The General Data Protection Regulation (GDPR) marks a shake-up of data protection legislation and addresses the advances in the electronic world since the Data Protection Act 1998 (DPA) came into force. Although the main principles will remain the same, GDPR will totally repeal the DPA and officially comes into force on the 25th May 2018. This guidance note focuses on the changes in statute. It should be read in conjunction with the guidance on the practical application of the changes, and on the steps that Managing Trustees can take, available from the Data Protection page. Further practical guidance specifically for Methodist Managing Trustees on the GDPR will be available in January 2018.
At the heart of GDPR is the ethos of ‘Privacy by Design’, which in itself will entail maintaining records of personal data and processing activities for both Controllers and Processors. Data protection and an individual’s privacy must be at the core of all new data processing activities and not an afterthought. Of course, the processing of personal data is absolutely necessary in order to carry out the day-to-day functions of the Church, but Managing Trustees must be thinking of how their data processing activities will impact on individuals’ privacy; the key words being ‘transparency’ and ‘accountability’.
A1 – DPA guidance
TMCP’s guidance on the DPA is still relevant despite the proposed introduction of the GDPR, because the DPA remains in force until May 2018. This guidance note should be read in conjunction with the TMCP DPA guidance (Data Protection Booklet) and the rest of the data protection guidance available from the Data Protection page.
A2 – Terminology
All definitions are similar to those defined by the DPA, the most notable change being the decision to drop the word ‘Data’ from the definition of the Data Controller and Data Processor.
In this guidance note:
- Personal Data is any information relating to an identified or identifiable natural person, the ‘Data Subject’;
- Special Categories of Personal Data, formerly Sensitive Personal Data, covers personal data regarding a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person’s sex life or sexual orientation;
- The Controller is the legal entity that is responsible for ensuring compliance with the relevant data protection legislation - for the Methodist church this is TMCP.
- The Processor is any person (other than an employee of the Controller) who processes data on behalf of the Controller – for the Methodist Church this is the local churches, Circuits and Districts.
- A Data Subject is the individual to whom particular personal data relates.
- A Privacy Notice is a notice informing individuals about why their personal data is being collected and how it will be used.
Managing Trustees should note that, as with the current legislation, TMCP will continue to be the Controller for the local churches, Circuits and Districts, who in turn remain the Processors. However, from early next year, the Methodist Council will become the Controller in relation to the work undertaken by the Connexional Team. It will also be the relevant Controller for safeguarding and complaints and discipline matters. Managing Trustees will be notified when this happens.
A3 - Brexit
The UK’s decision to leave the EU will not affect the implementation of GDPR because:
- If the UK wants to continue trading with Europe then our data protection laws must be compatible with the rest of the EU; and
- The UK is set to leave the EU after GDPR comes into force, and its provisions will be enshrined in UK law by a new Data Protection Act; the Bill for this is currently making its way through Parliament.
B1 - GDPR Principles
The Six Principles, described below, are broadly the same as those that relate to the DPA, although the principles relating to individuals’ rights and overseas transfers now have their own provisions within GDPR, which demonstrates the importance of those areas of data protection law. The Six Principles are specified in Article 5 of GDPR, which sets out that personal data shall be:
Article 5 of GDPR
5.1 a) Processed lawfully, fairly and in a transparent manner;
5.1 b) Collected for specified, explicit and legitimate purposes and not processed in a manner that is incompatible with those purposes (processing for archiving in the public interest, scientific or historical research purposes or statistical purposes will not be considered to be incompatible with the initial purposes) – (Purpose Limitation);
5.1 c) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed – (Data Minimisation);
5.1 d) Accurate and where necessary kept up to date – all reasonable steps should be taken to ensure that all inaccurate data is erased or rectified without delay – (Accuracy);
5.1 e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (processing for archiving in the public interest, scientific or historical research purposes or statistical purposes subject to the implementation of the appropriate technical and organisational measures required by GDPR in order to safeguard the rights and freedoms of individuals) – (Limited Retention);
5.1 f) Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures – (Security).
