What is the GDPR?
Data Protection: “GDPR”
The General Data Protection Regulation (GDPR) will take effect in the UK from 25 May 2018. It replaces the existing law on data protection (the Data Protection Act 1998) and gives individuals more rights and protection in how their personal data is used by organisations.
- Personal data is information about a living individual which is capable of identifying that individual.
- Processing is anything done with/to personal data, including storing it.
- The data subject is the person about whom personal data are processed.
- The data controller is the person or organisation who determines the how and what of data processing; in a parish this is usually the priest.
The law is complex, but there are a number of underlying principles, including that personal data:
- will be processed lawfully, fairly and transparently.
- is only used for a specific processing purpose that the data subject has been made aware of and no other, without further consent.
- collected on a data subject should be “adequate, relevant and limited.” i.e. only the minimum amount of data should be kept for specific processing.
- must be “accurate and where necessary kept up to date”.
- should not be stored for longer than is necessary, and that storage is safe and secure.
- There are several legal bases for processing data, of which consent is one. Others include legal obligation (e.g. processing Gift Aid or publishing the Electoral Roll), contract (e.g. letting out the church hall), or legitimate interest (routine church management involving rotas, lists of group members etc). For each area of processing, you will need to be clear on your legal basis for carrying out that processing.
- You may need to have consent from people for some data processing, e.g. some email communications, or where data is shared with church members such as in a church directory. This consent will need to be clear and unambiguous – some form of positive action to ‘opt-in’. You must ensure you have this consent before processing.
- Data subjects have a number of rights, including that of knowing how data is used by the data controller, of knowing what data is held about them, of correcting any errors and generally the right ‘to be forgotten’. The church will need to make provision for people to exercise these rights, including developing a Privacy Notice.
- The GDPR introduces a stronger requirement on accountability for data controllers. This means that you must be able to show that you are complying with the principles by providing evidence. For example, where you process on the basis of consent, you should store a record of those consents. Since consent should be specific to a “purpose”, you may need separate consents to cover different areas of data processing within the life of the church.
- Where data “reveals religious belief” it becomes special category data – which requires additional care with regard to processing. Belief cannot be assumed simply because someone attends church or church events, becomes a “friend” or gives money to a church. However, where someone is required to have affirmed belief (e.g. that they are baptised or that they are a member of the Church), then this could be argued to reveal religious belief.
- Note that each incumbent or priest-in-charge is considered to be a separate data controller.
Accountability – What is it and how do I comply?
The new accountability principle means that you must be able to show that you are complying with the principles. In essence, you cannot just state you are compliant; you have to prove it and provide evidence. To do this there are a number of actions you should take, such as documenting the decisions you take about your processing activities and various other ways that show compliance – such as attending training, reviewing any policies and auditing processing activities.
How do we show that we are processing personal data lawfully?
Under the GDPR, it is now necessary to explain the lawful basis for processing personal data in your privacy notice and when you respond to Data Subject Access Requests. The lawful bases for processing personal data are broadly similar to the processing conditions contained in the 1998 Act. It should be possible to review the types of processing activities you carry out and identify your lawful basis for doing so. These lawful bases should be fully documented, which will help in complying with the accountability requirement.
Much of the personal data processed will be classed as sensitive (called special category personal data under the GDPR) because it relates to “religious belief” and therefore you will need to identify additional bases for processing the personal data. In a parish context the most relevant are:
- Explicit consent from a person; or
- Where the processing is a “legitimate activity” and relates to either members or former members or to individuals with whom there is regular contact, but is not disclosed to any third parties without consent.
Take, for example, the processing of personal data in relation to the electoral roll. In this case, the personal data processed is likely to be sensitive (by implication, if not directly, it relates to “religious belief”), but it relates to members of the parish (or individuals in regular contact with it). It can be said to be a legitimate activity of the parish under the Church Representation Rules. Of course, if you wanted to share this data with another party, you would require the consent of any relevant individual(s).
Where you rely on consent as the lawful basis for processing any personal data, you need to be aware that to be valid under the GDPR, consent must be freely given, specific, informed, unambiguous and able to be withdrawn. You will also need to record how and when the consent was obtained (and review this over time). As much of the data processed by a parish is sensitive (it relates to “religious belief”), if consent is needed this will have to be explicit consent. Consent will require “clear affirmative action”, and the ICO has noted that there is little difference between “explicit” and “unambiguous”. Silence, pre-ticked boxes or inactivity will not constitute consent.
Therefore, if you wish to rely on consent, you will have to make sure that any consent wording is sufficiently strong to allow you to show that the consent given is unambiguous and that the person knows exactly what he/she is consenting to. You will also have to tell individuals that they have the right to withdraw consent at any time and ensure that the procedure for withdrawing consent is just as simple as granting it (e.g. by sending an email or (un)ticking a box).
