Data Protection

Data Handling: FAQs and Example Scenarios

This section provides the brief answers to some frequently asked or predictable questions about how Data Protection affects St Bene’t’s Church. Some of the answers are worked through in a different way in a set of “scenarios” at the end of the document.

By its nature this document is subject to modification, so please check that you are reading a recent copy by checking the date indicated above. If in any doubt please contact the Church Office, Wardens or Vicar.

Frequently Asked Questions about the General Data Protection Regulations (GDPR)

  1. Do we have to change everything we currently do to be compliant with GDPR?

Absolutely not – in large part, if we have been acting in line with current regulations we will be largely compliant with GDPR. There are a few new, specific requirements in GDPR, but “good data practice” remains broadly unchanged: the new regulations seek to make good practice more transparent and unambiguous.

  1. Does everything have to be completely GDPR compliant from May 2018?

No, although this is our goal.

The Information Commissioner’s Office (ICO) permits that we have made efforts to be compliant, and if our programme of changes is not fully complete, so long as we show that we have a plan to be so, this is acceptable

  1. Does everything require a specific consent form?

No – it needs to be legal under the relevant articles (Article 6, and/or 9 and/or 10) of GDPR which may or may not require written consent. We will provide a generic consent form for completeness.

Much of our data processing is legal because it falls within our “legitimate interests” and not because we have “consent” as a justification- that is, we use the information needed to reasonably fulfil our primary and defined purpose without unnecessarily invading people’s privacy.

Consent or refusal may also be expressed in many forms, including “implicit” or “explicit” – for example, if you provide forms or a sign-up sheet in church and somebody provides information, they have implicitly given their consent to us using them, so long as the purpose is clearly stated, and we have an easily available Privacy Statement.

There are also some pieces of information we are obliged to use and, in some cases, share with other bodies or make public. This would include our Electoral Roll; DBS checks for the PCC and Children’s volunteers; or reading of Banns of Marriage, for example.

  1. Can we still place sign-up sheets for events at the back of church?

Yes – when somebody fills in a sign-up sheet placed in church, we consider it reasonable that they consent to the information remaining visible to other congregants during service times. We would not leave sign-up sheets easily visible to the general public in the church, i.e. outside of service times.

  1. Can we read out the names of the unwell, bereaved or those who have died in our Intercessions during services?

This is a part of our tradition and something we offer to support anybody in difficult times. Please be mindful that to in order to pray for somebody in public it is not necessary to reveal specific information about their personal situation and this should be avoided; and if possible, please ask them if they would like for us to offer Intercessions on their behalf. Of course, we do not require a “consent form” for this. If this is impractical we should act in accordance with their best interests – and anybody uncertain should ask the Incumbent or a Church Warden before offering a public prayer.

  1. Can we use contact details for fundraising?

This will require us to think about what sort of fundraising we are performing.

We can use contact details to update our members about events the church is organising – regardless of whether donations might be made at the event itself, for St Bene’t’s Church or other causes we nominate. If we are specifically using information for a Stewardship campaign (i.e. to raise church funds) the PCC and Incumbent have decided that we should gain separate, specific consent regardless of the type of contact details used (i.e. we adopt a “universal opt in” even if we could justify communication by another GDPR-approved basis). Therefore, by our own rule we would not use the Electoral Roll for fundraising, for example.

  1. Can we respond to requests for information about our members?

We certainly cannot hand out information about our members to 3rd parties without permission. We also should not confirm or deny if somebody is a regular attender at St Bene’t’s Church if they are not on the Electoral Roll. The Roll is in the public domain so does not fall under this restriction.

However, we can take the contact details of the inquirer, stating that we will provide them to the intended recipient if within our power, and make them available to the relevant member(s) of the congregation which will allow them to proceed as they choose.

  1. What happens if somebody requests to have their data erased?

In most cases we will be able to do this simply, without issue, if the data subject tells us in what capacities they provided the information.

If we are unable to erase details because we are required to keep them by regulation/law or because it is impracticable or unreasonably onerous for us to do so we will delete all we can/are allowed to and inform the subject of what information we have deleted, and highlight what sorts of data we do not remove.

  1. Do we have to use blind carbon copy (Bcc) for all emails?

No – this requires a common-sense approach to decide what is most appropriate.

