
Data Protection for Church of Scotland Congregations

Learn about data protection laws, case studies, recommendations, data security, and more to ensure confidentiality and compliance.

vdossantos




Presentation Transcript


  1. Data Protection for Church of Scotland Congregations

  2. This evening's session • What is Data Protection • Case studies • Recommendations • Data security • Questions

  3. Data Protection: It’s the new Health and Safety law…

  4. Some reasons for having ‘Data Protection’ legislation Information is… everywhere!

  5. Ask yourselves the following • Who has personal information about you, what do they hold and how is it used? • Have you ever been contacted directly by a company and wondered how it came to have your details? • Have you ever been a victim of identity fraud? • Why do ‘criminals’ want access to your data?

  6. Some reasons for having ‘Data Protection’ legislation • To safeguard personal privacy. • To prevent information about individuals from being used unfairly or fraudulently. • To ensure that bodies which hold personal information respect confidentiality and observe good practice. • To give individuals the right to know what information is held about them.

  7. What does this mean for the Congregations? • The Church is a body which holds personal information about individuals. • As office bearers you are charity trustees and so you have an obligation to behave responsibly in relation to the information that is held. • The Church must observe good practice and also abide by the provisions of the Data Protection Act 1998, where it applies to use of personal data.

  8. The Data Protection Act 1998 Key Themes • Transparency • Choice • Data Quality • Security • Individual rights

  9. What is ‘Personal Data’? Personal Data is information which relates to a living individual who can be identified: – from that data; – from that data and other information which is, or is likely to come into, the possession of the Data Controller; – held electronically or manually in a relevant filing system. E.g. Name, job title, telephone number, email address, date of birth, postal address.

  10. Sensitive Personal Data Personal Data consisting of information on: • racial or ethnic origin • political opinions • religious or similar beliefs • trade union details • health data • sexual orientation data • offences or alleged offences • court proceedings

  11. Who are Data Subjects? • The Individual to whom Personal Data relates, for example: • An Employee • A Job applicant • A Former employee • A Minister • An Office Bearer • A Committee Member • A Church Member • An adherent

  12. Data Processing Processing is handling data in any way: – collecting personal data; – storing in a database; – ordering in a filing system; – editing data records; – transmission onwards to a third party. • Including making data publicly available. • A “Data Processor” is any person or organisation who processes personal data on behalf of the Data Controller.

  13. Data Controller • Data Controller: a person or organisation that determines the purposes for which, and the manner in which, personal data will be processed. • For congregations this is the Presbytery Clerk. • It is necessary to notify the Information Commissioner on an annual basis.

  14. The Basics The Act does not prohibit the use or distribution of information, rather it governs the way information and people are treated.

  15. The Basics What are the 8 data protection principles?

  16. Data Protection Principles Personal data must: • Be processed fairly and lawfully; • Be obtained for specific and lawful purposes; • Be kept accurate and up to date; • Be adequate, relevant and not excessive in relation to the purpose for which it is used;

  17. Data Protection Principles • Not be kept for longer than is necessary for the purpose for which it is used; • Be processed in accordance with the rights of Data Subjects; • Be kept secure to prevent unauthorised processing and accidental loss, damage or destruction; and • Not be transferred to any country outside the EEA.

  18. Sanctions?

  19. The Information Commissioner’s Office • “The UK’s Independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.” • The ICO: • Promotes good practice, • Produces guidance on various topics, • Makes rulings on complaints against organisations, and • Takes action where there are breaches of the Act.

  20. The Information Commissioner • Enforcement Notices • Criminal Sanctions • Fines – up to £500,000 • Brighton and Sussex NHS Trust: £375,000 • Ealing Council: £80,000 • Hounslow Council: £70,000 • A4e Limited: £60,000 • Norwood Ravenswood: £70,000

  21. Don’t get caught out!

  22. Recommendations for Congregations The ICO Study: areas of good practice and areas for improvement: • Password security • Clear Desk Policy • Home working? • IT Security features • Training • Access to IT • Building Security • Confidential Waste • Implement a Data Protection Policy

  23. Recommendations for Congregations DATA PROTECTION PACK FOR CONGREGATIONS http://www.churchofscotland.org.uk/resources/subjects/law_circulars

  24. Recommendations • Adopt and implement a Data Protection Policy. • Begin the process of obtaining consent for all people you have data for. Put in place consent forms for new members. • Data Audit and Risk Assessment. • Data security and encryption.

  25. Recommendations for Congregations Conduct an audit of your current data handling: • Take time and care to draw up a list of all areas of Church life where personal data is held and used. • For each of these, consider whether you can observe better practice in line with the eight principles, the areas of good practice and areas of improvement in the ICO Report. • Always take special care over any data which would be classed as ‘sensitive’. • Do not use data for any ‘broader’ purpose, without first consulting the Presbytery Clerk.

  26. Recommendations for Congregations Carry out a review of any historical records that your congregation holds, in either electronic or manual form. • Archive any records that you are obliged to keep – e.g. minute books and baptismal registers. • Consider deleting or destroying any records that are no longer required. Take care over how you dispose of these. • Consider deleting any information that you would be embarrassed to disclose if you received a ‘data request’.

  27. Data Security • Storage of Data, paper and electronic • Data Encryption • More than password protection • Password Strength • Passphrases, special characters • Whole machine or just a USB stick? • Two types of encryption
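As an added illustration of the “Password Strength” and “Passphrases, special characters” points on this slide (example code written for this transcript, not part of the original presentation), the following Python compares the guessing entropy of a character-based password with that of a passphrase made of randomly chosen words. The character-class sizes, the 7776-word Diceware-style list size and the 60-bit floor are assumptions chosen for illustration, not figures from the slides.

```python
import math
import string

# Assumptions for this example (not from the slides): the character classes a
# password may draw from, a Diceware-style word list of 7776 words, and a
# 60-bit floor treated as "strong enough" for an office bearer's laptop login.
CHARACTER_CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}
WORDLIST_SIZE = 7776
MINIMUM_BITS = 60.0


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must search, judged by which
    character classes actually appear in the password."""
    size = 0
    for chars in CHARACTER_CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    return size


def password_entropy_bits(password: str) -> float:
    """Upper-bound guessing entropy for a character-based password. This
    assumes every position was chosen uniformly from the alphabet used; a
    human-chosen password built from a name and a year is far weaker."""
    size = charset_size(password)
    if size == 0:
        return 0.0
    return len(password) * math.log2(size)


def passphrase_entropy_bits(word_count: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Guessing entropy for a passphrase of words drawn uniformly at random
    from a word list. Only the word count and list size matter, not the
    spelling of the words, so no special characters are needed."""
    return word_count * math.log2(wordlist_size)


def is_strong_enough(bits: float, minimum: float = MINIMUM_BITS) -> bool:
    """Policy check against the assumed minimum entropy."""
    return bits >= minimum


def compare(password: str, word_count: int) -> dict:
    """Side-by-side summary of a password and a passphrase of word_count words."""
    pw_bits = password_entropy_bits(password)
    pp_bits = passphrase_entropy_bits(word_count)
    return {
        "password_bits": round(pw_bits, 1),
        "password_ok": is_strong_enough(pw_bits),
        "passphrase_bits": round(pp_bits, 1),
        "passphrase_ok": is_strong_enough(pp_bits),
    }


if __name__ == "__main__":
    # Constructed sample inputs: a typical "complex" nine-character password
    # versus a five-word random passphrase.
    print(compare("Kirk2014!", 5))
```

Run as a script it reports that the nine-character password with all four character classes comes in just under 59 bits even under the generous uniform-choice assumption, while five random words from a 7776-word list give roughly 65 bits. The practical point for a congregation's office bearers is that a longer passphrase of ordinary words is both easier to remember and harder to guess than a short password padded with special characters.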

  28. BUT what happens if the worst happens and there is actually a data protection breach??

  29. DON’T PANIC!

  30. Any Questions?
