Volunteers and Personal Email Addresses

It is recognised that many churches rely on the generosity of volunteers who give their time and energy to enable the church to work at its best. GDPR is not designed to get in the way, but rather to help organisations like churches keep track of the data they are processing, how it is stored, and what documentation they have.

We have received a lot of questions about the use of personal email addresses, which many volunteers use, as do some church officials who may forward emails to their own address from an official church address. The ICO have advised us in no uncertain terms that it is not good practice to use personal email addresses to work on sensitive information on the church's behalf. This is because the email provider will have no official relationship with the church (as a Data Processor would) and have no vested interest in the church as a Data Controller.

Example One:

Church A have their official emails hosted by Company B. The pastor forwards some emails (which may contain sensitive or special category data) from his official church email to his personal email, which is hosted by Company C. Company C then suffers a massive data breach.

Under Article 32 of the GDPR, Company B, in their official capacity as Church A's Data Processor, would have a legal obligation to inform the Church about the breach. However, Company C has no such obligation. They are obligated to inform the pastor, but not the church itself. If the pastor has forgotten that he has forwarded the emails, then this may leave the church vulnerable to a serious data protection failure. 

Example Two:

Church A allows Home Group Leader D to use her personal email address to keep records of pastoral conversations with members. Member E approaches the Church and makes a Data Subject Access Request. Home Group Leader D is out of the country on an extended holiday, and the church cannot get access to the information stored in her emails. Thus, they cannot comply with the Data Subject Access Request, and Member E makes a complaint to the ICO as a result.

If your church does not have official church addresses, services such as Google offer free email hosting to non-profit organisations which are registered as charities. You can look into Google's G-Suite for Non-Profits service here. Other services are available.

Another issue facing lots of churches is how to document and monitor the information which is held by volunteers outside of church offices or online services. Again, we recommend (based on the ICO's advice) that you do not allow data outside of church control. At the very least you should work towards this by having a written policy documenting who has access, where the data is kept, how long it is kept for, and in what format.

This does not mean that you cannot communicate with Data Subjects using their own personal addresses, but that you should use official church email addresses to do so.

For information about the use of personal computers, phones and other devices, the ICO have some existing guidance (albeit written with the DPA rather than GDPR in mind) here.

Terms and Conditions | Our Privacy Policy | Disclaimer