Section A - Introduction

“You” are all those volunteers, ministers and staff within Local Churches, Circuits and Districts of the Methodist Church who handle personal information (data).

“Methodist Church” refers to the wider Connexion of the Methodist Church in Great Britain.

“We” refers to the controllers, being the Trustees for Methodist Church Purposes and the Connexional Team (under the name of the Methodist Church in Great Britain), as explained in the Who is the Data Controller? Focus Note.

Personal information (data) can only be collected and/or used (processed) if the Methodist Church has a legal reason for doing so under the General Data Protection Regulation (GDPR) (Article 6). These legal reasons are called “lawful bases”. There are six lawful bases that can be relied upon:

  • contractual;
  • legal obligation;
  • legitimate interest;
  • consent;
  • vital interest (life or death scenarios unlikely to apply to use of personal information within the Methodist Church on a regular basis but possible in the event of emergency services being called – see Lawful Bases Fact Sheet 5 - Vital Interests); and
  • public interest (mainly for public bodies, but could apply to the Methodist church in some situations - see Lawful Bases Fact Sheet 6 – Public Task).

You need to check that you have one or more “lawful bases” for processing personal information before you collect or use personal information for any particular purpose. You need to consider what category of personal information you are dealing with, the purpose of using (processing) the personal information and what lawful basis you can rely on under the Methodist Privacy Notice.

This process will help fulfil Step 5 of the 9 Steps for Methodist Managing Trustees to Take Now to Comply with GDPR Focus Note (9 Steps). Detailed information on lawful bases is available on the ICO website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/.

GDPR principles

By identifying the category of personal information, the purpose of each processing activity and the corresponding lawful basis for carrying it out (and providing information to individuals about the lawful basis and purpose for using their personal information), we will together satisfy the first GDPR principle to process personal information: “lawfully, fairly and in a transparent manner”.

If there is no lawful basis, the processing cannot be lawful.

The controller decides which of the six lawful bases will be used depending on the category of personal information (data) and the proposed use of that information to ensure that it is handled fairly.

This Lawful Bases Guidance Note is designed to take you through the process taken by the controllers to identify the appropriate lawful basis (or bases) to use. The Identifying a Lawful Basis Charts set out what requirements under GDPR or otherwise need to be followed (Chart 1) and why a particular lawful basis (or bases) should be used (Chart 2). More detailed guidance on each of the lawful bases and special cases is set out in the Lawful Bases Fact Sheets available at the end of this Lawful Bases Guidance Note.

Now that the results of the data mapping exercise carried out by the Data Protection Working Party (Working Party) are known, the Working Party is preparing a breakdown of results which will be set out in the Privacy Notice. While this will suggest lawful bases for typical Methodist purposes, this Lawful Bases Guidance Note will help you to understand the reasons for selecting a particular lawful basis and check that any suggested lawful bases are appropriate to your situation.

In many cases there is no right or wrong answer but there is a need to show that the options have been considered and the lawful basis (or bases) selected is justified. The information in this Lawful Bases Guidance Note should assist you in doing this.

Section B - Identifying a Lawful Basis Charts

You can work through the questions in Charts 1 and 2 in this Section to help establish the requirements under GDPR and identify why the lawful basis (or bases) suggested in the Privacy Notice is appropriate or adapt the suggestions to particular circumstances.

Note that more than one lawful basis can be used if appropriate and due to the different rights attaching to the different lawful bases it is helpful to use all those that are applicable. The Lawful Bases Fact Sheets 1 to 4 relating to “Contractual”; “Legal Obligation”; “Legitimate Interests” and “Consent” provide detailed information on each lawful basis including the rights attached to each.

Chart 1 – What GDPR and other requirements apply to the type of information in question?

Q1.

Is the information you intend to collect and use (process) “personal data”?

  • Does the information relate to a natural person as opposed to an organisation or company?
  • Is the individual it relates to identifiable from the data? and
  • Is the individual the data relates to alive?

YES
To collect and use (process) the information a lawful basis for doing so must be established.

=> Go to question 2.

NO
The Data Protection Act 1998 and General Data Protection Regulation (GDPR) from 25 May 2018 will not apply.

You should check whether there are any other limits on using the information such as a confidentiality clause in a contract with a surveyor or contractor. You will also need to adhere to the recommendations of the Methodist Church – Archivists with regard to retaining documents.

Q2.

Is the personal data (1) “special category” personal data i.e. is it sensitive OR (2) relating to criminal information?

