Re-opening Churches and Community Centres – how to stay compliant with data law

As lockdown eases, many people will be relieved that their parishes, mission communities and churches are able to re-open, but while this may be welcome news, there are certain challenges that come with it. One is the Track and Trace initiative and data protection.

Alongside social distancing and hygiene measures, organisations and businesses that are re-opening have been asked to record details of visitors. In this article we discuss how churches and community groups can do this whilst still complying with data protection laws.

What do you need to do if you’re reopening your church?

In order to comply with the Government guidance , all organisations have been asked to record the names and contact details of anyone who visits the premises or attends any services. These details must be recorded and kept for a period of 21 days. This includes:

• Public worship attendees;
• Attendees of life events (such as weddings and funerals); and
• Anyone who visits any premises (for example halls, offices or other enclosed spaces).

This should be done in a way that works for the church whilst complying with the guidance.

What do churches need to be aware of when following the new guidance?

While the guidance requires organisations to record the details of visitors, it also makes it clear that this obligation does not supersede the other legal responsibilities that an organisation has. The guidance has not been made a statutory exemption – meaning that data protection law still applies (in full) to the collection of data for Track and Trace.

All organisations have had to comply with data protection law for some time now, but many have either paid lip service to compliance or have not properly tackled the issue. It is imperative that all organisations and groups are compliant with GDPR, and this guidance does not change that. To comply with these laws – and also the guidance – this will require some changes to working practices, even for those organisations that were fully compliant.

How can churches and community groups comply with the guidance and GDPR?

Practicalities and needs mean that requirements will vary depending on circumstances and to that end, advice should be sought on how best to comply with data protection laws.

However, the following key steps and points are universal:

Privacy Impact Assessment

Before you collect visitor details, you will need to carry out a Privacy Impact Assessment (PIA). This must be completed whenever you implement a scheme which has an impact on personal data, and must include the legal basis on which you are collecting said data.

Retention Policy

You will need to have a retention policy in place which mandates the destruction of relevant data after 21 days. You will also need to ensure the data is destroyed after this period.

Data Storage

Whether kept electronically or in paper format, you will need to ensure that the data you collect from visitors is stored securely. Where data is kept electronically, you will need to check the terms of the providers you are using and ensure these terms are reflected in your own privacy policy. You will also need to conduct a PIA for such use.

Privacy Policy

As indicated above, you will need to update your privacy policy. You may want to consider uploading a copy on your website and making it available before people visit your venue.

Data Requests

Individuals that visit your venue will be able to request copies of the data you hold on them. In order to comply with the law, you will need to have a structure in place that enables you to respond to these requests whilst still protecting those individuals’ data.

You will need to make sure that the information you are supplying is given to the correct individual and you will need to confirm the identity of the person asking for their data, making sure that people’s personal data is not shared with just anyone who asks for it.

Are you using digital apps to maintain social distance?

Many churches may be considering using technology to help maintain social distancing for people in their building. Whilst there are clear benefits to this, such as digitally delivering services to avoid overcrowding, and reaching those that are vulnerable, there are certain things that will need to be considered in order to comply with data protection laws.

While the rules for using apps are well established, there is a risk that organisations that are new to these tools may overlook their legal obligations in the rush to get a system in place.

Key things churches and community groups will need to consider:

• Do you understand the terms and conditions on which the third party tool or app is made available? Do you understand how it will use and store the data it collects? This information will need to be communicated to your visitors;
• You will need to conduct a PIA in connection with your use of the app;
• You will need to ensure your privacy policy is updated regarding use of the app; and
• You will need to add relevant data to your Data Asset Inventory.

For further information, including support on the documents and actions required to help you meet your obligations, please feel free to get in touch. Specialist information on Church Law is also available on our website page here.