Q: Can we still stream church services, or put pictures of church attendees on our website?

A: The short answer is: yes! However, you will need to carefully consider whether or not you should gain permission from the subjects first. Our article goes into more detail here.

Q: Why do you advise that volunteers should not use their personal email addresses?

A: We don't offer legal advice, and nothing on this website should be taken as such. Our information about this issue is based on conversations with the ICO, who have advised us that the use of personal email addresses to handle sensitive church data is not good practice. We have an article which offers examples here. 

Q: What about personal devices?

A: The use of personal devices is not prohibited. The ICO have advice about this here, which has not yet been updated to reflect GDPR, but based on our conversations with them we understand that it should more or less still be accurate.

Q: We have a church directory and everyone has a copy. Do we need to stop doing this?

A: We don't recommend that you routinely give everyone access to large amounts of personal data. However, where you do rely on directories for phone trees or similar, consider the format you are using. It may be more secure to hold it in cloud-based software and give people access to that, than to print a copy out which could easily be left out on a coffee table or even on the bus!

Q: Some of our ex-members may still have data on their computers. What should we do about this?

A: When people leave the church, you should make a reasonable effort to retrieve any printed or computer-held records to which they may have access. When you first make this information available, consider asking recipients to sign an agreement stating that they will return the information should they leave the church.

Q: Are we allowed to share data with other branches of our church outside the EU?

A: The ICO has advice about the international transfer of data here. Sharing data is not prohibited, but you should ensure that there are appropriate safeguards in place, and get consent from individuals to send their data internationally. Remember, this legislation applies to EU subjects no matter where the institution is based.

Q: Can we use disclaimers on forms or in signage around the church instead of getting consent?

A: The short answer is: no. This is because a disclaimer does not give Data Subjects the opportunity to give explicit, opt-in consent. You may also find yourself contravening the GDPR stipulation that you should avoid making consent a precondition of service i.e. telling people that they have to give consent if they want to be part of the church.

Q: What do we do if someone declines consent? What if they don't respond at all?

A: If they decline consent, and you do not have another lawful basis for holding or processing their data, then you should delete them from your records. If they don't respond at all, and you have made reasonable efforts to contact them, then you should also delete their records. Remember, this only applies if consent is the appropriate lawful basis.

Q: What counts as 'large scale' in terms of the requirements for a DPO?

A: There is currently no specific guidance on this. An example the ICO gave to us during a conversation was that a GP surgery processing the health records of a few hundred patients would likely not need a DPO, but a hospital processing the health records of thousands of patients most likely would.
