The General Data Protection Regulation GDPR parish workshop

GDPR – to cover
- What is the GDPR?
- What does it mean to parishes?
- What changes will it bring?
- How should parishes make these happen?
- Q&A and opportunity for discussion

GDPR – What is the GDPR? The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).

GDPR – Effective date

GDPR – who knows what?
- With the introduction of the GDPR, we are dealing with a developing situation
- ICO* are still shaping it & working on guidance
- The lawyers are still working out what parts of it mean in practical terms
* ICO is the Information Commissioner’s Office

GDPR – key definitions
- Personal data is information about a living individual which is capable of identifying that individual, e.g. name, address, IP address.
- Processing is anything done with/to personal data, including storing it.

GDPR – key definitions
- Data subject is the person about whom data is processed.
- Data controller is the person or organisation who determines the how and what of data processing. (In a parish, this is usually the PCC or parish priest.)

GDPR – Data protection principles
Personal data must be:
- used lawfully, fairly and with transparency
- collected and used for specified, explicit and legitimate purposes
- used in a way that is adequate, relevant and not excessive
- accurate, and kept up to date where necessary

GDPR – Data protection principles
- kept for no longer than is necessary for the purposes for which the data is held
- used and kept in a way that ensures security and protection
- Being able to demonstrate compliance with all of the principles (‘accountability’)

GDPR – What the GDPR means for us A cultural shift in our approach to data protection. Need to be more conscious of and intentional about data protection than before.

The General Data Protection Regulation Overview of Key Changes

GDPR – Overview of Key Changes
1. Accountability – we must be able to demonstrate our compliance as well as be compliant. We must know what personal data we hold, and be able to account for it. Gone are the days when you can have something in a cupboard that you don’t know about, in a partially deleted file you may or may not know exists, or in a data cloud somewhere…

GDPR – Overview of Key Changes
2. Changes to Privacy Notices (also called Data Protection Notices). GDPR requires more detail and more specific application of the notice. Parishes have 2 Privacy Notices.
3. Lawful basis and consent for processing activity. Now need to identify the lawful (or legal) basis (there are 6) for processing activity. Consent is one.

GDPR – Overview of Key Changes
4. Data Breaches. Breaches must be identified, recorded and in more cases reported to the ICO, within 72 hours. Mechanisms needed to handle these.
5. Increased Individual Rights. Includes new shorter response time to ‘Subject Access Requests’: 1 month (used to be 40 days).

GDPR – Overview of Key Changes
Everyone will need to be more aware and consider:
- Is what I am doing in accordance with the Data Protection principles?
- Am I upholding the terms of the Privacy Notice?
- If a person were to ask to see what we are holding on them, is there anything I would wish I had done differently, or that I would find hard to justify?

The General Data Protection Regulation Key changes in more Detail

GDPR – Key Changes in more detail
Next we will consider:
- How will these key areas impact on parishes?
- What do parishes need to do to comply?

The General Data Protection Regulation Data Audit and Recording

GDPR – Data Audit and Recording
Who is involved in a Data audit? All of the key data users coming under the ‘data controller’, i.e. the PCC. So, in parishes, that will include the parish clergy, PCC officers, staff and volunteers.
Are we in the Diocese the only ones who this concerns? No, all organisations (charities, businesses etc.) in the UK and EEA are affected.

GDPR – Data Audit and Recording
Why is it necessary? The GDPR requires us to know what data we are holding about people that we deal with, informing them what we have, why, and reassuring them that their data is secure. We are also required to be able to give a report at any time, e.g. to our Trustees, the data protection authorities.
What happens if we don’t do it? Not knowing what you have is ‘dangerous’, as you can’t control it or account for it. NB – An organisation was fined when data it didn’t know it had was wrongfully accessed and used.

GDPR – Data Audit and Recording Data audit and recording begins with the following questions…

GDPR – Data Audit and Recording
You need to be asking…
- What personal data do we hold?
- Where is it being held (including all electronic (incl. mobile) and paper based locations)?
- Where has the data come from?

GDPR – Data Audit and Recording
- What is the data being used for?
- Who has access to the data, and for what reason?
- Which 3rd parties is the data shared with, how, and with what clearance?

GDPR – Data Audit and Recording
Further action – you may need to:
- Identify a key place for data
- Move data to a different location or device
- Take steps to improve data security
- Delete certain data
- Check whether a Data Privacy Impact Assessment (DPIA) is required

The General Data Protection Regulation Data Breaches
We now turn to: Data Breaches

GDPR – What is a data breach? A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

GDPR – Data breaches
Data breaches caused by the transmission of emails are amongst the most prevalent.
- Email and/or attachments being sent to the wrong person (or several people).
- Paper files being accessed by unauthorised persons.
- Loss or theft of a laptop or memory stick.

GDPR – Data breaches
- Confidential waste not disposed of correctly.
- Confidential data left on top of printers/photocopiers.
- Computer screens left with personal data on view.
- Intruder penetrating the computer systems.

