As you may be aware, all businesses and charities need to get ready for the new law around data protection, which is called the General Data Protection Regulation (GDPR). The GDPR will replace the current Data Protection Act and comes into force on 25 May, 2018.
Regulated by the Information Commissioner’s Office (ICO), the GDPR aims to strengthen the rules around personal data and requires organisations to be more transparent and accountable. It also gives people greater control over their own personal data.
All diocesan offices and parishes must comply with its requirements, just like any other charity or organisation. We are therefore currently updating all of our processes, which includes new confidentiality agreements for all volunteers and privacy statements on all documentation. We have included some information on frequently asked questions and categories of interest, which we hope will be helpful.
What is personal data?
Personal data is defined as data relating to a living individual who can be identified by the data, or a combination of that piece of data and other data held. Explicit consent is needed to process, or hold, sensitive data. Some data held by a parish will be considered sensitive. Sensitive data is information about an individual’s:
racial or ethnic origin
trade union membership
physical or mental health
Personal data must be kept in locked filing cabinets, which should be fireproof, or, if kept on computer, must be protected by passwords. Access to passwords must be given only to authorised personnel. Office doors should be kept locked when not in use. Records must be destroyed by shredding when they are no longer required or necessary for the purpose for which the information was obtained. Regular back-up procedures must be in place for information stored on computer, and back-up disks must be kept at a separate location and under lock and key.
I don’t use a computer and only keep paper records. Does it affect me?
YES – The Data Protection Act 1998 covers all data held on computers and manually in a retrievable form. The 1998 Act extended coverage under the 1984 Act from electronic media to include paper records as well.
What are the data protection principles?
data must be obtained, processed, held and used fairly and lawfully;
data may be obtained and processed for specified purposes. It may not be obtained for one purpose and used for another, nor passed to an outside party;
data must be adequate, relevant and not excessive for the specified purpose;
data must be accurate and kept up to date;
data must not be kept for longer than is necessary;
data must be kept in a secure manner and there must be measures in place to guard against unlawful access or destruction of the data;
data must not be transferred outside the European Economic Area unless the country concerned ensures adequate protection for the rights and freedoms of individuals; and
individuals about whom data is held have a legal right of access to that data.
In the past, the parish has carried out a census, gathering a register of information about our current, past and former parishioners. The information we hold comprises: name, age, gender, address, telephone number, email address, family members, religious affiliation, sacraments received and marital status. This information helps the parish in its work in the community, to provide a better service to its parishioners and to realise its objectives. The information is held securely in locked filing cabinets, and where it is held on computer it is password protected. Access to the information will be restricted to the parish priest and lay people authorised by him. It is intended to renew this information every five years, but should you wish to have your data removed from the register, please contact Father Richard or the Parish Office.
Planned Giving and Gift Aid
Personal data obtained to enable the recovery of tax paid from the Inland Revenue on the donations made under Deed of Covenant or Gift Aid by tax paying individuals is also confidential. It will be held securely and will be disclosed only to the Parish Priest, Diocesan Finance Office, Gift Aid Co-Ordinator, Inland Revenue and Auditors. If any of your personal details have changed, please inform the Gift Aid organiser via the parish office. The parish will otherwise assume that the information it holds is accurate.
Baptism and Confirmation Registers
Applicants for Baptism are often asked to complete a Baptism application form, with the information of babies and children being provided by parents. Godparents also complete an application form. If adults are baptised they give their own name and date of birth. For those who are required to attend a Baptism preparation course, their details (with consent), which include their name, a contact number and email address, will be sent to the Baptism Catechist so that they may be contacted with further details of the course.
Once the person is baptised, the information on the forms is transferred into the Church Baptism register, which is kept locked in a secure fireproof safe, and the paper forms are shredded. Also recorded in the register are the current surname and maiden name of the mother and, if she is unmarried and the mother wishes, the name of the father. Names of Godparents and celebrant are also recorded in the register.
Register of reception of baptised Christians
This is a separate register which will contain the name and address of the person received, name of parent, date, place and Church of baptism, name of sponsor at reception and name of celebrant at reception.
Marginal notes are made in the Baptism register when other sacraments have been received which can include:
First Holy Communion, Confirmation, Marriage, Holy Orders, Marriage Nullity, Laicisation, Death, notification of having left the Church
Who can receive a copy of my Baptism or Confirmation Record?
