As highlighted in the GDPR Myths article, the General Data Protection Regulation (GDPR) does not mean that Managing Trustees need to obtain consent for everything. Consent is just one of six legal grounds (lawful bases) on which Managing Trustees can deal with (process) personal information. (See FAQ 2.1).
However, there will be some occasions when it is necessary for Managing Trustees to obtain consent. Consent is required wherever an individual’s information (personal data) is likely to be passed or transferred to a third party outside of the Methodist Church or Managing Trustees cannot rely on a different legal reason (legal basis) for using someone’s personal data. Steps 5, 6 and 7 of the 9 Steps for Methodist Managing Trustees to Take Now to Comply with GDPR provide some examples of when consent may be required.
Managing Trustees often want members of the public to engage with the Church, but people need to be aware of how their details are being used and given the opportunity to withhold their consent or limit the personal information that is made available. Individuals may choose not to have their home or personal email addresses published for example, but could be happy for their name and telephone number to be published. One such example of a document which is often made publicly available is the Local Church or Circuit Directory.
An updated Template Consent Form has been produced for Managing Trustees to use and adapt where consent is required. Download this form by clicking on the link below. Please also refer to FAQ 2.3 for guidance on when consent is required for Directories.
The updated Consent Form uses a ‘key code register’ system to allow individuals to provide details of their various consent preferences. For example, an individual may consent to their full contact details being published in a Church Directory that is not made publicly available but may wish to limit their contact details to their name and email address only for Directories that are made openly available to members of the general public.
The contact details are listed as follows:
N = Name
A = Address
E = Email address
P = Phone number
M = Mobile number
O = Other contact details e.g. FaceBook ID
The Consent preferences are as follows:
1 = Publicly available Directories
2 = Fundraising events
3 = Publicly available Newsletters
4 = Inclusion on social media platforms
5 = Publication of photographs
6 = Receiving birthday cards
7 = Receiving birthday cards for children
8 = Invitations to memorial services
Therefore, taking the example above where an individual only consents to their name and email address being printed in a publicly available Directory, their consent preferences would be confirmed as:
1 (Directory N (name), E (email address)
Managing Trustees must remember to only collect information that is relevant and should not be holding excessive information. A record should be kept of the consents which have been given by individuals and the purposes for which that consent has been given. The records should also be kept up to date. Please click here for the Template Consent Record.
If Managing Trustees have any queries then please contact TMCP (firstname.lastname@example.org) for further assistance regarding general data protection matters and the Conference Office for queries specifically relating to safeguarding or complaints and discipline matters (email@example.com).