Data Protection and GDPR

Data Protection

Information and guidance on Data Protection in the Methodist Church

https://www.tmcp.org.uk/about/data-protection 

Resources

Local churches, Circuits and Districts find themselves holding a variety of personal data including details of members and employees. The information accessible from this Data Protection page explains the obligations imposed on Managing Trustees in relation to this data under Data Protection legislation. The guidance helps Managing Trustees to identify what personal data is, how to hold it securely and for what purposes  that personal data can be used. This includes church and Circuit directories and the use of and recording of CCTV.

Current Developments

In 2018 we will see significant changes in Data Protection law with the introduction of the European General Data Protection Regulation (‘GDPR’). Managing Trustees need to be aware of the changes brought about by GDPR and how it will affect local church life.

 

TMCP and the Connexional Team are working together and have formed a Working Party which will oversee the transition from the current legislation to the new laws brought about by the GDPR which come into force in May 2018. For ongoing projects such as the Circuit Directories, steps will need to be taken to ensure compliance with the then current Data Protection law when data is next collected e.g. at the start of the next Connexional Year. Managing Trustees have time to ensure that appropriate processes are put in place.

 

Guidance and support will be rolled out to all Methodist Districts in the coming months to help Managing Trustees understand the steps that will need to be taken to comply with the new requirements.  This will enable Districts to provide practical help and guidance to their local churches and circuits.  This will run alongside target specific training provided by the Working Party which will come in the form of webinars, news bulletins, online articles and live training sessions at a number of different forums.

 

A whole host of policies and procedures have also been identified which will be made available to all Managing Trustees over the coming months by the working party to help ensure compliance with GDPR.

 

As well as identifying the policies and procedures that all local churches, Circuits and Districts will need for compliance with GDPR, the Working Party are also producing step by step practical guidance along with model documents and forms for use by the Managing Trustees.

 

A draft timeline has also been produced by the Working Party which identifies key dates which the Working Party are working towards in preparation of GDPR which includes a GDPR presentation at the District Chairs meeting in March.

 

Guidance for Managing Trustees on Data Protection

 

Managing Trustees will find it helpful to refer to the following guidance:

Guidance notes:

Articles:

Standard Documents and Forms:

  • Data Subject Access Request Form (SAR Form) – Sample Data Subject Access Request Form that can be used by individuals to request details of personal data held.
  • Data Mapping Form for Managing Trustees – Template form that Managing Trustees can use to help them to record what personal data they hold.

  • Non-Exhaustive List of Examples – Examples based on the results of the Working Party’s data mapping exercise to help Methodist Managing Trustees complete the Data Mapping Form .

  • Template Consent Form – Template form of wording that can be adapted for use by Managing Trustees where consent is required. Further guidance on lawful bases will follow but in the meantime please refer to the GDPR Myths article and FAQ 2.2 for guidance on consent and bear in mind that it is not always required.

Charts:

  • GDPR Changes at a Glance – Chart summarising the changes brought in by the General Data Protection Regulation (GDPR).

FAQs:

  • Data Protection FAQs – A sample of questions frequently asked by Managing Trustees about data protection issues.

Publications:

  • Data Protection Booklet  – Detailed guidance on the obligations on Managing Trustees under the Data Protection Act 1998 and the role of TMCP as data controller.

External guidance:

Practical guidance in the form of questions and answers is available via the Parishes Resources website in the Archbishop Council’s Parish Guide to the General Data Protection Regulation (GDPR). Although aimed at the Church of England and containing much of the same information as the General Data Protection Regulation (GDPR) Guidance Note  Managing Trustees may find the guidance of assistance.

Please watch this space for new and upcoming guidance on Data Protection. Further practical guidance will follow over the next few months together with a toolkit of policies, template documents and forms for Managing Trustees to put in place to get ready for the introduction of GDPR.

What do we do if we receive a data subject access request (SAR)?

Managing Trustees need to be aware that individuals have a legal right to know what data is being held about them by making a Data Subject Access Request (SAR). If you receive a SAR please forward this to TMCP immediately as TMCP currently acts as advisor on “Data Subject Access Requests”.

Although TMCP has devised the SAR Form for an individual to complete and submit, there is no specific format which a request for data should take.  If Managing Trustees receive an SAR from an individual then there is a statutory time period of 40 calendar days (note that this will be 30 days after the GDPR comes into force) in which they must respond and Managing Trustees must contact TMCP in its role as data controller at the earliest opportunity.  If Managing Trustees fail to take immediate action within the timescales, they could be liable to a fine or legal proceedings could be instigated as a result of non-compliance with the Act. Please refer to Section C3 of the General Data Protection Guidance Note  for details of the changes to be brought in under the GDPR.

Staying updated

The working party will be regularly updating the Church on developments so please keep referring back to this page and see the Methodist Church website.

You can also receive email alerts from TMCP if you “sign up” to receive notification of new articles published in the News Hub section on the TMCP website. Please sign-up to receive notifications from TMCP’s website to ensure that you receive notice of new and updated guidance on data protection. To do this please look out for the “Stay updated” banner appearing at the foot of each webpage, insert your contact email address and confirm you would like to receive notifications when you receive a welcome email from TMCP.
 
If you have any general queries on Data Protection please contact TMCP.