The Diocese

Welcome

The Diocese is committed to ensuring that Personal Data is properly and securely managed in accordance with the relevant data protection laws and believes this is an important part of achieving trust and confidence between the Diocese and those with whom it interacts.

All Diocesan services, vicariates, parishes, departments and agencies store, collect, use and process personal information about the people they interact with for a variety of purposes. This can include information about trustees, officers, parishioners, volunteers, clergy, religious, employees, contractors, suppliers and other third parties. The Diocese must therefore comply with laws that govern the way data is processed.

Data Protection and GDPR

The General Data Protection Regulation is a regulation in EU law which standardises how data can be processed, giving people more control over their data. It is intended to make it easier to understand how data is being used.

Following Brexit, this still applies to the UK as the GDPR was retained in domestic law as the ‘UK GDPR’ in 2021. In practice, there is little change to the core data protection principles, rights and obligations.

The Data Protection Act 2018 sets out the framework for data protection law in the UK. It sits alongside the GDPR and tailors how it applies. The regulatory body in the UK is the Information Commissioner’s Office (ICO).

Privacy Notice

The Diocesan Privacy Notice provides information on what personal data the Diocese may hold about you, how and why the Diocese may use your data and who it may be shared with.

Policy and Procedures

Data Protection Policy

This policy explains how the Diocese of Hexham and Newcastle protects personal data

Subject Access Requests

This policy and procedure explains how the Diocese will deal with any subject access requests.

To make a request, we encourage you to use a version of the form below which will provide us with the details we need to process your request efficiently. You can, however, also make a request by getting in touch using the contact details below.

Diocesan Subject Access Request Form: Word | PDF

Data Breach Policy

This policy and procedure explains how the Diocese will deal with data breaches.

Policy and Procedures

Parish Support

Data Protection shouldn’t be a barrier to parish ministry, but it is something we all need to be aware of to ensure we only use people’s data in ways that they would expect. The Data Protection Team is here to help support parishes by responding to any data protection queries, producing guidance, policy and template documentation and any other support as necessary. We encourage you to get in touch with us with any questions you may have using the contact details below.

Frequently Asked Questions

You can check whether we have already answered your query by reading our Frequently Asked Questions section. More comprehensive guidance is provided in the documents below.

Data Protection and GDPR: A guide for parishes

This guidance document provides information regarding data protection and GDPR for clergy, parish staff, parish volunteers and all those who regularly encounter personal data in their role.

Data Protection and GDPR: A quick guide

This quick guide to data protection and GDPR should be ready by all those who occasionally encounter personal data and anyone else who wants more information on how parishes may use personal data.

Data Audits (record of processing activities)

All parishes are required to keep a record of the data they process. The templates below can be used for this purpose. Provided is a blank template and an example of a completed audit, which can be adapted to suit the parish.

Data Audit Blank Template: Excel | Word
Data Audit Example: Excel | Word

Template Forms

The forms below can be used and adapted by parishes. Where required, the forms have appropriate consent wording, and all include the required privacy notice.

Template Forms

Access to Care Records

The Diocese of Hexham and Newcastle holds data in relation to several closed Catholic care homes including:

  • St Peter’s Home/School for Roman Catholic Boys, Gainford
  • St Joseph’s Industrial School for Roman Catholic Girls, Darlington
  • St Mary’s Home/School, Tudhoe
  • St Vincent’s Industrial School for Roman Catholic Boys, Newcastle

We also hold data in relation to the social work of the former Catholic Care North East and the Hexham and Newcastle Diocesan Rescue Society.

Accessing Your Own Care Data/Requests on behalf of a Living Person

To enquire about accessing your own data or make a request on behalf of someone living who was in care, it is recommended that you complete a version of the form below and send to us. Providing us with the information requested on the form allows us to deal with your request efficiently. You can also request the information by getting in touch using the contact details below.

Diocesan Care Record Subject Access Request Form: Word | PDF

Accessing the Information of a Deceased Person

It is possible to make a request to access the data of a deceased close family member: you will, however, need to provide evidence that the person is deceased and that you have a right to access their information.

To make a request for access to the data of a person who is deceased, it is recommended that you complete a version of the form below. Providing us with the information requested on the form allows us to deal with your request efficiently. You can also request the information by getting in touch using the contact details below.

Diocesan Care Record Deceased Access Form: Word | PDF

General Research

We can provide information for general research purposes. Please note that using advice from The National Archives, we have applied a ‘lifetime of individuals’ closure period. This is assumed to be 110 years but can be adjusted down from a known or assumed age.

You can request access to information by getting in touch using the contact details below.

Post 1982/Adoption Care File Access

For enquiries about those who entered into care after 1982 or for any adoption queries, please contact St Cuthbert’s Care by email or tel: 0191 228 0111.

Frequently Asked Questions

If you have any unanswered questions please review the ‘Frequently Asked Questions’ by topics below. If you are still unable to locate an answer to your question you can also ask us directly by getting in touch using the contact details below.

Contacting Parishioners and Volunteers

If the priest or member of the parish team wants to contact a parishioner with regards to parish matters, then that is fine as there is a legitimate interest in contacting that person.

No – the initial contact must come from the parish unless consent to pass details on has been obtained. The parish has a legitimate interest in contacting parishioners and can act in the interests of a third party (groups such as SVP or Legion of Mary). However, the information must be sent initially by the parish as it would not be appropriate to share personal details with the groups as people may not reasonably expect this.

No – we wouldn’t rely on consent as the basis to collect the contact details of volunteers. If we can’t contact people about their role, the parish can’t really function. It is best to give people choice about their contact preferences, however.

An example form for collecting contact details is available.

