GDPR FAQs

Frequently asked questions

These questions concern the General Data Protection Legislation, which comes into effect in May this year. To submit a question, please email gdpr@glosdioc.org.uk

Please find additional information from the Parish Resources website here.

Q1: Can we still publish our electoral roll?

Yes – the Church Representation Rules (CRR) require that “(11) The roll shall where practicable
contain a record of the address of every person whose name is entered on the roll . . .” and that “(3)
After the completion of the revision, a copy of the roll as revised shall, together with a list of the
names removed from the roll since the last revision (or since the formation of the roll, if there has
been no previous revision), be published by being exhibited continuously for not less than fourteen
days before the annual parochial church meeting on or near the principal door of the parish church
in such manner as the council shall appoint.”

The CRR require publication; this will, therefore, be considered to be a legitimate activity of a not-for-profit
body under the GDPR. So, data will still be able to be processed in this way. The CRR are
part of the Synodical Government Measure 1969 and they prescribe the relevant forms in relation
to administrative matters dealt with by the PCC. You will not be able to alter the forms unless the
amendments went through the synodical legislative process at the General Synod.

The forms themselves already state that the names of individuals will be published on or near the
church door. For instance, see “Form of Notice of Revision of Church Electoral Roll”. Indeed, under
r.2(1) this “Form of Notice” of the intended revision is itself published on or near the church door of
every church in the parish and every building licensed for worship and will remain there for a period
of not less than 14 days prior to the revision, making individuals aware that the revised roll will be
published, so giving them a chance to object. So, if they do not object, by applying to have their
name entered on the electoral roll they are already consenting to its publication in the manner set
out above.

Nevertheless, you can take the additional measure (if you so wish) of letting people know where
and for how long their details will be publicly displayed, by providing such information in a covering
letter with the enrolment forms.

If there are reasons why someone’s details cannot be made public (e.g. they are in a sensitive
position, such as prison, police, army etc., where publication of these details could cause harm or
damage), they should let you know. The rules cited above do say “where practicable”.

Q2: Will we need to seek consent to publish the electoral roll?

No – as the CRR require publication, this is a legitimate activity of a not-for-profit body under
the GDPR and so data can be processed in this way. In addition, by applying to have their name
placed on the electoral roll individuals are consenting to their personal data being processed in
accordance with the CRR. See answer above for further details.

Q3: Can we still send details of deanery synod elections and churchwardens elected etc. to the diocesan office? Will we need consent to do this?

Yes, you can share this information with the diocese – managing and administering the elections
will require the dioceses to process this information, as stipulated in the CRR. Consent will not
be needed for the data to be shared for this purpose. Indeed, if you stand for election you would
expect your data to be shared with the diocesan office. The Rules state that the results will be sent
to the Diocesan Electoral Registration Officer.

Q4: “Can you please clarify the statement “This allows religious (amongst others) not-for-profit bodies to process data without specific consent as long as it relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent.”? I am concerned that parishes may think they don’t need consent for any processing of information.”

The longer version of our guide to GDPR for parishes – http://www.parishresources.org.uk/wpcontent/uploads/Parish-Guide-to-GDPR.pdf – provides more information on what can be processed without consent and what does need consent.

Q5: My parish is in a multi-parish benefice – how do the consent and privacy forms relate to that situation rather than the single parish/benefice situation?

Provided you make it clear in your privacy notice and consent form that you are processing the data on behalf of the whole organisation – whether a single or a multi-benefice organisation – it will be OK to use a single privacy notice and consent form.

Q6: Children and GDPR

With regard to children, the ICO has stated that if an organisation offers services over the internet directly to children (in the UK, under the draft Data Protection Bill, this will be anyone under the age of 13), then you will need parental consent in order to process their personal data lawfully.

