Data Protection and sharing churches
Section A - Introduction
This focus note looks at who should be the data controller ("Controller") under the General Data Protection Regulation (GDPR) in order to comply with the GDPR and the Data Protection Act 2018 when Methodist managing trustee bodies (usually a Local Church Council or Circuit Meeting) are party to a sharing agreement and/or are in an ecumenical relationship. It is important to consider the processing of personal information (personal data) across the denominations and ensure there is continuity and protection of individuals’ privacy. This means the denominations need to decide which ‘Church’s’ data protection policies, procedures and templates to use and, accordingly, who will be the Controller.
Section B – Who should be Controller?
The Controller is the legal entity responsible for ensuring compliance with the relevant data protection legislation. The Controller determines the purposes for which data is processed and the means by which it is processed.
Managing trustee bodies that are party to a sharing agreement and/or in ecumenical relationships with other Christian denominations need to decide who they want to be Controller.
TMCP and the Connexional Team recommend and consider it sensible for managing trustee bodies to follow the guidance which has been issued by Churches Together in England (CTE) for safeguarding and apply this guidance to data protection.
The CTE guidance for safeguarding states all types of shared churches apply the guiding principle. This principle is that those responsible for governing the shared church should agree to adopt the safeguarding policy of one of the denominations involved rather than trying to attempt to create one themselves. For further information please look at the CTE resources page on their website:
This means that managing trustee bodies need to decide, in consultation with their ecumenical partners, whether they want to follow:
(i) the data protection policies, guidance, procedures and templates produced by the Methodist Church. This would mean that the ‘Controller’ will be TMCP and The Methodist Church in Great Britain acting by the Connexional Team, as Controllers for the Methodist Church; or alternatively
(ii) use the guidance issued by their ecumenical partners and choose another denomination to act as the Controller.
It would be logical for Managing Trustees to adopt as its Controller the same organisation/denomination it follows for its safeguarding policies. Therefore, if the shared churches adhere to the safeguarding polices issued by the Methodist Church then it would make sense for them to adopt TMCP and the Methodist Church in Great Britain acting by the Connexional Team as their Controller and follow the policies, guidance, procedures and templates issued via the TMCP website.If the sharing churches adopt TMCP and the Methodist Church in Great Britain acting by the Connexional Team as the data controller then please consider the ‘Who are the Data Controllers and where to get help?’ guidance. This guidance will give you more detail on when to contact TMCP or the Connexional Team with Data Protection questions. Please also refer to the wealth of guidance, policies, procedures and templates that form the ‘data protection toolkit’ produced by the Methodist Church. Links to the resources in the toolkit are available from the Data Protection page on TMCP’s website.
Section C – What about Single Congregation Local Ecumenical Partnerships (SCLEP)
A Single Congregation Local Ecumenical Partnership (SCLEP) is a separate legal entity with its own constitution. A Local Methodist Church Council will partner with other denominations in a SCLEP, but the SCLEP Trustees do not and cannot replace the Local Methodist Church Council, even when there are sharing arrangements in place. In any ecumenical relationship the Local Methodist Church Council will remain in existence. For guidance on the role of the Local Methodist Church Council in ecumenical situations please refer to the article on the TMCP website – Standing Orders 610 and 611.
Managing Trustees need to also note that those responsible for the governance of the property in sharing arrangements are the parties named in the Sharing Agreement not the SCLEP Trustees and it is they who will decide which denomination’s Data Protection guidance to follow and who will act as Controller.
The SCLEP governs the day to day life of the shared worship arrangements and mission of the partner denominations. It is likely, however, that the SCLEP would choose the same Controller as the parties to the Sharing Agreement.
A SCLEP can use the guidance produced by the Mthodist Church but as it is a separate legal entity from the denominations who are party to a Sharing Agreement it will need its own Controller.
Section D – What if another Christian denomination is chosen to be Data Controller?
If managing trustee bodies who are party to sharing agreements and/or are in ecumenical relationships decide choose to adopt another denomination as Controller and follow the guidance issued by that denomination rather than TMCP and the Methodist Church in Great Britain acting by Connexional Team then you must inform TMCP at dataprotection@tmcp.org.uk. You can also contact us if you have any additional queries on this subject or any other Data Protection query.
If you have any queries in relation to the guidance in this document please contact TMCP Data Protection for further assistance.