Data protection for churches has been a very important topic since the introduction of GDPR in May 2018. In the past, it was common for churches to let people on teams know a little more information than was strictly necessary, and in the majority of cases this was perfectly fine: it made pastoral visits easier to arrange, contacting people easier, and so on.
With the changes introduced by GDPR, much more thought needs to go into how personal data is handled.
Keeping Church Data Safe
Churches nowadays range from small congregations with one or two staff members – perhaps volunteers – to look after the admin side of things, to stadium-sized establishments with massive congregations and hundreds of people on teams.
Whichever end of the spectrum your church sits at, the rules are the same. Don’t take data home with you. Don’t share data informally within the church, and don’t share it with anyone at all outside the church. If you need to share or obtain data, go through your line manager, who may be the pastor/priest/vicar/bishop/etc. If you can’t prove you have permission to hold data about someone, you should not have that data.
Failure to comply with these rules could result in a £10,000 fine in the UK, and that is not an insignificant amount.
When Data Can Be Shared
Data sharing must be limited to what the job at hand requires. If you want to send an email blast to everyone in church advertising a fundraising campaign, you can’t do it unless you have the express permission of the people you are emailing – and the same goes if you are sending the message by post.
Think fundraising is the issue? Nope. You could send a message advertising your Sunday service…but only with permission! You will need written or electronic consent to receive communications from every person on your list.
You can do this through a tickbox online when they sign up to your email newsletter, or by asking them to update their details with a contact card – include a tickbox for allowing contact by post, phone call, etc.
You’ll also need to confirm (with another tick) that you are allowed to process their data. There’s no point in collecting contact details or other information if you are not allowed to use them.
Any data you hold can be shared within the church provided it is for a specific purpose. If it is to send a card, to process a donation or anything else of a legitimate nature, that’s fine. But if someone casually asks for a phone number, don’t pass it on unless they need it to carry out a function of their position.
Never share personal data of any kind with someone outside of the people who work in the church office.
Keeping Data Safe
Personal data must be kept safe at all times. Anything held on an individual device such as a laptop or phone must be password protected, at least at the device level, and if data is stored outside the country, the individuals concerned must be made aware of this.
Some churches use Google Drive to store their data. This is good as it is password protected and encrypted to keep prying eyes out – unfortunately, it’s hosted in the USA. While this is not a problem per se, you must inform the people involved of this fact.
Paper records must also be secured. Once you have finished with a piece of paper – or simply leave your desk – the paper should either be destroyed (store the information on a computer system first if you need to keep it) or securely locked away in a safe or a lockable drawer/filing cabinet. This simply stops anyone from walking in and taking the information away with them.
The Basic Dos And Don’ts of GDPR for Churches
The GDPR legislation is long and complex, but this brief summary will set you on the right path. If in doubt, always consult a professional – this is for guidance only and does not constitute legal advice.
- DO NOT store any electronic data on a personal device, be it a laptop, phone, tablet, USB stick or anything else. Any and all of these devices must be approved by a senior member of the church or the IT team (as appropriate) before use.
- DO store files, documents, and data in a secure system (such as a server or on the church Google Drive system) and not anywhere else.
- DO use strong passwords (e.g. including numbers, capital letters, etc.), or use passphrases made of multiple words.
- DO use encryption whenever it is possible. Encryption keeps information unreadable to anyone who gets hold of a device or file without the key.
- DO lock your screen every time you leave your device – including PCs. Pro-tip: use the shortcut WINDOWS+L on Windows machines or CTRL+SHIFT+POWER (CTRL+SHIFT+EJECT on older machines) on Macs to lock the screen quickly.
- DO use BCC fields when emailing multiple people so that you don’t inadvertently share email addresses.
- DO keep paper safe. Paper documents with data on them should not leave the church office. As soon as you have finished with any paper copies, they must either be locked away in a drawer or cabinet, or alternatively shredded.
- DO notify the Data Protection Manager (someone within your church should fill this role) in the event of a data security breach. There are time limits imposed on reporting – if you do not do it immediately, a fine of up to £10,000 could be imposed.
In short:
KEEP DATA SECURE
DON’T SHARE DATA
REPORT ANY BREACHES