What do I do if there is a data breach?
You should, as a matter of course, be regularly assessing the risks associated with your processing of personal data, seeking to identify those areas of activity which represent the highest risk (a combination of the likelihood of something going wrong and the impact if it should go wrong). Working practices, technology use and the people involved will change over time, and you should consider changing the way you process data in order to minimise the risk of data being accidentally disclosed, corrupted or lost.
A data breach is when data is lost, damaged or inappropriately disclosed. You should keep a record of all data breaches, however small, and review them on a regular basis so that you have information about where the greater risks might lie.
If a data breach results in a high risk to individuals – perhaps the possibility of identity theft – the GDPR makes informing the ICO and the individuals affected compulsory – and within 72 hours. If you have a serious data breach and need advice you should contact your diocesan registrar without delay.
Can I rely on consents already in place?
You should review any consents you have on record to check whether they comply with the stricter rules under the GDPR. Consent must be specific, informed and active – silence or inactivity is not sufficient. Individuals must be able to withdraw consent. Consent to process sensitive personal data must be explicit; however, consent to process other types of personal data does not need to be explicit. The basic rule is that if consent was obtained using an opt-out box, or is ambiguous, you cannot rely on it.
Do I need to register with the ICO?
The ICO maintains a register of Data Controllers, although many charities and not-for-profit organisations are exempt from registering. Those who do need to register will also pay a fee, although again there are exceptions for small charities. In general, churches fall into the exempt category, unless they operate CCTV for the purposes of crime prevention (in which case registration is mandatory).
The ICO has online questionnaires to help you work out if you need to register and pay a fee:
Are there special rules relating to children?
Under the GDPR, parental consent is required for the processing of personal data of children under 16. You have to be able to show that consent was given lawfully, so when collecting children’s data you must make sure that your privacy/data protection notice is written in language that children can understand. You must keep copies of consents.
Do I need to appoint a Data Protection Officer?
Data Protection Officers are specifically required in certain circumstances under the GDPR, such as where organisations process sensitive personal data on a “large scale”. The processing of sensitive personal data by the PCC and/or incumbent is unlikely to be classed as “large scale”. Parishes are highly unlikely to be required to have a Data Protection Officer.
Are there special arrangements for CCTV?
Parishes with CCTV should check whether adequate signs have been erected containing the right level of detail. The ICO has a code of conduct for CCTV users which recommends that a sign is erected notifying visitors that they are being recorded. Parishes should revisit their signs to ensure full transparency – for example, does the sign state that automatic number plate recognition software is used, and does it list all the purposes for which the collected data will be used?