We are approaching the time of year when the Methodist Church is preparing for the new Connexional year and many Managing Trustees are starting to collect data for inclusion in their member’s directories; whether that is for a local church, circuit or district.
In May 2018, the Data Protection Act 1998 will be replaced with the new European General Data Protection Regulation (GDPR). The GDPR makes several changes to existing Data Protection laws, details of which we will imminently be providing guidance upon and you will find the same on our website. One of those changes, however, is in relation to ‘Consent’.
Under the Data Protection Act 1998, Consent for inclusion of personal details in the local church, circuit and district directory may be given implicitly. This means that provided an individual knows that their personal data is being collected and why and how it is used, then written Consent is not required.
This will not be the case, however, under the GDPR as explicit Consent must be obtained. Explicit Consent does not necessarily mean that consent must be in writing, but it cannot be obtained by implication or assumed that it is ok to use the personal data and the Consent must be freely given.
Going forward, if you obtain the personal data of an individual by way of a manual data collection form then the individual must sign and date the form.
If the personal data is obtained electronically, e.g. by email then, by the very fact that the individual has provided their details, this may be taken to mean that consent has been given freely and explicitly. Although Managing Trustees should be aware that however the data is collected they must provide the individual with the following information:
- What personal data you require? e.g. name, address, email address etc.
- What the personal data is required for? e.g. circuit directory
- For what purpose is the directory used for? Is it merely a contact list? How will the individual’s contact details be used? Who are likely recipients of such personal data?
- Could it be used for any other purpose?
- Who will have access to the personal data, e.g. the directory? Is it published online?
- How the personal data is stored, e.g. computer/laptop/USB storage drive? To whom do the devices belong?
- That the individual may withdraw their consent at any time in writing
- That the individual is entitled to complain to the Information Commission should their personal data be used in an unauthorised way.
TMCP are in the process of making detailed guidance on the changes to data protection law available to Managing Trustees as well as providing example policies and procedures. We will notify you when then guidance is available through these updates and by contacting your Circuit Superintendent and District Property Secretary/Chair. In the meantime if you have any queries then please contact TMCP Legal for further assistance.