When we published our last Data Protection update on the 27th March 2020, we were at the beginning of what has now become 13 weeks of lockdown and counting. The governments across England, Wales and Scotland are now starting to lift the restrictions and life is beginning to return to some form of normality.
As we start to move back into our buildings, especially given the continuing focus on COVID-19 and staying safe, it is important that data protection remains at the forefront of people’s minds. We must remember the six principles of GDPR and data protection legislation:
1. Lawfulness, Fairness & Transparency:
Refresh your understanding on Lawful Bases for processing personal data by visiting the guidance already produced for Managing Trustees.
2. Purpose Limitation:
For example, a register of a Local Church’s pre-school cannot be used for any purpose other than for contacting parents of pupils attending the pre-school about pre-school matters.
3. Data Minimisation:
If Managing Trustees are holding additional information about individuals, perhaps through a necessity to work from home during the lockdown, then now is the time to consider whether or not that information is still needed.
4. Accuracy:
The information that Managing Trustees hold about other individuals must be as accurate and up to date as possible. A lot may have changed during the three months of lockdown. Check that the information you are holding is still relevant to you and is correct.
5. Storage Limitation:
You must not hold onto information for longer than absolutely necessary.
Remember, the more information you hold, the more you will need to find should an individual exercise their right to access their personal data.
6. Security:
Offices and filing cabinets must be locked when the property is being used by other groups. All electronic files and equipment must be password protected and encrypted if possible.
Do not leave personal data belonging to another individual open to be seen by other users of the property.
It is tempting, as part of our risk assessments for keeping our buildings safe as and when restrictions ease, to keep a note of who is in the building and when. You must not obtain this information by way of an open record or register unless you are able to hide the information relating to other individuals. Please see Data Protection FAQ 10.1 on Visitor Books for further information.
Managing Trustees will naturally want to be as helpful as possible to their members, employees, property users etc. but the privacy and rights of individuals must always be protected in accordance with data protection legislation. The UK Government has introduced its own ‘Test & Trace’ scheme and you can find out more about this initiative by visiting its website, in particular:
https://www.gov.uk/guidance/nhs-test-and-trace-how-it-works
https://www.nhsx.nhs.uk/covid-19-response/nhs-covid-19-app/
From a data protection perspective, there is no reason for Managing Trustees to collect any additional information from church users beyond that which is already processed by them in relation to church groups etc.
Further, people’s health information is classified as Special Categories of Data and there are additional safeguards in place in order to protect this. This includes any information about persons either being in contact with the Coronavirus or having actually contracted it. Managing Trustees can generally only process or share this information with the explicit consent of the individual(s) involved.
Once again, we appeal to the Districts that do not currently have District Data Champions to appoint somebody to this important role. Managing Trustees still face uncertain times in the coming weeks because of COVID-19 and the support of the District Data Champions is another resource which will help the Methodist Church through these unprecedented times.
If Managing Trustees have any queries then please contact TMCP (dataprotection@tmcp.org.uk) for further assistance regarding general data protection matters and the Conference Office for queries specifically relating to safeguarding or complaints and discipline matters (dataprotection@methodistchurch.org.uk).