Data Protection
The purpose of the data protection legislation is to prevent wrong decisions about people being based on inaccurate data and unauthorised use of personal information. The Data Protection Act 1998 ("the 1998 Act") gives individuals the right to know what information is held about them and provides a framework to ensure that personal information is handled properly.
All parishes collect personal information and are subject to the 1998 Act. A statutory requirement is that every organisation that processes personal information electronically must notify the Information Commissioner's Office (ICO), unless it is exempt. Failure to notify is a criminal offence. Notifications must be renewed annually, which can be done online, and a fee of £35 is charged. Most PCCs will be able to claim the exemption from notification for small not-for-profit organisations (further details of which are available on the Information Commissioner's website).
The Church of England's advice on Data Protection and taking care of parish records is available in PDF format.
Dioceses are subject to the eight data protection principles and must manage all personal data against these principles:
1. Personal data shall be obtained and processed fairly and lawfully.
2. Personal data shall be obtained only for specified and lawful purposes and shall not be used for any other purpose.
3. Personal data should be adequate, relevant and not be more than is necessary to complete the task for which it was collected. However, keeping records for historical and research purposes is a legitimate reason for keeping records.
4. Personal data shall be accurate and, where necessary, kept up-to-date.
5. Personal data should not be kept for longer than is necessary for completion of the task it was collected for.
6. Personal data shall be processed in accordance with the rights of data subjects under the Data Protection legislation.
7. Personal data should be kept securely and safely with appropriate technical and organisational measures being taken against unauthorised or illegal processing, accidental loss or destruction of personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country ensures an adequate level of protection of the rights of data subjects.
The implication of these principles is that organisations should have procedures in place to cover the review of personal information held on files and databases. This means organisations must assess how long they need to keep information for, the purpose for which they are holding it and when it will be destroyed.
The 1998 Act also provides individuals with important rights, which include the right for individuals to find out what personal information is held on computer and in most paper records.
Should an individual or organisation feel they're being denied access to personal information to which they are entitled, or feel their information has not been handled according to the eight principles, they can contact the Information Commissioner's Office for help. Complaints are usually dealt with informally, but if this isn't possible, enforcement action can be taken.
Further information can be found on the Information Commissioner's website.