Our church is now processing a claim under gift aid where personal details are included. So before I can submit a claim do I have to obtain permission from every member first? If so do we not need a form to use?
A standard Gift Aid Declaration should be signed by anyone who is eligible to donate under the scheme. More information on gift aid can be found here. Any personal data on the gift aid forms must be kept securely to protect it.
In the case of patients attending for healing, do they really need to sign to say they accept the privacy statement, as Healing and the Law goes a bit further than GDPR?
Patients need to be made aware of the Privacy Statement, which states: "By submitting your personal data you declare that you have read, understood and accepted the statements set out in this data protection clause and are giving your consent to the processing of the information submitted in relation to membership or services." Therefore, by signing the healing card they are acknowledging acceptance of the privacy statement.
Some Churches in our DC have memorial books, plaques, dedications etc. I have been asked the question: what happens with these under GDPR?
GDPR/data protection law does not apply to the data of someone who has passed (is deceased), although the standard requirements of confidentiality should be maintained when dealing with any persons who may have passed.
I am reliably informed that this act is an EU directive and so when we leave the EU next March it will no longer apply.
This is incorrect, as the UK Government confirmed they would adopt the GDPR regulations in 2016, before the regulation was implemented, and the terms of GDPR have been incorporated into the UK's Data Protection Act 2018.
Will there be any new record cards to accommodate the GDPR?
The current card is appropriate for an adult patient. A card for child patients will be circulated shortly to accommodate parental consent and the additional retention period.
At the end of the form it says to destroy the form after 2 years. Isn't it necessary to keep it in perpetuity if the roll book keeps their information in perpetuity?
The form is likely to contain more personal data than the Roll Book, although it is recognised that the Roll Book may hold more personal data than just the name and date. Although the Roll Book is a historical record that should be retained, where someone requests their name to be deleted from the Roll Book, we would need to comply. The Union is looking into the feasibility of providing a simple Roll Book that is compliant with GDPR.
Will the new requirement for us to get a health and safety representative on committee and to return the signed segment of the policy paper be a requirement of being given a church representative card at conference?
This is not a new requirement, and the process of issuing Church Representative cards remains as it is.
There is a discrepancy between documents circulated regarding retaining membership details. Please clarify.
We advise members that we will keep their information until they resign or do not renew. The 2 years statement is to keep the information for 2 years after they resign or do not renew. Should someone request their details to be deleted earlier, then we would have to comply with this. Consideration has been given to those who may be studying for an award, or have an intention to, as they may need to provide details of their Church membership. A retention document has now been completed for Churches and the period has been confirmed as 2 years.
What if a member refuses to complete a consent form?
If they refuse, then they will not be able to be a member. Under Article 6 (lawful processing), we are required to obtain the information as it is necessary for the SNU to comply with our legal obligations.
Do the new EU regulations also cover use of cameras?
The GDPR does not specifically refer to personal cameras; however, some guidance to consider is:
Let people know before you start recording. In some scenarios this is going to be quite easy because you will know everyone within close view (for example, if you are taking a group photo at a family barbeque). In other scenarios, for example at the beach or the park, this is going to be much more difficult, so you'll need to apply some common sense before you start.
Think before sharing. Think carefully about who's going to be looking at the images, particularly if you're thinking about posting them on social media. Avoid sharing images that could have unfair or harmful consequences.
Keep the images safe. If they are not necessary, then don't keep them. If you do want to keep them, then make sure they are kept in a safe place.
Organised events. If you are hosting an event and wish to take photographs of people attending, you must declare that you may share these on social media, Church/Centre Newsletter, SNU Today etc., as this will enable those who do not wish their photograph to be shared to make a decision not to be in the photograph.
Can we read out the names of people in the healing book?
Yes, you can read the names of people placed in the healing book, but it must only be the name. A new notice to be placed on the healing book has been circulated to churches, which will inform people when placing names into the book. A copy of the notice can be found here.
How long should certain records be kept?
A Document Retention Policy has been compiled and circulated; you can also find a copy here.
We run an education scheme at our church. How long should we keep these records?
Education records should be kept for 6 years after the completion of the course.
Can a patient ask for their healing card to be deleted or returned to them?
As we are legally obliged to keep records for 8 years (until they are 26 for children) for insurance purposes, a patient cannot ask for their healing card to be deleted until this time period has passed.
How long should healing cards be kept?
Healing cards are to be kept for up to 8 years after the last visit of the patient. This is lawful processing under Article 6 of GDPR, as we have legal obligations to our insurance company. Once the 8 years have passed, the healing cards should be destroyed by shredding. For children, healing cards must be kept until they are 26 years of age.
How should healing cards be stored?
All healing cards should be kept in a locked cupboard or filing cabinet with access restricted to the President of the Church or a member of the Healing Group. Any other individual who has a legitimate need to access the records must have authorisation from the National Executive Committee.
I use Excel to store all the contact details for mediums. I store the workbook on the cloud so I can easily access the data from different devices. How will GDPR affect this?
The ICO has produced guidance on using cloud computing and it is possible to continue using this. However, you would need to undertake significant checks to see what a provider's level of security is and who/how they share personal data. The problem with cloud storage is that, even though an accidental sharing or loss of data may be the fault of the provider, the responsibility remains with the owner of the personal data (the data controller), in this case the church.
The risk will be determined based on the type of data stored and whether loss, accidental deletion or unauthorised access is likely to result in a risk to people's rights and freedoms. A personal data breach may have a range of adverse effects on individuals, which include emotional distress, and physical and material damage. When a personal data breach has occurred, you need to establish the likelihood and severity of the resulting risk to people's rights and freedoms. There would be a risk of distress or harm caused to individuals if personal data is stored.
The Union has not included any specific guidance relating to cloud computing but recommends that strong passwords are used, and changed regularly, ensuring different passwords are used for different files/sites. Cyber security is a bit of a minefield and the Union has tried to adopt a common sense approach to matters rather than complicate things. Recommendations for strong passwords include a mix of alphanumeric characters; numbers, symbols and capital letters help to strengthen a password. Should personal data be lost or hacked, then having it password protected is a level of mitigation should there be a serious breach and it has to be reported to the ICO.
With regard to the SNU Privacy Statement I wonder whether any consideration has been given to producing a statement specifically for churches and centres?
There will not be a separate privacy statement for churches, as this should apply across the organisation consistently. Providing different privacy statements for the different parts of the Union would create confusion.