Theft of information is now the modern-day burglary, with around seven in ten frauds being cyber-related. The regulator, the Information Commissioner’s Office (‘ICO’), has also seen an increase in its monitoring and enforcement powers, which include the ability to issue enforcement notices, bring criminal prosecutions and impose monetary penalties of up to £500,000. For a charity, the risk is not only of a financial penalty but of the reputational damage that follows a publicised breach of the Data Protection Act 1998.
A breach could occur through, for example, the theft of a laptop, the loss of an unencrypted electronic device or the mistaken transfer of data to the wrong recipient, wherever the information lost, stolen or transferred contains personal data.
The charity trustees of a congregation are ultimately responsible for compliance in this area.
EU Data Protection Directive 95/46/EC was designed to protect the privacy of all personal data collected for or about citizens of the EU, especially as it relates to processing, using or exchanging such data. The UK implements that Directive through the Data Protection Act 1998. The Directive is being replaced by the General Data Protection Regulation, which will apply across the EU from May 2018. Updated advice and guidance will be issued over the next year so as to facilitate ongoing compliance with the law in this area.
A Church of Scotland congregation is a ‘Data Processor’ in terms of the Act. As such, congregations process ‘Sensitive Personal Data’ about individuals connected with the congregation, referred to in the legislation as ‘Data Subjects’. The data is ‘Sensitive’ because membership of a congregation is in itself indicative of a person’s religious beliefs. In addition, congregations may also hold financial data and health or other information gathered for pastoral care purposes, which is likewise sensitive.
Anyone who processes personal information must comply with the eight data protection principles contained within the Act. Personal data must:
- Be processed fairly and lawfully
- Be obtained only for specified and lawful purposes, and not further processed in a manner incompatible with those purposes
- Be adequate, relevant and not excessive
- Be accurate and, where necessary, kept up to date
- Not be kept for longer than is necessary
- Be processed in accordance with the rights of data subjects
- Be protected by appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage
- Not be transferred to any country outside the EEA unless that country ensures an adequate level of protection or another of the Act’s conditions is met
The way forward
It is likely that your Presbytery Clerk, as Data Controller for the congregations within the Presbytery bounds, will ask each congregation to appoint an individual as its Data Protection Representative. It is therefore suggested that congregations appoint an office bearer to take forward the following:
1. Implement a Data Protection Policy
2. Consent for Personal Data
3. Information Security Risk Assessment
4. Information Security & Encryption
5. Subject Access Request
7. If There Is a Breach…