It would be reasonable to assume that in the case of a bereaved parishioner or family, due to their relationship with the clergy member, that he would offer support at this time. That may come in the form of a phone call or the offer of a visit. The parishioner(s) would likely expect that their data would be used to facilitate this purpose.

However, it would not be appropriate for their personal details to be passed on to a member of the bereavement team (or any other group/individual) to make the first contact on behalf of the parish. As this will require sharing personal data, the parishioner in question would first have to give their consent to the parish priest or deacon, whether verbal or written, for him to be able to instruct a member of the team to get in touch.

If this is not possible, an invitation could be posted to the person from the parish inviting them to get in touch if they need support with information on who they should contact.

At this point, it would also be suitable for the person contacting them to allow the person to decide if they wish to be contacted again, e.g. for further support or for the purposes or arranging an anniversary Mass for the person who has died.

It is highly important that in this situation where people may find contact from an unfamiliar person very intrusive, that it is handled sensitively as possible and with the utmost regard for their personal freedoms.

You can only contact people on the parish register about events if you have consent to do so. This can be seen as marketing and therefore consent is needed. You must also only contact them in the ways they have consented to.

An example Keeping in Touch form is available.

Parish Ministry

If the sick list is published in any way, e.g. in the parish newsletter or on the parish website, consent should be obtained.

A simple form can be used for the individual to provide consent. If a form is not appropriate for the situation, consent can also be given verbally by the individual. A note of this verbal consent should be made as evidence. Consent can also be withdrawn verbally.

If an adult does not have the mental capacity to consent, a close family member who you know to have the correct authority to do so, or someone who has a health and wellbeing power of attorney may give consent on their behalf.

Similarly with Mass intentions, for all those living, the submission of the intention if published should be with consent or consent of a third party as detailed above. Those that wish to submit for another person can be listed as a private intention.

A sample consent form is available.

No – there is little benefit to removing information that has already been made publicly available. It would not be practical to amend or destroy information that has already been seen and is in the public domain.

Sharing Personal Data

To be able to pass on personal contact details, you must check with the person first and gain consent. If it is likely you will want to be able to share contact details of volunteers with other volunteers you should ask all volunteers to complete a consent form (or give verbal consent that you record) in which they are given a choice as to who has access to their information.

An example rota consent form is available.

It is best practice to confirm with your volunteers if you are going to display their name in a public place. This could be a case of obtaining their verbal consent to do so and making a record of this.

The parish has a legitimate interest in sending the parents of those baptised the school prospectus as they can act in the interests of a third party (the school). However, the information must be sent by the parish as it would not be appropriate to share the details with the school as parents may not reasonably expect this.

Should you need to send any data outside of the UK/European Economic Area, for example, sending information to another Diocese about a couple wishing to marry abroad, you should gain explicit consent from the data subject.

If leaving forms at the back of church for people to complete, make sure that if they contain personal data, there is somewhere secure for the forms to be deposited. This could be in the form of a secure box, they could be posted through the door of the presbytery or you could ask for them to be handed to an assigned person.

Any information with parishioners’ name and address on should not be left unattended in church. A volunteer could hand out anything of this nature or allow people to access the items on request.

Requests for Personal Data

Any person has a right to make a request for a copy of their personal data. This is known as making a Subject Access Request (SAR). The request may be made by email, letter, social media or verbally.

If you receive a request you must notify the Data Protection Lead immediately on
0191 243 3317 or by email at data.protection@diocesehn.org.uk.

Requests for data, such as a copy of a baptism certificate, do not constitute a subject access request and can be dealt with locally as currently. However, you should make reasonable efforts to ensure you provide these only to the person named on the certificate (or the parent/guardian in the case of those under 12) and ensure you have verified their identity.

No because the registers reveal information about people’s religious beliefs, the Bishops’ Conference require that they are closed for 110 years to the public following advice from the Catholic Archives Society. Individuals may only access data about themselves and not about third parties during this period. This can be provided as long as no data about other subjects is revealed in the process.

Data Breaches

A data breach occurs when a security incident leads to the loss, destruction, alteration or unauthorised disclosure of personal data. Examples of a breach in a parish include:

  • An email containing personal data is sent to the wrong person or people.
  • A batch of records containing personal data is lost.
  • A device holding personal data is lost or stolen.
  • A third party has gained access to a parish computer.
  • A break in of a secure room has occurred and personal data is missing or may have been accessed.

The person who has identified the breach must contact the Data Protection Lead immediately on 0191 243 3317.

Retention of Parish Data

A Retention Schedule for Parishes has been produced. If you have any questions regarding this, please contact the Data Protection Lead.

Any paperwork that contains personal data should be securely shredded using a cross-cut shredder or you can use a shredding service who will provide a certificate of destruction.

Photography

Taking photos for personal use is not covered by data protection laws or GDPR so technically it is fine to do so. However, the parish priest giving Mass or person running an event may decide that it isn’t appropriate to have photography depending on what the occasion is and if it may be a distraction for people attending.

You may also want to remind people to check it is okay to post photographs on social media of other people’s children. This is a sensible policy, but it’s not a data protection issue because the law doesn’t cover private social media posts shared with friends and family.

Taking photos, recording footage and live streaming in churches or at parish events on behalf of the parish are considered as processing personal data and can potentially reveal sensitive information about a person (religious beliefs) and therefore consideration should be given to how these are used.

Please see the ‘Photos, Recording and Live Streaming’ section of the Data Protection and GDPR: A Guide for Parishes handbook for more information on this.

If you wish to do so you must make sure that you have the explicit consent of the children’s parents or guardian.

Contact Us

Data Protection Lead and Data Protection Support Manager

Catherine Joyce

Tel: 0191 243 3317

Email: data.protection@diocesehn.org.uk