Last Updated: 14th December 2018
The Data Protection Act 1998 (the “Act”) regulates the way in which information about living individuals (referred to as ‘data subjects’) is collected, stored or transferred. Compliance with the Act is important, because a failure to adhere its terms will potentially expose Urquhart & Glenmoriston Church of Scotland congregation (‘the Congregation’) or indeed in exceptional circumstances, office bearers as charity trustees and employees, to complaints, large fines and/or bad publicity. It will also impact upon the Presbytery who have the role technically of being the “data controller” for the congregation.
This policy therefore sets out what office bearers and employees must do when any personal data belonging to or provided by data subjects, is collected, stored or transmitted onwards; it also seeks to provide general guidance in what is a very technical area of the law.
The Urquhart & Glenmoriston Church Kirk Session and Congregational Board requires all its office bearers and employees to comply with the Act and this policy (both as may be amended from time to time) when handling any personal data. A serious or persistent failure to do so may be regarded as misconduct and may be dealt with in accordance with Act 1, 2010 in the case of office bearers and in terms of the disciplinary policy applicable to them in the case of employees. If asked to do so, office bearers and employees must therefore attend training on Data Protection issues.
Any office bearer or employee who considers that this policy has not been followed in any instance should contact the Urquhart & Glenmoriston Church Data Protection Officer Graham Fraser or Kirk Session Clerk or Congregational Board Clerk.
Notification to the Information Commissioner
It is necessary to notify the Information Commissioner on an annual basis of the Church bodies that are processing personal data. Although there are some exemptions, where data is being processed for pastoral reasons or where CCTV has been installed, notification is always required. This notification for the Congregation is the umbrella registration of the Presbytery of Inverness as the ‘Data Controller’. The Presbytery’s entry can be viewed at: www.ico.org.uk
The Local Church Data Protection Officer Graham Fraser should be advised in writing of any plans to process data of classes or purposes not covered in the registered entry or of any amendments required to it as early as possible. He/she in turn will pass this information to the Presbytery Clerk. A failure to do so, or to knowingly process data other than in accordance with the registered entry, may constitute an offence under the Act.
Data Processing: The 8 Data Protection Principles
The Data Protection Act imposes a requirement only to process personal data in accordance with certain principles. These require that all personal data must:
Personal Data: Definition
Personal data is data which relates to a living individual who can be identified from:
This definition also includes any expression of opinion about the individual data subject and any indication of the intentions of the data controller or any other person in respect of the data subject.
Personal data may either be held electronically or in paper records.
Sensitive Personal Data: Definition
Sensitive personal data is personal data about an individual’s racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, details of the commission or alleged commission of any offence and any court proceedings relating to the commission of an offence.
Sensitive personal data can only be processed under strict conditions.
A significant amount of information held by a Church of Scotland congregation will be sensitive personal data as it is likely to be indicative of a person’s religious beliefs. Office bearers and employees are therefore urged to be extra vigilant when dealing with any such information, as the Information Commissioner is likely to view a breach of the Act in relation to such data as a more serious contravention than a similar breach in relation to “non-sensitive” personal data.
Transfer of Personal Data outside European Economic Area (“EEA”)
The transfer of personal data to any country or location outside of the EEA is a breach of the Act unless:
Given the links that the Church of Scotland maintains with other countries around the world, some personal data may fall into this category. Before transferring such information outside the EEA or giving anyone outside the EEA access to personal data you should contact the Urquhart & Glenmoriston Church Data Protection Officer Graham Fraser, who will check the position with the Law Department, if required.
Type of Personal Data
The type of data processed by the Congregation, its office bearers and employees is likely to fall into one of the following categories:
When an individual provides you with their contact details which it is intended be recorded for future use in connection with the work of the congregation, you must hold, process and use that person’s details in accordance with this policy and the 8 Data Protection Principles. In order to put the principles into practice the office bearer concerned must also be aware of the type of information which is being collected, held or processed and therefore take into account the definitions of personal data and sensitive personal data above.
