Transcript Slide 1

Data Protection for Church
of Scotland Congregations
How many of the following
have happened to you?
• You have received junk-mail which used your name and
address.
• An unsolicited telesales call has been made to your
home.
• Your bank has alerted you to ‘unusual’ activity in relation
to your account.
• Your car has been ‘cloned’ and you have received
speeding fines that you weren’t due.
Some questions that are
worth asking:
• How did these people get access, or why do they want
access, to your personal data?
• Who else holds personal information about you?
• How might that information be used or misused?
• What rights do you have in relation to personal data and
privacy?
Some reasons for having
‘Data Protection’ legislation
Information is… everywhere!
• To safeguard personal privacy.
• To prevent information about individuals from being used
unfairly or fraudulently.
• To ensure that bodies which hold personal information
respect confidentiality and observe good practice.
• To give individuals the right to know what information is
held about them.
What does this mean for
the Congregations?
• The Church is a body which holds personal information
about individuals.
• As office bearers you have an obligation to behave
responsibly in relation to the information that is held.
• The Church must observe good practice and also abide
by the provisions of the Data Protection Act 1998,
where it applies to use of personal data.
The Data Protection Act 1998
Key Themes
• Transparency
• Choice
• Data Quality
• Security
• Individual rights
What is ‘Personal
Data’?
Information which relates to a living individual who can be identified:
– from that data; or
– from that data together with other information which is, or is likely to
come into, the possession of the Data Controller;
and which is held electronically, or manually in a relevant filing system.
E.g. Name, job title, telephone number, email address, date
of birth, postal address.
Sensitive Personal Data
Personal Data consisting of information on:
• racial or ethnic origin
• political opinions
• religious or similar beliefs
• trade union details
• health data
• sexual orientation data
• offences or alleged offences
• court proceedings
Sensitive Personal Data
Before a congregation uses any data of this nature, the
following conditions must be satisfied:
EITHER
• the data must be used in the course of the congregation’s
legitimate activities and be ‘not for profit’;
• the data must be used with appropriate safeguards for the
rights and freedoms of the people concerned;
• the data must be restricted to those who are members or
who have regular contact with the Church; and
• the data must not be disclosed to any third party without the consent of
the data subject.
OR
• the data subjects must have given explicit consent for this
particular use
Who are Data Subjects?
• The individual to whom Personal Data relates, for example:
– An Employee
– A Job applicant
– A Former employee
– A Minister
– An Office Bearer
– A Committee Member
– A Church Member
– An adherent
Data Processing
Processing is handling data in any way:
– collecting personal data;
– storing in a database;
– ordering in a filing system;
– editing data records;
– transmission onwards to a third party.
• A “Data Processor” is any person or organisation who processes personal
data on behalf of the Data Controller.
Data Controller
• Data Controller: is a person or organisation that
determines the purposes for which and the manner in
which personal data will be processed.
• For congregations this is the Presbytery Clerk.
• It is necessary to notify the Information Commissioner on
an annual basis.
• There is a limited exemption from notification for ‘not for profit’
organisations.
• But remember CCTV! Operating CCTV is processing that falls outside
that exemption, so a congregation using CCTV must notify.
The Basics
The Act does not prohibit the use or distribution of information; rather
it governs the way information and people are treated.
The Basics
What are the 8 data
protection principles?
Data Protection Principles
Personal data must:
• Be processed fairly and lawfully;
• Be obtained for specified and lawful purposes, and not be processed in
any manner incompatible with those purposes;
• Be adequate, relevant and not excessive in relation to the purpose for
which it is used;
• Be kept accurate and, where necessary, up to date;
• Not be kept for longer than is necessary for the purpose for which it is
used;
• Be processed in accordance with the rights of Data Subjects;
• Be kept secure to prevent unauthorised processing and accidental loss,
damage or destruction; and
• Not be transferred to any country outside the EEA unless that country
ensures an adequate level of protection for the rights of Data Subjects.
Sanctions?
The Information
Commissioner’s Office
“The UK’s Independent authority set up to uphold information rights in the
public interest, promoting openness by public bodies and data privacy for
individuals.”
The ICO:
• Promotes good practice,
• Produces guidance on various topics,
• Makes rulings on complaints against organisations, and
• Takes action where there are breaches of the Act.
The Information Commissioner
• Enforcement Notices
• Criminal Sanctions
• Fines (monetary penalties) – up to £500,000, for example:
– Brighton and Sussex University Hospitals NHS Trust: £325,000
– Ealing Council: £80,000
– Hounslow Council: £70,000
– A4e Limited: £60,000
– Norwood Ravenswood: £70,000
Don’t get caught out!
Recommendations for Congregations
The ICO Study
Areas of Good Practice and Areas for Improvement:
• Access to IT
• Building Security
• Confidential Waste
• Implement a Data Protection Policy
• Password security
• Clear Desk Policy
• Home working?
• IT Security features
• Training
Recommendations for Congregations
DATA PROTECTION PACK FOR
CONGREGATIONS
http://www.churchofscotland.org.uk/resources/subjects/law_circulars
Recommendations for Congregations
Conduct an audit of your current data
handling:
• Take time and care to draw up a list of all areas of
Church life where personal data is held and used.
• For each of these, consider whether you can
observe better practice in line with the eight
principles, the areas of good practice and areas of
improvement in the ICO Report.
• Always take special care over any data which
would be classed as ‘sensitive’.
• Do not use data for any ‘broader’ purpose, without
first consulting the Presbytery Clerk.
Recommendations for Congregations
Carry out a review of any historical records that
your congregation holds, in either electronic or
manual form.
• Archive any records that you are obliged to keep – e.g.
minute books and baptismal registers.
• Consider deleting or destroying any records that are
no longer required. Take care over how you dispose of
these.
• Consider deleting any information that you would be
embarrassed to disclose if you received a subject access request
(a ‘data request’ from the individual concerned).
DON’T PANIC!
Any Questions?