DATA PROTECTION ACT 2018
(DIOCESE OF ACHONRY)
(DATA PROTECTION STATEMENT)
General Data Protection Regulation Overview
The General Data Protection Regulation (GDPR) took effect across Europe on 25th May 2018. It replaces the existing law on data protection and gives individuals more rights and protection in how their personal data is used by organisations. Personal data is information about a living person which is capable of identifying them (e.g. their name, address or phone number). From 25th May 2018, people need to give their consent. The consent must be clear and unambiguous. Consents need to be gathered if not already in existence. The parish of Keash recognises that good pastoral care and respect for the dignity of every person require that personal data should be sourced, stored, processed and eventually disposed of in an appropriate manner, and welcomes the essential principles underlying the GDPR.
Important Terms (Non Exhaustive)
– Personal Data is understood as “any information relating to an identified or identifiable natural person”.
– Data Processing refers to any activity undertaken involving interaction with a Data Subject’s personal data. Data Subjects are afforded far-reaching rights under Data Protection legislation.
– A Data Subject is the natural person whose personal data is being processed.
– The Data Controller / Data Processor is the person or organisation involved in data processing activities. A large amount of responsibility is imposed on data processors and controllers under Data Protection legislation.
– The Data Protection Officer is the person nominated by the Diocese/Parish to support all activities in relation to Data Protection compliance.
– A data breach occurs where a breach of security leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data which we as a Diocese have transmitted, stored or otherwise processed.
Who is “Keash Parish”
Keash parish is a Roman Catholic Parish based in County Sligo, consisting of both Keash and Culfadda. Keash Parish forms part of the diocese of Achonry. Fr. Gabriel Murphy is the present parish priest. Keash parish is a controller responsible for personal data.
Has Keash Parish a Data Protection Officer (DPO)
The Diocese of Achonry (of which the parish of Keash forms part) has appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this data protection statement and our approach to Privacy. If you have any questions about this Data Protection Statement, including any request to exercise your legal rights, please contact the DPO using the details set out below:-
DPO Contact details:-
Ms. Darina Ryan-Pilkington at email@example.com or 0852848825.
How does this apply to the Parish of Keash
If you work or volunteer in an organisation that holds information about people, then this DOES apply to you. In practice most church organisations will be storing and using some personal information. Parishes must comply with the GDPR’s requirements, just like any other charity or organisation.
Informed, explicit and unambiguous consent is required in order for the Parish of Keash to process personal data, unless we (i.e. the Parish of Keash) are, for example, processing data in the legitimate interests of our Diocese or in compliance with Law. Where contact with a Parishioner falls outside of this, e.g. an email address given for the Parish Readers’ Rota is used to contact a Parishioner about an upcoming fundraising event, we have fallen outside the scope of legitimate interest and must instead seek the explicit consent of the Parishioner to gather and use their contact details. Data subjects are entitled to withdraw their consent at any time.
We define retention periods to determine how long we can store Personal Data in our Diocese. During the annual review, retention periods apply to hard and soft copies of all documents and files, as well as any back-ups which may exist. This means that archives and old storage devices/locations are also subject to the annual review. Under current legislation, all Data Subjects have the right to erasure, more commonly known as the “right to be forgotten”.
When a data subject submits a Subject Access Request to receive a copy of all the information we hold on them, we must respond within one month of receiving the request. If information relating to the data subject references a third party, we may not be required / allowed to disclose it.
Data Protection in the Parish of Keash
Data Protection is embraced at all levels across our Parish. In our day to day activities, the following activities ensure that we are data aware and data compliant:
– All application and registration forms for lay ministry, fundraising activities, pilgrimages, etc., will now include a paragraph on consent, which will also mention how the Parishioner can “opt out” of receiving communication.
– Where a Parish / Diocese can categorically say that they will not contact a Parishioner for any other reason than that for which they have signed up, they do not have to gather consent.
– Absolutely all third party service providers and contractors must comply with current Data Protection legislation.
– When engaging in contract negotiations with any third parties who will be processing personal data on behalf of the Parish or Diocese, it will be ensured that they take a rigorous and proactive approach to maintaining data security.
– Contracts and Service Level Agreements will feature a paragraph on Data Protection to ensure our and our contractors’ compliance with legislation.
