Data Protection

The General Data Protection Regulation (GDPR) is the European Union’s new legislation to protect the personal data of EU citizens.

It comes into effect on the 25th May 2018, following a need to regulate data protection throughout the European member states by updating the existing 1995 Data Protection Directive (DPD).

Under the GDPR, the data protection principles set out the main responsibilities for organisations. The principles are similar to those already in legislation, but with added detail at certain points and a new accountability requirement.

More information can be found on the Information Commissioner’s Office website at https://ico.org.uk/for-organisations/data-protection-reform/


An overview of the changing law in this area and what it means for you, prepared by the Diocese of Ely, is included below.


Introduction

The law relating to data protection is changing. This will affect all organisations in the UK, including businesses and charities, from 25 May 2018. On this date, a new EU regulation called the General Data Protection Regulation (GDPR) comes into force.

As a registered charitable business, which holds data about clergy, licensed ministers and people holding positions within parishes – such as churchwardens and PCC secretaries – the Diocese of Ely[1] will be legally required to review and refine how it collects, holds, processes, uses and publishes this data.

More information on GDPR can be found on the Information Commissioner’s Office (ICO) website here - https://ico.org.uk/for-organisations/data-protection-reform/

Further advice, specifically for parishes, is also available on the Parish Resources website here - http://www.parishresources.org.uk/gdpr/

The purpose of this note is to introduce the GDPR, direct readers to sources of information so they can learn more and prepare their own parishes, and to provide an overview on why and how the Diocesan office processes information.

Why the Diocesan office processes personal details

  • The staff at the Diocesan office need to be able to get in touch with the key people in parishes and deaneries across the Diocese to help us provide a proper service to you.
  • The services and daily legitimate activities we offer/undertake include:
    • ministry and mission support (including the filling of vacancies);
    • financial advice and support;
    • legal advice relating to trusts and other matters;
    • work relating to pastoral reorganisation and the Church Representation Rules;
    • advice relating to church buildings, their development and maintenance;
    • work relating to parsonages and other housing and property management;
    • provision of safeguarding training and advice;
    • educational work both in our church schools, academies and beyond;
    • publication of the Diocesan newsletter and all the news and guidance on our website;
    • and much more besides – which we cannot do if we cannot contact or identify you!
  • In addition, we are legally required to consult with key office holders such as clergy, PCC Secretaries and Churchwardens in parishes on a number of matters affecting the Diocese, and need to be able to write to these people directly.

Type of information processed

  • We process information relevant to the above reasons and purposes.
  • This information may include: Personal details, Family details (such as a spouse’s name), Membership details, Qualification and training records, Financial details in order to make payments.

How long will we keep your information?

  • We will only keep information for as long as necessary. If after the APCM you no longer hold a formal role within the parish, please tell us and your information will be archived.
  • Clergy information will be held for the duration of service in post and thereafter archived.
  • We will hold information for the duration of a recognised role in the Diocese - ALMs, LLMs, PTO.
  • We will retain archived information to ensure a consistent and historical record is kept to support the work of the Diocese.
  • Some personal information may be retained to ensure compliance with our legal safeguarding requirements.

Sharing information

  • We may need to share some of the personal information we process with the individual themselves, other individuals and also with other organisations.
  • Information might be shared with individuals or organisations including: Members and their families, Employees, Prospective employers, other church bodies (e.g. the Archbishops’ Council), other such recipients where it is necessary to share data to discharge Diocesan obligations.

Where do we keep this information?

  • Information will remain inside the EU. It will be encrypted and securely held on password protected servers with no permitted access to anyone unless they have an operational/Diocesan business need to do so.
  • If a data subject permits us to do so, contact information will be made available through the Diocesan website or within the online and printed Diocesan Directory. It should be noted this information will then be visible outside of the UK.
  • Diocesan teams make use of third party services to keep you updated (such as MailChimp for subscription e-newsletters), and this information is stored under the conditions laid out by that provider and may be held outside of the UK.
  • You have the right to see the information we hold about you
  • You have the right to alter the information we hold about you
  • You have the right to request us to delete your information (subject to safeguarding requirements)
  • You have the right to complain to the Information Commissioner's Office should you be unhappy with how we are handling your information.

What is required?

  • This Diocese will continue to process your information for the purposes of undertaking Diocesan business as described above. This will include activity essential to undertaking Diocesan duties, such as processing Clergy Pay, issuing Statutory Notices during Pastoral reorganisation, or processing Gift Aid submissions.
  • In order to continue to publish your contact information (such as on the website or in the Diocesan Directory) or share it with a colleague within the wider diocese, e.g. giving an LLM’s phone number to a member of the Clergy for Diocesan business, a record of having obtained unambiguous consent to do this from you (known as a ‘data subject’) will be required.

Your rights

Your rights under the GDPR are the same as the rights you enjoy under the Data Protection Act. They are summarised below. The Diocese is committed to ensuring that the information we hold is treated in accordance with the best practices of data protection.

