The Managing Trustees’ Privacy Notice (MT Privacy Notice) is now available on TMCP’s website. You have no doubt been receiving many emails over the last few weeks from anybody you have ever donated to or bought goods from telling you how important your privacy is to them and notifying you about their new privacy notice. This time you need to let everybody know about your new MT Privacy Notice. The MT Privacy Notice is not a template – it is here and ready to use.
Immediate action is required to provide those individuals whose personal information (personal data) you handle (data subjects), the information that must be given to them under the General Data Protection Regulation (GDPR).
What is a privacy notice?
A privacy notice is a statement which gives data subjects all the information the GDPR says must be given to them about the use of their personal data under Articles 13 and 14 of GDPR (see paragraph “What Information is in the Privacy Notice?”). It basically tells people how their personal data is used by the Church, why/on what lawful bases and what rights they have.
The MT Privacy Notice has been specifically drafted for use by Local Churches, Circuits and Districts within the Methodist Church in Great Britain. It is tailored to the Church’s use (processing) of personal data identified in the data mapping exercise.
Why do we need one?
All Local Churches, Circuits and Districts process personal information relating to living individuals - personal data - even if it is limited to the members roll and gift aid register. This means you have to provide the privacy information required under GDPR. A “privacy notice”, also referred to as a “privacy policy” is the most transparent way to do this.
Do not confuse getting in touch with people about the MT Privacy Notice with asking for consent! You are just letting people know how you use their personal data and about their privacy rights. If (and only if) the MT Privacy Notice says you are relying on consent for a particular processing purpose (see the Annex to the MT Privacy Notice) then this is something that you would deal with the next time you carry out the processing activity e.g. collecting personal data from non-Ministers, probationers or office holders for a Directory that will be made publicly available – see the Lawful Basis Fact Sheet 1 – Consent and Data Protection FAQs 2.1 and 2.2. This is not a case of “give consent or you will not hear from us again” – this is a case of we want to give you information about your privacy rights and here it is. |
What do we do with the MT Privacy Notice now?
=> Tell people about it!
You could for example:
- Email your contact list with this link to the MT Privacy Notice (https://www.tmcp.org.uk/about/data-protection/managing-trustees-privacy-notice);
- Pin a physical copy of the MT Privacy Notice to the noticeboard at your Local Church, Circuit or District premises;
- Download a copy from TMCP's website, print it and pin it where people can see it.
- Put a link to the MT Privacy Notice on your Local Church, Circuit or District website.
- Tell people, perhaps in the Local Church notices, over coffee or in AOB at your next meeting, that a notice telling them about their privacy rights and what the Church does with their information is available for them to see on the noticeboard or via the local or TMCP’s website.
Use the information from your data mapping exercise (see Step 2 of the 9 Steps for Methodist Managing Trustees to Take Now) to identify who your data subjects are and how you can best let them know about the new MT Privacy Notice. |
==> Don’t forget to make sure all those handling personal data in your Local Church, Circuit and District are familiar with the MT Privacy Notice. It tells people how you use their data so make sure you are following the rules.
Why do we have to use the privacy notice prepared by the Working Party?
TMCP and the Connexional Team have been working together closely to prepare for GDPR through the data protection working party (Working Party) and have produced the toolkit of documents to help you (please see the Data Protection Toolkit Article and the list of available documents and guidance on TMCP’s Data Protection Page). As data controllers (“controller” under GDPR) TMCP and the Connexional Team need to set out the privacy information and this must be consistent across the Connexion. The information you provide, your privacy notice, must be consistent with that provided by other Local Churches, Circuits and Districts.
There are two controllers for Local Churches, Circuits and Districts within the Methodist Church in Great Britain with distinct remits (explained in the Who are the Controllers in the Methodist Church?) and one privacy notice ready for you to use. You need to use the MT Privacy Notice.
However, this is very much a working document and if there are processing activities that are not covered under the Annex to the MT Privacy Notice please let TMCP Data Protection know as a matter of urgency. We can then add new processing activities to the MT Privacy Notice as necessary.
Please also note that due to the specific nature of certain processing activities such as websites, Managing Trustees will need to create their own privacy notices specific to their website etc. These would still need to be consistent with the MT Privacy Notice however and templates for you to use and adapt to your specific websites etc. will be produced by the Working Party after 25th May 2018.
What does the MT Privacy Notice say?
Article 13 and Article 14 of GDPR stipulate the precise information that must be included in a privacy notice.
To help you to find your way around the MT Privacy Notice, the ICO’s checklist of the information that must be included in a GDPR compliant privacy notice is set out below with details of where this information is found in the MT Privacy Notice.
The MT Privacy Notice sets out the lawful bases that have been identified by the controllers as applicable to the general purposes for which the Church uses personal data. You may find it helpful to refer to the guidelines on lawful bases for processing personal information set out in the Lawful Bases Guidance Note for an explanation of how the lawful bases set out in the MT Privacy Notice have been reached as well as confirming which general heading your specific purposes fall under.
What information must be supplied? | Data obtained directly from the Data Subject / Data not obtained directly from the Data Subject | This is dealt with in the MT Privacy Notice at Section: |
---|---|---|
Identity and contact details of the data controller and the data controller’s representative.
| Yes / Yes | Section 1 – Important Information and Who we are |
The purpose of the processing and the legal basis for the processing.
| Yes / Yes | Section 4 – How we use your data
|
The legitimate interests of the data controller or third party, where applicable. | Yes / Yes | The Annex – where legitimate interests is being relied upon this information is included in brackets |
Categories of personal data | No / Yes | Section 2 – The data we collect about you
|
Any recipients or categories of recipients of the personal data.
| Yes / Yes | Section 5 – Disclosures of your personal data |
Details of international data transfers | Yes / Yes | Section 6 – Transfer of personal data outside of the European Economic Area |
Retention period or criteria used for determining the retention period. | Yes / Yes | Section 8 – Data retention
Retention periods are set out in the retention schedules available on the Methodist Church website. |
The rights of the data subject.
(This is one of the important themes of GDPR - making data subjects aware of their rights.) | Yes / Yes | Section 9 - Your legal rights |
The right to withdraw consent at any time, where relevant. | Yes / Yes | Section 9 - Your legal rights (1st bullet point) |
The right to lodge a complaint with the supervisory authority. | Yes / Yes | Section 9 - Your legal rights (last bullet point) |
The source where the personal data originates and whether it came from publicly accessible sources. | No / Yes | Section 3 – How is your personal data collected?
Section 3 breaks down the different ways that personal data is usually collected; directly from the data subject, via automated technologies or interactions such as local websites and via third parties and publicly available sources. |
Whether the provision of personal data is part of a statutory/legal or contractual requirement or obligation, and the possible consequences of failing the provide the personal data. | Yes / No | Section 2 – The data we collect about you (final paragraph)
Refer to the heading “If you fail to provide personal data” |
The existence of automated decision making, including profiling and information about how decisions are made, the significance and consequences. | Yes / Yes | This is not covered in the MT Privacy Notice as automated decision making is not something that the data mapping exercise identified as being used by Local Churches, Circuits and Districts. If it did ever come into play then you must inform TMCP Data Protection so that the policy can be updated. |
The Privacy Notice forms part of the suite of policies, guidelines, schedules, templates, detailed guidance and training (Data Protection Toolkit) being produced by the Data Protection Working Party (Working Party) in the run up to 25th May 2018.
If Managing Trustees have any queries then please contact TMCP (dataprotection@tmcp.org.uk) for further assistance regarding general data protection matters and the Conference Office for queries specifically relating to safeguarding or complaints and discipline matters (dataprotection@methodistchurch.org.uk).