
Parish Council GDPR, Privacy and Accessibility



You can download a copy of this guidance here: Tollard Royal and the General Data Protection Act

The village has several different groups that all use our ‘village directory’ mailing list:

  • The Parish Council
  • The Church
  • The Social Committee
  • Neighbourhood Watch
  • Tollard Tattler
  • Village email List
  • Emergency telephone tree
  • WhatsApp emergency and crime group
  • Facebook Page

We are a small village of fewer than 120 residents; however, we are NOT exempt from GDPR.

In very simple terms, that means that every resident in Tollard Royal must ‘OPT IN’ to have their email and personal details used by any of the above groups. Our reality is that one email list called The Village Directory is used for all communications. That database is currently held by the Chair and Clerk of the Parish Council on their personal computers. The village directory has also been uploaded into an online secure system called ‘MAILCHIMP’, which we use for our village newsletter.

The village of Tollard Royal has not employed a specific Data Protection Officer. The responsibility is taken up by the Clerk to the Parish Council supported by the Chair of the Parish Council, the Neighbourhood Watch Co-ordinator and the Treasurer to the church.

One single consent has been gathered for all the above from parishioners.

What is the GDPR?

The EU’s General Data Protection Regulation (GDPR) is the culmination of four years of efforts to update data protection for the 21st century, in which people regularly grant permissions to use their personal information for a variety of reasons in exchange for ‘free’ services.

In the UK, GDPR will replace the Data Protection Act 1998, which was brought into law as a way to implement the 1995 EU Data Protection Directive. GDPR seeks to give people more control over how organisations use their data, and introduces hefty penalties for organisations that fail to comply with the rules, and for those that suffer data breaches. It also ensures data protection law is almost identical across the EU.

Explaining the jargon:

Personal data is information about a living individual which is capable of identifying that individual. Processing is anything done with/to personal data, including storing it. The data subject is the person about whom personal data are processed. The data controller is the person or organisation who determines the how and what of data processing; in a parish this is usually the incumbent or PCC.

One of the main changes to note is that the GDPR places a much greater emphasis on transparency, openness and the documents we as a village need to keep in order to show that we are complying with the legislation. This is incorporated within the idea of “accountability”.

Accountability – What is it and how does Tollard Royal comply?

The new accountability principle means that we must be able to show that we are complying with the principles. In essence, we cannot just state we are compliant; we have to prove it and provide evidence. To do this there are a number of actions we should take,


Tollard Royal relies on consent as the lawful basis for processing any personal data. You need to be aware that, to be valid under the GDPR, consent must be freely given, specific, informed, unambiguous and able to be withdrawn. Also, we will need to record how and when the consent was obtained (and review this over time).

What does this really mean?

For example, we cannot use the personal data from the electoral roll to send mail to individuals about events at the church without seeking consent first. If we have not obtained consent from individuals to do this, we will not be able to use your personal data in this way. We will need to keep records of all consents received and periodically review them (e.g. every 5 years) to ensure that they are still valid.

You should note that consent may not be appropriate in every case. Remember there are other lawful bases for processing personal data. For example, you would not have to obtain consent to share the names of individuals on the Church Readers rota or after service tea/coffee rota with other church members. In that instance, the information is shared with others in order to carry out a service to other church members. Of course, if it was intended to share the names outside the church for another purpose, then we would need to obtain consent.

Parishes are highly unlikely to be required to have a Data Protection Officer. Data Protection Officers are required in certain circumstances, such as where organisations process sensitive (special category) personal data on a “large scale”. The processing of sensitive personal data by the PCC and/or incumbent is unlikely to be classed as “large scale”. However, we can make it clear who has access to the data and who is responsible for data protection issues, including providing support and guidance for others.



| Description | Why is the data held and what is it used for | Who | Basis for processing data (e.g. consent, legal obligation etc) | Who holds the data and who can access it? | What security controls are in place? | How long is data kept for? | Is this covered by our privacy notice? | ACTION REQUIRED |
|---|---|---|---|---|---|---|---|---|
| Gift Aid Declarations | For claiming Gift Aid | PCC | Legal obligation | Processed by the PCC treasurer | Paper declarations kept in a filing cabinet. Spreadsheet on PC. | Six complete calendar years after last gift claimed on the declaration | Yes | Password protect the spreadsheet |
| Electoral Roll | For running PCC Elections | PCC | Consent given by completion of form, legal obligation and public task | Held by Church Warden and made publicly available on the church notice board. | No security as a public information | Reviewed each AGM | No | None |
| Names and addresses, phone numbers, emails of PCC | For the functioning of the PCC | PCC | Consent given at election | Information is passed to the Diocese and can be published in any public place including parish magazine | No security | Reviewed each AGM | No | None |
| 52 Club | PCC fundraiser | PCC | Consent given when joining | Held by PCC Treasurer – names made public when drawn in church and then published in the Tollard Tattler | No security | Annually on subscription | No | None |
| Donors to the church | Tracking of donors | PCC | Consent given when making donation | Held by PCC Treasurer. Seen by independent examiner | Held on a database by treasurer | Annually | Yes | Password protected spreadsheet |
| Parish Register: Baptisms, Funerals and Weddings | Public Record | PCC | Manifestly made public. Archived | Kept by the Churchwardens | On display in the church | Permanent record | No | |
| Flower rota / caretaking rota / reading list | | PCC | No consent needed as this information is never shared and only used for the function of the church | | On display on notice board. | As required | No | |
| Email List, Telephone numbers, Emergency Telephone Tree | For emergency planning | Parish council | Consent given on electronic consent form | Chair of the PC | Kept confidential, shared only with residents of Tollard Royal and key stakeholders such as the unitary councillor for Tollard Royal Business. | Annually | Yes | Ensure email group is always blind copied. |
| Electoral roll, Email list | Agenda and minute distribution | PC | Consent obtained from all villagers via an electronic form | Chair of PC and Clerk | Held on personal computers | Reviewed every 5 years – new residents will be added ad hoc. Leavers removed | Yes | |
| Councillors: Email and phone | Council function | PC | Consent given at election | Clerk | Public. On notice board and website | On election | No | Public information |
| Village Directory Distribution list | Fish & Chip Notices, Agendas, Minutes | SC, PCC, PC, NHW | Consent given by electronic form | PC Chair & Clerk | Private. Password protected login | Reviewed every 5 years – new residents will be added ad hoc. Leavers removed | Yes | Ensure email group is always blind copied. |
| Village Directory Distribution plus people who have subscribed to the newsletter list | Village newsletter Tollard Tattler | PC | Consent obtained from all villagers via an electronic form | Held on Mailchimp – everyone can simply unsubscribe | Private. Password protected login | As required | No | Mailchimp does not reveal recipients |
| WhatsApp Crime and Emergency Group | Neighbourhood watch | PC / NHW | Consent given on joining and can remove themselves from the group | Held on the administrator's phone | Public to the group members | As required | No | |
| Facebook Page | PC and NHW | PC / NHW | Consent given on joining and can remove themselves from the group | Held by administrator | Public page | As required | No | Public page |