Article 5(2) requires that:
B2 - GDPR and the Main Changes
Apart from offering Data Subjects more privacy protection, GDPR also aims to harmonise the different data protection laws of the separate member states of the EU. Some of the changes are unlikely to affect many of the local churches, such as the right to Data Portability (See Section C7) but TMCP has included the changes for your information.
Putting individuals in control of their data is at the heart of GDPR.
Consent by an individual to the processing of their data must be freely given and can no longer be implied from silence or inaction. It must be unambiguous and in clear, plain English, and so cannot be hidden within a contract or a lengthy document. TMCP has produced an article (Data Collection) regarding the collection of data and consent for local church, Circuit and District Directories, which provides further information.
Managing Trustees must also provide clear information on how an individual can withdraw consent and prevent the processing of their data for any given purpose.
C2 Right to be informed
Individuals must be informed, normally in a Privacy Notice (on which TMCP will be providing further guidance in due course), of:
- the purpose of the data processing;
- who, if anyone, the data will be shared with;
- how long the data is likely to be kept;
- details of the data subject’s rights;
- the right to withdraw consent at any time, and the process for doing so;
- the right to lodge a complaint;
- whether or not the data will be transferred to another country.
C3 Right of Access
Although similar to rights under the DPA, generally Controllers will no longer be able to charge an administration fee for providing data to an individual.
TMCP has produced a Data Subject Access Request (DSAR) Policy with step-by-step guidance on how to deal with DSARs.
Also, when a DSAR is received, there is less time in which to formally respond to the individual. The new statutory time period is 30 calendar days. This emphasises why it is so important for Managing Trustees to know what they are processing, where it is kept and that the data is not kept any longer than absolutely necessary.
C4 Right to Rectification
An individual has the right for inaccurate or incomplete data to be corrected within one month, although this can be extended to two months if the request is extremely complicated. If the data has been shared with third parties, then they must be informed of the rectification.
C5 Right to Erasure
Also known as the ‘Right to be Forgotten’, this is not an absolute right, but there are circumstances in which individuals can request the deletion or removal of their data where there is no compelling reason for its continued processing:
- the data is no longer necessary for the purpose for which it was collected;
- consent is withdrawn;
- there is no legitimate interest for the continuing processing;
- the data was unlawfully processed;
- the data relates to online services aimed at children.
With a few exceptions, such as where the processing is necessary in order to comply with statutory requirements (e.g. tax information) or is required to defend a legal claim, an individual’s data must be deleted if it causes unwarranted damage or distress.
This right would apply, for example, where a member of a local church decides to become part of another denomination. Unless there were legal implications, there would be no need for the Methodist Church to continue to hold and process the individual’s data.
C6 Right to Restrict Processing
This right is similar to those contained under the DPA where individuals can restrict processing activities where:
- the accuracy of the data is questioned;
- there has been an objection to the processing and it is being considered whether there are legitimate grounds to override the objection e.g. required for payroll purposes;
- processing is unlawful and the individual has requested restriction as opposed to erasure;
- the data is no longer required but the individual requires it for legal purposes.
So, if an individual no longer wanted to receive pastoral support, perhaps because their personal circumstances have changed, then they should no longer be discussed in pastoral meetings etc.
If the data has been shared with third parties then they must be informed of the restriction.
C7 Right to Data Portability
This is a new right created by GDPR whereby individuals may use their data, which must be provided in a commonly used and machine-readable format, for their own purposes and transfer the data to another Controller for different services. An example of this is using data collected by one service provider with a price comparison website to compare the prices of other providers.
This is unlikely to be applicable to the Church and has been included for information purposes only.
C8 Right to Object
Again, this right is similar to those contained under the DPA where individuals can object to processing activities. This right must be brought to the individual’s attention at the first point of communication and should be included in a Privacy Notice.
If an objection is raised by an individual, the data processing must be stopped immediately unless:
- it can be demonstrated that there are legitimate grounds for the processing which override the rights and freedoms of the individual; or
- the processing is required to establish, exercise or defend a legal claim; or
- the processing is for research carried out in the performance of a public interest task.
No exception applies where the objection relates to direct marketing.