– Only suitable Authorised Persons have access to files and databases containing personal data. Where Employees or Volunteers carry out their work externally, due care will be taken in relation to the security of personal data.
– Access rights to files and databases containing personal data are regularly reviewed and updated.
– If Passwords are in use, they will be unique and not be shared.
– If Files are being saved in suitable folders on a PC, they will be protected where necessary and not left readily accessible, e.g. saved on the desktop.
– Computers will be regularly locked when unattended or not in use.
– Employees and Volunteers use the email addresses which have been assigned to them, avoiding unsafe platforms like Gmail or Yahoo.
– Email signatures will feature a confidentiality disclaimer.
– Printouts containing personal data are disposed of in an appropriate manner.
– Files containing Personal Data are regularly checked for accuracy and relevance. Any Personal Data which is no longer in use will be removed from files. Personal Data should only be retained for a period of time that is perceived to be reasonably necessary. Retention of Personal Data on a “just in case” basis poses a risk to GDPR compliance.
– Where databases and software solutions are provided by third party contractors, compliance is guaranteed through the SLA.
– Only Authorised Persons shall have access to files in the Accounts department. Where Employees or Volunteers carry out their work externally, due care will be taken in relation to the security of personal data.
– Retention periods for files kept in the Accounts department will be in line with Revenue requirements (See Payroll/Personnel Files below).
– Access to Accounts Files will be physically restricted by means of secured storage, e.g. locked filing cabinets or combination safes.
– Information relating to financial contributions received will continue to be treated in the strictest confidence to avoid potential data breaches.
– Invoices / Bills / Purchase Orders must be kept for a minimum of 6 years before being destroyed in line with Revenue requirements. Please note that this means six years after the transaction or project has been completed as opposed to started.
– Monthly/Annual reports sent from Parishes to the Diocesan Accounts department will be password protected and/or saved into a secured shared folder (if sent from a computer).
– Where accounts are managed by means of a software system, care will be taken to regularly change passwords in order to avoid unauthorised access. This is particularly important when Employees / Volunteers have external access to accounts e.g. from their own home.
Buildings, Property and Projects:
– Deeds and documents relating to property in the Parish or Diocese’s portfolio are retained by the Diocese. Access to these documents will be physically restricted by means of secured access, and only Authorised Persons shall have access to these files.
– Documents relating to ongoing or past building projects in the diocese shall be subject to the following retention periods:
o Tender documents, contracts and agreed specifications for minor and repair works to existing buildings should be retained for 6 years after completion of works.
o All documents relating to major building works should be retained indefinitely and transferred to the Diocesan archive.
o Any documents relating to Parish boundaries should be retained indefinitely and transferred to the Diocesan archive.
Payroll and Personnel Files:
– Due to the sensitive nature of Personnel File content, only Authorised Persons shall have access to Personnel Files, e.g. only the Parish Priest will have access to the Personnel Files for his Parish.
– Where Employees or Volunteers carry out their work externally, due care must still be taken in relation to the security of personal data.
– Access to Personnel Files will be physically restricted by means of secured storage, e.g. locked filing cabinets or combination safes.
– An annual check of the content of all Diocesan / Parish Personnel Files will be undertaken by the relevant Authorised Persons.
– The following retention periods will apply to Personnel file contents:
o Application details for candidates who were unsuccessful in a recruitment campaign should be kept for 12 months from date of rejection.
o Terms and conditions of employment must only be retained for the duration of employment. These records should be kept for no longer than 12 months after the cessation of employment.
o Payslips / proof that an employee was paid in line with the National Minimum Wage should be kept for 6 years after cessation of employment.
o Records of weekly worked hours, the name and address of the employee, the employee’s PPS number and a statement of their duties as prescribed under the Organisation of Working Time Act 1997 should be kept for 3 years after cessation of employment.
o Records relating to employees who were under the age of 18 (if applicable) for the period of their employment should be retained for a period of 3 years after cessation of employment.
o In cases of collective redundancies (if applicable), records should be retained for 3 years from the date of redundancy.
o Where an employee avails of parental or force majeure leave during the course of their employment, the Parental Leave Acts 1998-2006 provide for retention of records for 8 years from cessation of employment.
o Employee tax records must be kept for 6 years from cessation of employment.
o Signed Confidentiality Agreements should be kept for 6 years from cessation of employment.
o Where an employee is involved in a workplace accident, records of this should be kept for 10 years from cessation of employment.
