This guide was published in January 2001 by the Archbishops' Council. Though a couple of years old, the advice given is still valid...
The Data Protection Act 1998 has substantial implications for the Church of England which affect every parish. The Act is designed to protect the rights of identifiable living individuals concerning information about them (known as personal data). It covers basic factual information (such as names and addresses) and expressions of opinion (such as in references). This leaflet provides important advice which should be sufficient to enable most parishes to comply with the Act.
The new Act extends data protection to much of the personal data held in paper-based files (it previously applied only to information on computer). It also requires greater security where data is classified as sensitive (which includes a person’s religious affiliation) and where information is passed beyond the European Union either directly or by being placed on the internet.
Notification used to be known as registration and is the process whereby a data controller informs the Data Protection Commissioner (DPC) that they are processing (handling) personal data. Each incumbent and each PCC is considered to be a data controller since they are separate legal entities who will be processing personal data. Each needs to decide whether they need to notify. PCCs should be exempt from notification. Incumbents (or priests-in-charge) should not need to notify unless records of pastoral care discussions (relating to beliefs, relationships, opinions etc rather than dates of birth/baptism and other factual information) are held on computer.
It should be stressed that, even if the PCC and/or incumbent are exempt from notification, the remainder of the Act (and of this leaflet) still applies to them and everyone in the parish handling personal data.
To notify, you should telephone the DPC notification helpline (01625 545740). You will be asked certain questions and then sent a form to complete and return with a fee of £35 (payable annually). Those who are already registered under the 1984 Act need do nothing until asked by the DPC to convert their registration into a notification. You will be asked if you have an information security policy but should not get into trouble for not having one as this is primarily aimed at larger organisations; at parish level the application of common sense should be sufficient.
The Act sets out eight principles under which personal data may only be obtained, held or disclosed to others if:-
Its use is fair and lawful.
From 24 October 2001 an individual will have the right to receive a copy of most paper-based information held about them by that organisation (‘data controller’) within 40 days of making that request. You may charge a fee of up to £10 for providing it. This covers all information held on computer and any correspondence and other papers from which that information might be deemed to be reasonably accessible. You do not, therefore, have to scour through minutes etc for any mention of the individual but you would have to produce accessible information held by any church officers.
The general principle is that as much information as possible should be shared with the individual. There are, however, limited categories of material that you may withhold from the individual in the interests of protecting the rights of other individuals to privacy and for the prevention of crime etc. You are able to withhold any references that you have given (but not any you have received). When sharing with an individual the information that you hold about them, you must remove anything which would identify a third party. You may also be entitled to hold back information containing serious allegations (for example, of child abuse) if to reveal that information would compromise the proper investigation of those allegations. In such cases you should always seek advice from your diocesan registrar or diocesan office.
The Act came into effect on 1 March 2000. However, it was recognised that, especially for larger organisations, it is an immense task to examine all files held to determine whether or not they comply with the Act. As a result, the Act’s transitional provisions mean that in practical terms the new provisions of the Act (such as the extension to paper-based files) only apply from 24 October 2001. There is a limited extension to 2007 for paper-based files but there is no protection from subject access requests after October 2001 and so you are advised to be prepared from October 2001.
Incumbents and PCCs will therefore need (like other organisations throughout Europe) by October to:-
An individual has the right to complain to the DPC if they believe you have not handled their data properly. The DPC would then investigate and may require you to comply. Criminal offences apply in certain cases and the courts may impose fines. This, however, is most unlikely if you have made genuine attempts to comply with the legislation. You also need to bear in mind the pastoral difficulty that may result from honouring subject access requests if appropriate care has not been taken in what is kept on files.
In the first instance please contact your diocesan data protection officer at your diocesan office. If you wish to seek advice from the Data Protection Commissioner’s office direct, their general helpline number is 01625 545745 and their web site address is www.dataprotection.gov.uk.
This guide has been issued by the Archbishops’ Council of the Church of England and is the product of liaison with dioceses and with the Data Protection Commissioner’s office. No guide of this length can be comprehensive and you are advised to obtain further advice if appropriate. Liability rests with each legal entity concerned.
January 2001