If the purpose of sending an email is to allow a group to organise themselves or keep each other up-to-date it is appropriate to have all emails visible to the group, as this is part of the purpose and it is not unnecessarily invasive, and would reasonably be expected by participants. For example – sending out emails about organising a rota or church event could have all emails visible.

However, if you could achieve all you are aiming to without having all recipients visible to the group it is more appropriate to use Bcc – for example if we are just informing people of an opportunity. This is particularly important if an email is being sent to a group of individuals who may not be aware, or may not wish others to be aware, who else might be interested or involved – for example, a list of those exploring vocations, or support groups for those with particular difficulties that might be exposed by a group email. Again- anybody uncertain should ask the Wardens, Church Office or Incumbent for advice.

  1. Do we make assumptions about the capacity of our respondents?

The PCC and Incumbent of St Bene’t’s do not consider themselves competent to make a formal assessment of capacity- this is a medico-legal decision. In general, the Mental Capacity Act suggests assuming capacity unless proven otherwise; and “capacity” depends on the type of information being given. (For example – deciding to give an email address to be updated about service times is a very different decision to one relating to making a large financial donation). However, if we have any reason to doubt the capacity of an individual providing information, based on our observation of them or any concerns from those that know the individual well or represent them by legal arrangement, we would seek further advice on how to proceed from qualified sources. This may involve limited sharing of information, with boundaries of professional confidentiality having been agreed.

In general, any person under 18 requires the consent of their parent or guardian for us to hold their data. If a person under 18 wishes to act as independent from their parent or guardian we will consider this on a case by case basis. One exception to this is signing up to the Electoral Roll – the Church of England has declared that those 16 years and older may sign onto the Roll independently.

  1. How do we make sure respondents are informed in their decision making?

We achieve this by:

  1. Having an up-to-date Privacy Statement and Data Handling Summary that lets people know how we use data we collect
  2. Providing relevant information at each request for information – verbally and in writing (for example, in Tidings Newsletter) – to explain why in this instance we need the information

We are a little unusual in that we tend to ask people to provide information for single purposes only, that we explain individually, and do not hold it for future use. This helps to ensure that we do not use data inappropriately. (For example – each church event tends to have a new sign-up sheet asking for contact details, which is then subsequently destroyed and not stored as a basis for future contact or fundraising.)

Examples of Worked Scenarios

  1. A couple get married in St Bene’t’s Church and after the event, a friend who was unable to attend wishes to send them a congratulatory note. They contact us to ask for an email address. What do we do?

We cannot give out contact details for the married couple (even though theirs Banns of Marriage were a matter of Public Record), or confirm or deny if they are attending the Church (unless they are on the Electoral Roll). We can, however, offer to take the inquirer’s details and provide them to the married couple if we are in contact in future.

  1. A member of the Church several years ago agreed to their email appearing in Tidings Newsletter as the organiser of an All Ages event. They contact us and ask to exercise their “Right to be forgotten”. What do we do?

Within 1 month, we must delete all the information we hold about them, though it is wise to keep a separate, very brief record that the request was made and fulfilled to demonstrate receipt and compliance with the request. (For example – a date of receipt, initials of the requestor and the action taken in a spreadsheet with a completion date – this would be informative later if further context were provided but not in isolation).

The newsletter itself has been placed in the public domain with the consent of the individual at the time. As a goodwill gesture we could either remove the issue from the website or alter it to remove the contact details of the individual – and as this is simple to do, we should do so. However we are NOT obliged to track down all copies of this issue of Tidings and ensure they are destroyed. Once in the public domain it is unreasonable to expect us to ensure no record remains. We may also keep a record of those who organised or played a significant role in an event, for safeguarding purposes in line with current Church of England guidance. These limitations should be explained to the individual involved.

  1. We have decided to post photographs of individuals from the PCC to make it easier for the congregation to recognise us. Do we need a written consent form for each PCC member?

No – although photographs are a) publicly displayed in the Church at all times and b) more sensitive data than, for example, addresses, we do not need to have a written consent form for each PCC member. The motion was discussed and approved at a quorate meeting, and a request sent out to individuals to request photographs if they were happy to do so. By responding to the request, individuals consent to their photographs being displayed. They have been informed of how we will use the photographs in the PCC discussion and subsequent minutes and in the email requesting the images. This principle extends to most requests for data that we will make, if the reasoning behind the request is explained and legitimate, and not unnecessarily invasive.

May 2018