– A common sense approach will also be taken. Personnel files should contain only factual information pertaining to a person’s employment, and should not contain any notes or subjective opinions in relation to any of the records mentioned above.
Child Safeguarding Files:
– Only Authorised Persons shall have access to Safeguarding Information, e.g. the Bishop, Chancellor, Director of Safeguarding and Designated Liaison Officer.
– Access to the files will be physically restricted by means of secured storage, e.g. locked filing cabinets or combination safes. This same level of security is applied to all Safeguarding related documents in archives.
– Safeguarding records are held in perpetuity. This includes the information recorded in each Parish’s sacristy register.
– In general, a common sense approach to the contents of documents related to Safeguarding must be taken. These records should contain only factual and relevant information, and should not contain any personal notes or subjective opinions.
– An annual check of the content of all Diocesan / Parish Safeguarding records will be undertaken by the relevant Authorised Persons.
Parish Files and Records:
– Only Authorised Persons shall have access to files containing Personal Data at a Parish level, e.g. the Parish Priest and/or Secretary.
– Access to these files will be physically restricted by means of secured storage, e.g. locked filing cabinets or combination safes. Particular care will be taken in relation to Safeguarding files.
– An annual check of the content of files containing Personal Data will be undertaken by the relevant Authorised Persons. This content check will ensure that information held in each Parish is relevant, accurate and not being retained for longer than necessary.
– The following retention periods will apply to Parish Files and Records – every effort will be made to keep this list accurate and up to date:
o Safeguarding files, e.g. application forms: Held in perpetuity.
o Parish Sacramental Registers: Parish Sacramental Registers have a permanent reference and should be held in perpetuity.
o Sacramental Application Forms: Sacramental Application Forms are intended for the purpose of facilitating sacramental preparation, celebration and registration.
o HR/Personnel Files: Please see Policy on Personnel File Management for specific information.
o Contact details and other personal data of lay ministers, fundraisers, etc.: these should only be retained for as long as the Parishioner is engaged in ministry or other activities on behalf of the Parish.
o Minutes from Meetings: Meeting minutes should only contain a factual account of what was discussed and agreed during a meeting, without referring to opinions expressed by individuals. Minutes should be kept for as long as is deemed reasonably necessary. During the annual content check, the Authorised Person for the Parish or Diocese should use their judgement to decide on this. Keeping minutes on a “just in case” basis poses a risk to GDPR compliance.
o Records of one to one meetings: Insofar as is possible, please apply the same logic as above.
o Records of contributions and donations: these should be anonymised insofar as is practical, and access to contributor details should only be assigned to Authorised Persons. These details should be kept for as long as is deemed reasonably necessary, giving due consideration to Revenue requirements.
o Correspondence to and from parishioners or others about the activity of the parish: details of correspondence must only be retained where and for as long as is reasonably necessary.
CCTV, Webcams and Livestreaming: (not applicable at present)
– It is not advised that anyone record celebrations or ceremonies which take place in the church and if they do so, they take responsibility for it themselves.
– CCTV recording takes place in order to detect intruders, and will not be used for the purposes of monitoring employees or volunteers.
– All buildings and surrounding areas covered in the scope of CCTV cameras will be clearly outlined on a Risk Assessment / overview which will be made available upon request.
– Notices will be put in place to inform all potential Data Subjects of the presence and purpose of CCTV cameras.
– CCTV footage will be retained for a period of 30 days, unless required for the purposes of an investigation.
– Outsourced CCTV services must comply with the above requirements.
– Webcams and Livestreaming have been introduced solely as an alternative means for Parishioners to enjoy the celebration of Mass and the Sacraments. Webcams in Churches are not used to monitor Employees or Parishioners.
– Notices will be put in place to inform all potential Data Subjects of the presence and purpose of the webcams. The scope of the webcam(s) will be indicated at the entrance to the Church, to afford Parishioners the opportunity to “opt out” of streaming or recording.
