Q: Should we be concerned about the impact of GDPR to our Church?
A: Absolutely not! There is very limited impact to the local churches. The main impact will be our approach to handling Personal data going forward. We have explained in the GDPR letters issued to our members, Friends and Parents, how we intend to process their personal data. The Privacy Notice uploaded onto the NEC website and the FAQ’s, which will be publicised on the NEC website every Friday Afternoon also provides a broader explanation. Our intention is to continue to produce weekly FAQs up-to and including August 2018.
Q: If we opt out of completing the form to be added to the new members data base does this mean we are unable to maintain a current post in church or in the future?
A: Opt-in versus opt-out is one of the core principles of GDPR. In practice, this means that assumed consent cannot be given. Consent must be given willingly, freely and without coercion in order to be valid. It must be auditable (i.e. easy to track who recorded consent, how, and when) and explicit.
It is important to remember that consent is not the only legal basis for holding personal data or contacting people. If you can demonstrate another legal basis, you may not need consent.However, we recommend that you gather consent as well as you will be likely processing “special category data”
it is important to help our church member(s) understand that holding their personal data electronically or in paper-form is not something new to the church in which they attend or the NEC. The local church in which they attend and the NEC are carrying out their legal obligation in informing them of their rights under GDPR.GDPR is solely concerned with the processing of personal data not the post that an individual may currently hold or may be nominated to assume in the future.
Q: What are the implications for members who are opting out?
A: Opt-in versus opt-out is one of the core principles of GDPR. In practice, this means that assumed consent cannot be given. Consent must be given willingly, freely and without coercion in order to be valid. It must be auditable (i.e. easy to track who recorded consent, how, and when) and explicit.
It is important to remember that consent is not the only legal basis for holding personal data or contacting people. If you can demonstrate another legal basis, you may not need consent.However, we recommend that you gather consent as well as you will be likely processing “special category data”
it is important to help our church member(s) understand that holding their personal data electronically or in paper-form is not something new to the church in which they attend or the NEC. The local church in which they attend and the NEC are carrying out their legal obligation in informing them of their rights under GDPR.
Where possible meet with the individual on an individual basis to better understand their decision. If a group of church members decline to give consent, you may choose to hold a members meeting to look to answer their questions and allay their concerns. If they continue to decline to give consent, it is important to explain to them the legitimate basis for holding or processing their data. Please refer to the ‘GDPR Letter to members’ and the Privacy Notice uploaded onto the NEC website where examples are provided. Under GDPR a legitimate basis can supersede the individual’s right to give Consent.
Q: Should the Church clerk shred the old members list and ensure that all other members list currently held by Department heads are destroyed?
A: It is important to have an up to date church members list. Naturally old members list would be considered out of date in any event. At this stage the advice is to not destroy any documentation until the NEC’s Retention and Document Management Policy has been drafted and approved. Further guidance will follow in due course.
It is acceptable and good practice for all Department Heads and their assistant(s) to maintain up to date members list so as to aid their missionary and evangelistic work.
Q: Once parents have signed the parents form do they still need to sign when going on trips with Pathfinders etc or does the consent form cover every activity?
A: The consent form covers every youth activity offered by the church that they attend and the wider Church family such as the NEC. It is important to note that consent means that the parent accepts that once their child is a part of the Seventh Day Adventist family they will have access to a vast number of youth activities, events and information across the NEC.
Q: In respect of children, is it only the Elder for children’s and youth department who can have access to children’s contact details or can the AY leader and children’s coordinator also have access to the children’s details?
It is acceptable and good practice for all Department Heads and their assistant(s) to have access to the details of a child and youth so as to enhance the experience of their missionary and evangelistic work.
Q: I have just been informed that all church members personal data cannot be stored at home does this mean the church laptop that will be used to input the data cannot be used or stored at the church clerk’s home address?
A: Unacceptable storage of Personal data at the home of a Serving Church Officer relates in the main to paper-form.An electronic device such as a Laptop containing Personal Data is acceptable to use and to be stored at the home of a Serving Church Officer as long as extreme measures are in place such as passwords, encryption etc. It is advisable that such a device is not only password protected etc but securely stored in a lockable cabinet or equivalent. Access should be limited to Serving Church Board Members and their assistant(s). Where this is the case the Data Processor must comply with any relevant policies implemented by the NEC.
Q: With the changes that have come in, do we have to get rid of all the old members list that we have, or can we file them with the church records?