(1) special category - Does it include any information about a living individual regarding their:

  • race;
  • ethnic origin;
  • political opinions;
  • religious or philosophical beliefs;
  • trade union membership;
  • health;
  • sex life or sexual orientation; or
  • genetic data or biometric data for the purpose of uniquely identifying a natural person?

(2) Criminal information – does it relate to an individual's criminal record?

YES
In the case of “special category” personal data both a lawful basis (or bases) AND a separate condition for processing under Article 9 of GDPR must be identified.

=> Refer to the Lawful Bases Fact Sheet 7 – Special Category Personal Data for guidance on the conditions under Article 9;

OR

In the case of “criminal offence” data both a lawful basis (or bases) AND a separate condition for processing need to be identified. These separate conditions will be confirmed by UK legislation.

AND

=> Go to question 3 to check whether the Privacy and Electronic Communications Regulations (PECR) 2003 also need to be considered.

NO
One or more lawful bases to process the personal data still needs to be established.

=> Go to question 3 to check whether the Privacy and Electronic Communications Regulations (PECR) 2003 also need to be considered.

Q3.

Will use of the personal information involve sending or directing any advertising or marketing material to specific recipients by text, email or telephoning individuals registered with the Telephone Preference Service (TPS)?

YES
You should be aware of the additional requirements that will apply under the Privacy and Electronic Communications Regulations (PECR) 2003, namely consent to the same standard as GDPR will be required.

=> Refer to the Lawful Bases Fact Sheet 8 - PECR for guidance on the requirements under PECR;

=> Go to question 4 to check whether your intentions for sharing personal information will impact on the availability of legal bases.

NO
One or more lawful bases to process the personal data still needs to be established.

=> Go to question 4 to check whether your intentions for sharing personal information will impact on the availability of legal bases.

Q4.

Will the personal information be shared outside of the Methodist Church e.g. printed with copies left in the church foyer or published on a website or social media?

YES
You should be aware of the implications this will have on the availability of the “legitimate interests” lawful basis at question 7.

=> Go to questions 5 to 8 in Chart 2 to see the process followed by the Methodist Church to establish the appropriate lawful basis (or bases) on which to collect/use personal information lawfully.

NO
One or more lawful bases to process the personal data still needs to be established.

=> Go to questions 5 to 8 in Chart 2 to see the process followed by the Methodist Church to establish the appropriate lawful basis (or bases) on which to collect/use personal information lawfully.

Chart 2 - Which lawful basis (or bases) is most appropriate?

Q5. Contractual?

Do you need to use an individual’s personal data to enter into or perform a contract with that individual e.g. to pay a lay worker under a contract of employment or invoice a licensee under a licence agreement?

Is the processing necessary to fulfil the contractual obligation/perform the contract?

YES
The “Contractual” lawful basis would be appropriate as a lawful basis for processing under Article 6(1)(b) of GDPR.

=> Look at the further information in the Lawful Bases Fact Sheet 1 - Contractual.

=> Go to question 6 to see whether an additional lawful basis would be appropriate in this case.

NO
You should consider if there is an alternative lawful basis that would be appropriate.

=> Go to question 6.

Q6. Legal obligation?

Are you under a legal obligation to use (process) the personal data in a certain way e.g. to provide National Insurance Numbers and wage information or gift aid details to HMRC?

Is the processing necessary to fulfil the legal obligation i.e. it cannot be fulfilled without using the personal data?

YES
The “legal obligation” lawful basis would be appropriate as a lawful basis for processing under Article 6(1)(c) of GDPR.

=> Look at the further information in Lawful Bases Fact Sheet 2 - Legal Obligation.

=> Go to question 7 to see whether an additional lawful basis would be appropriate in this case.

NO
You should consider if there is an alternative lawful basis that would be appropriate.

=> Go to question 7.

Q7. Legitimate interests?

Does the Methodist Church have legitimate interests for using (processing) the personal data? For example, as a membership organisation the Methodist Church has a legitimate interest in using personal information for purposes including maintaining lists of members and providing pastoral support.

  • Is the use of the personal information necessary to achieve the Methodist Church’s legitimate interests i.e. is the proposed use of the personal information the only way to achieve the intended result?
  • Is it clear that the legitimate interests of the Methodist Church are not overridden by the interests, fundamental rights or freedoms of the individuals whose data is being used (data subjects)?
  • Is the use of personal information reasonably anticipated by the individual concerned? Would an individual expect the Local Church, Circuit or District to use their information in the way that is being proposed?

