The new General Data Protection Regulation (GDPR) comes into force on 25th May 2018. Far from being a “game-changer”, GDPR updates and consolidates the existing legal obligations on organisations, such as the Methodist Church, to bring them into the twenty-first century. The Methodist Church cares about the people whose data it holds and recognises the importance of this information to its work. GDPR provides a great opportunity to review exactly what personal information the Church holds, how it uses it and what steps we, as a Church, need to take to protect each other’s privacy, e.g. that of members, volunteers, employees, individuals who support the Church and third party users.
As a Connexional Church we are all working together to do what we can to protect privacy and keep information safe. If, as a volunteer or employee in the Methodist Church, you use or have access to personal information, you are responsible for ensuring that such information is handled in accordance with data protection legislation.
TMCP and the Connexional Team (as the two Data Controllers) are working together through the data protection working party (Working Party) to finalise a toolkit of resources (Data Protection Toolkit) to help you to be GDPR ready by 25th May 2018.
It isn’t long until 25th May – will everything be ready in time?
The Working Party has carried out a risk assessment to identify which GDPR requirements the Methodist Church needs to address as a priority before the 25th May 2018 and what can be addressed in the immediate aftermath.
The risk assessment has highlighted the policies that need to be put in place by 25th May and the action that Managing Trustees need to be taking, including:
- record keeping;
- informing people about the use of their personal information (the Privacy Notice); and
- obtaining valid consent under GDPR when required.
As the Data Protection Toolkit has been created specifically for Managing Trustees, a new resource type is being created on TMCP’s website with the intention that certain parts of the toolkit will only be available to Managing Trustees. TMCP will circulate details of the password needed to access these resources in due course. (There will be no need for Managing Trustees to create individual accounts or think up their own passwords.)
Accompanying the risk assessment is a schedule of further policies, guidance and templates that will be produced after 25th May 2018. These include specific policies such as a CCTV Policy, Bring Your Own Devices Policy and Website Privacy Notice. We will continue to update you about new documents and guidance via TMCP’s News Hub.
What is the toolkit?
The “Data Protection Toolkit” is the collection of policies and templates that the Working Party has identified as needing to be in place by 25th May 2018. The key items should be available to download by Managing Trustees by the time of the upcoming Resourcing Mission Forum with the rest of the toolkit delivered in mid-May.
What is in the toolkit?
- Data Protection Policy – An overarching “policy” or “rulebook” that those handling personal data within Local Churches, Circuits and Districts need to follow, clarifying what everybody’s responsibilities are. Read this policy carefully so that you know what your responsibilities are and understand the Methodist Church’s position with regard to privacy. It also sets out the responsibilities of the Data Controllers and where to go for help.
- Data Security Policy – Practical guidelines on keeping data safe.
- Subject Access Request Policy – Step-by-step guide on how to deal with requests from individuals in relation to their data rights, focusing on subject access requests, e.g. requests for the information you hold about them.
- Breach Policy – Practical guidelines on how to respond to the loss or unauthorised disclosure of personal information. The key points will be set out in a flowchart as part of the toolkit, with further guidelines provided post 25th May 2018.
Guidelines and Schedules
- Guidelines on Lawful Bases for Processing Personal Data (These are contained in the Lawful Bases Guidance Note which will be available later this week.)
- Retention Schedule – Use the categorised list to identify how long personal information should be kept.
Template Notices, Registers and Forms
- Mapping Form – An essential part of the toolkit and your first step in working out what data you have and what your responsibilities are. (Already available)
- Legal Bases Register – Record which lawful bases you are relying on to use each category of information you use at your Local Church, Circuit or District.
- Template Fair Processing Notice – Template wording to give to people when you collect data from them (or receive their data from others) pointing them towards the more detailed Privacy Notice.
- Breach Register – Used to record all instances of breach, however large or small, i.e. whether or not you need to notify the individual concerned.
- Consent Form – If you need to rely on consent – perhaps because you are sharing personal information about church members with third parties (e.g. making directories available on websites) – you must use the consent form. (Already available)
- Consent Record – If you need to rely on consent, you must record how and when consent was given and what was said using this record.
When will we know that the toolkit is ready?
Please look out for articles on the News Hub section of TMCP’s website and notification emails. District Chairs, District Property Secretaries and Superintendent Ministers will receive the toolkit directly into their email inbox.
Please note that some of the toolkit is already available:
- The Mapping Form has been available on the TMCP website since 6 March 2018.
- The Consent Form has been available on the TMCP website since 20 March 2018.
What do we do in the meantime?
- Refer back to the “9 Steps for Methodist Managing Trustees to Take Now to Comply with GDPR” guidance note and complete any steps that are outstanding. Keep referring back to the Steps as they will help you to keep on top of your data protection responsibilities into the future.
- Make sure that you nominate a representative from your Circuit/District to attend one of the face-to-face data protection training sessions scheduled for 22nd May 2018 and 12th June 2018. Please refer to the flyer for these events for more information.
- Watch the data protection training webinars as these are released on TMCP’s website.
The first training webinar (GDPR Training Webinar 1 – Introduction to GDPR) provides an introduction to the GDPR and the steps to be taken by Managing Trustees.
New webinars in the form of questions and answers on consent, use of personal email addresses and data security are being filmed this week and will be available shortly.
If Managing Trustees have any queries, please contact TMCP (firstname.lastname@example.org) for further assistance regarding general data protection matters, and the Conference Office for queries specifically relating to safeguarding or complaints and discipline matters (email@example.com).