Why should your details be included on the Diocesan website and in the Directory?

  • We are often asked by those serving within and parishioners throughout the Diocese for a full Diocesan directory, and receive lots of complaints when people’s contact information is missing, out of date or incomplete.
  • Part of the inherent responsibility that comes with holding an office or position within the Diocese is a willingness to be contacted and accessible with respect to the role you have – therefore, we ask you to enable us to use and publish your information on the website and in the Directory as we cannot do this without your permission.
  • If your details are not publicly available to people in your parishes, they have no way of being able to contact you to arrange weddings, funerals, baptisms and other services and events.
  • In case of emergency – such as fire or break-in at the church – those people connected to the church need to be readily accessible to other church officers, parishioners and members of the public.
  • For more information, or to raise any concerns, please contact the Diocesan Secretary, Paul Evans, on paul.evans@elydiocese.org or telephone 01353 652703.

Commonly Asked Questions

What does ‘data protection’ mean?

The term ‘data protection’ refers to how personal information or data is held, processed and used by organisations. It aims to prevent harm to individuals by misusing or failing to look after their personal data.

What is the legislation governing this area?

In the UK the Data Protection Act 1998 (DPA) sets out the current requirements for all businesses, charities and other organisations in how they hold, process and use such data. On 25 May 2018 a new EU law, the General Data Protection Regulation (GDPR), will come into force and will be applicable to all organisations in the UK regardless of the UK’s vote to leave the EU.

The GDPR reinforces and adds to the DPA, requiring all organisations to review and improve how they collect, hold, process and use personal information. The Information Commissioner’s Office (ICO) regulates the handling of data by organisations throughout the year; the Diocese submits annual returns detailing how it handles its data – these are publicly available via the ICO website: https://ico.org.uk/.

What is the Diocese of Ely doing about the change in the law?

The Diocese is required to review the personal information or data of ANYONE whose personal details are stored on the Diocesan database and/or website – these will be people who have positions and roles within parishes and deaneries such as clergy, licensed ministers, churchwardens, PCC secretaries and treasurers, etc.

We need your consent to continue to publish your contact information (e.g. within the Diocesan Directory). We are working to ensure that the information we hold on our database and in our paper files is secure and accessible only to staff who properly need it.

What is ‘personal data’ or ‘personal information’?

The definitions of personal data in both the DPA and GDPR are lengthy and complex, but essentially it is any information which makes a living person identifiable – this includes names, addresses, names of spouses and so on. We also hold information about clergy qualifications and training records and limited financial information so that we can pay expenses to those who regularly claim them.

This is different to ‘sensitive data’ which includes information about ethnicity, sexuality, political and religious beliefs, health, criminal records and other, more sensitive, financial information. More can be found on the ICO website.

Where and for how long does the Diocese keep my personal information?

Information stored on our database is encrypted and securely held on password protected servers. Access is available only to specific staff who need it for operational purposes. If you have given consent for some of this information to be made public, it will be available via the ‘search’ function of the Diocesan website and in the directory, when published. Information will be retained for as long as required in order to perform Diocesan duties, and on occasion for the purposes of keeping a historical record.

Who at the Diocese of Ely is responsible for handling my personal data?

The staff at the Diocese who are responsible for dealing with personal information or data are:

  • The Diocesan Secretary, who is the Data Protection Officer and the Data Controller under the DPA; and
  • The Diocesan Data Officer, who is a Data Processor under the DPA.

The Bishop of Ely is the Data Controller for the personal information held at his office.

Can I request to see or change the information held about me by the Diocese?

Yes. You can also ask for information about how we process and share the data we hold – not just what we hold. This is described by the ICO as a “Data Subject Access Request”. The ICO website sets out the process for making such a request and gives guidelines on the potential costs you can expect to be asked to meet.

The Diocese is committed to following best practice as to the processing of personal data.

You can request to have your details changed if they are incorrect or out of date, and you can ask for them to be deleted (subject to certain requirements) when you leave office.

Will parishes have to review the data they hold about people in order to comply with GDPR?

Yes, you will. The GDPR affects ALL organisations, including PCCs and charities, even if they are not registered with the Charity Commission. This will most notably affect parish records of parishioners on the electoral roll and for events and fundraising.

Further guidance for parishes, provided by the central Church of England team, can be found on the Parish Resources website at http://www.parishresources.org.uk/gdpr/.

The ICO website (https://ico.org.uk/) also contains advice on how you can best prepare for GDPR.

Remember, it remains each parish’s responsibility to ensure it complies with the data protection regulations.

For more information on how the Diocesan Office processes your information, please contact the Diocesan Secretary: paul.evans@elydiocese.org, 01353 652703


[1] The Diocese of Ely is the operational name of Ely Diocesan Board of Finance, a registered charitable business limited by guarantee