AND (unless the individual is a Minister in Full Connexion, probationer or an office holder whose contact details would need to be in the public domain to fulfil specific Church functions e.g. the treasurer or bookings secretary)

  • Will the personal information be kept within the Methodist Church / under the control of the Methodist Church? (e.g. it will not be made available to the general public by leaving printed copies available to pick up in church foyers or publishing on websites or in social media?)

YES
The “legitimate interests” basis would be appropriate as a lawful basis for processing under Article 6(1)(f) of GDPR.

=> Go to the further information in Lawful Bases Fact Sheet 3 – Legitimate Interests.

=> Go to question 8 to see whether an additional lawful basis would be appropriate in this case.

NO
You should consider if there is an alternative lawful basis that would be appropriate.

=> Go to question 8.

Q8. Consent?

Can you obtain freely given consent to process an individual’s personal data e.g. is the church member, relative, employee etc. (data subject) happy to give their consent?

  • Can the consent be freely given?
  • Can the individual refuse their consent i.e. is the giving of consent actually a choice?

YES
“Consent” would be an appropriate lawful basis for processing under Article 6(1)(a).

=> Go to the further information in the Lawful Bases Fact Sheet 4 - Consent.

=> Go to question 9.

NO
This would not be an appropriate lawful basis to use.

=> Go to question 9 if a different lawful basis or bases has been established.

=> Go to question 10 if no lawful basis has been established.

Q9.

Has a record been kept of the lawful basis being relied upon and privacy information provided?

You need to be careful that (1) a written record is kept of what lawful basis is being relied on and (2) the required privacy information is provided to the individuals concerned (data subjects). This is called a “Privacy Notice” or “Privacy Policy”. The Working Party will provide such a Privacy Notice for Managing Trustees before 25 May 2018 as part of the “Data Protection Toolkit”.

In terms of which lawful basis (or bases) will be used, there is often not a right or wrong answer. You do however need to follow the guidance provided (including the policy set out in the Privacy Notice), be able to explain the reason for the decision reached, show a proper decision making process and justify the outcome. Recording the decision will help fulfil the accountability principle under GDPR.

The privacy information about how the personal information will be used includes details of the lawful bases being relied upon and purposes for using the personal information. Communicating this information will fulfil the requirements in relation to privacy information - Step 3 of the 9 Steps.

Q10.

What happens if no lawful basis is available?

If you are unable to identify a lawful basis for processing personal data, consider whether there is an alternative to processing the personal data and/or contact TMCP Data Protection for further guidance.

  • Can the Managing Trustees limit the information they use and share to protect the privacy of individuals and avoid the need to find a lawful basis or fulfil the other requirements under GDPR? Do the Managing Trustees need to include details of people’s health conditions with prayer requests?
  • Can a general message be communicated via a poster or newsletter rather than contacting specific individuals e.g. avoiding the use of personal information; contact emails or personal addresses and names?

Section C - Lawful Bases Fact Sheets

Managing Trustees can use the Lawful Bases Fact Sheets in this Section C to help them to find out more about the lawful basis (or bases) being relied upon. Please use the information in the Fact Sheets and links to information on the ICO Website to check that the lawful basis (or bases) is/are appropriate to the particular circumstances.

Lawful Bases Fact Sheet 1 - Contractual

Lawful Basis: Contractual

GDPR says that this lawful basis is where processing is:
“necessary for the performance of a contract” - Article 6(1)(b)

This means... the Managing Trustees need to use (process) an individual’s personal information to do something that individual wants them to do under a contract or before entering into a contract with them e.g. letting them know whether rooms are available to use under a licence and how much it will cost.

This lawful basis is appropriate if...

  • The use of the personal information (processing) is necessary to enter into or carry out obligations under a contract i.e. there is no alternative way to achieve the intended purpose.

This lawful basis is not appropriate if...

  • There is no contractual obligation requiring use of the personal information in the way intended e.g. the existence of a licence agreement for a knitting group to use the church hall could require use of personal information to invoice the couple running the group for the licence fees but not to contact them about Local Church events. However, an alternative lawful basis could be identified for that purpose e.g. legitimate interests and/or consent depending on the circumstances.
  • It is not necessary to use the personal information in the way intended i.e. although there is a contractual obligation to do something, Managing Trustees can achieve the same result without using the personal information.

This lawful basis has the following implications in terms of the individual’s privacy rights:

  • The right to object does not apply where this lawful basis is being relied upon.
  • The right to request the transfer of personal information to a third party (data portability) applies where this lawful basis is being relied upon. It is however difficult to see how this could be used in the context of the Methodist Church.