– Recordings of a small number of celebrations, e.g. Christmas, will be retained for one month. In these instances, the Parish Priest will make an announcement at the beginning of the celebration to ensure the consent of Parishioners present. Where children or vulnerable adults are taking part in a celebration, consent and/or parental consent will be sought in advance.
– Outsourced Webcam and Livestreaming services must comply with the above requirements.
Social Media and Websites
– Social Media sites e.g. Facebook or Instagram operated by the Parish or Diocese should have restricted edit access.
– Posts or photographs which contain personal data must have the prior consent of the Data Subject before being posted on social media or websites.
– Posts or photographs which contain personal data must be deleted or archived after one year. If the information is archived, suitable location and access must be defined.
Requests for Certificates
Copies of certificates held in the Parish or Diocesan offices can only be requested in writing and registers are not to be made accessible to the public. These written requests should be destroyed once processed. If we have any doubts regarding the identity of the person requesting the information, reasonable means should be used to confirm identity. The “100-year rule” will be used to reasonably assume whether someone is dead or still protected by Data Protection legislation.
Special Conditions for religious not-for-profit bodies
While we will rely on consent for most of our communications, there will be some data processing we will want to do as part of normal church management for which we will not need to gain specific consent for that particular action – holding lists of group members, for example. This is covered by a special condition under the GDPR for religious not-for-profit bodies, provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent.
Subject Access Requests
Subject Access Requests must be received in writing and referred immediately upon receipt to the Data Protection Officer. If a SAR is made verbally, please advise the Data Subject to send their request in writing to a suitable postal or email address. The DPO can be informed via phone or email of the SAR, and should be forwarded a copy of the written request as soon as possible. The DPO will then work together with the impacted Diocese / Parish to ensure that the SAR is completed at no cost to the Data Subject, within one month of receipt. Certain exceptions will apply, whereby the Diocese/Parish may not be required or legally permitted to release certain data, but this will be discussed and clarified with the DPO and, where necessary, the Diocese’s appointed legal counsel. If you have any doubts regarding the identity of the person requesting the information, reasonable means should be used to confirm identity.
Right to Rectification
All Data Subjects have the right to have their information updated or removed where it is not accurate, provided it will not impact on the rights and freedoms of another natural person. Again, these requests should be received in writing and processed at the earliest convenience. If we have any doubts regarding the identity of the person requesting the information, reasonable means should be used to confirm identity.
Data Protection Impact Assessments
DPIAs should form the basis for all new processes in the Diocese which will involve data processing. DPIAs are similar to Risk Assessments, in that they will identify the potential challenges posed by implementing new processes, and also identify potential solutions to offset these challenges. The DPO can provide a DPIA checklist.
First and foremost, we must all be completely committed to the avoidance under all circumstances of Data Breaches. Data Breaches must be reported to the Office of the Data Protection Commissioner within 72 hours, unless the breach poses no risk to the rights or freedoms of any natural person. Where we do not report the breach within 72 hours, we must inform the Data Protection Commissioner of the reasons for the delay.
All third party service providers associated with the Diocese are obliged to comply with this requirement.
Right to Erasure
All Data Subjects have a right to be forgotten, where requested. This can pose certain difficulties for the diocese under Canon Law. The Right to Erasure cannot be invoked in cases of legal disputes or investigations, e.g. in Child Safeguarding matters. Where a Parishioner, for example, requests to be forgotten by virtue of leaving the Catholic Church, it is our current understanding that we may retain certain factual records, e.g. entries on baptismal records. This may be subject to change following future guidance from the Data Protection Commissioner.
Annual reviews should be completed at times which are practical and convenient for the Parish or Diocese, but must be completed. To this end, the Parish or Diocese may choose to split their full Annual Review over three separate review periods, which is facilitated in the annual review template. The responsibility for full completion will lie with the Parish or Diocese themselves.
If you need further clarification or information on anything outlined above, please contact:
– Data Protection Commissioner (Ireland) – http://gdprandyou.ie/
– The Information Commissioner (UK) – www.ico.org.uk
– European Parliament – www.eugdpr.org/
For all queries relating to the above, please contact the Diocesan Data Protection Officer, Darina Ryan-Pilkington, at firstname.lastname@example.org or 0852848825.