Data Protection Law and Your Church

It’s the first morning of your church’s holiday club. Volunteers are buzzing around; parents and children are beginning to wander through the door. Excitement is mounting. You’re ready with your registration sheet to take names, addresses, phone numbers and dietary information so you can keep in contact with the family.

Or perhaps you’re looking through the new list of church members, updating addresses and phone numbers, trying to format it all.

Sound familiar?

But what do you do with the information you’re holding? How do you keep it? How do you make sure it’s safe? These questions will become even more important in 2018 when changes in data protection law come into force.

From 25 May 2018, the 1998 Data Protection Act will be replaced by the General Data Protection Regulation (GDPR).

This will mean changes for how your church handles personal information and it also means more consequences for you when information isn’t properly looked after. From May 2018 churches will have an even greater responsibility to care for the information that the mum from holiday club scribbled down on a registration form.

So what’s happening and what does it mean for your church? How can we love our church families and communities well as we seek to honour God in this? Here are some questions and pointers to get you thinking about how to approach this positively.

Review your current procedures

What personal information does your church keep? Addresses, phone numbers, email addresses or members or other contacts? Who uses this information? How do you store it?

Consent

One the major changes which will come in with GDPR is how you get consent for the information you hold. Consent will need to be given clearly in a separate form. Do you have a process for this?

Storing information securely

How do you store the information you hold? If it’s paper copies, are they securely stored? If it’s stored digitally, is it encrypted? Who has access to the information? GDPR will mean churches need to be more aware of securing information from any ‘data breaches’. Your church will be responsible for looking after the information that people trust you with.

Using information responsibly

Do you have someone who is responsible for data protection in your church? How long do you keep information for? Why do you keep it? Get thinking about how you can incorporate data protection in the planning level of all your events. Get used to factoring it into your planning and processes.

A note on Brexit and GDPR

As a regulation, GDPR came into force automatically across the European Union, without member states needing to pass additional laws. Brexit has not made any difference to the UK as the new Data Protection Bill repealed the Data Protection Act 1998 and incorporated the GDPR into UK law (the Data Protection Act 2018).

This may seem like a lot of information to take in, but don’t panic! We’ve done a lot of the thinking for you and you can read the details in this booklet. To help you implement these changes, we have produced a pack of model documents which are available for you to buy.

This pack includes:

• Data protection policy and guidance
• Information security policy
• Draft privacy notice
• Retention of records policy
• Complaints process
• Audit checklist for compliance
• Breach procedure

It’s available for £160 (ex VAT). To find out more and purchase the pack, visit the ECS website.

We hope this pack helps you to serve your congregations and communities in a God-honouring way as we navigate our way through these changes.

First published on 28/11/17 and last updated on 06/10/23.

This information has been provided by solicitors working for Edward Connor Solicitors. It is designed for the purpose of knowledge sharing only and does not constitute legal advice.