Next steps:

1. Record the fact that the managing trustee body is relying on this lawful basis and justify this decision e.g. if the individual or the ICO asked the Managing Trustees why they were using this lawful basis what reason would be given?

  • What contract is being relied upon?
  • What obligation under that contract requires use of the personal information for this purpose?
  • Why do the Managing Trustees think the use is necessary under the contract?

Helpful to note: A template record is being produced by the Working Party.

2. Inform the individuals involved (data subjects) about how their data will be used in a privacy notice.

Helpful to note: A Privacy Notice is being developed by the Working Party for Managing Trustees to use.

3. Keep the use of the personal information under review. The requirements under GDPR are ongoing and it is important to keep everything under review as part of the accountability principle.

Practical Examples:

The results of the Working Party’s data mapping exercise suggest that Managing Trustees could rely on the contractual lawful basis to collect and use (process) personal information for the following purposes:

  • Pay employees and make pension contributions to lay employees (employment contracts).
  • Manage room bookings and the allocation of rooms (licence agreements with third party user groups).
  • Invoice third party users of church premises (licence agreements with third party user groups).

Refer to the Privacy Notice being prepared as part of the Data Protection Toolkit.

Further information:

Lawful Bases Fact Sheet 2 - Legal Obligation

Lawful Basis: Legal obligation

GDPR says that this lawful basis is where processing is:
“necessary for compliance with a legal obligation” - Article 6(1)(c)

This means... the Managing Trustees have no choice but to use the personal information in order to comply with a legal obligation e.g. to provide personal information relating to gift aid donations to HMRC.

This lawful basis is appropriate if...

  • The managing trustee body is under a legal obligation to collect or use (process) personal information under EU or domestic law (or the law of another member state) and the processing is necessary to comply with that legal obligation.

This lawful basis is not appropriate if...

  • The obligation is not legally mandatory e.g. the Managing Trustees are not legally obliged to use the personal information for the intended purpose. It could be that HMRC has asked for some information e.g. to help complete a survey, but there is no legal obligation on the Managing Trustees to provide it. Another lawful basis would need to be identified.
  • The obligation is in fact contractual – In this case please refer back to question 5 in Section B of the Lawful Bases Guidance Note and Lawful Bases Fact Sheet 1 – Contractual.
  • The Managing Trustees can comply with the legal obligation without using (processing) the personal information. In such a case there would be no processing of personal information and the Managing Trustees would be able to fulfil the obligation without having to comply with the formal requirements under GDPR. There may however be other considerations for them to take care of.

This lawful basis has the following implications in terms of the individual’s privacy rights:

  • The right to erasure (sometimes referred to as the right to be forgotten, to have personal information removed or amended), the right to data-portability (request the transfer of personal information to a third party) and the right to object do not apply where this lawful basis is being relied upon.

Next steps:

1. Identify the specific legal obligation being relied upon or source of advice leading the Managing Trustees to this conclusion.

2. Record the fact that the managing trustee body is relying on this lawful basis and justify this decision e.g. if the individual or the ICO asked why this lawful basis was being used, what reason would be given?

  • Why do the Managing Trustees believe use of the personal information is necessary and there is no other way to comply with the legal obligation but to use the personal information for the purpose intended?

Helpful to note: There is often not a right or wrong answer; Managing Trustees do, however, need to be able to explain the reason for the decision reached.

A template record is being produced by the Working Party.

3. Inform the individuals involved (data subjects) about how their data will be used in a privacy notice.

Helpful to note: A Privacy Notice is being developed by the Working Party for Managing Trustees to use.

4. Keep the use of the personal information under review. The requirements under GDPR are ongoing and it is important to keep everything under review as part of the accountability principle.

Practical Examples:

The results of the Working Party’s data mapping exercise suggest that Managing Trustees could rely on legal obligation to collect and use (process) personal information for the following purposes:

  • Keeping records of marriages.
  • Keeping records of and supplying information to HMRC regarding VAT, gift aid and PAYE.
  • Carrying out “right to rent” checks when entering into residential tenancies and keeping records/ copy documentation. (Please see the Residential Tenancy (Statutory Requirements) Focus Note for details about this legal obligation).
  • Financial accounting.
  • Completing tax returns.

Refer to the Privacy Notice being prepared as part of the Data Protection Toolkit.

Further information:

  • ICO guidance on Lawful Basis For Processing – Legal Obligation

Lawful Bases Fact Sheet 3 - Legitimate Interests

Lawful Basis: Legitimate Interests

GDPR says that this lawful basis is where processing is:
“necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child” – Article 6(1)(f)

This means... the Methodist Church has a legitimate interest in using the personal information for a particular purpose and balanced against the interests of the individuals, the Managing Trustees are satisfied the Church has a legitimate interest and is using it properly.

