The Data Protection Act
To help local churches comply with Data Protection
Legislation
THE DATA PROTECTION ACT has been extended
and now covers the keeping of all records both electronically and on
paper.
UNDER NEW LEGISLATION the ruling of the
past few years
that ‘local congregations of the United
Reformed Church storing information on computer or disk and who are
members of a Provincial (Synod) Trust need not register with the Data
Protection Registrar (now called the Information Commissioner) providing
that Provincial (Synod) Trust has registered’ NO LONGER APPLIES.
However, for most local churches the
observance of principles of fair practice will mean that there will be
no need to register individually.
To comply with Data Protection
Legislation the following principles must be met and these apply to all
those holding data in any form whatsoever:
i) All processing of personal data must
be fair and should meet the following conditions:
a) The person concerned (the data
subject) has given consent,
or the data is being used:
b) to carry out a contract to which that
person is a party,
c) to meet a legal obligation of the
data controller (ie the person responsible for the keeping of the
record).
d) to protect the vital interests of the
person concerned
e) for various judicial and government
functions.
f) in the legitimate interests of the
data controller (unless it causes harm to the rights, freedom or
legitimate interests of the person
concerned).
ii) Personal data can only be collected
and used for specified purpose(s).
iii) The data must be adequate, relevant
and not excessive.
iv) The data must be accurate and up to
date.
v) The data must not be held longer than
necessary.
vi) The data subject’s rights must be
respected.
vii) You must have appropriate security.
Please note that special rules apply to
the transfer of data abroad and are not dealt with in this leaflet.
What to do to ensure that your church complies
with the legislation:
Draw up a policy.
This should cover such items as:
why the information is to be held,
including any secondary use that will be made of it;
what kind of information is to be held;
whether any information is being
collected without the knowledge of the person concerned;
what types of disclosure are likely to be made;
how you intend to ensure that the
information held is accurate;
how long you will need to keep the
information;
what level of confidentiality will be applied;
any special security measures that apply.
ENSURE THAT THOSE WHO HAVE ACCESS TO THE
DATA KNOW EXACTLY WHAT THEY ARE ALLOWED TO DO WITH PEOPLE’S INFORMATION.
ENSURE THAT ANYONE ABOUT WHOM YOU HOLD
INFORMATION KNOWS THAT IT IS HELD, WHAT IT IS USED FOR AND TO WHOM YOU
MIGHT PASS IT ON.
GET CONSENT WHEREVER POSSIBLE FOR HOLDING
PEOPLE’S INFORMATION AND GET EXPLICIT CONSENT IN WRITING IF ANY DETAIL
COULD BE CLASSED AS SENSITIVE. The definition of Sensitive Information
includes racial or ethnic origin, religious or political beliefs, Trade
Union membership, health, sex-life or criminal record.
MAKE SURE THAT PEOPLE ARE OFFERED THE
CHANCE TO OPT OUT OF RECEIVING ANY DIRECT MAILING, INCLUDING FUND
RAISING.
DESIGN OR MODIFY YOUR SYSTEM SO THAT
ANYONE MAY HAVE ACCESS TO THEIR OWN RECORD WITHOUT BEING ABLE TO VIEW
OTHER RECORDS.
MAKE APPROPRIATE SECURITY ARRANGEMENTS
FOR BOTH MANUAL AND COMPUTER SYSTEMS.
As a minimum these should include
passwords for computer systems and secure storage for manual records.
ARCHIVE OR DELETE RECORDS REGULARLY.
A brief guide for those handling personal data
When you HOLD personal data remember:
It can only be used for the purposes
for which it was originally obtained.
You have to take good care of it.
You have to use it fairly.
You must ensure that it is adequate,
relevant, not excessive, accurate, up to date and not being held
longer than necessary.
You are committing an offence if you
get access to personal data you are not authorised to see, or if you
disclose such data to other people.
You are committing an offence if you
sell personal data you are not entitled to.
When you OBTAIN personal data remember:
You must not deceive or mislead
anyone.
You must ensure that the person
concerned knows that you are collecting the data and why and how it
may be used.
If the data is provided from someone
other than the individual concerned (the DATA SUBJECT) you must
ensure that the Data Subject knows that you are using their data and
why and how it will be used.
You may have to get consent from the
Data Subject to use their data, particularly if it is in any of the
sensitive areas of racial or ethnic origin, religious or political
beliefs, Trade Union membership, health, sex-life or criminal
record.
When you DISCLOSE personal data remember:
You must check that the disclosure
fits the purpose(s) for which the data is being held.
You must check that the person you
are disclosing it to is authorised to have it.
You must check that the Data Subject
is aware that this type of disclosure is possible or that there is
an overriding reason, such as a legal obligation.
If you put personal data on the WEB
you will need consent from the data subject.
Data subjects have rights too!
Data can only be used if consent is
given, but you can explain the consequences of withholding it.
Data cannot be used for direct
mailing of any goods or services if the person concerned has refused
permission.
If you are phoning people at home for
direct marketing purposes you must check that the number you are
calling is not on a barred number register.
Data subjects can ask to see ALL the
personal data you hold on them, including manual files.
Remember the responsibility is
yours!
For further information and advice about
Data Protection, please contact the Secretary for Communication, 86
Tavistock Place, London WC1H 9RT
The United Reformed Church is grateful to
Paul Ticher, Information Management in Voluntary Organisations, for his
help and advice and to the Office of the Information Commissioner for
checking the accuracy of the information.