The Data Protection Act covers information held by any person, business or organisation about an individual.
Examples of data that places of worship hold could include details of parishioners who attend church regularly, details of church members who give charitable donations under the gift aid scheme, and employees' details such as payroll details and employment records.
As well as complying with the Act, some organisations are required to register with the Information Commissioner's Office (ICO), the body that regulates data protection in the UK. To establish whether your place of worship needs to register, you can take an online assessment by visiting the ICO's website.
The Act applies to any use of personal data, which is referred to as processing. Processing includes using the data (for example, sending out a mailing) as well as obtaining, holding and disposing of data.
The Act sets out eight principles under which personal data may only be obtained, held or disclosed to others if:
- Its use is fair and lawful;
- It is to be used only for specified purposes. Individuals should be told, in broad terms, what you are going to do with the information (unless it is obvious) before you use it and given the opportunity to opt out of it being so used;
- The information is adequate, relevant and not excessive in relation to the purpose for which it is to be used;
- It is accurate and up-to-date - so periodically all information held should be checked to ensure it remains accurate;
- The information is kept for no longer than necessary for the purpose - records of pastoral care discussions, for example, should not be kept for several years unless this can be justified;
- Individuals' subject access rights are honoured;
- It is kept securely - addresses and phone numbers should not be left where they are open to abuse, and access to more sensitive information should be particularly restricted by either computer passwords or locks on filing cabinets etc as appropriate;
- Information should not be transferred to any country outside Europe without adequate data protection being in place.
Note that the Information Commissioner's Office has the power to impose financial penalties for non-compliance, and it is therefore advisable to ensure that you have policies and training in place.
For more information on the principles of the Data Protection Act please follow the link to the Information Commissioner’s Office (ICO) website. http://www.ico.gov.uk/for_organisations/data_protection/the_guide.aspx