Section A - Introduction

The new European General Data Protection Regulation (GDPR) came into force on 25th May 2018.

Before the introduction of GDPR, the Information Commissioner’s Office (ICO) produced guidance on steps that could be taken to prepare for its arrival. This Focus Note tailors those steps for Methodist Managing Trustees, setting out specific practical steps (Steps) for Local Churches, Circuits and Districts to take, and continue taking, to help them look after the personal information they collect and use. After each Step there is a “help box” highlighting the practical support available to assist Managing Trustees in fulfilling that Step. Whether the information (data) belongs to Church members, their families, employees or third parties who use church premises, it is in everybody’s interests to ensure that the information is looked after carefully and kept safe. Taking the Steps in this Focus Note will help Managing Trustees to do that.

Please read this Focus Note together with the toolkit of policies, templates, guidance and training being produced by the Data Protection Working Party (Working Party) to help Managing Trustees understand how to practically comply with the requirements of GDPR. Accomplishing the Steps is an ongoing process and Managing Trustees should continue to work towards compliance using the guidance, policies and procedures provided by the Working Party.

Step 1 - Ensure that those people in the Local Church, Circuit or District who collect and/or use (process) personal information (personal data) are aware of the requirements under GDPR.

  • Ensure those who deal with personal data (whether compiling the Circuit Directory or organising lifts for guests to a local church’s luncheon club) read the data protection guidance available via TMCP’s website (and the Methodist Church Website) and understand how this applies to what they do.
  • Promote use of the data protection guidance, policies (see below) and template documents being produced by the Working Party (the “Data Protection Toolkit”). The Data Protection Toolkit is available from the data protection page.
  • Ensure that the Managing Trustees implement the data protection policies and best practice that is being developed and promoted by the Working Party:
    • Privacy Notice
    • Data Protection Policy (request from TMCP pending protected area of website coming online)
    • Data Security Policy (request from TMCP pending protected area of website coming online)
    • Data breach Policy (Interim) (request from TMCP pending protected area of website coming online)
  • Complete the online data protection training offered by TMCP, in conjunction with the Working Party (available to view on the TMCP website), and ensure representatives of the managing trustee body attend any appropriate face-to-face training that may be offered from time to time by the Working Party.
To help with this:
The best way for Managing Trustees to keep abreast of new Methodist specific guidance on data protection issues and bespoke training is to sign up to receive email alerts via the TMCP website. Look out for the “Stay Updated” heading at the foot of each TMCP webpage and insert your email address.

Step 2 – Carry out a review of the personal information (data) the Local Church, Circuit or District holds (known as a “data mapping” exercise) and maintain the results / keep them updated.

  • Nominate members of the local Church Council, Circuit Meeting or District to review (and keep under review) what personal information (data) the managing trustee body holds such as lists of members, contact details for third party users of church premises (licensees or tenants) and right to rent documents that Managing Trustees may hold for residential tenants living in Local Church, Circuit or District property.
  • Managing Trustees need to ask: what is the personal information, where did it come from, why is it held (for what purpose), who actually holds the data (e.g. the Minister or church administrator), who has access to it and who is it shared with?
  • Record the results using the Template Data Mapping Form for Managing Trustees produced by the Working Party and the Non-Exhaustive List of Examples. Completing the form will help Managing Trustees evaluate the personal information they hold, how it is used and provide the records required under GDPR.
  • Use the information collated, together with the policies and good practice set out in the Data Security Policy (available from TMCP on request), to pinpoint what further action is required. What action can the Managing Trustees take to ensure the data held is secure? Can the number of people with access to the records be limited, e.g. on a need-to-know basis? Is all the data Managing Trustees currently collect actually necessary? Can less personal information be collected? Is it necessary to record youth fellowship members’ postal addresses if contact is only ever made by telephone or email? Is it necessary to record dates of birth for the Local Church’s men’s and women’s fellowships?

To help with this:

 

Use the Template Data Mapping Form for Managing Trustees and the Non-Exhaustive List of Examples (a practical breakdown of results) produced by the Working Party to help Managing Trustees to complete their own data mapping exercises (audits).
The Working Party has identified the range of data commonly held by Local Churches, Circuits and Districts and how it is collected, stored and used. This work was carried out using a representative sample of Local Churches and Circuits, through “data mapping” exercises coordinated by the Data Protection Implementation Officer, and by analysing the data produced. The results helped to produce the Non-Exhaustive List of Examples.