GDPR – Document and Report
Under GDPR:
- Not all personal data breaches have to be reported. However, it is mandatory for the data controller (i.e. the PCC) to ensure that a personal data breach is reported to the ICO if it is likely to result in a risk to a person’s rights and freedoms.
- A record must be kept of data breaches, together with a report on the breach.
- Where a personal data breach has to be reported to the ICO, this must be done without undue delay, and not later than 72 hours after becoming aware of a breach.

GDPR – avoidance
To avoid data breaches:
- Pause and check the recipient email address before ‘send’ – watch out for ‘autocomplete’.
- Use BCC (blind carbon copy) if the recipients should not be seeing each other’s email addresses. To fail to do so will cause a breach.
- Consider the nature of any attachment to the email.
- Secure locking of cupboards and office areas.
- Be aware of computer screens, e.g. in the vestry, and of papers left unattended in open areas.
- Ensure adequate computer security is in place.

GDPR – in the event of a data breach
1. Immediately recall the email (if applicable). Even if the email is not recalled, this has the benefit of signalling to the unintended recipient that the email has been sent in error.
2. Contact the lead Data Protection person for the parish, and also gather key people around for their input/judgement.
3. The lead Data Protection person will ask for details of what happened, and any action taken.
4. He/she will give you instructions which you should carry out straight away, unless told otherwise.
5. Keep the lead Data Protection person informed of updates.

The General Data Protection Regulation Individuals’ Rights
Now we turn to Subject Access Requests

Individuals’ Rights
1. To be informed
2. To access data
3. To rectify mistakes
4. To have data erased (‘be forgotten’)
5. To restrict processing
6. To make data portable
7. To object to processing
8. To object to automated decision-making

GDPR – Subject Access Requests (SAR)
- The 2nd of the listed rights which individuals have is to access their personal data to see what is being held, and to check the lawfulness of the use, and accuracy of the data.
- The Data controller has 1 month from the receipt of a SAR to comply (used to be 40 days).
- No charge (used to be £10 admin fee).
- SARs to most parishes have been infrequent to date. Informed opinion is that SARs may increase.

GDPR – Subject Access Requests (SAR)
What to do if a SAR is received:
1. Recognise the receipt of a Subject Access Request.
2. Having recognised that you have received a SAR (or if in any doubt), get in touch without delay with the Data Protection Compliance Officer for your parish.
3. Take action to ensure the request is responded to within one month.

The General Data Protection Regulation Privacy Notices and Consent
Now we turn to Privacy Notices

GDPR – Privacy Notices and Consent
What are these and what do they involve?
- Individuals continue to have a right to be informed about the processing of their data. This is through a privacy/data protection notice.
- Under the GDPR parishes must send (or give a link to) a Privacy notice to all individuals whose data is being processed (including data being stored).

GDPR – Privacy Notices and Consent
Privacy Notices are now lengthy and must include:
- Purpose and lawful basis for processing
- Third parties to whom their data will be transferred
- Data retention periods, or criteria used to determine the retention period (e.g. whilst in employment)
- Individuals’ right to lodge a complaint with the ICO
Data controllers must uphold what is stated in their Privacy Notices.

GDPR – Privacy Notices and Consent
Parishes have 2 Privacy notices:
- Role holders in the parish (e.g. PCC members, Safeguarding officers)
- Non-role holders (i.e. a general privacy notice, for everyone else)
Key difference – the Role holders privacy notice reflects the role holders’ data being passed, without their consent being required, to the diocesan and bishops offices, to enable and support the role holders in carrying out their role.
No response is required to privacy notices. They contain everything a parish needs. They don’t need to be signed. They must be made available, e.g. on the parish website, or put up on the notice board. Individuals are also to be invited to give their ‘consent’ to use their data where required.

GDPR – Privacy Notices and Consent
The GDPR brings increased requirements around the need to obtain consent.
- Parishes need the consent of ordinary churchgoers and electoral roll members to whom the PCC wishes to send e.g. newsletters, or information about church activities.
- This should be made known e.g. at APCM, church services, and forms (with link to Privacy Notice) included in welcome packs, and at back of church.
- Consent must be capable of being freely given (by ‘opt-in’ not ‘opt-out’ method) and easily withdrawn.
- Parental/guardian consent is needed for children under 13 (in accordance with a UK Bill; the GDPR actually states 16).
- A record of consent given must be retained.

The General Data Protection Regulation Contracts
Now we turn to policies on data protection

GDPR – Contracts
The GDPR requires that a parish:
- Updates its contracts to ensure they are GDPR compliant, e.g. remove reference to consent in employee contract templates
- Recognises when others are processing its personal data, and ensures they do so securely
- Considers how data processors, e.g. digital service, payroll or pension providers, are selected
- Ensures there is a written contract in place which imposes GDPR obligations, with clear liabilities

GDPR – Contracts
Obligations placed on data processors require that those processing the parish’s data:
- Do so under the parish’s instruction
- Ensure confidentiality
- Keep the parish’s personal data secure