This lawful basis is appropriate if...

  • The Methodist Church has a legitimate interest for using the data for the purposes proposed.
    Note that legitimate interests can range from the trivial to the compelling. The more trivial the greater consideration would need to be given to the individual's rights and freedoms when carrying out the balancing exercise.
  • The proposed use of the data is inside the “reasonable expectations” of the individual (data subject)/ the individual would understand why their personal information is being used for the particular purpose.
  • The use of the personal information is “necessary” i.e. it is a “targeted and proportionate” way to achieve the intended purpose.

This lawful basis is not appropriate if...

  • The interests, fundamental rights or freedoms of the individual whose data is being used (affected data subject) override the Church’s “legitimate interests”.
  • The affected data subject is a child – while this lawful basis can still be used there is a greater burden to demonstrate that the balance of the legitimate purposes against the interests, rights and freedoms of the individual, favours the Church’s legitimate interests.
  • The proposed use of the data is outside the “reasonable expectations” of the individual (data subject)/ they would not understand why their personal information is being used in this way.
  • There is a less intrusive way to achieve the same result.
  • The proposed use is high risk and likely to cause harm (and is not outweighed by the legitimate interests).

This lawful basis has the following implications in terms of the individual’s privacy rights:

  • Right to object
    • Individuals (data subjects) have the right to object to the use (processing) of their personal data where “legitimate interests” is being relied upon. This means that Managing Trustees would need to stop using the data unless they can:
      (1) demonstrate compelling legitimate grounds for the processing (which override the interests, rights and freedoms of the individual); OR
      (2) require the data in order to establish, exercise or defend legal rights.
  • Right to restrict while an objection is being considered.

Next steps:

1. Carry out a balancing test to demonstrate why this lawful basis can be relied upon. This is known as a Legitimate Interests Assessment or LIA.

Managing Trustees need to:

  • Identify a legitimate interest e.g. the Methodist Church’s interest in maintaining membership information to further Mission and serve its members (purposes test).
  • Show that the use of the information (processing) is necessary to achieve this legitimate interest and is a targeted and proportionate (reasonable) way to further the interest (necessity test); and
  • Balance the Methodist Church’s legitimate interest against the interests, rights and freedoms of the individual e.g. the member, volunteer or employee whose personal information is being used (balancing test).

2. Record the fact that this lawful basis is being relied upon and justify this decision e.g. if the individual or the ICO asked why this lawful basis was being used, can the Managing Trustees show that they have carried out the balancing test discussed at step 1 and the use of the personal information for the particular purpose is within the individual’s reasonable expectations?

Helpful to note: There is often not a right or wrong answer; Managing Trustees do, however, need to be able to explain the reason for the decision reached, show a proper decision making process and justify the outcome.

A template record is being produced by the Working Party.

3. Inform the individuals involved (data subjects) about how their data will be used in a privacy notice.

Helpful to note: A Privacy Notice is being developed by the Working Party for Managing Trustees to use.

4. Keep the use of the personal information under review. The requirements under GDPR are ongoing and it is important to keep everything under review as part of the accountability principle.

Practical Examples:

The results of the Working Party’s data mapping exercise suggest that Managing Trustees could rely on legitimate interests to collect and use (process) personal information for the following purposes subject to satisfaction of the 3-stage test:

  • Collecting membership information to be shared amongst members only e.g. lists of the women’s and men’s fellowships.
  • Communicating details of Church services and other activities to members or those in regular contact with the Church through the Circuit Plan and church notices.
  • Ensuring volunteers know when they are volunteering by contacting them and displaying lists on the Local Church noticeboard. Managing Trustees should consider how much information is required to achieve the intended purpose and whether safeguards can be put in place to protect volunteers’ privacy e.g. not displaying personal information where it can be seen by the general public.
  • Publicising fundraising activities by communicating with members or those in regular contact with the Church via the post (note the requirements under the Privacy and Electronic Communications Regulations if electronic means of communication are used or calls are made to numbers registered with the Telephone Preference Service – see Lawful Basis Fact Sheet 8 - PECR).

Refer to the Privacy Notice being prepared as part of the Data Protection Toolkit.

Further information:

  • ICO guidance on Legitimate interests.

Lawful Bases Fact Sheet 4 - Consent

Lawful basis: Consent

GDPR says that this lawful basis is where:
“any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” - Article 6(1)(a)

This means... the individual has knowingly and freely given their clear consent to the collection and use (processing) of their personal information for the specific purpose in question.