The results also provided valuable information to help the Working Party shape policies and guidance specific to the Methodist Church and the way it deals with (processes) personal information.
Carrying out a data mapping exercise and keeping this under review will also assist Managing Trustees in maintaining records of their data processing activities and help demonstrate compliance with the GDPR. This is all part of the new “accountability” principle, which confirms the need to ensure proper systems are in place to manage the security of personal data.

Step 3 – Ensure clear and accessible information is provided to individuals about how their data will be used (use of a Privacy Notice).

  • Use the Privacy Notice (sometimes referred to as a “privacy policy”) to give members, ministers, volunteers, lay workers, supporters (and all those whose personal information Local Churches, Circuits and Districts hold), the privacy information that needs to be provided to them under GDPR (see “help box” below).
  • Ensure that the information given in the Privacy Notice is readily accessible:
    1. Take appropriate steps to make those people whose personal information you already hold aware of the new Privacy Notice:
      • Email your contact list with this link to the Privacy Notice (https://www.tmcp.org.uk/about/data-protection/managing-trustees-privacy-notice);
      • Pin a physical copy of the Privacy Notice to the noticeboard at your Local Church, Circuit or District premises;
      • Put a link to the Privacy Notice on your Local Church, Circuit or District website.
      • Tell people, perhaps in Local Church notices, over coffee or in AOB at your next meeting, that a notice telling them about their privacy rights and what the Church does with their information is available for them to see on the noticeboard or via the local or TMCP’s website.
    2. Decide on the best way to give the privacy information in the Privacy Notice to individuals when you first collect (or receive) their personal information. To make the privacy information as accessible as possible, think carefully about how best to present it to people. Amongst other things this will depend upon how the information is collected e.g. in person, over the telephone or via email or online form:
      • Hand over a copy of the Privacy Notice or tell people where they can find it (e.g. on the Local Church noticeboard) when you ask for information in person or over the telephone.
      • Attach a copy to paper forms or tell people where they can find it e.g. on TMCP’s website, via the Local Church website or a physical copy on the Local Church noticeboard.
      • Provide a link to it on any online forms/ correspondence and/or attach the pdf version to emails sent out asking people to provide personal information e.g. their contact details to include in the Circuit Plan or Directory.
  • Ensure everybody who handles personal information is familiar with the Privacy Notice and follows the policy contained within it when collecting and using personal information.

To help with this:
TMCP, in conjunction with the Working Party, has produced the Privacy Notice for Managing Trustees to use. Please also refer to the accompanying guidance in the article “New – Privacy Notice for Managing Trustees”.


The Privacy Notice has been specifically drafted for use by Local Churches, Circuits and Districts within the Methodist Church in Great Britain. It is tailored to the Church’s use (processing) of personal data identified in the data mapping exercise.

More information


What is a privacy notice?


A privacy notice is a statement which provides data subjects with all the information the GDPR says must be given to them about the use of their personal data under Articles 13 and 14 of GDPR (see the article “New – Privacy Notice for Managing Trustees” and the paragraph “What Information is in the Privacy Notice?”). It tells people how their personal data is used by the Church, why (on what lawful bases) and what rights they have.
Managing Trustees complying with existing data protection legislation will already be ensuring that they let their members, employees, third party users etc. (data subjects) know what information they hold about them, how it will be used and who it will be shared with. GDPR requires Managing Trustees to provide additional privacy information, such as details of the legal reason (lawful basis) for using their personal information and the rights of the people whose data is being collected (data subjects), including the right to complain to the ICO and how and when the data will be destroyed. To ensure that all the required information is provided and there is consistency across the Connexion, Managing Trustees need to use the same privacy notice.


Managing Trustees can nevertheless present the Privacy Notice as they choose. The wording chosen to alert people to the Privacy Notice can help people to understand what it is and make it more accessible. To help with this, the Working Party will shortly be releasing template wording that can be used or adapted to suit particular Local Churches, Circuits and Districts. The wording could be included on paper forms, emails and newsletters, for example.


