Data protection and your church

Data protection and your church

Before computers made the distribution of data so easy protection of personal details was less of an issue however nowadays churches need to be really careful to manage their data and comply with the Data Protection Act (DPA).
Ultimately it is the church trustees who are the ‘data controllers’ and responsible for the data and they need to ensure that ‘data processors’ – (people such as the administrator who actually use the information) comply with the DPA.

Most churches are exempt from having to register with the Information Commissioner’s Office (ICO) so long as they:

“only process information necessary to establish or maintain membership or support; and
only process information necessary to provide or administer activities for people who are members of the organisation or have regular contact with it; and
only share the information with people and organisations necessary to carry out the organisation’s activities; and
only keep the information while the individual is a member or supporter or as long as necessary for member/supporter administration.”

If you use CCTV on your premises for security reasons then you must register with the ICO. If you are not sure use the ICO’s self-assessment tool.
Data protection is a big and complex issue but here are a few key pointers some of which are easy to implement - others may take more time and effort.
Tell people what you are doing with their data
Contact forms or sign-up sheets for holiday clubs etc. should include a statement on how you will use the data. If you have an existing database you must contact everybody and tell them what data is being stored. This may sound like a big job but mail merge makes things easier. Information held by churches normally concerns religious beliefs it is classified as ‘sensitive personal data’ and you must have explicit permission to keep it. If not then you must delete it.
Make sure everyone knows their responsibilities
Anyone who uses the databases should be briefed on the importance of data protection and the legal requirements – why not put a summary of dos and don’ts at the top of the database?
Protect the data
This can be a very big issue for churches as many of those using the data use personal ‘family’ laptops or other devices. Even personal laptops should be password protected if they contain access to church data. Phones or tablets with church business emails or access to the church database should also be password protected. Files themselves should also be password protected.
It is a good idea that everyone who has access to sensitive data should have a church specific email addresses e.g. or This avoids sending information to shared ‘family’ accounts and allows the email address to be transferred from person to person over time.
Data protection also applies to paper records which should be kept in a locked filing cabinet. If you have a box of index cards on your desk or a contact list on the wall then make sure the office can be locked to prevent unauthorised access.
Following some recent guidance it is now perfectly acceptable to use cloud storage such as Dropbox or Google Drive to allow shared access by those who have permission to use it.
Only keep information as long as necessary
Do you really need to keep details of people who moved away five years ago or came to a holiday club when in 2011? If you are still in contact with them (and have their permission to be) then fine. If you have not used the information about someone for a couple of years and have no legal requirement to do so you should delete it. It is a good idea to sit down and write out what your rules are for keeping data and then get the trustees to agree to them as part of a policy.
Don’t pass on details
If for example the home-group coordinator legitimately needs a list of people’s phone numbers to ring everyone do not send the whole spreadsheet with all the addresses and details on it – strip out the data they need and let them have that.
Manage the data
A big issue is the proliferation of databases with different people having their own version (none of which are totally up to date). Whilst it is right that users of the data have different needs (for example a treasurer would need information about who has registered for Gift Aid, and the safeguarding officer needs a record of who has DBS checks) this does not mean everyone should have their own database. There are several on-line systems now which can hold a complete database but where restrictions can be used to only allow particular data to be seen by those who need it. Rural Ministries is currently looking at one of these systems, Planning Center Online, and we will let you know what we think in a future issue of e-news.

This article should only be taken as guidance. If you have specific questions we recommend that you contact the Information Commission’s Office for advice.

Nick Jones