Data Protection

If the priest or member of the parish team wants to contact a parishioner with regards to parish matters, then that is fine as there is a legitimate interest in contacting that person.

No – the initial contact must come from the parish unless consent to pass details on has been obtained. The parish has a legitimate interest in contacting parishioners and can act in the interests of a third party (groups such as SVP or Legion of Mary). However, the information must be sent initially by the parish as it would not be appropriate to share personal details with the groups as people may not reasonably expect this.

No – we wouldn’t rely on consent as the basis to collect the contact details of volunteers. If we can’t contact people about their role, the parish can’t really function. It is best to give people choice about their contact preferences, however.

An example form for collecting contact details is available.

It would be reasonable to assume that in the case of a bereaved parishioner or family, due to their relationship with the clergy member, that he would offer support at this time. That may come in the form of a phone call or the offer of a visit. The parishioner(s) would likely expect that their data would be used to facilitate this purpose.

However, it would not be appropriate for their personal details to be passed on to a member of the bereavement team (or any other group/individual) to make the first contact on behalf of the parish. As this will require sharing personal data, the parishioner in question would first have to give their consent to the parish priest or deacon, whether verbal or written, for him to be able to instruct a member of the team to get in touch.

If this is not possible, an invitation could be posted to the person from the parish inviting them to get in touch if they need support with information on who they should contact.

At this point, it would also be suitable for the person contacting them to allow the person to decide if they wish to be contacted again, e.g. for further support or for the purposes or arranging an anniversary Mass for the person who has died.

It is highly important that in this situation where people may find contact from an unfamiliar person very intrusive, that it is handled sensitively as possible and with the utmost regard for their personal freedoms.

You can only contact people on the parish register about events if you have consent to do so. This can be seen as marketing and therefore consent is needed. You must also only contact them in the ways they have consented to.

An example Keeping in Touch form is available.

If the sick list is published in any way, e.g. in the parish newsletter or on the parish website, consent should be obtained.

A simple form can be used for the individual to provide consent. If a form is not appropriate for the situation, consent can also be given verbally by the individual. A note of this verbal consent should be made as evidence. Consent can also be withdrawn verbally.

If an adult does not have the mental capacity to consent, a close family member who you know to have the correct authority to do so, or someone who has a health and wellbeing power of attorney may give consent on their behalf.

Similarly with Mass intentions, for all those living, the submission of the intention if published should be with consent or consent of a third party as detailed above. Those that wish to submit for another person can be listed as a private intention.

A sample consent form is available.

No – there is little benefit to removing information that has already been made publicly available. It would not be practical to amend or destroy information that has already been seen and is in the public domain.

To be able to pass on personal contact details, you must check with the person first and gain consent. If it is likely you will want to be able to share contact details of volunteers with other volunteers you should ask all volunteers to complete a consent form (or give verbal consent that you record) in which they are given a choice as to who has access to their information.

An example rota consent form is available.

It is best practice to confirm with your volunteers if you are going to display their name in a public place. This could be a case of obtaining their verbal consent to do so and making a record of this.

The parish has a legitimate interest in sending the parents of those baptised the school prospectus as they can act in the interests of a third party (the school). However, the information must be sent by the parish as it would not be appropriate to share the details with the school as parents may not reasonably expect this.

Should you need to send any data outside of the UK/European Economic Area, for example, sending information to another Diocese about a couple wishing to marry abroad, you should gain explicit consent from the data subject.

If leaving forms at the back of church for people to complete, make sure that if they contain personal data, there is somewhere secure for the forms to be deposited. This could be in the form of a secure box, they could be posted through the door of the presbytery or you could ask for them to be handed to an assigned person.

Any information with parishioners’ name and address on should not be left unattended in church. A volunteer could hand out anything of this nature or allow people to access the items on request.

Any person has a right to make a request for a copy of their personal data. This is known as making a Subject Access Request (SAR). The request may be made by email, letter, social media or verbally.

If you receive a request you must notify the Data Protection Lead immediately on
0191 243 3317 or by email at data.protection@diocesehn.org.uk.

Requests for data, such as a copy of a baptism certificate, do not constitute a subject access request and can be dealt with locally as currently. However, you should make reasonable efforts to ensure you provide these only to the person named on the certificate (or the parent/guardian in the case of those under 12) and ensure you have verified their identity.

No because the registers reveal information about people’s religious beliefs, the Bishops’ Conference require that they are closed for 110 years to the public following advice from the Catholic Archives Society. Individuals may only access data about themselves and not about third parties during this period. This can be provided as long as no data about other subjects is revealed in the process.

A data breach occurs when a security incident leads to the loss, destruction, alteration or unauthorised disclosure of personal data. Examples of a breach in a parish include:

• An email containing personal data is sent to the wrong person or people.
• A batch of records containing personal data is lost.
• A device holding personal data is lost or stolen.
• A third party has gained access to a parish computer.
• A break in of a secure room has occurred and personal data is missing or may have been accessed.

The person who has identified the breach must contact the Data Protection Lead immediately on 0191 243 3317.

A Retention Schedule for Parishes has been produced. If you have any questions regarding this, please contact the Data Protection Lead.

Any paperwork that contains personal data should be securely shredded using a cross-cut shredder or you can use a shredding service who will provide a certificate of destruction.

Taking photos for personal use is not covered by data protection laws or GDPR so technically it is fine to do so. However, the parish priest giving Mass or person running an event may decide that it isn’t appropriate to have photography depending on what the occasion is and if it may be a distraction for people attending.

You may also want to remind people to check it is okay to post photographs on social media of other people’s children. This is a sensible policy, but it’s not a data protection issue because the law doesn’t cover private social media posts shared with friends and family.

Taking photos, recording footage and live streaming in churches or at parish events on behalf of the parish are considered as processing personal data and can potentially reveal sensitive information about a person (religious beliefs) and therefore consideration should be given to how these are used.

Please see the ‘Photos, Recording and Live Streaming’ section of the Data Protection and GDPR: A Guide for Parishes handbook for more information on this.

If you wish to do so you must make sure that you have the explicit consent of the children’s parents or guardian.