In an earlier life I was a teacher of science and computing. I entered ministry in 1986 when personal computers first began to be affordable (anybody else remember the Amstrad PCW8256?) and we were one of the very first churches to be keeping our members’ details on computer. Ever since then, other ministers, churches and charities have been asking me for advice on such things. Since I serve on the Eastern Baptist Association Council with the brief for Finance and Administration, last year EBA sent me on a training day for charity trustees run by the BU Solicitors Anthony Collins and one of the very helpful sessions was on Data Protection. So I am the logical person to write something on the General Data Protection Regulations which come into effect this month on May 25th.
These new laws replace the 1998 Data Protection Act and are in certain areas much stricter. The BU website has a very helpful guidelines document L13 on Data Protection which you can find at https://www.baptist.org.uk/Articles/368695/BUC_Guideline_Leaflet.aspx I urge you to have read this leaflet carefully, since ignorance of the law will not be a defence. This brief article sums up a few of the key things you will need to have in place before May 25 in order to comply with GDPR.
GDPR is concerned with information the church and ministers may wish to store and use about members, congregation and friends of the church. It does not matter whether you keep the information electronically or on pieces of paper – the law applies equally. For some purposes you can say that you are holding the information on the grounds of necessity for their legitimate interest. Specifically you can say your church needs to keep a list of who your members are and of ways to contact them, in order to offer them appropriate care and support. However, while that allows you to use their information for those purposes, it does not allow you to use it for other purposes. So, if e.g. you want to produce a church directory to circulate among church members and congregation, or if you want to use the data to send regular emails to folk who are not currently members of the church, then you will need to get their specific permission to do those things.
Data means not only names, addresses, phone numbers etc but also anything which can be identified with a living person, including for example photographs or voice recordings of them. So it is important to have written permission before you use any photographs with recognisable faces in church publicity either in print, or online, or even pinned up on the walls of the church (since those photos might be removed by users of the church). You need to be particularly careful about kinds of information which are deemed to be “sensitive data.” This would include information on a person’s “religious affiliation,” which you are not allowed to share, which is why printing a photo of that person in a church service would need their permission.
Other “sensitive data” would include pastoral details on a person, such as any minister’s notes of pastoral visits, or reports on their medical condition etc. Such information should never be shared without explicit permission and is better not put in print on newsletters or church/deacons’ meeting minutes or in emails.
Here come the really boring bits ☹ There is a whole page on the BU website on GDPR matters, with most of the materials you will need and a useful FAQ link, at https://www.baptist.org.uk/Groups/304642/Data_protection_documents.aspx
The very legal bit – many churches will need to register as Data Controllers with the Information Commissioner’s Office. There is an exemption for not-for-profit organisations including churches, which only store data in order to establish and maintain membership. Small churches (like my own) can rely on this exemption, but many cannot. You should read the FAQ document on the BU website and then to be sure visit the ICO webpage at https://ico.org.uk/for-organisations/register and take their quick self-assessment survey to see whether you need to register or not. In particular, if you use CCTV, or if you are ever keeping sensitive pastoral information (more than just membership/contact details) then you will need to register.
Below are key things every church need to do.
Each church needs to have a Data Protection Policy. There is a template on the BU page for you to adapt (it is 14 pages long!).
Each church need a Privacy Statement describing what data it holds and how it uses it. There is a sample for you to adapt, and you will probably need to vary it for the different groups of people you hold information about.
You will need a Contact and Consent Form – again the page has an example. These will need to be signed and then stored somewhere secure (e.g. a locked filing cabinet).
You can rely on the BU sample documents but you may decide you need to adapt them. Since they may be of interest, below are the versions of the Privacy Notice and Consent Forms which we are using at NSBC, together with the different versions of those which apply to our Toddler Group. We also have other versions for those who give including Gift Aid and those who pay us for use of our premises or who we pay for services from time to time.
Nobody enjoys GDPR (not even us geeks) but the Information Commissioner’s Office has big teeth and in today’s world, sadly, there are people who would enjoy making mischief for churches which have failed to follow the legislation. I will be happy to give an informal response to queries by email if you need help understanding all the documents.
So I wish you well as you prepare for May 25th. That’s just 3 weeks away!
peter@collegeofbaptistministers.com
Treasurer of The College of Baptist Ministers
North Springfield Baptist Church
CONTACT DETAILS FOR MEMBERS AND FRIENDS OF THE CHURCH
PRIVACY NOTICE
Under Data Protection legislation the church Charity Trustees of North Springfield Baptist Church are the Data Controller and the Minister acts as our Data Protection Officer. We are collecting this information to enable the church to keep in touch with you and provide pastoral support as appropriate. Data Protection legislation allows us to process this information as we regard it as being in the church’s legitimate interest.
Your name and contact details will be entered into our password-protected church database which is administrated by the Church Secretary and held on her personal computer, (who will also keep this form). This will be shared only with the Minister, the Church Secretary, the Trustee Responsible for Safeguarding and the Treasurer. Your contact details will be removed from the database if you are no longer involved with the church.
The minister’s appointments diary may retain contact details for other people he has met with or visited which will not be shared with anybody else. For legal reasons this information will be retained indefinitely.
With the exception of confirming whether an individual is a member of the church and/or has been baptised as a believer, the church keeps no record of sensitive data.
