Presentation on theme: "Data Protection for Church of Scotland Congregations"— Presentation transcript:
1 Data Protection for Church of Scotland Congregations
2 How many of the following have happened to you? You have received junk-mail which used your name and address.An unsolicited telesales call has been made to your home.Your bank has alerted you to ‘unusual’ activity in relation to your account.Your car has been ‘cloned’ and you have received speeding fines that you weren’t due.
3 Some questions that are worth asking: How did these people get access, or why do they want access, to your personal data?Who else holds personal information about you?How might that information be used or misused?What rights do you have in relation to personal data and privacy?
4 Some reasons for having ‘Data Protection’ legislation Information is… everywhere!
5 Some reasons for having ‘Data Protection’ legislation To safeguard personal privacy.To prevent information about individuals from being used unfairly or fraudulently.To ensure that bodies which hold personal information respect confidentiality and observe good practice.To give individuals the right to know what information is held about them.
6 What does this mean for the Congregations? The Church is a body which holds personal information about individuals.As office bearers you have an obligation to behave responsibly in relation to the information that is held.The Church must observe good practice and also abide by the provisions of the Data Protection Act 1998, where it applies to use of personal data.
7 The Data Protection Act 1998 Key Themes TransparencyChoiceData QualitySecurityIndividual rights
8 What is ‘Personal Data’? InformationInformation which relates to a living individual identified:– from that data– from that data and other information which is or is likely to be in the possession of the Data Controller– held electronically or manually in a relevant filing systemE.g. Name, job title, telephone number, address, date of birth, postal address.
9 Sensitive Personal Data Personal Data consisting of information on:racial or ethnic originpolitical opinionsreligious or similar beliefstrade union detailshealth datasexual orientation dataoffences or alleged offencescourt proceedings
10 Sensitive Personal Data Before a congregation uses any data of this nature, the following conditions must be satisfied:EITHERthe data must be used in the course of the congregation’s legitimate activities and be ‘not for profit’;the data must be used with appropriate safeguards for the rights and freedoms of the people concerned;the data must be restricted to those who are members or who have regular contact with the Church; andthe data must not be disclosed to any third party.ORthe data subjects must have given explicit consent for this particular use
11 Who are Data Subjects?The Individual to whom Personal Data relates, for example:An EmployeeA Job applicantA Former employeeA MinisterAn Office BearerA Committee MemberA Church MemberAn adherent
12 Data Processing Processing is handling data in any way: – collecting personal data;– storing in a database;– ordering in a filing system;– editing data records;– transmission onwards to a third party.A “Data Processor” any person or organisationwho processes personal data on behalf of the data controller
13 Data ControllerData Controller: is a person or organisation that determines the purposes for which and the manner in which personal data will be processed.For congregations this is the Presbytery Clerk.It is necessary to notify the Information Commissioner on an annual basis.Small exemption for ‘not for profit’ organisation.But remember CCTV!
14 The BasicsThe Act does not prohibit the use or distribution of information, rather it governs the way information and people are treated.
15 protection principles? The BasicsWhat are the 8 dataprotection principles?
16 Data Protection Principles Be processed fairly and lawfully;Be obtained for specific and lawful purposes;Be kept accurate and up to date;Be adequate, relevant and not excessive in relation to the purpose for which it is used;
17 Data Protection Principles Not be kept for longer than is necessary for the purpose for which it is used;Be processed in accordance with the rights of Data Subjects;Be kept secure to prevent unauthorised processing and accidental loss, damage or destruction; andNot be transferred to any country outside the EEA.
19 The Information Commissioner’s Office “The UK’s Independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.”The ICO:Promotes good practice,Produces guidance on various topics,Makes rulings on complaints against organisations, andTakes action where there are breaches of the Act.
20 The Information Commissioner Enforcement NoticesCriminal SanctionsFines – up to £500,000Brighton and Sussex NHS Trust: £375,000Ealing Council £80,000Hounslow Council £70,000A4e Limited £60,000Norwood Ravenswood £70,000
22 Recommendations for Congregations The ICO StudyAreas of Good Practice:Areas for Improvement:Access to ITBuilding SecurityConfidential WasteImplement a Data Protection PolicyPassword securityClear Desk PolicyHome working?IT Security featuresTraining
23 Recommendations for Congregations DATA PROTECTION PACK FOR CONGREGATIONS
24 Recommendations for Congregations Conduct an audit of your current data handling:Take time and care to draw up a list of all areas of Church life where personal data is held and used.For each of these, consider whether you can observe better practice in line with the eight principles, the areas of good practice and areas of improvement in the ICO Report.Always take special care over any data which would be classed as ‘sensitive’.Do not use data for any ‘broader’ purpose, without first consulting the Presbytery Clerk.
25 Recommendations for Congregations Carry out a review of any historical records that your congregation holds, in either electronic or manual form.Archive any records that you are obliged to keep – e.g. minute books and baptismal registers.Consider deleting or destroying any records that are no longer required. Take care over how you dispose of these.Consider deleting any information that you would be embarrassed to disclose if you received a ‘data request’.