C9 Automated Decision Making and Profiling
This is another right similar to those contained in the DPA and is unlikely to be applicable to the Church.
Briefly, it gives individuals the right to have a decision that would normally be made by automated means made by a human instead, and, in the case of profiling, to request human intervention where automated processing evaluates personal aspects of an individual such as performance at work.
Under GDPR, Managing Trustees will need to demonstrate that they have a lawful basis for processing data. Details of this are normally provided in a Privacy Notice which informs Data Subjects of what information is held about them and how it is used by the Managing Trustees. TMCP will be providing Managing Trustees with guidance on what constitutes a Privacy Notice along with a Model Notice, which Managing Trustees will be able to adapt for their own purposes.
D1 The six Legal Bases for Processing Personal Data
GDPR stipulates six legal bases on which the processing of personal data is lawful. These are:
- Consent from the Data Subject;
- The processing is necessary for the performance of a contract. This would apply to Managing Trustees where, for example, they pay lay workers: they do not need to obtain explicit consent to process personal data in order to pay their wages.
- The processing is necessary for compliance with a legal obligation. An example of this is the payment of income tax and national insurance, where Managing Trustees are required by law to account to HMRC in respect of employee payment details.
- The processing is necessary to protect the vital interests of the Data Subject or another person. As with the DPA, the emphasis is on the word ‘vital’, and therefore this legal basis should not be used lightly and only in critical or life-and-death situations.
- The processing is necessary for the performance of a task carried out in the public interest. The Methodist Church is not a public body and therefore this does not apply to Managing Trustees.
- The processing is necessary for the legitimate interests of the Controller, subject to the interests, rights and freedoms of the Data Subject.
Further details are given below in section D3 and further guidance will be produced by TMCP in due course.
This is where the Data Subject has given their consent to his or her personal data being processed for one or more specific purposes. More details regarding what constitutes valid consent are given in section A1 above, but TMCP will in due course be producing further guidance for situations where obtaining consent may not be appropriate or may be difficult. It is important, however, to bear in mind that there may be another legal basis for processing personal data available to Managing Trustees.
D3 Legitimate Interests
There may be occasions where it is not possible, reasonable or appropriate to obtain explicit consent from the Data Subject. It may therefore be possible to identify a legitimate interest of the Church. Further guidance will be produced on this topic by TMCP but two examples of where Managing Trustees could identify a legitimate interest of the Church would be:
- A Minister attending a member of the local church for pastoral reasons would not need the member’s consent to take notes, as this would be deemed to be a legitimate interest as part of a Minister’s role. However, the member still has the right to object.
- Managing Trustees processing data in order to comply with CPD would have a legitimate interest.
Whilst accountability has always been considered best practice under the DPA, it is now a requirement of GDPR under Article 5(2). This essentially means that you need to show and demonstrate that the data protection legislation is being adhered to.
E1 Processing Records
Where an organisation has more than 250 employees or processes Special Categories of Data (previously described as Sensitive Personal Data under the DPA, and described in more detail in TMCP’s guidance on the DPA) or data relating to criminal convictions or offences, the following records must be kept:
- Name and details of the church organisation;
- Description of the categories of personal data;
- Description of the likely recipients of the personal data;
- Details of any transfers to third countries outside of the EU;
- Retention schedules; and
- Description of the technical and organisational security measures.
Even where Managing Trustees feel they do not fall into this category, perhaps because they have fewer than 200 members, it is still considered best practice to keep records of the data they are processing.
E2 Privacy by Design and Default
There is a new duty to demonstrate that data protection has been considered at the start of data processing activities. Although it was always considered as being best practice under the DPA, it is now mandatory under GDPR.
Privacy Impact Assessments are required when the processing is highly likely to affect the rights and freedoms of individuals. They are a way of assessing whether there is any risk to individuals and how any issues can be overcome in order to protect them. This would apply where Managing Trustees decide to outsource services. For example, an external group could be employed to continue running a local church’s youth club where the existing members are no longer able to volunteer to run the club. Further guidance on this topic will be provided by TMCP in due course.