A: It is important to always have an up to date church members list. Naturally an old members list would be considered out of date in any event. At this stage the advice is to not destroy any documentation until the NEC’s Retention and Document Management Policy has been drafted and approved. Further guidance will follow in due course.
Q: It appears that on the parents/guardians’ letter if consent is given – the consent is to the NEC contacting children direct. I know this is not the intention – but that comes across.
A: Thank you for the feedback. The point has been noted.
Q: Some members are saying that they are happy for the local church to hold their records on paper or electronically or on paper – but NOT for the NEC to hold them in any electronic form (paper is ok). The fear is that allowing the data to be on internet would allow for government access.
A: Opt-in versus opt-out is one of the core principles of GDPR. In practice, this means that assumed consent cannot be given. Consent must be given willingly, freely and without coercion in order to be valid. It must be auditable (i.e. easy to track who recorded consent, how, and when) and explicit.
It is important to remember that consent is not the only legal basis for holding personal data or contacting people. If you can demonstrate another legal basis, you may not need consent.However, we recommend that you gather consent as well as you will be likely processing “special category data”
it is important to help our church member(s) understand that holding their personal data electronically or in paper-form is not something new to the church in which they attend or the NEC. The local church in which they attend and the NEC are carrying out their legal obligation in informing them of their rights under GDPR.
Where possible meet with the individual on an individual basis to better understand their decision. If a group of church members decline to give consent, you may choose to hold a members meeting to look to answer their questions and allay their concerns. If they continue to decline to give consent, it is important to explain to them the legitimate basis for holding or processing their data. Please refer to the ‘GDPR Letter to members’ and the Privacy Notice uploaded onto the NEC website where examples are provided. Under GDPR a legitimate basis can supersede the individual’s right to give Consent.
Additionally, it is important to help our church members to understand the message does not relate to governmental access it is concerned with strengthening our existing data protection measures and to ensure that we as a church body are compliant with GDPR.
The North England Conference (NEC) has fully implemented a new centralised database system (ACMS) to enable them to do so. Please refer to the “Letter to Members” and the Privacy Notice uploaded on the NEC website for further details.
Q: Some members will only allow NEC or local church to contact via email – but not to hold addresses or phone numbers so as to not allow contact by address or phone. Those members tend not to have email addresses either.
A:Opt-in versus opt-out is one of the core principles of GDPR. In practice, this means that assumed consent cannot be given. Consent must be given willingly, freely and without coercion in order to be valid. It must be auditable (i.e. easy to track who recorded consent, how, and when) and explicit.
It is important to remember that consent is not the only legal basis for holding personal data or contacting people. If you can demonstrate another legal basis, you may not need consent.However, we recommend that you gather consent as well as you will be likely processing “special category data”
it is important to help our church member(s) understand that holding their personal data electronically or in paper-form is not something new to the church in which they attend or the NEC. The local church in which they attend and the NEC are carrying out their legal obligation in informing them of their rights under GDPR.
Where possible meet with the individual on an individual basis to better understand their decision. If a group of church members decline to give consent, you may choose to hold a members meeting to look to answer their questions and allay their concerns. If they continue to decline to give consent, it is important to explain to them the legitimate basis for holding or processing their personal data. Please refer to the ‘GDPR Letter to members’ and the Privacy Notice uploaded onto the NEC website where examples are provided. Under GDPR a legitimate basis can supersede the individual’s right to give Consent.
The impact of such limitation should be explained to the individual. Additionally, it is important to help our church member(s) understand that holding their personal data electronically or in paper-form is not something new to the church in which they attend or the NEC. The local church in which they attend and the NEC are carrying out their legal obligation in informing them of their rights under GDPR.
Q: Is there a GDPR manual for the churches to refer to?
A: No. At this stage the approach of the NEC is to provide guidance as and when requested. There are GDPR training dates scheduled throughout July 2018 for Church Clerks who are deemed as Data Controllers/Processors. There is very limited impact to the local churches. The main impact will be our approach to handling Personal data going forward. This is explained in the GDPR letters that were issued, the Privacy Notice uploaded onto the NEC website and the FAQ’s, which will be publicised on the NEC website every Friday Afternoon. This is intended to continue until August 2018.
Q: Some members (5) will not sign the letters in any way.