Now that a “master” privacy notice is in place, ancillary privacy notices to provide individuals with more information about particular processing activities, such as CCTV and local websites, are being discussed, so please look out for updates via TMCP’s News Hub. These are likely to include templates for use where the activities being carried out by Local Churches, Circuits and Districts are very specific to those individual managing trustee bodies, such as local websites and employment. Such ancillary privacy notices would be very closely linked to, and cross reference, the “master” privacy notice (‘the Privacy Notice’).
Step 4 – Understand the rights of the people whose personal information Managing Trustees hold (Data Subjects) and work out what Managing Trustees need to do to accommodate these rights.

  • Bear in mind the rights of those people Managing Trustees hold personal information about set out in Section 9 of the Privacy Notice and Section C of the GDPR Guidance Note. These rights include the right to be informed (through the Privacy Notice for example), the right of individuals to access their data (Subject Access Request or “SAR”) or request that it is corrected or erased.
  • Work out how the Managing Trustees will be able to deal with requests to exercise these rights and check that existing procedures are adequate or put in place new procedures:
    • Note that the timescales for dealing with a request are short and should be dealt with without undue delay.
    • Who is going to be responsible for updating or deleting personal information and with whose authority?
  • Work out how the Managing Trustees will deal with requests for details of exactly what data they hold about an individual (data subject access requests) known as SARs:
    • Details of exactly what data Managing Trustees hold about an individual must be given within 30 calendar days.
    • Can Managing Trustees access all the records they hold to process SARs quickly enough?
    • Who will be responsible for accessing this information?
  • Put in place the policy for dealing with requests including SARs (that will be available from the Working Party in due course) and ensure everybody is aware of how to react if they receive such a request. In the meantime Managing Trustees can refer to the current SARs Policy in Sections (8) to (11) of the Data Protection Booklet and the checklist in Section (11).
  • Forward any SARs to the appropriate data controller (refer to the Focus Note “Who are the Data Controllers and where to get help?”) at the earliest opportunity.


To help with this:
Tackling Step 2 and getting to grips with what data Managing Trustees hold will go a long way in assisting Managing Trustees in complying with any requests received from people wanting to exercise their rights as “Data Subjects”. If the Managing Trustees have a record of what data they hold and where it is kept, they will be able to quickly help an individual who wants to have their personal data corrected or deleted, or simply wants to know what data the managing trustee body holds about them.
TMCP (or the Connexional Team in relation to Safeguarding or Complaints and Discipline matters) will help Managing Trustees to deal with SARs and other requests from individuals regarding their rights.
The Working Party will be producing a step by step guidance note on how to deal with SARs and updated SARs Policy in the near future. Managing Trustees will be notified when this is available if they sign up to receive updates via TMCP’s News Hub alerts.
Encourage anybody wanting to make a SAR to use the template SAR Form produced by TMCP as this asks the person making the request to describe all the information they require and where Managing Trustees should find it. Note the standard £10 fee referred to in the template will be abandoned when GDPR comes into force.

Step 5 – Identify what legal reason (lawful basis) Managing Trustees have to use the personal information (data) they hold and record this.

  • Consider the ways that the managing trustee body uses (processes) personal data (as revealed in Step 2) and identify in each case what legal reason(s) (see “help box” for details of the available legal reasons) the Managing Trustees are relying on for doing so. (These need to be the reasons set out in the Privacy Notice - see Step 3).
  • Use the Lawful Bases Record to be produced by the Working Party to keep a record of the legal reason(s) that is/are being relied on for each “processing” activity e.g. using somebody’s personal details to respond to a HMRC query over tax would be founded on a different legal reason to contacting them about upcoming church activities. The record will be based on the Annex to the Privacy Notice which sets out the processing activities carried out by Local Churches, Circuits and Districts and the legal reasons being relied upon.