If the purpose changes, consent will need to be confirmed for that new purpose.

This lawful basis is appropriate if...

  • Real choice is being offered - the Church member, relative, employee etc. (data subject) has a genuine choice as to whether to give their consent. This means they can decide not to give consent and the Managing Trustees would not be able to use the data anyway under a different legal basis e.g. “contractual” under the employment contract.
  • The Managing Trustees want to use personal information for a particular purpose and there is no other lawful basis on which to justify the use of personal information e.g. making personal information in the Circuit Directory available to third parties by leaving copies in church foyers.

This lawful basis is not appropriate if...

  • Consent is difficult to obtain. The ICO suggests this is a sign that consent is not appropriate and an alternative lawful basis should be found.
  • Consent is a pre-condition e.g. consent is being asked for as a pre-condition to services being carried out under a contract.
  • Consent cannot be freely given e.g. if a lay employee feels that they have to consent to use of their personal information otherwise the Circuit will terminate their employment. The ICO warns employers that they need to take extra care to show that consent has been freely given in an employment context and to avoid “over-reliance” on consent. Would another lawful basis such as legitimate interests or contractual be more appropriate?

Consent is also important...

  • To legitimise use of special category personal information. Refer to Lawful Bases Fact Sheet 7 – Special Category Personal Data for more details about special category personal information. In short such information can only be used if a lawful basis can be established and one of the conditions in Article 9 of the GDPR is satisfied. Consent is one of these conditions and the consent obtained must satisfy the GDPR requirements.
  • For direct marketing activities e.g. publicising church events and/or fundraising campaigns to named individuals by email, text or calls to numbers registered with the telephone preference service. Refer to Lawful Basis Fact Sheet 8 - PECR for information on the requirements under the Privacy and Electronic Communications Regulations (PECR) 2003.
  • When personal information is shared with the general public/ put outside of the control of the Methodist Church e.g. Directories published online or left in church foyers. However, please note there is no need for consent to be obtained from Ministers in Full Connexion or probationers or an office holder whose contact details would need to be in the public domain to fulfil specific Church functions e.g. the treasurer or bookings secretary.

To be valid under GDPR consent must be:
  • Unambiguous – it must be clear that consent has been given. If the Managing Trustees are unsure (whether an individual has given their consent or not) the consent is not unambiguous. The individual will need to be asked to confirm whether they are happy to consent.
  • Freely given – the individual must be offered real choice as to whether to give their consent or not.
  • Specific – it must be given to use of personal information for a specific purpose. General or blanket consent is insufficient.
  • Informed – the individual giving consent must be given clear information in plain language (written or spoken) about why the Managing Trustees want their consent and what purpose it will be used for. The individual needs to understand that they are being asked to give consent, the request needs to be obvious and separate from other terms and conditions e.g. not included as part of the terms and conditions in a licence agreement or lease.
  • Positive – consent must be expressed by the Church member, relative or employee etc. (data subject) by a positive action e.g. by ticking a box or saying they were happy for their information to be used for a particular purpose.

This lawful basis has the following implications in terms of the individual’s privacy rights:

  • Individuals can withdraw their consent and request the deletion of their data; “the right to erasure” or “to be forgotten”. Individuals must be informed of this right, offered easy ways to withdraw their consent and told how to do it. Managing Trustees will need to ensure that systems are in place to act on withdrawals of consent without delay.
  • The right to request the transfer of personal information to a third party (data portability) applies where this lawful basis is being relied upon. It is however difficult to see how this could be used in the context of the Methodist Church.

Wherever possible the Methodist Church seeks to rely on another lawful basis. In part this is due to an individual’s right to withdraw consent.


Next steps:

1. Review the way that consent is obtained to make sure that it meets the requirements under GDPR (Step 7 of the 9 Steps Focus Note):

  1. Is consent given to a specific process?
  2. Is clear information given to the individual e.g. the member or volunteer?
  3. Is consent indicated by a positive action i.e. ticking a box to opt in?
  4. Is the consent recorded/ documented?
  5. Can it be easily withdrawn? Has the individual been told how they can withdraw their consent?

Helpful to note: Managing Trustees can use the ICO's Consent Checklist to check that the consent requirements for GDPR have been fulfilled and use the Template Consent Form produced by the Data Protection Working Party to obtain consent.

