The General Data Protection Regulation (GDPR) came into force in May 2018 and consolidated existing legal obligations on organisations such as Yatton Methodist Church.
Yatton Methodist Church does what it can to protect privacy and keep information safe. If, as a volunteer, minister or employee in the church, you use or have access to personal information, you are responsible for ensuring that such information is handled in accordance with data protection legislation and in line with best practice.
This guide summarises what you need to do as a volunteer, minister or employee in the church to ensure that the information you hold is looked after carefully and kept safe.
What is personal information?
Any information identifying a living individual or information relating to an individual that can be identified from that information. Personal Data can be factual (for example, a name, email address, location or date of birth, photograph, disability, health or ethnicity data) or an opinion about that person’s actions or behaviour.
Code of Practice
1. Carefully read and follow the Yatton Methodist Church Data Protection Policy.
2. Review and keep under review the personal information you collect and use. What information do you have? Why? Who has access to it? Do you need to keep all the information you have?
If you do not need all the information you hold this could be a great opportunity to dispose of it in accordance with the guidelines.
There are six lawful bases for collecting data as follows. In the context of Yatton Methodist Church it will almost always be either A. or B.
A. legitimate interest;
This lawful basis is appropriate if . . .
- The church has a legitimate interest for using the data for the purposes proposed. Note that legitimate interests can range from the trivial to the compelling.
- The proposed use of the data is within the “reasonable expectations” of the individual, and the individual would understand why their personal information is being used for the particular purpose.
- The use of the personal information is targeted and proportionate to achieve the intended purpose.
where the individual has knowingly and freely given their clear consent to the collection and use of their personal information, and for the use (processing) of their information for the specific purpose in question. It can be written or verbal, but must be specific.
D. legal obligation;
E. vital interest (life or death scenarios);
F. public interest (mainly for public bodies);
4. Only use the personal information that you need and only for activities relating to the life and work of the Methodist Church.
e.g. do not use information from the Church Directory for your own private or business purposes, and only use personal information you actually need for the purpose required.
5. Only collect and use the minimum amount of personal information that you need for a particular task.
e.g. if you are arranging a pastoral visit, you only need to collect sufficient personal information to enable the pastoral visitor to provide pastoral support. The pastoral visitor is meeting the spiritual needs of the Church member rather than providing medical care requiring a full medical history.
6. Check the information you have is correct and up-to-date.
e.g. read back personal information given over the telephone, and update information when notified about changes in contact details.
7. Destroy/delete personal information as soon as it is no longer needed by shredding hardcopies and/or deleting computer files (including backups) in accordance with the guidelines detailed in the Yatton Methodist Church Data Protection Policy, i.e. do not keep hold of information longer than you need it.
8. Review how you collect and store personal information and update processes as necessary to ensure its safety.
e.g. do not leave personal information unattended in the vestry; store computer files on a password-protected machine; do not print information unless you really need to and, if you do, store it somewhere safe.
9. If you lose or allow unauthorised access to personal information, immediately contact the Yatton Methodist Church Data Champion so that they can tell you what to do next.
Take any immediate action that you can to get the information back, e.g. recall the email, ask the unintended recipient not to read it and delete the email, retrace your steps to find lost papers or contact the train or bus company if you think you left them on public transport.
10. Respond to requests to exercise data rights, e.g. to erase information or provide details of information held, without delay, and notify the Yatton Methodist Church Data Champion.
e.g. if somebody asks for copies of all the personal information you hold about them or asks you to delete personal information.
Applying the Data Protection Policy
The Methodist Church uses personal information in many different ways but the following two purposes raise the most queries.
Directories and Circuit Plans
- You can rely on “legitimate interests” if the Directory or Circuit Plan is not shared with third parties.
- If you share the Directory or Circuit Plan with third parties e.g. they are published on your website or made accessible to third parties (left in the church foyer) you will need to obtain consent. Please note there is no need for consent to be obtained from Ministers in Full Connexion or probationers.
- If you have not obtained consent because you do not make the Directory or Circuit Plan available to third parties, ensure those members with a copy know they must keep the information confidential.
- When people give you their personal information to include in the Directory or Circuit Plan, destroy the completed forms; shred or tear up information handed to you in paper form and delete emails, or store the information securely only for so long as you need to. Keep in locked filing cabinets, locked cupboards or password protected files or anywhere that is considered safe and secure.
- You can rely on “legitimate interests” if the information belongs to the Church’s own members, former members, or persons with whom it has regular contact in connection with the Church and will not be shared with third parties.
- Keep any health information to a minimum. The person may want to share details of their illness with you but you do not need to take written records of this. What do you need to record? What information is essential for the pastoral records?
- As the information may include special category information, e.g. health data, take special care of it. Keep any paper records in a locked filing cabinet (or cupboard) if possible, keep any computer records password protected, do not leave the files unattended and only share information with others involved in pastoral visits on a need-to-know basis.
Where to find more help?
Contact: Martin Buckley, Yatton Methodist Church Data Champion