The Data Protection Act 1998 replaces the Data Protection Act 1984. The new Act extends the provisions of the previous Act to much paper-based material, and introduces a category of sensitive personal data.
All data relating to a person must be kept in line with the following principles.
Data should be:
The Data Protection Registrar has been replaced by a Data Protection Commissioner, and registration with the Registrar's Office has been replaced by a process of notification. Notification is to be renewed every year, rather than every three years as for registration. A fee remains payable.
All data controllers processing personal data on a computer (or other automated equipment) should notify the Commissioner unless they are able to take advantage of the exemptions (see below). Failure to notify is a criminal offence. Data controllers are those persons or bodies who control or use the data in question. For parochial records this would normally be the PCC; for other records kept personally by the incumbent, he or she is the data controller. Any person or body that merely processes data for a data controller is classified as a computer bureau and does not need to notify.
There is no requirement to notify if data is kept in paper based files BUT ALL DATA MUST STILL BE KEPT AND PROCESSED IN LINE WITH THE ABOVE PRINCIPLES.
Those persons or bodies previously classified as data users under the old Act become data controllers, but if they were previously registered they need not take any action to notify the Commissioner. They will be sent a form to do so at the time they would normally renew their registration.
PCCs, incumbents, archdeacons, bishops, the London Diocesan Fund and the London Diocesan Boards for Schools are separate legal entities under the Act and are required to notify separately. However, if data is held and processed in line with the normal administration of the parish, PCCs should not need to notify. The same exemption from notification will normally apply to an incumbent unless pastoral care records are held on a computer. If a parish keeps records above and beyond "normal administration" then the advice of the Data Protection Commissioner's office should be sought.
Any individual about whom data is kept is allowed to request access to all data relating to them. This must be complied with within 40 days and can be subject to a maximum fee of £10 (correct at 31 July 2009). All data held about an individual REGARDLESS OF THE FORMAT (i.e. including paper based records) should be disclosed, including job references and any other personnel records, but subject to various exceptions. All information under the control of the PCC, incumbent or other data controller must be revealed REGARDLESS OF WHO ACTUALLY KEEPS THE DATA. If the PCC secretary, the PCC treasurer and the electoral roll officer all keep separate records they must all be included in the response to the subject access request. It is not the individual's responsibility to ask each person.
When revealing data that includes data relevant to another person, you must be careful not to reveal the identity of that other person without their consent. For example, in a reference you could replace "The Revd John Smith said" with "the Revd XY said".
The Act introduces a new category:
Greater consent from the individual concerned, and a higher level of security, are required to keep records concerning the following subjects:
In assessing whether a record should be kept, the data controller (normally the incumbent or PCC) should assess the purpose for which it is kept. They should then determine in relation to the purpose whether the data is relevant and no more than is required to meet the purpose. They should then ask if the data is current and up to date, and whether it is still required for the purpose. If these conditions are not met the data should be deleted.
The data controller must further ensure that the data is kept securely and not disclosed to a third party without consent, or transferred to any country without adequate data protection. This is particularly important with the increased use of email to distribute information.
Further information can be obtained from the Synod Office at London Diocesan House (020 7932 1228) or the Data Protection Commissioner's office (01625 545740).