A: Opt-in versus opt-out is one of the core principles of GDPR. In practice, this means that assumed consent cannot be given. Consent must be given willingly, freely and without coercion in order to be valid. It must be auditable (i.e. easy to track who recorded consent, how, and when) and explicit.
It is important to remember that consent is not the only legal basis for holding data or contacting people. If you can demonstrate another legal basis, you may not need consent.However, we recommend that you gather consent as well as you will be likely processing “special category data”
it is important to help our church member(s) understand that holding their personal data electronically or in paper-form is not something new to the church in which they attend or the NEC. The local church in which they attend and the NEC are carrying out their legal obligation in informing them of their rights under GDPR.
Where possible meet with the individual on an individual basis to better understand their decision. If a group of church members decline to give consent, you may choose to hold a members meeting to look to answer their questions and allay their concerns. If they continue to decline to give consent, it is important to explain to them the legitimate basis for holding or processing their data. Please refer to the ‘GDPR Letter to members’ and the Privacy Notice uploaded onto the NEC website where examples are provided. Under GDPR a legitimate basis can supersede the individual’s right to give Consent.
Q: Do you have a PowerPoint which explains what GDPR is and how it affects the church?
A: No. There is very limited impact to the local churches. The main impact will be our approach to handling Personal data going forward. This is explained in the GDPR letters that were issued, the Privacy Notice uploaded onto the NEC website and the FAQ’s, which will be publicised on the NEC website every Friday Afternoon. This is intended to continue until August 2018.
Q: How will matters of church discipline be managed, can the member refuse to disclose or allow information to be shared?
A: There will be no change to how disciplinary matters is managed currently. A member can object to disclosure of information to be shared. However, for ‘legitimate’ reasons or in some cases for ‘legal’ reasons it is extremely unlikely an objection from a Church member would be successful.
Q: Can Serving Church Board Members and their assistant(s) retain Personal Data for their own Department?
A: Yes. All serving Church Board Members and their assistant(s) are encouraged and expected to maintain the records of personal data for their own Department so as to continue the work of the gospel.
Q: Children aged over 13 years which form should they complete?
A: If they are a member, the consent form attached to the letter to members should be used. If they are not yet baptised it is acceptable to use the Consent form attached to the letter to Friends. However, it is advisable to speak to the child’s parent if appropriate, and possible to glean their preference so as not to cause offense.
Q: If a member, board member/serving officer chooses not to complete a form for themselves or their children not even to opt out where does it leave the church?
A: Opt-in versus opt-out is one of the core principles of GDPR. In practice, this means that assumed consent cannot be given. Consent must be given willingly, freely and without coercion in order to be valid. It must be auditable (i.e. easy to track who recorded consent, how, and when) and explicit.
It is important to remember that consent is not the only legal basis for holding personal data or contacting people. If you can demonstrate another legal basis, you may not need consent.However, we recommend that you gather consent as well as you will be likely processing “special category data”
it is important to help our church member(s) understand that holding their personal data electronically or in paper-form is not something new to the church in which they attend or the NEC. The local church in which they attend and the NEC are carrying out their legal obligation in informing them of their rights under GDPR.
If a member chooses not to opt in or decline to give consent for the purposes of maintaining contact with them, where possible meet with the individual on an individual basis to better understand their decision. If a group of church members decline to give consent, you may choose to hold a members meeting to look to answer their questions and allay their concerns. If they continue to decline to give consent, it is important to explain the legitimate basis for holding or processing their data. Please refer to the ‘GDPR Letter to Members’ and the Privacy Notice uploaded on the NEC website where examples are provided. Under GDPR a legitimate basis can supersede the individual’s right to give Consent.
Q: We handed out the forms yesterday during service as we only got the emails last week. However, some of the members were given the visitor's form to complete. Does it matter that they were given the visitors forms as both forms are the same only that one state 'member letter'. If not, then we will have to give them the correct ones.
A: There is no considered detriment in issuing the Visitors Consent Form to a Church member. However, it is important that the Church Member receives the correct letter as there are slight different key messages.
Q: According to GDPR should the Pastors contact details alone feature on the Church Bulletin?
A: GDPR is not that prescriptive concerning matters such as this. A Serving Church Officer should have a clear understanding that when accepting and assuming a church post it means having broad responsibilities including being accessible and contactable.
Q: If I have questions on the NEC’s approach to GDPR, where shall I submit this?
A: All questions should and can be submitted to gdpr@necadventist.org.uk