For example, you cannot use the personal data from the electoral roll to send mail to individuals about events at the church without seeking consent first. If you have not obtained consent from individuals to do this, you will not be able to use their personal data in this way. You will need to keep records of all consents received and periodically review them to ensure that they are still valid.
You should note that consent may not be appropriate in every case. Remember there are other lawful bases for processing personal data. For example, you would not have to obtain consent to share the names of individuals on the Readers rota or after service tea/coffee rota with other church members. In that instance, the information is shared with others in order to carry out a service to other church members. Of course, if it was intended to share the names outside the church for another purpose, then you would need to obtain consent.
Processing personal data about children – What do I need to do?
The GDPR brings into effect special protection for children’s personal data, particularly in relation to commercial internet services, such as social networking. If you offer online services to children and rely on consent to collect their information, you may need a parent’s or guardian’s consent in order to lawfully use that data. The GDPR sets the age at which a child can grant consent at 16 (although the UK Government has proposed in its Data Protection Bill, currently going through parliament, that this be reduced to 13).
You should also remember that you have to be able to show that consent was given lawfully. Therefore, when collecting children’s data, you must make sure that your privacy/data protection notice is written in language that children can understand, and copies of consents must be kept.
What do we need to do if there is a data breach?
A personal data breach is one that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Currently, data breaches do not have to be routinely notified to the ICO or others (although the ICO recommends that it is good practice to do so). The GDPR makes informing the ICO and the individuals affected compulsory in certain circumstances (e.g. where there is a high risk to the individuals involved, for instance through identity theft). Under the GDPR, you will have to notify the ICO of a data breach within 72 hours of becoming aware of it. It is important that those in the parish note this deadline.
What are the penalties for not complying with the GDPR?
There has been much publicity about penalties under the GDPR. What is important is that there has been a substantial increase in the maximum possible fines (in the UK the current maximum is £500,000).
Some examples under the GDPR:
- For a failure to get parental consent where personal data are collected about a child in the process of providing an “information society service” (e.g. online magazine/newspaper, buying/selling online), a fine of up to 10 million Euros or 2% of the data controller’s annual worldwide turnover for the previous year;
- For a failure to provide adequate information to data subjects or to allow subject access, or to comply with the right of erasure (see above), a fine of up to 20 million Euros or 4% of the data controller’s annual worldwide turnover for the previous year.
What is the ‘legitimate interests’ basis?
Article 6(1)(f) gives you a lawful basis for processing where:
“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
This can be broken down into a three-part test:
- Purpose test: are you pursuing a legitimate interest?
- Necessity test: is the processing necessary for that purpose?
- Balancing test: do the individual’s interests override the legitimate interest?
A wide range of interests may be legitimate interests. They can be your own interests or the interests of third parties, and commercial interests as well as wider societal benefits. They may be compelling or trivial, but trivial interests may be more easily overridden in the balancing test.
The GDPR specifically mentions use of client or employee data, marketing, fraud prevention, intra-group transfers, or IT security as potential legitimate interests, but this is not an exhaustive list. It also says that you have a legitimate interest in disclosing information about possible criminal acts or security threats to the authorities.
‘Necessary’ means that the processing must be a targeted and proportionate way of achieving your purpose. You cannot rely on legitimate interests if there is another reasonable and less intrusive way to achieve the same result.
You must balance your interests against the individual’s interests. In particular, if they would not reasonably expect you to use data in that way, or it would cause them unwarranted harm, their interests are likely to override yours. However, your interests do not always have to align with the individual’s interests. If there is a conflict, your interests can still prevail as long as there is a clear justification for the impact on the individual.
What is a Data Protection Impact Assessment?
One way of ensuring compliance is by carrying out a data protection impact assessment (“DPIA”). A DPIA will become compulsory under the GDPR for certain types of processing (e.g. the large-scale processing of sensitive personal data). Although it is unlikely that parishes will be processing sensitive personal data on a large scale, it is still worth considering carrying out a DPIA at the start of a project, to ensure compliance and that appropriate security is in place.
A DPIA assesses the impact of any proposed processing operation, for example the use of new technology, on the protection of personal data. A DPIA should be carried out before the processing of the personal data starts and then updated throughout the lifetime of any project.
As a minimum, the GDPR requires that a DPIA includes:
- A description of the processing activities and their purpose;
- An assessment of the need for and the proportionality of the processing; and
- The risks arising and the measures adopted to address those risks, in particular any safeguarding or security measures to protect personal data and comply with the GDPR.
- The EU guide on GDPR implementation: https://www.eugdpr.org
- Information Commissioner’s Office: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
This guide is for general purposes only. For legal advice you must contact a qualified legal advisor.