Other than this, there is little fundamental change to the rights of children, who are considered as individuals in their own right. Children’s data (where on-line services are not involved) is covered by the fact that children are considered to be a vulnerable group and therefore warrant specific consideration and protection (i.e. they must be provided with clear information about what, why, how etc., and must be able to understand the risks, consequences and safeguards and their rights), but otherwise are accorded the same protections as adults in the DPA and the GDPR.

Specifically:
a. You must have clear and age-appropriate privacy notices for children.
b. The right to request erasure is particularly relevant when consent was given when the
individual was a child.
c. The concept of competence remains valid under GDPR – you may wish to give an individual
with parental responsibility for a young child the ability to assert that child’s data protection
rights on their behalf or consent to processing their data.
d. If an older child is not deemed competent to consent or exercise their own rights you may
allow an adult to do this.
e. You can still process a child’s data under legitimate interests.
f. Privacy by design is the same and should be properly considered when processing children’s
data.
g. So for example with regard to a youth group mailing list – parental consent may be
considered appropriate depending on age and competence i.e. do the children understand
the implications of the collection and processing? If yes, they can give their own consent
unless it is clear they are acting against their own interests.

Q7: We have paid staff and the payroll is provided by another organisation (e.g. a diocese or payroll service provider) – can we still share information with them?

Yes – the third party is processing data on your behalf. You do, though, need to make sure that the
contract you have with them is compliant with the GDPR (speak to your diocesan registrar and/or
data protection officer at the diocesan office); in particular, it will need to set out in clear terms what
the organisation is doing with the data on your behalf and its location and security.

Q8: Do we need to get all of our existing consents with people renewed?

Not necessarily. Where you rely on consent, the ICO has stated that it will not be required to
obtain fresh consent from individuals if the standard of that consent meets the requirements of the
GDPR, i.e. consent has been clearly and unambiguously given and you have a record of that
consent.

Nevertheless, it is important to review all consent mechanisms to ensure that they meet the
standards required under the GDPR. If you cannot reach the high standard of consent as set out in
the GDPR, you must look for an alternative legal basis for processing the data or stop processing the
data in question. Under the GDPR, consent must be verifiable. This means that some form of
record must be kept of how and when consent was given. Consent must be freely given, specific,
informed and unambiguous, i.e. consent requires clear affirmative action from an individual (the
data subject). Silence, pre-ticked boxes or inactivity (e.g. just staying on a website or not
responding to a request) will not be sufficient. Individuals must also be informed of their right to
withdraw consent at any time and how they can do this. In fact, it should be no more difficult to
withdraw consent than it is to grant it.

Q9: What are the implications of the incumbent being a separate data controller?

The incumbent is responsible for ensuring that he/she manages personal data provided by data
subjects in line with GDPR, so all of the guidance provided is applicable to incumbents as well as
PCCs.

Q10: Safeguarding advice appears to be – keep everything. A diary or parish magazine from twenty years ago can show that someone was not where it is alleged they were, or was not a churchwarden when they claimed to be. Is this in conflict with the right to be forgotten?

“The right to erasure”, also known as the right to be forgotten, in the GDPR is the right to request
the erasure of personal data in certain limited situations, such as where the personal data is no
longer necessary for the purposes for which it was collected or processed or where the data subject
withdraws consent to the processing, where consent is the legal basis relied upon to process the
personal data. Therefore, all personal data that can be legitimately held will continue to be so,
unless and until one of the provisions permitting erasure of personal data under the GDPR applies
(such as where the purposes for which it is being processed have ceased, or consent has been
withdrawn, where relevant). The Independent Inquiry into Child Sexual Abuse (IICSA) has certain
statutory powers under the Inquiries Act 2005 and, using its statutory powers, it has already stated
that we should not destroy any personal data that might be relevant to the inquiry, and the ICO has
agreed this too.

Secondly, with regard to material, such as the parish magazine, which is already in the public
domain, the so-called “right to be forgotten” will be irrelevant because the material in question is
already publicly available. Indeed, it would be completely impractical to request individuals destroy
material, such as parish magazines, that has been made publicly available.

 
