This page holds some questions and answers regarding the GDPR:
Q: We publish Mass intentions in newsletters/online/social media which includes deceased and living peoples names – how does the GDPR affect this?
On looking through the legislation it is clear that ‘Personal Data’ relates only to a living individual, therefore Mass intentions for a deceased person could be published.
It would not be prudent to publish a Mass intention (in any format) for a living individual as this would breach a ‘Data Subjects’ right to privacy (unless you had explicit, informed and recorded consent from the data subject). However, there would be a case to say you have a Legitimate Interest to publish the name of the person who requested the Mass intention – as they specifically asked you to conduct the intention and there is historic practice that we publish Mass intentions. Therefore you could publish a statement such as ‘Mass Intention requested by Mrs Jones’ rather than naming the specific Mass Intention.
Q: I would like to include photographs of a recent event in the parish newsletter/online – do I need consent to do this?
If the photograph is of the event in general, as opposed to a photograph of somebody close up, you do not need consent. It would be good practice to put a notice up that is clearly visible in the event room informing guests that photographs will be taken and where they will be used. You should also provide the details of who to contact should a guest not wish to be included.
Q: Are we allowed to process emergency contact details?
Yes. It is up to the person giving you the details to make the emergency contact aware that you have their details and to make sure they’re kept up to date and accurate. Make a note that you haven’t received this information directly from the data subject but from a third party.
Q: Can we still display rosters like the tea and coffee rota in the church?
Any rosters that are connected to running the activities of the church can be considered as legitimate interest, so you would not need consent to collect or display such data. Do make sure that it is outlined in your privacy notice though.
Q: Our parish is multi-parish – how do the consent and privacy forms relate to that situation rather than the single parish?
Provided you make it clear in your privacy notice and consent form that you are processing the data on behalf of the whole organisation – whether a single or a multi-parish organisation then it will be ok to use a single privacy notice and consent form.
Q: Do we need to get all our existing consents renewed?
Not necessarily. Where you now rely on consent to process the data, the ICO has stated that it will not be required to obtain fresh consent from individuals if the standard of that consent meets the requirements of the GDPR, i.e. consent has been clearly and unambiguously given and you have a record of that consent. If you cannot reach the high standard of consent as set out in the GDPR, you must stop processing the data in question. Under the GDPR, consent must be verifiable.
Q: What about processing children’s data?
With regard to children, the ICO has stated that if an organisation offers services over the internet directly to children (in the UK, under the draft Data Protection Bill, this will be anyone under the age of 13), then you will need parental consent in order to process their personal data lawfully. Other than this, there is little fundamental change to the rights of children, who are considered as individuals in the own right. Children’s data, (where on-line services are not involved) is covered by the fact that children are considered to be a vulnerable group and therefore warrant specific consideration and protection (i.e. they must be provided with clear information about what, why, how etc, and must be able to understand the risks, consequences and safeguards and their rights), but otherwise are accorded the same protections as adults in the DPA and the GDPR. Some points to note:
- You must have clear and age-appropriate privacy notices for children.
- The right to request erasure is particularly relevant when consent was given when the individual was a child.
- The concept of competence remains valid under GDPR – you may wish to give an individual with parental responsibility for a young child the ability to assert that child’s data protection rights on their behalf or consent to processing their data
- If an older child is not deemed competent to consent or exercise their own rights you may allow an adult to do this.
- You can still process a child’s data under legitimate interests.
- So for example with regard to a youth group mailing list – parental consent may be considered appropriate depending on age and competence i.e. do the children understand the implications of the collection and processing? If yes, they can give their own consent unless it is clear they are acting against their own interests.
We have now produced a draft ‘easy read’ privacy note that can be used in conjunction with the official note to assist young/vulnerable people in making a decision on wether we can or cannot use their data. It can be found here.
This guide is for general purposes only. For legal advice you must contact a qualified legal advisor.