When we published our last Data Protection update on the 27th March 2020, we were at the beginning of what has now become 13 weeks of lockdown and counting.  The Governments across England, Wales and Scotland are now starting to lift the restrictions and life is beginning to return to some form of normality.

As we start to move back into our buildings, especially due to the continuing focus on COVID-19 and staying safe, it is important that data protection remains at the forefront of people’s mind.  We must remember the six principles of GDPR and data protection legislation:

1.

Lawfulness, Fairness & Transparency:
When processing any information about another individual, you must have a legal basis for doing so.  Reasons for processing personal data must also be consistent with the purposes of the Methodist Church.  You must always ask yourselves ‘Why are we processing or holding this information’?  ‘What are we going to do with it’?

 

Refresh your understanding on Lawful Bases for processing personal data by visiting the guidance already produced for Managing Trustees.

2.

Purpose Limitation:
Information regarding individuals must only be used for the purposes for which that information was collected.  Managing Trustees must not collect information about individuals just because they “may” have a use for it in the future.

 

For example, a register of a Local Church’s pre-school cannot be used for any purpose other than for contacting parents of pupils attending the pre-school about pre-school matters.

3.

Data Minimisation:
Managing Trustees must only collect the information they need in order to fulfil any given purpose.  The chances and severity of data breaches are heavily reduced the smaller amount of information you hold.

 

If Managing Trustees are holding additional information about individuals, perhaps through a necessity to work from home during the lockdown, then now is the time to consider whether or not that information is still needed.

4. Accuracy:
The information that Managing Trustees hold about other individuals must be as accurate and up to date as possible.  A lot may have changed during the three months of lockdown.  Check that the information you are holding is still relevant to you and is correct.
5.

Storage Limitation:
No doubt Managing Trustees will have taken copies of files and other paperwork, either physically or electronically, in order to deal with the changing working practices.  As Managing Trustees start to return to offices and church buildings etc. they need to assess whether or not these copies are still required.  In relation to the information that enabled you to work from home, do you still need it once you are back in the office?  Has the purpose for which you held the information been fulfilled?

 

You must not hold onto information for longer than absolutely necessary.

 

Remember, the more information you hold, the more you will need to find should an individual exercise their right to access their personal data.

6.

Security:
As we seek to restore some form of normality and begin to open our buildings to members, users and third parties, Managing Trustees must ensure that the information relating to individuals is kept and stored safely. Please refer to the Data Security Policy for details of steps to take.

 

Offices and filing cabinets must be locked when the property is being used by other groups.  All electronic files and equipment must be password protected and encrypted if possible.

 

Do not leave personal data belonging to another individual open to be seen by other users of the property.

 

It is tempting, as part of our risk assessments for keeping our buildings safe as and when restrictions ease, to keep a note of who is in the building and when.  You must not obtain this information by way of an open record or register unless you are able to hide the information relating to other individuals.  Please see Data Protection FAQ 10.1 on Visitor Books for further information.

 

Managing Trustees will naturally want to be as helpful as possible to their members, employees, property users etc. but the privacy and rights of individuals must always be protected in accordance with data protection legislation.  The UK Government has introduced its own ‘Test & Trace’ scheme and you can find out more about this incentive by visiting its website, in particular:

https://www.gov.uk/guidance/nhs-test-and-trace-how-it-works
https://www.nhsx.nhs.uk/covid-19-response/nhs-covid-19-app/

From a data protection aspect, there is no reason for Managing Trustees to collect any additional information from church users to that which is already processed by them in relation to church groups etc.

Further, People’s health information is classified as Special Categories of Data and there are additional safeguards in place in order to protect this.  This includes any information about persons either being in contact with the Coronavirus or having actually contracted it.  Managing Trustees can generally only process or share this information with the explicit consent of the individual(s) involved.

Once again, we appeal to the Districts that do not currently have District Data Champions to appoint somebody to this important role. Managing Trustees still face uncertain times in the coming weeks because of COVID-19 and the support of the District Data Champions is another resource which will help the Methodist Church through these unprecedented times.

If Managing Trustees have any queries then please contact TMCP (dataprotection@tmcp.org.uk) for further assistance regarding general data protection matters and the Conference Office for queries specifically relating to safeguarding or complaints and discipline matters (dataprotection@methodistchurch.org.uk).