PARISH DATA PROTECTION GUIDANCE FOR TOLLARD ROYAL
THIS PAGE CONTAINS ALL THE INFORMATION YOU NEED TO UNDERSTAND DATA PROTECTION IN TOLLARD ROYAL IN ACCORDANCE WITH GDPR
You can download a copy of this guidance here: Tollard Royal and the General Data Protection Act
The village has several different groups that all use our ‘village directory’ mailing list:
- The Parish Council
- The Church
- The Social Committee
- Neighbourhood Watch
- Tollard Tattler
- Village email List
- Emergency telephone tree
- WhatsApp emergency and crime group
- Facebook Page
We are a small village of fewer than 120 residents; however, we are NOT exempt from GDPR.
In very simple terms, that means that every resident in Tollard Royal must ‘OPT IN’ to have their email and personal details used by any of the above groups. Our reality is that one email list, called The Village Directory, is used for all communications. That database is currently held by the Chair and Clerk of the Parish Council on their personal computers. The village directory has also been uploaded into an online secure system called ‘Mailchimp’, which we use for our village newsletter.
The village of Tollard Royal has not employed a specific Data Protection Officer. The responsibility is taken up by the Clerk to the Parish Council supported by the Chair of the Parish Council, the Neighbourhood Watch Co-ordinator and the Treasurer to the church.
One single consent has been gathered for all the above from parishioners.
What is the GDPR?
The EU’s General Data Protection Regulation (GDPR) is the culmination of four years of efforts to update data protection for the 21st century, in which people regularly grant permissions to use their personal information for a variety of reasons in exchange for ‘free’ services.
In the UK, GDPR will replace the Data Protection Act 1998, which was brought into law as a way to implement the 1995 EU Data Protection Directive. GDPR seeks to give people more control over how organisations use their data, and introduces hefty penalties for organisations that fail to comply with the rules, and for those that suffer data breaches. It also ensures data protection law is almost identical across the EU.
Explaining the jargon:
Personal data is information about a living individual which is capable of identifying that individual. Processing is anything done with or to personal data, including storing it. The data subject is the person about whom personal data are processed. The data controller is the person or organisation who determines the how and what of data processing; in a parish this is usually the incumbent or PCC.
One of the main changes to note is that the GDPR places a much greater emphasis on transparency, openness and the documents we as a village need to keep in order to show that we are complying with the legislation. This is incorporated within the idea of “accountability”.
Accountability – What is it and how does Tollard Royal comply?
The new accountability principle means that we must be able to show that we are complying with the principles. In essence, we cannot just state we are compliant; we have to prove it and provide evidence. To do this there are a number of actions we should take.
Consent
Tollard Royal relies on consent as the lawful basis for processing any personal data. You need to be aware that, to be valid under the GDPR, consent must be freely given, specific, informed, unambiguous and able to be withdrawn. Also, we will need to record how and when the consent was obtained (and review this over time).
What does this really mean?
For example, we cannot use the personal data from the electoral roll to send mail to individuals about events at the church without seeking consent first. If we have not obtained consent from individuals to do this, we will not be able to use your personal data in this way. We will need to keep records of all consents received and periodically review them (e.g. every 5 years) to ensure that they are still valid.
You should note that consent may not be appropriate in every case. Remember there are other lawful bases for processing personal data. For example, you would not have to obtain consent to share the names of individuals on the Church Readers rota or after service tea/coffee rota with other church members. In that instance, the information is shared with others in order to carry out a service to other church members. Of course, if it was intended to share the names outside the church for another purpose, then we would need to obtain consent.
Parishes are highly unlikely to be required to have a Data Protection Officer. Data Protection Officers are required in certain circumstances, such as where organisations process sensitive (special category) personal data on a “large scale”. The processing of sensitive personal data by the PCC and/or incumbent is unlikely to be classed as “large scale”. However, we can make it clear who has access to the data and who is responsible for data protection issues, including providing support and guidance for others.
PARISH DATA AUDIT FOR TOLLARD ROYAL
THIS IS A REGISTER OF ALL TYPES OF PERSONAL DATA PROCESSED BY TOLLARD ROYAL IN ACCORDANCE WITH GDPR
Description | Why is the data held and what is it used for | Who | Basis for processing data (e.g. consent, legal obligation etc) | Who holds the data and who can access it? | What security controls are in place? | How long is data kept for? | Is this covered by our privacy notice? | ACTION REQUIRED |
Gift Aid Declarations | For claiming Gift Aid | PCC | Legal obligation | Processed by the PCC treasurer | Paper declarations kept in a filing cabinet. Spreadsheet on PC. | Six complete calendar years after last gift claimed on the declaration | Yes | Password protect the spreadsheet |
Electoral Roll | For running PCC Elections | PCC | Consent given by completion of form, legal obligation and public task | Held by Church Warden and made publicly available on the church notice board. | No security as public information | Reviewed each AGM | No | None |
Names and addresses, phone numbers, emails of PCC | For the functioning of the PCC | PCC | Consent given at election | Information is passed to the Diocese and can be published in any public place including parish magazine | No security | Reviewed each AGM | No | None |
52 Club | PCC fundraiser | PCC | Consent given when joining | Held by PCC Treasurer – names made public when drawn in church and then published in the Tollard Tattler | No security | Annually on subscription | No | None |
Donors to the church | Tracking of donors | PCC | Consent given when making donation | Held by PCC Treasurer. Seen by independent examiner | Held on a database by treasurer | Annually | Yes | Password protected spreadsheet |
Parish Register Baptisms Funerals and Weddings | Public Record | PCC | Manifestly made public Archived | Kept by the Churchwardens | On display in the church | Permanent record | No | |
Flower Rota/ caretaking rota/ reading list | PCC | No consent needed as this information is never shared and only used for the function of the church | On display on notice board. | As required | No | |||
Email List Telephone numbers Emergency Telephone Tree | For emergency planning | Parish council | Consent given on electronic consent form | Chair of the PC | Kept confidential shared only with residents of Tollard Royal and key stakeholders such as the unitary councillor for Tollard Royal Business. | Annually | Yes | Ensure email group is always Blind copied. |
Electoral roll Email list | Agenda and minute distribution | PC | Consent obtained from all villagers via an electronic form | Chair of PC and Clerk | Held on personal computers | Reviewed every 5 years – new residents will be added ad hoc. Leavers removed | Yes | |
Councillors Email and phone | Council function | PC | Consent given at election | Clerk | Public On notice board and website | On election | No Public information | |
Village Directory Distribution list | Fish & Chip notices, agendas, minutes | SC PCC PC NHW | Consent given by electronic form | PC Chair & Clerk | Private password protected login | Reviewed every 5 years – new residents will be added ad hoc. Leavers removed | Yes | Ensure email group is always Blind copied. |
Village Directory Distribution plus people who have subscribed to the newsletter list | Village newsletter Tollard Tattler | PC | Consent obtained from all villagers via an electronic form | Held on Mailchimp – everyone can simply unsubscribe | Private password protected login | As required | No | Mailchimp does not reveal recipients |
WhatsApp Crime and Emergency Group | Neighbourhood watch | PC / NHW | Consent given on joining and can remove themselves from the group | Held on the administrator's phone | Public to the group members | As required | No | |
Facebook Page | PC and NHW | PC / NHW | Consent given on joining and can remove themselves from the group | Held by administrator | Public page | As required | No Public page | |