the most appropriate for your circumstances:
- Display the Managing Trustees’ Privacy Notice on your Local Church, Circuit or District notice board - ensure that you are displaying the most up-to-date version
- Include a notice on your board telling people where they can find the Privacy Notice e.g. www.tmcp.org.uk/about/data-protection/managing-trustees-privacy-notice. You could use the wording from the template Fair Processing Statement
- Include a link on your website and in your email footer to the most up to date version of the privacy notice. Again, use the template Fair Processing Statement.
Are you satisfied that members of the Local Church, adherents, third party user groups and visitors to your premises etc, can easily find the privacy information?
By confirming this check you are stating that you have read the Managing Trustees’ Privacy Notice drafted by TMCP and a copy is easily accessible to those whose personal information you hold.
Check 4 – Accuracy: Is all the contact information you hold still correct?
Principle 4 of GDPR states that the information you are holding about individuals must be relevant, accurate and up to date. TMCP has devised a Data Collection Form to help you fulfil these requirements.
The Data Collection Form is designed to enable individuals to ensure that the personal information held about them is correct and also advises Managing Trustees how those individuals wish to be contacted by allowing them to indicate their contact preferences.
Consider when you last checked that the information you hold is correct and take steps to ask those whose data you hold to reconfirm their details have not changed. There are many different ways you could do this but as suggestions, you could:
- ask everyone to complete a new Data Collection Form every two years;
- ask people to reconfirm by email or face to face that the information held on their last form is still correct and record this on your Processor Record (see check 6) or on the existing Data Collection Forms;
- send out an email and/or include in the Notices a request for anyone whose details have changed to get in touch with you so that you can update their data collection form and associated records.
You may wish to use a combination of methods depending on whose information you are seeking to verify: third party users may already have updated their information when you entered into this year’s licence to occupy, some people may not use emails, others may not read the church notices. Please avoid leaving out in open areas previous years Data Collection Forms and asking people to review and sign them again which could in itself be a data breach.
By confirming this check, you are stating that you are satisfied that the information you hold about people is still correct.
Check 5 – Consents: Do you have all the consents in place that you need and are these up to date?
Where consent is being relied upon as the lawful basis for using an individual’s personal information, you need to be aware that consent lasts for no more than two years. You will only need to renew your consents if they are over two years, and you need to rely on consent as your lawful basis.
The Data Consent Form has been updated to include specific scenarios where consent is likely to be required. Go to Data Consent Form for more information on how and when the Data Consent Form should be used.
The lawful bases are also included in the Annex to the Managing Trustees Privacy Notice for further information.
By confirming this check, you are stating that you have checked your consent records and any consents are no more than two years old OR you are not relying on consent as your lawful basis.
Check 6 – Records: Is the Church body’s ‘Processor Record’ up to date?
Article 30(2) of GDPR includes a requirement for processors (those within the Church who handle personal information), to keep records about the personal information that is processed (dealt with).
You should have by now completed a Template Processor Record for Managing Trustees, with the assistance of the worked example, to provide a central record of the different data protection documents and records that is used by the church. If you have not done this already, please ensure it is in place without delay.
Check that all the details you have entered on your Processor Record are still correct including your local contact and storage locations of the different data protection records referred to.
Completion of the Processor Record is also required in order to comply with the “accountability” principle in Article 5(2) of GDPR.
By confirming this check, you are stating that you have a completed and up to date Processor Record in place and would be able to provide this to the ICO (for example) on request.
Check 7 – Security: Is all the personal information you hold secure?
Data Security needs to be ongoing and regularly reviewed. Managing Trustees must ask themselves if the information which they hold about individuals is held as safe and secure as possible.
People who handle personal data must familiarise themselves with the Data Security Policy and ensure that the following minimum measures are undertaken:
- Ensure all software updates are installed as soon as it becomes available;
- Ensure all Malware and Antivirus software is updated are installed as soon as available; Ensure all electronic devices are password protected and / or encrypted at all times;
- Ensure a ‘clean desk’ policy is in place where all papers files are locked away when not in use;
- Ensure that work emails are kept separate from their own personal emails and accounts. The use of personal email accounts, especially those which are shared with other people, should be actively discouraged.
Poor data security is one of the main causes of data breaches which could be very costly to the Methodist Church from a financial perspective and a reputational one.
By confirming this check, you are stating that you have reviewed the position and are satisfied that the personal information you hold is safe.
There are a number of ongoing actions to take to ensure that you are complying with data protection legislation. The guidance in this section confirms what you can do to try and stay on top of your data protection responsibilities.
A – Use the guidance available
Make sure those handling people’s information are aware of their data protection responsibilities.
Over time, different people are appointed to positions within the Church who handle personal data about individuals. It is also the case that people need to be provided with reminders and refresher training on the requirements of Data Protection legislation.
Ensure that people consider and regularly refer to the following resources to help Managing Trustees with their ongoing training and encourage them to sign up to the TMCP Newshub so that they can be alerted to any updates as soon as they become available:
- Data Responsibilities in a Nutshell – this is a good place to start if you are new to data protection;
- Data Protection Toolkit;
- 9 Steps for Managing Trustees to take now;
- GDPR Do’s & Don’ts;
- Review the Data Protection Policies and ensure you understand the GDPR Principles;
- Watch the Data Protection Training webinar on the TMCP website;
- Access and watch additional training material as and when it becomes available.
For Local Churches and Circuits that have a District Data Champion, they are a crucial point of contact for Managing Trustees wanting to discuss routine data protection matters. They have received additional data protection training, which is ongoing, and are equipped to assist Managing Trustees navigate the requirements of data protection legislation.
Please find out who your Data Champion is and contact them if you have any data protection questions. Ask TMCP if you are unsure.
C - Let us know if you have any training needs and make use of the resources available on TMCP’s website to help you
Ongoing training is a requirement of the GDPR and Managing Trustees must be able to demonstrate this in order to comply with the Accountability Principle. Keep a record of who has accessed what training and when. A sample Training Record is now available for Managing Trustees here.
As Managing Trustees work through the various training resources on TMCP’s website and put this into practice, it will become apparent where additional training needs are required. These will become especially apparent if, and when, a data breach is experienced.
Please contact TMCP if there are any specific training requirements Managing Trustees would like to see featured in the next round of data protection training.
Additional material to help Managing Trustees to take these steps will continue to appear on TMCP’s website. Sign up to receive the News Hub alerts to keep a pace with what is available. Alternatively, please do not hesitate to contact TMCP if you have any general data protection queries and the Connexional Team’s Data Protection Officer for enquiries relating to safeguarding and complaints and discipline issues.