To help with this:


The legal reasons (lawful bases) for using personal data are explained in the Lawful Bases Guidance Note. Briefly, the lawful bases are the legal reasons as to ‘why’ Managing Trustees process data. In most day-to-day cases Managing Trustees will rely on one of the following four lawful bases (out of six in total):

  • Contractual obligations, e.g. use is necessary to perform obligations under an employment contract or licence agreement (see Lawful Bases Fact Sheet 1 – Contractual);
  • Legal obligation, e.g. use of the data is necessary to comply with HMRC requirements or landlord and tenant legislation such as “right to rent” (see Lawful Bases Fact Sheet 2 – Legal Obligations);
  • Legitimate interests, e.g. after careful consideration weighing up the needs of the charity and the interests, rights and freedoms of the individual, the Managing Trustees are satisfied that they need to use the information for their own legitimate interests, such as maintaining lists of members (see Lawful Bases Fact Sheet 3 – Legitimate Interests);
  • Consent from the person whose data is being held (data subject) (see Lawful Bases Fact Sheet 4 – Consent).

The Working Party has produced the Privacy Notice to help Local Churches, Circuits and Districts to identify the appropriate lawful basis (or bases) they are relying on and inform individuals (data subjects).
The Working Party is also producing a template Lawful Bases Register to record which lawful bases are being relied upon.

Step 6 – Review how Managing Trustees obtain, record and manage consent – one of the legal reasons (lawful bases) discussed in Step 5.

  • Look at areas identified in the Annex to the Privacy Notice where the Managing Trustees rely solely on the consent of individuals to use their data. This could be where a one-off donor is contacted about a new fundraising appeal or the Circuit Plan is made available through the Circuit’s website.
  • Check whether the consent being relied on is valid under the GDPR i.e. was it given freely, specifically for the purpose in question, unambiguously and was it informed?
  • Was the consent in question given explicitly i.e. did the individual do something positive to provide their consent e.g. tick a box or confirm verbally that they wanted to receive information about upcoming fundraising events?
  • Is this consent fully documented, i.e. do Managing Trustees have comprehensive records of when and how consent was given, along with records of exactly what the individual was told at the time? Use the Template Consent Record.
  • Where consent is to be the lawful basis relied upon (use the information gained from carrying out the exercise in Step 2 and the Annex to the Privacy Notice), plan how to ensure that valid consent is obtained where it is not already in place, and in the future. Use the Template Consent Form where appropriate.

To help with this:


The Working Party has produced the following template documents and guidance focusing on consent:

Although the issue of consent has caught the imagination of the media, please remember that Managing Trustees do not need consent every time they use (process) personal information (data). As discussed at Step 5 and in Data Protection FAQ 2.1, use of personal information will be based on one or more of a number of legal reasons. It is not all about consent and most of the time, as demonstrated in the Annex to the Privacy Notice, consent will not be the answer. The Privacy Notice and accompanying guidance on lawful bases aims to help Managing Trustees identify when consent is an issue and how to ensure that they can rely on consent when they do need it.

Step 7 – Review data relating to children and systems for obtaining consent.

  • Check whether the managing trustee body holds any data relating to children.
  • Check what this data is used for/ how it is processed and whether the changes introduced by GDPR will be relevant e.g. have Managing Trustees developed commercial internet services such as social networking to promote youth services?
  • If you have any such projects, contact the Conference Office for specific guidance on any safeguarding aspects and, in addition, TMCP, as this is a complex area.
  • Where online services such as social networking are offered to young people, ensure appropriate systems are in place to check children’s age. The age limit under which children can freely give consent in these circumstances under the Data Protection Act 2018 is 13.
  • If you are relying on consent for processing other than online services, children can give consent where they understand what they are consenting to and the implications of giving consent.
  • Obtain consent from parents or legal guardians if required, e.g. where a child does not have a full understanding of the position or is under 13 in the case of online services.

To help with this:


The Connexional Safeguarding Team in conjunction with the Working Party is producing guidance on data protection issues relating to safeguarding.
Managing Trustees can contact the Connexional Team for help on issues regarding safeguarding.
For more information Managing Trustees can refer to the ICO’s detailed guidance on Children and the GDPR.

Step 8 – Be prepared to deal with any personal data breaches.

