Data Protection and GDPR
What is GDPR?
On the 25th May, 2018 new regulations came into force in the UK. These regulations known as the General Data Protection Regulations (GDPR) are accompanied by a new UK Data Protection Act, 2018.
The new law is intended to update previous legislation on the collection, storage and use of personal data (also known as personal information). The legislation requires organisations, including churches and charities, to be transparent in explaining how we use data allowing them to make personal choices. It also requires us to keep information secure and only collect the minimum amount of personal data necessary for us to carry out our legitimate functions for as long as it is required or securely destroyed.
What is personal data?
Personal data is defined as any data relating to a living individual who can be identified by the data, or a combination of that piece of data and other data held. Explicit consent is needed to process, or hold, sensitive data. Some data held by a parish will be considered sensitive. Sensitive data is information about an individual’s:
- racial or ethnic origin
- political opinions
- religious beliefs
- trade union membership
- physical or mental health
- sexual life
- criminal record
- criminal proceedings
Personal data must be kept in locked filing cabinets, which should be fireproof, or, if kept on computer, must be protected by passwords. Access to passwords must be given only to authorised personnel. Office doors should be kept locked when not in use. Records must be destroyed by shredding when they are no longer required or necessary for the purpose for which the information was obtained. Regular back-up procedures must be in place for information stored on computer, and back-up disks must be kept at a separate location and under lock and key.
Data Protection Incidents
The Diocese and its parishes hold a lot of personal data including information on our clergy, employees and parishioners. If that data is lost, stolen, corrupted or released to unauthorised persons, the Data Protection Officer must be informed immediately.
A potential data protection breach could be:
- Loss or theft of a device containing personal data such as USB devices, laptops and smart phones.
- Successful ‘phishing attempts’ via email.
- Paper documents that have been lost or stolen from home, a car or left on the train.
In order to support parishes implement measures to protect data and inform people about their rights, a series of template documents are provided here. These will be revised and updated from time to time along with additional information, instruction and training.
Contact – Data Protection Officer
For more information on data protection, please contact the Data Protection Officer on:
Post: Data Protection Officer, Cathedral Centre, 3 Ford Street, Salford, M3 6DP