2. Keep clear records of consent, even if consent is confirmed over the telephone or in person. Managing Trustees need to keep a record of who gave consent, when, how (e.g. ticking a box or confirming consent in person) and what the individual was told at the time (e.g. what they were told consent was being given for). Record why this lawful basis is being relied upon.

Helpful to note: A Template Consent Record is being developed by the Data Protection Working Party for Managing Trustees to use.

3. Inform the individuals involved (data subjects) about how their personal information will be used in a privacy notice.

Helpful to note: A Privacy Notice is being developed by the Working Party for Managing Trustees to use.

4. Review and refresh consent. Keep consents under review to check that the ways in which the personal information is used, and what it is used for, do not change. Refresh consents when required, such as if there are changes or the Managing Trustees decide that it is time to obtain new consents. The requirements under GDPR are ongoing and it is important to keep everything under review as part of the accountability principle.

5. Review process to withdraw consent. It is important to ensure that consent can be easily withdrawn and such requests acted upon quickly. If the managing trustee body receives a request to withdraw consent, whose job will it be to record and act upon the request? What steps will need to be taken to ensure that the request is acted upon?


Practical Examples:

The results of the Working Party’s data mapping exercise suggest that Managing Trustees may need to rely on consent to collect and use (process) personal information for the following purposes:

  • Collecting information about members and providing contact details in Circuit and District Directories where the information will be shared with third parties e.g. where Directories are available for all to read in church foyers.
  • Publicising details about members and church activities, including personal information, publicly on church websites or social media pages.

Refer to the Privacy Notice being prepared as part of the Data Protection Toolkit.

Consent may also be needed for marketing and fundraising mailshots addressed to particular individuals if sent by email, text or to preference telephone numbers under PECR and to legitimise the use of special category personal information e.g. keeping pastoral records containing details of illness.

Further information:

Lawful Bases Fact Sheet 5 – Vital Interests

Lawful Basis: Vital interests

GDPR says that this lawful basis is where processing is:
“necessary in order to protect the vital interests of the data subject or of another natural person” - Article 6(1)(d).

This means... The Managing Trustees are in a situation where it is necessary to use (process) the personal information to protect the "vital interests" of the individual (data subject), or of another person such as a child of the individual, in a life-or-death situation.

This lawful basis is appropriate if...

  • The life or death of an individual is in danger.

This lawful basis is not appropriate if...

  • The situation is not one of "life or death".

Practical Examples:

It is unlikely that this lawful basis would be used on a day-to-day basis in the context of the Methodist Church. However, if a life or death situation were to arise, in the unfortunate event of emergency services needing to be called, this lawful basis could be a possibility.

Further information:

Lawful Bases Fact Sheet 6 – Public Task

Lawful Basis: Public task

GDPR says that this lawful basis is where processing is:
“necessary for the performance of a task carried out in the public interest or in the exercise of official authority” - Article 6(1)(e).

This means... the use is necessary to carry out a specific task in the public interest which is laid down by law or by a public body exercising its official authority laid down by law.

This lawful basis is appropriate if...

  • The use of the personal information (processing) is necessary to carry out a specific task in the public interest.
  • The purpose has an underlying basis in common law or statute.

This lawful basis is not appropriate if...

  • There is an alternative and less intrusive way to achieve the same purpose.

This lawful basis has the following implications in terms of the individual’s privacy rights:

  • Individuals (data subjects) have the right to object to the use (processing) of their personal data where “public task” is being relied upon.

Practical Examples:

It is unlikely that this lawful basis would be used on a day-to-day basis in the context of the Methodist Church. However, particularly in light of amendment 85 to the Data Protection Bill currently going through parliament, the “public task” lawful basis could be used for the processing of safeguarding information (data) on the basis that the Church would be performing a task in the public interest. Managing Trustees finding themselves in the latter case should make immediate contact with their District Safeguarding Officer.

In many cases Managing Trustees would be able to rely on legitimate interests or legal obligation to achieve the same purpose.

Further information:

Lawful Bases Fact Sheet 7 - Special Category Personal Data

What do Managing Trustees need to be aware of?

Special category personal information can only be processed in accordance with Article 9 of the GDPR (see below). Managing Trustees wanting to collect or use (process) sensitive personal information need to establish both:

  • a lawful basis; AND
  • a condition under Article 9.

What is special category personal data?

This is broadly similar to “sensitive personal data” under the Data Protection Act 1998. It is information about a living individual regarding their race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation. The results of the Working Party’s data mapping exercise suggest that the most common “sensitive personal data” that Managing Trustees collect and use (process) is information relating to health e.g. pastoral records and prayer requests. Further guidance will be provided on this in the Data Protection FAQs.