  • Follow the policies and good practice guidelines set out in the Data Security Policy (available from TMCP). Consider what systems need to be put in place to minimise any potential data breach (unauthorised access to data, or even its loss). For example, with electronic files, keep these secure (e.g. password-protected and encrypted, with appropriate anti-virus, anti-malware and anti-phishing software loaded to protect electronic data). With manual files, keep these in locked filing cabinets (or other suitably secure cupboards) and follow good practice by maintaining a “clear desk policy”.
  • Ensure those handling personal data are trained in appropriate security measures so that they can help to look after the personal data of those involved in the life of the Church.
  • If you believe that a breach has occurred, follow the steps set out in the Breach Policy (Interim) (available from TMCP).
  • Use the Breach Record for Managing Trustees prepared by the Working Party to record all instances of a personal data breach (see “help box”), regardless of how small e.g. an email being sent to the wrong recipient.
  • Review and provide training (further to the training being provided by the Working Party) to all those who deal with personal data in a Local Church, Circuit or District so that they know what to do and what has to be recorded.
  • Contact TMCP if you believe that a breach needs to be reported to the ICO, i.e. a breach leading to loss of confidentiality or reputational damage, so that we can handle this for the Managing Trustees as Data Controller.
  • Contact TMCP if you believe that a breach needs to be notified to the individuals themselves, i.e. where ID fraud or financial loss is a high probability. Further information will be produced by TMCP in due course.

It is important to contact TMCP as soon as possible so that help can be provided.
More information:

A “personal data breach” is any act or omission that compromises the security, confidentiality, integrity or availability of personal data, or the physical, technical, administrative or organisational safeguards that we as a Church have put in place to protect it. The loss of, or unauthorised access to, disclosure (sharing) or acquisition of, personal data is a personal data breach, e.g. emailing personal data to the wrong person, or leaving personal data in a public place where others can access it.


To help with this:

The Working Party has produced a Breach Record for Managing Trustees together with detailed guidance on avoiding and dealing with data breaches in the Data Security Policy and the Breach Policy (Interim) (both available from TMCP).


Managing Trustees can refer to the ICO’s guidance note on security.

Step 9 – Consider data protection implications when making key decisions.

  • Ensure that the managing trustee body considers what it needs to do to protect the personal information of its members, their families and anybody else who has an association with the Church (and whose data they hold) whenever it starts a new project that could involve dealing with personal information in any way.
    • Such a new project could involve a Circuit office transferring its paper records onto a new computer programme – what will happen to the paper records? How can they be destroyed safely and completely? Is the new computer system secure? Is it password protected? Who will have access to it?
    • A project could also be something less obviously related to personal information such as opening negotiations with a potential new sharing partner – will information about the Local Church, its members and third party user groups be discussed?
  • Before starting a new project that is likely to have a high impact on the rights and freedoms of individuals e.g. if a Church Council decided to employ an external group to take over the running of a local church’s youth club, consider carrying out a full risk assessment known as a Privacy Impact Assessment. This risk assessment will help the Managing Trustees identify any risk to individuals and how these can be overcome.

To help with this:


The Working Party will be providing further guidance on this topic in due course. Although formal Privacy Impact Assessments will not be required by most Managing Trustees, Managing Trustees should consider and document whether or not any of the data being processed could be subject to a risk assessment. This means that Managing Trustees would need to consider whether the project exposed any data protection risks and, if so, explain how these risks would be minimised.
Additional material to help Managing Trustees to take these Steps will continue to appear on TMCP’s website. Sign up to receive the News Hub alerts to keep pace with what is available. Alternatively, please do not hesitate to contact TMCP if you have any general data protection queries, and the Conference Office for enquiries relating to safeguarding and complaints and discipline issues.
Disclaimer
Please note that this document is to provide guidance and assistance to Managing Trustees and their professional advisers. This guidance note is general in nature, may not reflect all recent legal developments and may not apply to the specific facts and circumstances of any particular matter.
Also note that nothing within the documents and guidance notes provided by TMCP nor any receipt or use of such information, should be construed or relied on as advertising or soliciting to provide any legal services. Nor does it create any solicitor-client relationship or provide any legal representation, advice or opinion whatsoever on behalf of TMCP or its employees.
Accordingly, neither TMCP nor its employees accept any responsibility for use of this document or action taken as a result of information provided in it.
Please remember that Managing Trustees need to take advice that is specific to the situation at hand. This document is not legal advice and is no substitute for such advice from Managing Trustees' own legal advisers.