Advice on data protection during a crisis

Friday April 24th 2020

Photo by Markus Spiske on Unsplash

Central Church of Ireland has issued the following advice to protect again breaches of data.

Data breaches are more likely to occur in crises, in which we need to quickly respond to a situation or change how we work.  There may be more requirements to share personal data (e.g. for continuing to provide pastoral care and support) and more of our activities may need to be brought online, often by using social media more frequently.

The data protection page in Parish Resources provides a range of guidance to help parishes with this responsibility, especially in our current challenging times: www.ireland.anglican.org/gdpr

Some key pointers

Please ensure you have permission (consent) to use personal data before, for example, sharing a phone number, uploading a personal photo, or holding a virtual kids’ club.

Parishes need to consider data protection implications when planning for, installing or using any new technology, including recording equipment.  This can be done by completing a seven–step Data Protection Impact Assessment (ideally before installation but this can be done retrospectively if the system is already in place).  It’s important to undertake a DPIA prior to recording any services.  As part of this, you will need to outline how long these recordings will be kept, how will they be stored, and how will the data be protected from unauthorised access.

Remember: data protection is there to protect individual people and their data.  If there are no people attending a service, data protection is not an issue.  If there is only a small number of people (e.g. clergy and a church warden), once consent is sought (and recorded) no further action is required at this time.

Once church buildings begin to reopen, considerations about privacy will be ever more important.  Please consult the resources at www.ireland.anglican.org/gdpr for help with seeking consent from people taking part in services (e.g. the choir, those reading lessons, and children or adults at risk), and responding to requests from individuals for personal data which the parish may hold.

Data protection principles need to be followed at all times, especially during a crisis. If you need any guidance or support, please contact the Church of Ireland’s Data Protection Officer, Rebekah Fozzard, at: rebekah.fozzard@rcbdub.org.

Practical steps for protecting your parish

Devices

  • Take extra care that devices, such as USBs, phones, laptops, or tablets, are not lost or misplaced
  • Ensure your computer, laptop or other device, is used in a safe location e.g. where you can keep sight of it and minimise who else can view the screen (particularly if working with sensitive personal data)
  • Lock your device if you do have to leave it unattended for any reason
  • Make sure your devices are turned off, locked, or stored carefully when not in use
  • Use effective access controls (such as strong passwords)

Emails

  • Use work email accounts rather than personal ones for work–related emails involving personal data e.g. rectorparish@gmail.com
  • Try to avoid putting personal data into emails
  • Where possible, make sure any sensitive information included in an email is high level, and attachments are encrypted (where possible). Avoid using personal or confidential data in subject lines
  • Before sending an email, ensure you’re sending it to the correct recipient (particularly for emails involving large amounts of personal data or sensitive personal data)

Paper records

  • It’s important to remember that data protection applies to not only electronically stored or processed data, but also personal data in manual form (such as paper records) where it is, or is intended to be, part of filing system
  • Take steps to ensure the security and confidentiality of these records when working remotely such as by keeping them locked in a filing cabinet or drawer when not in use, disposing of them securely (e.g. shredding) when no longer needed, and making sure they are not left somewhere where they could be misplaced
  • If you’re dealing with records that contain special categories of personal data you should take extra care to ensure their security and confidentiality, and only remove such records from a secure location where it is strictly necessary
  • Where possible, keep a written record of which records and files have been taken home, in order to maintain good data access and governance practices

Back to latest news

Site Directory