As explained on the Data Mapping Form for Managing Trustees, the Working Party awaits clarification from the ICO about whether information relating to an individual’s religious belief, i.e. Christianity, needs to be treated as “special category” data in the context of the Methodist Church. Managing Trustees will be informed of the outcome.

Special category data also includes the processing of genetic data or biometric data for the purpose of uniquely identifying a natural person but it is difficult to see why Managing Trustees would hold such data.

What are the conditions under Article 9?

In addition to establishing a lawful basis, Managing Trustees need to satisfy one of the conditions under Article 9 of the GDPR. The Article 9 conditions most applicable to Managing Trustees are set out here:

Charity or not-for-profit body – Article 9(2)(d)

Managing Trustees can process sensitive personal information in the course of the legitimate activities of the charity with respect to its own members, former members, or persons with whom it has regular contact in connection with its purposes, only.

Note that consent will be required if the information is shared with a third party.

This condition is likely to be of most assistance to Managing Trustees dealing with sensitive category data, but an alternative condition will need to be found if the individuals are not members or former members, or are people with whom the charity is not in regular contact.

Explicit consent – Article 9(2)(a)

The data subject has given explicit consent.

Employment law – Article 9(2)(b)

The processing is necessary in the context of employment law, or laws relating to social security and social protection.

Data made public by the individual (data subject) – Article 9(2)(e)

The processing relates to personal information that has been made public by that individual (data subject) e.g. a church member has a public profile on LinkedIn which includes the sensitive personal information in question.

Article 9 refers to the laws of member states. In the UK additional conditions and safeguards will be set out in the Data Protection Bill which is still going through parliament. Guidance on any additional considerations for Managing Trustees will follow once the content of the Bill is known.

Next steps

Managing Trustees collecting and using (processing) sensitive category personal information will need to be careful to record the Article 9 condition being relied upon in addition to the lawful basis identified.

Under GDPR personal information should be “adequate, relevant and limited to what is necessary”. Managing Trustees may want to take the opportunity to consider whether all the “special category” personal information they are accustomed to collecting and using (processing) should be, e.g. in pastoral records. Any such review would be driven by a desire to protect the privacy of members and their relatives rather than to reduce the obligations under GDPR. Do the presbyters or volunteers carrying out pastoral visits need to see or keep records of detailed medical information? Do church newsletters made available to third parties need to include details of members’ illnesses?

Lawful Bases Fact Sheet 8 - Privacy and Electronic Communications Regulations (PECR) 2003

What does PECR apply to?

PECR applies to material falling under the wide definition of direct marketing material. In the case of Managing Trustees this could include sending leaflets or newsletters as well as information about particular fundraising projects to named individuals e.g. addressing material to individuals.

What does PECR say that would concern Methodist Managing Trustees?

Direct marketing sent by electronic means such as email or text, or calls to telephone preference numbers may be permitted under the legitimate interests lawful basis under GDPR but would still require consent (on the same standards as consent under GDPR) under PECR.

Next steps

Review the channels of communication used for material that could fall under direct marketing and if these are email, text or calls to telephone preference numbers, ensure that consent is obtained.

Alternatively, limit channels of communication to post and live telephone calls to numbers not registered with the telephone preference service, and leave newsletters in the foyer or hand them out rather than emailing them to specific members or third parties.

Ensuring consent is valid

Refer to the guidance in Lawful Bases Fact Sheet 4 - Consent and use the template consent form to obtain consent.

Further information:

  • ICO guidance on PECR.

If Managing Trustees have any queries then please contact TMCP (dataprotection@tmcp.methodist.org.uk) for further assistance regarding general data protection matters and the Conference Office for queries specifically relating to safeguarding or complaints and discipline matters (dataprotection@methodistchurch.org.uk).

Disclaimer

Please note that this document is to provide guidance and assistance to Managing Trustees and their professional advisers. This guidance note is general in nature, may not reflect all recent legal developments and may not apply to the specific facts and circumstances of any particular matter.

Also note that nothing within the documents and guidance notes provided by TMCP nor any receipt or use of such information, should be construed or relied on as advertising or soliciting to provide any legal services. Nor does it create any solicitor-client relationship or provide any legal representation, advice or opinion whatsoever on behalf of TMCP or its employees.

Accordingly, neither TMCP nor its employees accept any responsibility for use of this document or action taken as a result of information provided in it.

Please remember that Managing Trustees need to take advice that is specific to the situation at hand. This document is not legal advice and is no substitute for such advice from Managing Trustees' own legal advisers.