Here are 7 key steps for PCCs to take.
1. Review all the personal data held.
· What data do you hold?
· Why do you hold it?
· Who has access to the data?
· How is the data secured?
Carry out a Data Audit Exercise. Examine the various types of data processing carried out, identify the legal basis for carrying it out and document it. A simple table listing what you hold and why etc. will highlight where the gaps in your compliance are. This review process is a good way to capture all the data held and will be a good point of discussion at a PCC meeting to decide what needs to be done next.
Who has access to the data should be clear. Only those that need to see it should have access.
2. What policies and guidance do you already have in place?
The Church of England website has a wealth of guidance policies on its Record Management page and these should be referred to by PCCs to form the basis of their own policies.
A clear policy for the retention of data is essential, and personal data must be erased without delay when:
· it is no longer necessary for its purpose
· the data subject withdraws consent
· there are no longer any legal grounds to hold or process that data
Data cannot be kept indefinitely and PCCs must remove data when asked by the data subject. There are exceptions to this removal request:
· For vital interests or public interest
· Archiving in relation to public interest, scientific/historic and statistical research
· Exercise of legal claims
If you already have Data Protection and retention policies in place, review the existing policies and think about where the data is collected and how its usage is defined. Do the policies need to be amended to comply with GDPR?
3. Where is your data held?
Think about where your data is held and its security.
· Does it reside with 3rd parties on IT systems such as cloud suppliers, church members' homes etc.?
· Of the data you hold about data subjects, are these records electronic or paper based?
· How are the IT or paper systems protected? (Passwords, encryption, lockable drawers, safes.)
· Who needs authorised access to this data and information?
Any systems used to store or process data need to consider security as part of their implementation. You should only collect the data you need and keep it only as long as needed in order to fulfil an agreed purpose and then delete it.
This means PCCs need to think very carefully about what data they have on people, where it is and who has access to it. This will include the technology used and security in place. For example, data encryption would be one way in which computer data held can be secured.
Under GDPR, consent cannot be assumed and must be laid out in simple terms in the forms individuals complete. Active consent is required; inactivity does not imply consent. Written consent is the recommended option because evidence of consent must be provided when asked for by either individuals or the ICO. The person consenting must know exactly what the PCC proposes to use their data for. If the data subject is under 16 then you must obtain parental consent. PCCs need to think about how they will handle requests to have data removed and how this would be done.
In order to achieve clear unambiguous consent from individuals to hold their data PCCs will probably need more than one consent form. One size will not fit all. Consent forms should clearly indicate how long the data will be held.
Children. GDPR sets the consent age at 16. Parental or guardian consent will be required if the person is under 16.
GDPR does not mean you cannot conduct “business as usual”.
What it does mean is that when you do hold individuals' personal details, protecting these details is paramount, and the consent form must make clear what the data will be used for and for how long.
PCCs cannot collect data from parishioners to inform them about services and then use that data to fundraise. PCCs cannot profile certain people to target for fundraising. If you wish to use the personal information to contact individuals on fundraising the wording on the consent form must make this clear.
Information obtained from the Electoral Roll cannot be used to direct mail individuals about events taking place unless you have explained that this is what the information will also be used for and have the individuals' explicit consent to contact them.
Personal data given for baptisms, weddings and funerals cannot be used to mail individuals about services in the year unless the consent form makes it clear. In this case the form could say “We would like to keep in touch with you for the next two years about all our children's services or children's events in the parish. Do you consent to your data being held for this additional purpose?” A clear “yes, I consent” / “no, I do not consent” tick box and space for a signature would also be required, together with a process in place to remove the data after the two years have elapsed.
The Youth Worker stores the contact details of the under-16 youth group in an Excel spreadsheet on his/her laptop. In this example the consent would be needed from the parent, and the reason it is collected is so the youth worker can communicate about events by email or phone. The PCC should however be aware that personal data is stored on the laptop, who has access to it and what security measures are in place on the device to secure the data.
Under GDPR consent can be withdrawn at any time by individuals, and PCCs must act on these requests immediately and remove the data/paper files from their records.
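The audit table from step 1, the erasure conditions in step 2 and the two-year consent expiry described above can be checked mechanically. This added Python example is not from the original guidance or any Church of England template; the register row layout, dataset names, dates and the "today" used are constructed assumptions. It reviews a small data register and lists the action each row needs.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional
# Row layout is this example's own assumption, not a prescribed template.
@dataclass
class Entry:
    dataset: str
    purpose: str
    legal_basis: Optional[str]   # e.g. "consent", "legal obligation"; None = not documented
    collected_on: date
    retention_years: int         # period stated on the consent form or retention policy
    access: List[str] = field(default_factory=list)   # who may see the data
    consent_withdrawn: bool = False
    subject_under_16: bool = False
    parental_consent: bool = False

def review_entry(entry: Entry, today: date) -> List[str]:
    """Return the actions one register row needs; an empty list means no gap found."""
    actions = []
    if entry.legal_basis is None:
        actions.append("document legal basis")
    if entry.consent_withdrawn:
        actions.append("erase: consent withdrawn")
    # Data must go once it is no longer needed for the purpose it was collected for.
    expiry = entry.collected_on + timedelta(days=365 * entry.retention_years)
    if today > expiry:
        actions.append("erase: retention period expired")
    # Consent for an under-16 must come from a parent or guardian.
    if entry.subject_under_16 and entry.legal_basis == "consent" and not entry.parental_consent:
        actions.append("obtain parental consent")
    if not entry.access:
        actions.append("record who has access")
    return actions

def review_register(register: List[Entry], today: date) -> Dict[str, List[str]]:
    """Map every dataset that has at least one gap to its list of actions."""
    return {e.dataset: acts for e in register if (acts := review_entry(e, today))}

# Constructed sample register for a fictional parish (dates and names invented).
SAMPLE_REGISTER = [
    Entry("electoral roll", "maintain the roll", "legal obligation", date(2017, 1, 1), 6,
          access=["PCC Secretary"]),
    Entry("children's events list", "contact about children's events", "consent",
          date(2016, 3, 1), 2, access=["Youth Worker"], subject_under_16=True, parental_consent=True),
    Entry("youth group spreadsheet", "email about events", "consent", date(2018, 1, 15), 2,
          subject_under_16=True),
    Entry("fundraising contacts", "fundraising mailings", None, date(2018, 2, 1), 3,
          access=["Treasurer"], consent_withdrawn=True),
]
REVIEW_DATE = date(2018, 6, 1)   # constructed "today" for the sample run
```

Rows with no gaps (the electoral roll here) are left out of the report, so `review_register(SAMPLE_REGISTER, REVIEW_DATE)` returns only the three rows that need action.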
5. 3rd Party Risk
Is data shared with people/ organisations outside of your PCC?
If any personal data you hold is “processed” by another company you would be wise to confirm the company complies with data protection and GDPR. For clarity, if they are breached and a complaint is upheld, you as the data controller (owner) remain equally liable. You will also need to review contracts held with companies that process data on your behalf. It is the PCC's responsibility to ensure the “processor” processes the data you give them in accordance with GDPR.
Contracts with third parties that have access to the personal data you hold should have a statement within the contract confirming they comply with GDPR. Companies must demonstrate that they have the appropriate policies and security measures in place to protect the data. In these circumstances the PCC is the controller of the data and the 3rd Party Company is the “processor” of the data.
6. Subject Access Requests (SAR)
IT databases, IT systems.
CCTV. If that is managed by a third party off site and they hold the recordings or have access to them, PCCs will need to obtain written confirmation that the company complies with the new GDPR rules. Full information on CCTV is in Appendix B.
Individuals have the right to request a copy of all the personal data held. This means providing copies of all electronic and paper documents that contain their details or reference to them.
Personal data also includes footage held on a CCTV system, where the individual is the focus of the footage and/or they are clearly identifiable.
You will also need to provide some additional information to people making requests, such as your data retention periods and the right to have inaccurate data corrected.
A Data Compliance Officer (the PCC Secretary is the obvious choice, but it could be a named employee) should be appointed as the contact for any Subject Access Requests.
If the request is valid and permissible, the data has to be supplied within 30 days of the request being deemed valid. You should therefore ensure that the PCC and the Data Compliance Officer have procedures in place to comply with these requests promptly. Charging for requests is generally not permitted. Excessive requests can be charged for or refused. If you want to refuse a request, you will need to have policies and procedures in place to demonstrate why the request meets these criteria.
What to do if you identify a breach
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
If your data is breached and the breached data could cause material or emotional harm to the individual, you have just 72 hours to declare it to the ICO and, if severe, also to the data subject. The 72 hours run from the point at which you become aware. Note: if the data is breached but is encrypted (i.e. it cannot be accessed by anyone, because the key has not also been exposed) and therefore will not cause harm, you do NOT need to declare the breach.
If a spreadsheet containing names and addresses of people under 16 was accessed by someone unauthorised, that is a breach. For example, allowing someone other than the approved members of the PCC to view personal data is a breach. Other breaches such as malware (IT) attacks, equipment theft and compromised ID credentials are equally relevant.
The fines that can be imposed for non-compliance depend on the severity of the non-compliance. Examples of sanctions are:
· A warning in writing in cases of first and non-intentional non-compliance
· A fine of up to 20 000 000 EUR