General Data Protection Requirements
Recommendations for Parishes
Parish E-mail Address
This must be a dedicated email account, and not a priest’s personal e-mail address that is also used for parish business. This allows for a proper separation and security of data and ensures that people’s personal data does not move when a priest moves. It also protects the priest’s personal data. Priests are strongly advised to have their own device which is a separate entity from the parish device.
Make sure you are sending the e-mail to the correct recipient. If there is more than one recipient the bcc option must be used. (Applicable to Group e-mail addresses also). This will stop other people’s e-mail addresses appearing.
If you are replying to an e-mail that has been copied to other people consider who you are replying to: the sender and all those copied in or just the sender.
If you are attaching files which contain personal data to the email, these should ideally be password protected, and the password sent by a different means of communication e.g. phone call.
Ensure all the virus protections, fire walls and any other precautionary measure are valid and in place. This includes personal devices which you connect to your parish internet connection, even if these devices do not store any parish or diocesan data.
Higher security types of passwords must be used if you have a smart phone linked to parish emails or files stored in the cloud.
Automatic ‘time-out screen locks’ with a password should be enabled on all electronic equipment that has access to diocesan or parish data.
Files stored on computers and electronic devices (or those stored elsewhere which can be accessed through an electronic device) should be password protected. This would especially include items with personal information on such as sick lists, sacramental programme participants’ details, employee details, gift aid information.
Diocesan Data Privacy Notices.
This is on the Diocesan Website in both full and condensed versions. Reference to this notice should also be made on parish websites. A reference note should also be added to Sacramental Requests Forms (see below).
Any rota displayed in our buildings should not normally show any personal contact details. Contact details should only be collected and distributed from and to the named people on the rota, plus the parish office.
The contact details of parishioners, volunteers and other people whom we have contact with should be kept out of general sight, and not shared without permission.
Should be kept in a safe and secure place, (preferably a safe with which should be fire resistant to prevent possible loss of personal data).
- Any requests to view parish registers which may refer to a living person should normally be refused; however, an individual has the right to know what information the Diocese holds on them.
- If a person requests to see their own entry in a register (and proof of identity is given), then that person may be shown his/her personal entry. Any other entries that are on the same page should be covered over. Note that people have a right to know what data we hold on them, rather than an absolute right to view a register. The person may also be provided with a copy of the information or it may be read out to them.
- Requests to change amend or delete information in the parish registers must be refused (except perhaps to correct simple errors such as a misspelled name where a marginal note can be added).
- Registers less than 100 years old should not be deposited in public records offices.
Issuing Sacramental Certificates
Requests for a copy of register entries for an adult should be issued only to the person the information pertains to. The request therefore should normally be made by that individual and the person issuing the certificate should be satisfied that the
applicant is the person to whom the data refers. Requests are often made over the phone or by e-mail and there is still the need to verify the validity.
Consideration should be given to what the information is when deciding to send documents through the post. This applies to within the UK/EEA/other countries.
Requests for baptism certificates (and the completion of Supplementary Information Forms) as part of an application for a school place should only be accepted from the parent/guardian of the child concerned. The person issuing the certificate should be satisfied that the person making the request is the parent/guardian of the child. In some cases, it may be appropriate to simply state in writing that an individual has been baptised as a Catholic, rather than issuing a full copy of a baptismal entry.
Subject Access Requests
If there is uncertainty about the validity of a request for information or the request is broad-sweeping, then a referral should be made to the Data Protection Officer.
Requests for Information under the Freedom of Information Act.
The Freedom of Information Act does not apply to the Diocese.
Sample Texts on Application Forms for Sacramental Preparation
Application forms for Baptism must show information similar to the following.
“By making this request you are agreeing to your child’s name and date of birth, parents’ name and address, and godparents’ names being entered as a permanent and unalterable record in the parish register. Your child’s name may also be shown
on the parish weekly newsletter. Please see the privacy notice on the website of Lancaster Diocese. The information you provide will not be shared with third parties”.
Invitation to Join a Sacramental Preparation Programme.
“Please note that when you enrol your child on (enter date) you will be asked to provide contact information and any medical condition that your child has. This and any other information will be retained by the parish for the sole use of contacting
you in an emergency or to receive reminders of sessions. (Group messages may be used with your express permission). The forms with all this information will be kept for the duration of the programme and plus a further ten years (see below). It
will not be used for any other purpose or be shared with anybody outside the Catechists’ group. (For Confirmation, a Parish Register will show details of name and date of receipt of the Sacrament, and notification sent to the parish of baptism).
Please also see the privacy notice on the website of Lancaster Diocese”. Forms should be kept for ten (10) years after the event. (as advised by the Safeguarding Office.)
Notices stating that CCTV is in operation should be on display in prominent positions around the premises, especially at entry points to areas covered by CCTV. The notices should be GDPR compliant and give contact information for any queries and state that the system is operated by Lancaster Diocese.
Follow the guidelines issued by the Safeguarding Office and consult your Parish Safeguarding Representative.