DATA PROTECTION ACT 1998 A GUIDE FOR PARISHES

What are the main differences from the 1984 Act?
Do I need to notify (register) and if so how?
What are the restrictions on the use of personal data?
What are subject access rights and how do they operate?
When did this all come into effect?
What do I therefore need to do to comply with the Act?
What are the penalties for not complying with the Act?
Why do I need to read this?

The Data Protection Act 1998 has substantial implications for the Church of England which affect every parish. The Act is designed to protect the rights of identifiable living individuals concerning information about them (known as personal data). It covers basic factual information (such as names and addresses) and expressions of opinion (such as in references). The following important advice should be sufficient to enable most parishes to comply with the Act.

What are the main differences from the 1984 Act?
The new Act extends data protection to much of the personal data held in paper-based files (it previously applied only to information on computer). It also requires greater security where data is classified as sensitive (which includes a person's religious affiliation) and where information is passed beyond the European Union either directly or by being placed on the internet.

Do I need to notify (register) and if so how?
Notification used to be known as registration and is the process whereby a data controller informs the Data Protection Commissioner (DPC) that they are processing (handling) personal data. Each incumbent and each PCC is considered to be a data controller since they are separate legal entities who will be processing personal data. Each needs to decide whether they need to notify.

PCCs should be exempt from notification.

Incumbents (or priests-in-charge) should not need to notify unless records of pastoral care discussions (relating to beliefs, relationships, opinions etc. rather than dates of birth/baptism and other factual information) are held on computer.

It should be stressed that, even if the PCC and/or incumbent are exempt from notification, the remainder of the Act still applies to them and everyone in the parish handling personal data.

To notify, you should telephone the DPC notification helpline (01625-545740). You will be asked certain questions and then sent a form to complete and return with a fee of £35 (payable annually).

Those who are already registered under the 1984 Act need do nothing until asked by the DPC to convert their registration into a notification. You will be asked if you have an information security policy but should not get into trouble for not having one as this is primarily aimed at larger organisations; at parish level the application of common sense should be sufficient.

What are the restrictions on the use of personal data?
The Act sets out eight principles under which personal data may only be obtained, held or disclosed to others if:-

  1. Its use is fair and lawful.
  2. It is to be used only for specified purposes. Individuals should be told, in broad terms, what you are going to do with the information (unless it is obvious) before you use it and given the opportunity to opt out of it being so used.
  3. The information is adequate, relevant and not excessive in relation to the purpose for which it is to be used.
  4. It is accurate and up-to-date - so periodically all information held should be checked to ensure it remains accurate.
  5. The information is kept for no longer than necessary for the purpose - records of pastoral care discussions, for example, should not be kept for several years unless this can be justified.
  6. Individuals' subject access rights are honoured - see later.
  7. It is kept securely - addresses and phone numbers should not be left where they are open to abuse, and access to more sensitive information should be particularly restricted by either computer passwords or locks on filing cabinets etc. as appropriate.
  8. Information should not be transferred to any country outside Europe without adequate data protection being in place.

What are subject access rights and how do they operate?
From 24 October 2001 an individual has the right to receive a copy of most paper-based information held about them by that organisation ('data controller') within 40 days of making that request. You may charge a fee of up to £10 for providing it.

This covers all information held on computer and any correspondence and other papers from which that information might be deemed to be reasonably accessible. You do not, therefore, have to scour through minutes etc. for any mention of the individual but you would have to produce accessible information held by any church officers.

The general principle is that as much information as possible should be shared with the individual. There are, however, limited categories of material that you may withhold from the individual in the interests of protecting the rights of other individuals to privacy and for the prevention of crime etc. You are able to withhold any references that you have given (but not any you have received).

When sharing with an individual the information that you hold about them, you must remove anything which would identify a third party. You may also be entitled to hold back information containing serious allegations (for example, of child abuse) if to reveal that information would compromise the proper investigation of those allegations. In such cases you should always seek advice from your diocesan registrar or diocesan office.

When did this all come into effect?
The Act came into effect on 1 March 2000. The new provisions of the Act (such as the extension to paper-based files) only applied from 24 October 2001. There was a limited extension to 2007 for paper-based files but there is no protection from subject access requests after October 2001.

What do I therefore need to do to comply with the Act?
Incumbents and PCCs should:-

  1. Identify a person responsible for compliance with the Act.
  2. Identify who holds what data and ensure clergy/parish administrators/youth leaders etc. are all aware of the requirements and only record information that could be shared if a subject access request is made.
  3. Work out whether or not you need to notify and do so if necessary.
  4. Destroy material that you cannot justify still holding, especially if making the information available to the individual(s) concerned would create difficulties (but do bear in mind the archivists of the future).
  5. Inform people broadly what information is held about them and the purposes for which it is used (for example if individuals' contact details appear on a parish web site this must be stated, and an opt-out offered). Also specify who should be contacted with any queries - this could be through a paragraph in a newssheet and/or on the church noticeboard.

What are the penalties for not complying with the Act?
An individual has the right to complain to the DPC if they believe you have not handled their data properly. The DPC would then investigate and may require you to comply. Criminal offences apply in certain cases and the courts may impose fines. This, however, is most unlikely if you have made genuine attempts to comply with the legislation. You also need to bear in mind the pastoral difficulty that may result from honouring subject access requests if appropriate care has not been taken in what is kept on files.

Where do I seek further advice if I need it?
In the first instance please contact your diocesan data protection officer at your Diocesan Office. If you wish to seek advice from the Data Protection Commissioner's office direct, their general helpline number is 01625-545745 and their web site address is www.dataprotection.gov.uk.

This guide has been issued by the Archbishops' Council of the Church of England and is the product of liaison with dioceses and with the Data Protection Commissioner's office.

No guide of this length can be comprehensive and you are advised to obtain further advice if appropriate. Liability rests with each legal entity concerned.