NAME ___________________________________________________________
Street Address _________________________________________________________
Email Address _________________________________________________________
Phone _________________________________________________________
Signed ___________________________ Date ___________
CHURCH DIRECTORY
We would also like to include your name and contact details (street address, email address and phone number and whether a person is a church member) in our Church Directory listing members and friends. This will be kept electronically in a password-protected file by the Church Secretary which will only be shared with the Minister, the Church Secretary, the Trustee Responsible for Safeguarding and the Treasurer. The Church Directory will be distributed on paper to all those Church Members and friends who have given permission for their names to appear in it. We will not give copies of the Church Directory to anyone else and those who have a copy will not be allowed to share information from it with anybody else. Inclusion in the Church Directory implies permission for the church to contact you using those contact details to inform you of church events and activities. The Directory will be renewed at least once a year and previous copies destroyed. You can ask for your details to be removed from the electronic file at any time and they will not be printed from that point. Please note – you are under no obligation to agree for your details to appear in the Church Directory. If you are happy to give us consent for your details to be included in this Church Directory please indicate so below.
I am happy for my details to be included in the NSBC Church Directory.
Signed ___________________________ Date ___________
You have the right to ask to see any information we hold about you by submitting a ‘Subject Access Request’ to the Church Secretary. You also have the right to ask for information which you believe to be incorrect to be rectified. If you are concerned about the way your information is being handled please speak to our Data Protection Officer – contact Rev Peter Thomas at the church or peter@northspringfieldbaptistchurch.org. If you are still unhappy you have the right to complain to the Information Commissioners Office.
CONSENT FOR PHOTOGRAPHS AT NSBC CHURCH SERVICES AND EVENTS
We may sometimes take photographs during church services, events and activities. The original digital images would be kept secure and would never be shared with anyone except in the process of the purposes below. Adults and children will never be identified by name alongside any photographs.
1 Some photographs may be shared for publicity purposes beyond the church but only if they contain no recognisable individuals: e.g. if the photo shows a rear view of a group but with no faces or identifiable garments, or if the printed or online image is too small to allow identification of individuals. We will let you know if we are wishing to take a photo for this purpose to allow you to remove yourself from the picture.
2 We may wish to use other photographs including recognisable faces in church publicity, for example on our Notice Sheet or Haven News, or online on our website or Facebook page. We will only use photographs including you or your children for this second purpose if you have given us permission which will be specific for each occasion, by signing below.
PLEASE NOTE: you are not obliged in any way to give your consent for photographs under purpose 2.
I give permission for photographs including myself and/or my children to be used in church publicity under the terms of purpose 2 above. The consent given below applies only for the specific photographs taken on / / .
SIGNED ___________
TODDLER GROUP
Registration Form
PRIVACY NOTICE
Under Data Protection legislation the church Charity Trustees of North Springfield Baptist Church are the Data Controller and the Minister acts as our Data Protection Officer for all information held by the Church. We are collecting this information to enable the church to keep in touch with you and support you as appropriate. Data Protection legislation allows us to process this information as we regard it as being in the church’s legitimate interest. Toddler Group information will be kept on these forms securely in a locked cabinet. It will only be accessible to the Toddler Group Leaders, the Minister, the Church Secretary and the Trustee Responsible for Safeguarding. Your contact details will be removed from the database once you are no longer involved with Toddler Group.
You have the right to ask to see any information we hold about you by submitting a ‘Subject Access Request’ to the Church Secretary. You also have the right to ask for information which you believe to be incorrect to be rectified. If you are concerned about the way your information is being handled please speak to our Data Protection Officer – contact Rev Peter Thomas at the church or peter@northspringfieldbaptistchurch.org. If you are still unhappy you have the right to complain to the Information Commissioners Office.
Date……………………………..
Name of Parent/Carer ………………………………..…………………
Telephone Number………………….……………………………….……..
Address………………………………………………………………………..
e-mail (please print carefully)……………………………………………………
Relationship to child/children……………………………
Child 1 Name………………………………………..…….
Date of birth………………………
Address if different from above (for birthday card only)
Child 2 Name…………………………..………….
Date of birth………………………
Address if different from above (for birthday card only)
Name…………………………………………………………..….. Signature ……………………..
If our register is full then you will be notified as soon as a place becomes available.
CONSENT FOR PHOTOGRAPHS AT TODDLER GROUP
We may sometimes take photographs during Toddler Group activities. The original digital images would be kept secure and would never be shared with anyone except in the process of the purposes below. Adults and children will never be identified by name alongside any photographs.
1 Some photographs may be shared for publicity purposes beyond Toddler Group but only if they contain no recognisable individuals: e.g. if the photo shows a rear view of a group but with no faces or identifiable garments, or if the printed or online image is too small to allow identification of individuals. We will let you know if we are wishing to take a photo for this purpose to allow you to remove yourself from the picture.
2 We may wish to display some photographs including recognisable faces at Toddler Group sessions. These would be mounted on a board which would be securely locked away at all times except during Toddler Group sessions. These photos will never be shared with anybody either online or on paper. We will only use photographs including you or your children for this second purpose if you have given us permission.
PLEASE NOTE: you are not obliged in any way to give your consent for photographs under purpose 2.
I give permission for photographs including myself and/or my children to be displayed only at Toddler Group sessions under the terms of purpose 2 above.
Signed _________________________________
Date ________________________
Categories: