Truro Diocese DATA PROTECTION
1 Data Protection Act 1998
The Data Protection Act 1998 is designed to protect the rights of identifiable living individuals concerning information about them. Any person who handles such information either in computer records or paper records which are part of a filing system or other accessible record must abide by eight principles, and may have to register with the Information Commissioner, and may be subject to rights of access by the individuals concerned.
The Truro Diocesan Board of Finance, Ltd (the Board) needs to collect and use certain types of information about the people (data subjects) who come into contact with it in order to carry on our work. This personal information must be collected and dealt with appropriately– whether on paper, in a computer, or recorded on other material - and there are safeguards to ensure this under the Data Protection Act 1998. The person responsible for ensuring that it follows its data protection policy (the Data Protection Officer) and complies with the Data Protection Act 1998 is the Diocesan Secretary.
2 Data Protection Principles
There are eight principles under which personal data may only be obtained, held or disclosed to others. Those principles are:
1. Personal data shall be processed fairly and lawfully.
In practice, that means that you must:
ï‚· have legitimate grounds for collecting and using the personal data;
ï‚· not use the data in ways that have unjustified adverse effects on the individuals concerned;
ï‚· be transparent about how you intend to use the data, and give individuals appropriate privacy notices when collecting their personal data;
ï‚· handle people’s personal data only in ways they would reasonably expect; and
ï‚· make sure you do not do anything unlawful with the data.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
These principles apply whether or not you are obliged to notify the Information Commissioner.
3 Registration
By this process, a data controller (a person who controls the data) informs the Information Commissioner that he or she is processing personal data (information about a living person). Clergy will probably have to register if they keep records of pastoral care discussions. PCCs will probably be exempt from registration if all of the processing is covered by the following provisions:
ï‚· The processing is only for the purposes of establishing or maintaining membership or support for a body or association not established or conducted for profit or providing or administering activities for individuals who are either members of the body or association or who have regular contact with it.
ï‚· Your data subjects (the people about whom you hold data) are restricted to any person the processing of whose personal data is necessary for this exempt purpose.
ï‚· Your data classes (the type of information you are processing) are restricted to data which are necessary for this exempt purpose.
ï‚· Your disclosures (the giving out of the information) other than those made with the consent of the data subjects are restricted to those third parties which are necessary for this exempt purpose.
ï‚· The personal data are not kept after the relationship between you and the data subject ends, unless and for so long as it is necessary to do so for the exempt purpose.
ï‚· In addition, processing is for staff administration, advertising, marketing and public relations or accounts and records.
You notify or register on line www.ico.org.uk/for_organisations/data_protection/registration
4 Subject Access Rights
An individual will have the right to receive a copy of most information held about him by an organisation within 40 days of making a request. You may charge a fee of up to £10 for providing it. This covers all information held on computer and any correspondence and other papers which are reasonably accessible.
You do not, therefore, have to scour through minutes etc for any mention of the individual but you would have to produce accessible information held by any church officers.
The general principle is that as much information as possible should be shared with the individual. There are, however, limited categories of material which you may withhold from the individual in the interests of protecting the rights of other individuals to privacy and for the protection of crime etc. You are able to withhold any references that you have given (but not any you have received). On sharing with an individual the information that you hold about them, you must remove anything which would identify a third party. You may also be entitled to hold back information containing serious allegations (for example, of child abuse) if to reveal that information would compromise the proper investigation of those allegations. In such cases, you should always seek advice from the Diocesan Secretary.
5 What should PCC Secretaries do?
ï‚· Identify a person responsible for compliance with the Act.
ï‚· Identify who holds what data and ensure that everyone is aware of the requirements and they only record information that could be shared if a subject access request is made.
ï‚· Work out whether or not you need to register and do so if necessary.
ï‚· Destroy material that you cannot justify still holding, especially if making the information available to the individual concerned would create difficulties.
ï‚· Inform people broadly what information is held about them and the purposes for which it is held. Tell them who they should contact with queries. This could be done in a paragraph in a news sheet or pew leaflet and/or on the church notice board.
For more information please contact our Diocesan Registrar Mr Martin Follett (01392 687 415) or the Diocesan Secretary (01872 274351). Alternatively you can also visit the Information Commissioners website at http://www.ico.org.uk/ or call 0303 123 1113 for further guidance.
In the Land’s End Benefice
We would not expect the Parochial Church Councils (PCC) in the Land’s End Benefice to need to register under the Data Protection Act.
The Data Controllers are:
Secretaries to the Parochial Church Councils in the Benefice
Details they hold: addresses of the members of the PCC, accurate minutes of meetings.
Amongst others those who hold information about individuals are:
Treasurer and/or Gift Aid Secretary: details of those who support the parishes regularly and claim gift aid on their donation.
Electoral Roll Officers in the parishes of the Benefice: they hold details associated with maintaining the role of members of the parish church
Youth Workers in the Benefice: hold information including contact details of the members and their parents/carers. This is renewed in September every year and updated during the year as necessary.
Messy Church Co-ordinator: holds contact details of those who have signed up to receive information about the next Messy Church event.
Pews News Editor: holds contact details of those who have signed up to receive information about the benefice.
Website Editors: who receive emails from the websites on behalf of the parishes.
Each of these data administrators will be expected:
To only keep records for the current year on their computers
To dispose safely of any personal details
To ensure that personal contact details are not shared with others unless express (usually written) permission is given to pass on the details to a third party.
Other Data
Occasional Offices: Weddings, Baptisms and Funerals
Registers are public documents and therefore available to view on request. Our responsibility is to ensure they are kept safe, and filled in accurately.
Minister’s details are available with permission on the websites and newsletters.
Contact Details from PCC Secretary
This policy needs to be read in conjunction with the Land’s End Benefice Safeguarding Policy and Social Media Policy.