On May 25th 2018 significant changes to data protection laws are coming into force that replace the 1998 Act. You can find out more detail at the Information Commissioner’s Office.
DISCLAIMER: The information provided below is intended to introduce the subject but does not constitute legal advice. Be sure to get the appropriate qualified advice for your own situation.
In addition to the way Klemi helps churches comply with existing pre-2018 legislation, Klemi aims to help churches comply with GDPR in the following ways:
The Principle of Accountability
GDPR requires that you not only state you are compliant but demonstrate it. Here a tool like Klemi is a huge help. By having clergy and volunteers use a single, central platform you already have an agreed method for saving data, recording consent, and a pathway for removing data (in Klemi’s case, archiving and deleting). By holding your data centrally you are encouraging users away from storing data individually on PCs, USB drives, mobiles, etc., something they tend to do with less transparency and consistency where there is no centralised data record. Because of the way it is designed, Klemi requires certain data workflows which are easy to identify and audit.
Am I Processing Data Lawfully?
Processing involves operations like collecting, editing, storing/holding, disclosing, sharing, archiving, viewing, recording, listening to, and erasing/deleting. Under the GDPR you need to show that your data processing is done lawfully. This is important because the data churches collect will be classed as sensitive, as it relates to religious belief. Some data processing can be done without explicit consent where the processing is done for “legitimate interests”. However, these also need to be weighed against any prejudice to the legitimate interests of the data subject. Klemi’s member tagging feature can help you identify on what basis you are holding information for that member (is it because they’re a kids’ holiday club contact, or because they are on your church electoral roll, etc.) and therefore clarify what constitutes fair usage of their data. You may need to record your users’ explicit consent to hold their data. Klemi allows you to record this in each member record. You will need to create a privacy notice – more on that from the C of E website.
Consent needs to be freely given, specific, informed, unambiguous and able to be withdrawn; you also need to record how and when the consent was obtained. Klemi has three different consent fields: consent to hold information, consent for information to be published in an address book, and parental consent for a child to attend a youth group. Klemi also keeps a record of when consent was given, which you can access from the member profile. You should note that consent may not always be the appropriate basis.
Data Protection Impact Assessment Information (DPIA)
A DPIA may be necessary. If you’re using Klemi, here are some suggested questions and answers you might want to include in a Data Protection Impact Assessment. Note that these are only a guide and are very limited: they make a number of assumptions about your usage of Klemi which may not be accurate. Their purpose is to get you thinking about the appropriate answers in your context.
Name of Process: Collecting member data on Klemi
Purpose of Process: to share access to contact details for church members between church staff so that members can be contacted where appropriate
Legal Basis: Legitimate Interests
Where does the data come from: Submissions from church members
In which locations does the processing take place: Online entry / Paper submission via church administrator / Data is held on Klemi (in EU region)
Who is impacted by the processing: Staff, Church members
What is the process for deleting the data: Archiving on Klemi when members move away / deletion after x years. There’s more on data retention here
Describe the process workflow: Members submit their information via paper forms or online, and staff transfer this information to the Klemi software system.
What risks are there to the data subject: If data is accessed without authorisation it may be copied, and sensitive information such as religious affiliation, home address, and contact information may be shared with third parties.
What measures are currently in place to protect the subject and their rights: The Church Data Protection Officer controls access to Klemi and therefore to user data. Only those with appropriate levels of responsibility are given such access.
What additional measures will you put in place to ensure all risks are covered: Organise training for Klemi users so they understand the risks to user data
GDPR is a big topic and the above only touches the surface. You can find more at the Church of England website, an extensive overview from the Methodists, and a useful and thorough treatment by the Baptist church including a handy checklist at the end.