When information is requested in writing about a baptismal record, it is provided only to the person baptised (or their parent/guardian if they are under 18) or to a Parish Clergy of a Parish where that person has asked for a further Sacrament. Unless the information is requested by a Parish Clergy/Deacon, the person requesting the information should provide evidence of identity. This could be either:
A. Baptismal register – Date of birth and name and parents’ names and approximate date of baptism and names of Godparents or Register of Reception of Baptised Christians – date, place and Church of baptism and name of sponsor at reception
B. A photocopy of a driving licence/passport and (if the information is to be posted, rather than collected) evidence showing that person at the address to which the information is to be posted, e.g. a utilities bill or bank statement.
Marriage Register Information
The data held in a Marriage register will include that of the bride and groom: the name of both and address(es) at the time of marriage, the name of a parent of the bride and a parent of the groom, the names of witnesses, the name of the Priest and that of the Registrar. The Church is required by law to provide information about weddings which have taken place within a Catholic Church to the civil authorities. Those being married expect to receive a marriage certificate and, since May 2018, have been explicitly informed about what information will be kept in the register, that it is kept locked, and the limited circumstances in which information is divulged. The privacy impact on those whose personal data is recorded in the register is minimal because the register is kept securely and the information is divulged only in very limited circumstances. The Parish Clergy will normally notify the parish in which each spouse was baptised when the marriage has taken place so that the marriage can be noted on the baptismal register entry for each spouse. At the wedding the civil register is completed and a quarterly return is made to the civil authorities with such information about the wedding as is required by law. The Marriage register is kept indefinitely, even after death, because these are physical registers with multiple entries per page and individual entries cannot be removed.
What about Volunteers who may come across sensitive information?
If as an individual you very kindly volunteer for the Parish, you may come across sensitive information that we need to protect. In line with the General Data Protection Regulation, to volunteer your services you are required to read, sign and return the Confidentiality Agreement linked below, which will be kept on file in the Parish Office for GDPR audit purposes.
Confidentiality Agreement Please click on link to open
I sometimes use my own computer for Parish activities. Do I have to do anything?
If you use your own computer or any other equipment for any parish work, or send personal data, which would include emailing information regarding Parishioners on rotas, you must have permission from the Parish Priest to do so. Please also read the Parish Computer Code of Practice, sign it and return it to the office or via Fr Peter. Hard copies of the forms are available in the Sacristy if this is easier. If you require the use of a Diocesan email address please speak with Fr Richard for authorisation.
Parish Computer Code of Practice Please click on link to open
What about the data on the Rotas for Extraordinary Ministers, Readers, Musicians, Welcomers, Refreshment Teams etc?
Rotas are used to communicate with Volunteers but may be seen by members of the public visiting the Church or looking at the website. Contact details must therefore be kept in a locked cabinet if held on paper or, if kept electronically, must be password protected with limited access. Rotas will run for a specific period, so paper copies should be destroyed a month after the last date, and electronic copies deleted from the computer and then deleted from the deleted items folder within one month after the end of the rota period.
Copies of the rota which are available on notice boards or to be collected from Church should not have any contact details on them.
In order to protect your privacy, each rota will have a privacy disclaimer on it explaining that personal details will be held on file or stored on the parish computer, and that details will be shared only with other members of that particular group, i.e. Eucharistic Ministers, readers etc., in order to arrange cover and will not be used for any other purpose. Those details should only be shared with others on the rota if consent has been given. If you do not wish your details to be shared, please let the organiser/parish priest know. Consent can be withdrawn at any time.
Diocesan Safeguarding Policy
We would also like to remind you of the Diocesan Safeguarding Policy, which includes having an up to date DBS check every 2 years when you are in a role working with children, young people or vulnerable adults, i.e. a Eucharistic Minister visiting the Sick and Housebound, a helper at the Children’s Liturgy group, a Catechist etc. This supersedes the ‘old CRB forms’ and is now all completed ‘online’, being very quick and easy to do. We continually check all of the records held by the Diocese Safeguarding Team to see who requires an update check, but if you know that you are ‘overdue’ please speak to your safeguarding representative, or alternatively please come and see or call Debbie in the parish office so that she can talk you through the process and send you the relevant DBS link online with any Diocesan forms that you may require.