Maintain Privacy & Confidentiality

We expect all parishes to abide by the principles of Data Protection

Mostly this is names and addresses of parishioners and the information on the electoral roll. It may be stored on a computer or in a card index or similar. However it is recorded, it is subject to the Data Protection Act 1998. This page gives some information about the Act and some links to where you can get further information.

The Data Protection Act 1998 (“the 1998 Act”) gave individuals the right to know what information is held about them and provides a framework to ensure that personal information is handled properly. It also states that organisations need to uphold 8 principles of good information handling.

Notification to the Information Commissioner's Office (ICO)

We can confirm that general Church administration is exempt from notification; however, if the Church operates CCTV, notification is required.
Also, if a member of the clergy records pastoral care notes electronically, they must notify the ICO.
For details of the exemptions please refer to our on-line Notification Exemptions – self-assessment guide at
Data Controllers must comply with the provisions of the 1998 Act even if they have decided that they are exempt from notification. The eight Data Protection Principles can be found at

At this stage parishes are not subject to the Freedom of Information Act.

For more information visit the Information Commissioner's website at

For specific information aimed at charities visit
Get ready for the General Data Protection Regulation
Clergy and PCCs need to make preparations for the General Data Protection Regulation (GDPR) which comes into force on May 25th 2018. And the best way to start is to follow our simple steps.

The General Data Protection Regulation is a stronger version of the Data Protection Act which we are already legally obliged to comply with.  It takes into account the massive changes in technology since the Data Protection Act was introduced in 1988. The GDPR enhances and strengthens an individual’s rights.

All parishes and clergy must comply with GDPR. As soon as you gather information – on an electoral roll or mailing list for instance – then you need to comply.  The GDPR does not prevent you from holding data provided you treat it responsibly.

You will need to comply if you hold information that can identify a person by reference to any of these things:
  • Name
  • An identification number
  • Address
  • Email address
  • Sensitive personal data (health, sexual orientation)
Your first simple steps
You must take this seriously but you don’t need to panic. We will be issuing plenty of guidance and forwarding information from the national church and Information Commissioner's Office (ICO). But for now take these simple steps.

Step One: First you need to appoint a “Data Compliance Officer”. That may be your PCC Secretary or an employee. They need to be your expert (and a key person for us to send information to). When you have chosen this person ask them to email so we can keep them up to date with information.

Step Two: Talk about GDPR at your PCC so all your trustees share in the responsibility for making this happen.

Step Three: Review the personal information you hold. You can use this form to help you.
You will then need to do some work around how you seek consent, keep and delete data, how you manage requests for information and other elements of this. We will be putting together further briefing about this over the next few weeks.


Useful Resources

Government advice

For general advice about data protection and the 1998 Act.

Care of Records - Church of England

This has useful information for the care and upkeep of parish records.