DATA PROTECTION POLICY
Why do I need to read this?
The Data Protection Act 1998 has substantial implications for the Church of England which affect every parish. The Act is designed to protect the rights of identifiable living individuals concerning information about them (known as personal data). It covers basic factual information (such as names and addresses) and expressions of opinion (such as in references). This leaflet provides important advice which should be sufficient to enable most parishes to comply with the Act.
What are the main differences from the 1984 Act?
The new Act extends data protection to much of the personal data held in paper-based files (it previously applied only to information on computer). It also requires greater security where data is classified as sensitive (which includes a person's religious affiliation) and where information is passed beyond the European Union either directly or by being placed on the internet.
Do I need to notify (register) and if so how?
Notification used to be known as registration and is the process whereby a data controller informs the Data Protection Commissioner (DPC) that they are processing (handling) personal data. Each incumbent and each PCC is considered to be a data controller since they are separate legal entities who will be processing personal data. Each needs to decide whether they need to notify. PCCs should be exempt from notification. Incumbents (or priests-in-charge) should not need to notify unless records of pastoral care discussions (relating to beliefs, relationships, opinions etc rather than dates of birth/baptism and other factual information) are held on computer.
It should be stressed that, even if the PCC and/or incumbent are exempt from notification, the remainder of the Act (and of this leaflet) still applies to them and everyone in the parish handling personal data.
To notify, you should telephone the DPC notification helpline (01625 545740). You will be asked certain questions and then sent a form to complete and return with a fee of £35 (payable annually). Those who are already registered under the 1984 Act need do nothing until asked by the DPC to convert their registration into a notification. You will be asked if you have an information security policy but should not get into trouble for not having one as this is primarily aimed at larger organisations; at parish level the application of common sense should be sufficient.
What are the restrictions on the use of personal data?
The Act sets out eight principles under which personal data may only be obtained, held or disclosed to others if:-
1. Its use is fair and lawful
2. It is to be used only for specified purposes. Individuals should be told, in broad terms, what you are going to do with the information (unless it is obvious) before you use it and given the opportunity to opt out of it being so used.
3. The information is adequate, relevant and not excessive in relation to the purpose for which it is to be used.
4. It is accurate and up-to-date - so periodically all information held should be checked to ensure it remains accurate.
5. The information is kept for no longer than necessary for the purpose - records of pastoral care discussions, for example, should not be kept for several years unless this can be justified.
6. Individuals' subject access rights are honoured - see later.
7. It is kept securely - addresses and phone numbers should not be left where they are open to abuse, and access to more sensitive information should be particularly restricted by either computer passwords or locks on filing cabinets etc as appropriate.
8. Information should not be transferred to any country outside Europe without adequate data protection being in place.
What are subject access rights and how do they operate?
From 24 October 2001 an individual will have the right to receive a copy of most paper-based information held about them by that organisation ('data controller') within 40 days of making that request. You may charge a fee of up to £10 for providing it. This covers all information held on computer and any correspondence and other papers from which that information might be deemed to be reasonably accessible. You do not, therefore, have to scour through minutes etc for any mention of the individual but you would have to produce accessible information held by any church officers.
The general principle is that as much information as possible should be shared with the individual. There are, however, limited categories of material that you may withhold from the individual in the interests of protecting the rights of other individuals to privacy and for the protection of crime etc. You are able to withhold any references that you have given (but not any you have received). When sharing with an individual the information that you hold about them, you must remove anything which would identify a third party. You may also be entitled to hold back information containing serious allegations (for example, of child abuse) if to reveal that information would compromise the proper investigation of those allegations. In such cases you should always seek advice from your diocesan registrar or diocesan office.
When does this all come into effect?
The Act came into effect on 1 March 2000. However, it was recognised that, especially for larger organisations, it is an immense task to examine all files held to determine whether or not they comply with the Act. As a result, the Act's transitional provisions mean that in practical terms the new provisions of the Act (such as the extension to paper-based files) only apply from 24 October 2001. There is a limited extension to 2007 for paper-based files but there is no protection from subject access requests after October 2001 and so you are advised to be prepared from October 2001.
What do I therefore need to do to prepare for the Act?
Incumbents and PCCs will therefore need (like other organisations throughout Europe) by October to:-
1. Identify a person responsible for compliance with the Act.
2. Identify who holds what data and ensure clergy/parish administrators/youth leaders etc are all aware of the new requirements and only record information that could be shared if a subject access request is made.
3. Work out whether or not you need to notify and do so if necessary.
4. Destroy material that you cannot justify still holding, especially if making the information available to the individual(s) concerned would create difficulties (but do bear in mind the archivists of the future).
5. Inform people broadly what information is held about them and the purposes for which it is used (for example if individuals' contact details appear on a parish web site this must be stated, and an opt-out offered). Also specify who should be contacted with any queries - this could be through a paragraph in a newssheet and/or on the church noticeboard.
What are the penalties for not complying with the Act?
An individual has the right to complain to the DPC if they believe you have not handled their data properly. The DPC would then investigate and may require you to comply. Criminal offences apply in certain cases and the courts may impose fines. This, however, is most unlikely if you have made genuine attempts to comply with the legislation. You also need to bear in mind the pastoral difficulty that may result from honouring subject access requests if appropriate care has not been taken in what is kept on files.
Where do I seek further advice if I need it?
In the first instance please contact your diocesan data protection officer at your diocesan office. If you wish to seek advice from the Data Protection Commissioner's office direct, their general helpline number is 01625 545745 and their web site address is www.dataprotection.gov.uk.
This guide has been issued by the Archbishops' Council of the Church of England and is the product of liaison with dioceses and with the Data Protection Commissioner's office. No guide of this length can be comprehensive and you are advised to obtain further advice if appropriate. Liability rests with each legal entity concerned.
January 2001
Contact details for the office of the Data Protection Commissioner:
Information Line 01625 545 745
e-mail: mail@dataprotection.gov.uk
To notify 01625 545 740
e-mail notification: mail@notification.demon.co.uk
Switchboard 01625 545 700
Fax 01625 524 510
DX 20819 Wilmslow
Postal address
Data Protection Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
or website: www.dataprotection.gov.uk