E3 Data Protection Officers
This is likely to be an issue for the Connexional Team only, but should a local church, Circuit or District wish to appoint somebody locally to look after data protection matters, Managing Trustees should take care not to call those persons Data Protection Officers; perhaps a ‘Privacy Administrator’ instead.
TMCP and the Data Protection Working Party are also always on hand to provide guidance and support to Managing Trustees.
F1 – Keeping Data Safe
This is not a new concept, as data security and keeping personal data safe are an integral part of the DPA. There have been recent high-profile cases involving significant data breaches at large organisations, for example TalkTalk, Tesco and the NHS, whose systems were hacked because of a lack of IT security. There are also many reported cases where a data breach has been caused by leaving laptops on trains, USB drives being misplaced, etc. A data breach is a contravention of security which leads to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
GDPR places additional emphasis on data security which the Church needs to be aware of and where appropriate, take the following measures:
- Pseudonymisation (protecting confidential information by removing identifying factors, e.g. through the use of pseudonyms) and encryption of personal data;
- ability to ensure the continuing integrity of IT systems – Windows XP is no longer supported by Microsoft for example and therefore not receiving vital security updates;
- ability to restore the data in the event of physical or technical loss;
- process for regularly testing the effectiveness of IT security.
Whilst these measures are not mandatory for many organisations, a lack of consideration of them will not bode well with the Information Commissioner’s Office (ICO) in the event of a data breach. Thought must also be given to the ever-increasing use of virtual storage clouds, e.g. “the Cloud”, and organisations must include these types of service providers in their security planning.
F2 Breach Notification
This is a new introduction under GDPR and requires organisations to formally report to the ICO certain types of data breach.
It is only the breaches which are likely to seriously affect the rights and freedoms of individuals, such as loss of confidentiality or reputational damage that need to be reported to the ICO.
Where there is a ‘serious’ risk of the breach affecting the rights and freedoms of individuals, then the data subjects themselves should be notified. This would include situations where ID fraud or financial loss has occurred or is highly probable.
Regardless of whether a data breach is to be reported to the ICO, it is considered best practice for organisations to have an effective breach register to record all instances of a data breach; this could be as trivial as sending an email to the wrong person. TMCP will be producing further guidance about breach notification and recording in due course.
The transfer of personal data outside of the EU is not a matter that will affect much of the Church. However, for information purposes only, the transfer of data outside of the EU is not permitted unless the European Commission considers that those countries have adequate data protection laws.
As a result of GDPR, organisations processing the personal data of individuals residing within the EU will be covered regardless of where the organisation itself is located. This will affect non-EU based organisations offering services to EU nationals.
This element of GDPR will become more significant once the UK has left the EU following the Brexit vote.
The punitive sanctions available to the supervisory authorities (the ICO in the case of the UK) are significantly widened by GDPR.
For the most serious data breaches, such as direct marketing without consent, the ICO will have the power to fine up to 4% of an organisation’s annual turnover or €20 Million (whichever is greater). Lesser breaches, such as not notifying the authorities of a data breach or not conducting a privacy impact assessment, can result in fines of up to 2% of an organisation’s annual turnover or €10 Million (whichever is greater).
Managing Trustees are reminded that Standing Order 019 provides an indemnity to TMCP from the Managing Trustees should they be the cause of a data breach and TMCP receives a monetary penalty from the ICO.
If you have any queries in relation to the guidance in this document please contact TMCP Legal for further assistance.
Please note that this document is to provide guidance and assistance to Managing Trustees and their professional advisers. This guidance note is general in nature, may not reflect all recent legal developments and may not apply to the specific facts and circumstances of any particular matter.
Also note that nothing within the documents and guidance notes provided by TMCP nor any receipt or use of such information, should be construed or relied on as advertising or soliciting to provide any legal services. Nor does it create any solicitor-client relationship or provide any legal representation, advice or opinion whatsoever on behalf of TMCP or its employees.
Accordingly, neither TMCP nor its employees accept any responsibility for use of this document or action taken as a result of information provided in it.
Please remember that Managing Trustees need to take advice that is specific to the situation at hand. This document is not legal advice and is no substitute for such advice from Managing Trustees' own legal advisers.