Data must be obtained for a specific use and be kept accurate and up to date
People must be informed that you are holding the information, what is held, why it is held and how it will be used. Where possible, when obtaining new contact information or other personal data or communicating with a contact for the first time, the relevant office bearer should:
Data must be held for no longer than necessary
Members, office-bearers, employees must monitor their own individual contacts (e.g. in Outlook and/or other databases) and update or remove details where appropriate. If the responsible party notices that the database is out of date, he/she should ensure that this is updated immediately. If someone specifies that they do not wish a particular form of contact with them or indeed that there is to be no contact with them at all, then the instruction must be complied with at once and all databases updated.
Personal data must only be disclosed to those organisations and individuals who the individual has agreed may receive his or her data, or to organisations that have a legal right to receive the data without consent being given. Care must therefore be taken to ensure that information such as names, addresses and telephone numbers of members are not disclosed either over the phone or in writing to non-Church personnel, without such consent being in place. Care should be taken with records such as the Baptismal Register so that only the entry relating to the person concerned is exhibited to him/her and not also those of others who may still be alive.
Action to be taken if data goes missing
The Presbytery Clerk as Data Protection Compliance Officer must be informed immediately if any confidential or sensitive data goes missing. An immediate investigation will be launched by the Urquhart & Glenmoriston Church Protection Officer Graham Fraser who will also inform the Congregational Board. Depending on the circumstances, consideration should also be given to making a report to the Information Commissioner but before doing so guidance should be obtained from the Law Department.
Negligent transfer of data
If an office bearer or employee has been negligent in transferring sensitive and confidential personal data this will be conduct which may result in disciplinary action having to be taken and indeed in the case of an employee could be considered to be gross misconduct, which could result in summary dismissal. This is particularly likely to be the outcome if:
Upon receipt of a written request from a data subject to see any personal data held which relates to them, contact should be made immediately with the Presbytery Clerk who will make arrangements for a response to be made within the statutory 40 day deadline.
Good employment practice dictates that, the Kirk Session/Congregational Board as an employer, will need to keep information for purposes connected with an employee’s employment during employment and for as long a period as is necessary following the termination of that employment.
The data recorded may include:
The Kirk Session/Congregational Board values the privacy of its staff and is aware of the responsibilities under the Act. The Kirk Session/Congregational Board shall therefore process any personal information relating to staff fairly and lawfully and shall endeavour to comply with the Information Commissioner’s code of practice on the use of personal data in employer/employee relationships.
The information held will be for the Kirk Session/Congregational Board’s management and administrative use only, but from time to time, the Kirk Session/Congregational Board may need to disclose some information held about employees to relevant third parties or to another organisation, solely for purposes connected with an employee’s career or the management of the organisation.
Any personal data which is recorded or used in any way whether it is held on paper, computer or other media will have appropriate safeguards applied to it to ensure that it is in compliance with the Act.
The Kirk Session/Congregational Board should make every effort to ensure that the information held is accurate and kept up to date but ultimately it is the responsibility of each individual employee to notify any changes. In the absence of evidence to the contrary, it will be assumed that the information is up to date.
Office bearers and employees who wish further information about data protection should look at the circular on the Church of Scotland website:
Specific queries should be raised with the Urquhart & Glenmoriston Church Data Protection Officer or Session Clerk or Clerk to the Congregational Board who, if appropriate, will take advice from the Law Department.
The Kirk Session/Congregational Board will review this policy on an on-going basis to ensure its continuing relevance and effectiveness in the light of any legislative or other developments. Any substantive changes will only be introduced after appropriate intimation has been given to all concerned.
Appendix 1- suggested form of letter to communicate details of information being held on a person and how it may be used
[I/we] believe the information set out below to be correct. Please do advise [me/us] immediately if our understanding is incorrect or if the details change.
Some examples of purposes – these are not exhaustive:
* a survey relating to the need for additional youth activities for teenagers living in our Parish area.
*for mailing you information about our congregation.
Note: The Presbytery Data Protection Controller has suggested the following definition
‘Pastoral Care, communication and administration purposes’
as a suitably wide definition which will encompass most church purposes.