The Norfolk and Norwich Christian community website


GDPR 750pb

Happy Birthday Gladys – just don’t say her name!   

Ian Boughton has been wondering whether the General Data Protection Regulation (GDPR) that came into force last year will restrict some church activities, and believes he has some answers.

Not for the first time, church activity has left me puzzled. In the porch of a North Norfolk market town church this week, I read something on the notice-board which held my attention for several minutes – indeed, I made a return trip to the church later to pick up a paper copy of the week’s newsletter and notice sheet, just to make sure I had read it correctly.
It said this:  "It is with regret that, after more than 35 years, it is no longer possible to acknowledge birthdays or anniversaries on the notice sheet.  I understand this is due to restrictions on personal information imposed by the data protection act."
My reaction was partly despair, and partly sympathy.  I despaired at the bureaucracy, and sympathised with the newsletter writer in that we are now bombarded with so many regulations that we can all be forgiven for not understanding them.
This local church is not alone in worrying about data protection – some months back the national press reported, quite gleefully, the case of the rector in London who said he had been told it was now illegal to pray for his parishioners, and certainly not out loud.  He said:  "I’ve been told we can’t pray for anyone who hasn’t given their written consent, which is just ridiculous."
This would be very inconvenient for another small town church in Norfolk, which has imaginatively created a 'virtual prayer room', which names those who are being prayed for, and why.  One can hardly imagine them having to interrupt work in the operating theatre to ask ‘Will you sign this consent form, so that we can pray for you?’ 
Is this all silly, or is it reasonable protection for individuals?  If marking birthdays and anniversaries is now banned, then bang goes Christmas, because we can't mention it?
On the one hand hand, we can all see a problem if a church's notices were to include something like "Happy birthday to Gladys Clotworthy, who is 95 today; she lives alone at 25 Church Road, but is always out at church on Sunday mornings, she leaves a key under the flowerpot for her carer, and since she won the lottery, her cash and bank card are in the tea caddy.  Her PIN is 1234".  This is sensitive personal information which should be protected.  
So, indeed, would be intimate personal information about the health problems of a sick parishioner, or indeed that someone living alone would be in hospital for several weeks – ‘this house is now available for burglary’!
But look at the second sentence of that church news item, beginning 'I understand...'   That actually means they don’t understand: it means the church in question doesn't know what the rules are and clearly, they don’t even know that the GDPR replaced the Data Protection Act. I don’t wish to sound critical, and indeed I am very sympathetic, if I say that they clearly don’t know what they’re talking about. And to be fair to them, the information available to them on various diocese websites is, frankly, not a lot of practical help.
So I spoke to the Information Commissioner’s Office (ICO). This is the UK’s independent authority set up to uphold information rights and data privacy for individuals. Surely, I asked, if church leaders only apply a little common sense, they can be sure that ‘acknowledging birthdays and anniversaries’ is hardly likely to get them dragged into court…or is it?
“GDPR sets out rules to follow when handling personal information,” replied the ICO. “As long as an organisation can identify a lawful basis for it, and is able to meet our principles, then the GDPR wouldn’t prevent a church from handling personal information about its parishioners in the same way as it would have done under the Data Protection Act 1998.
“The ‘legitimate interests’ rule can be used in situations where an organisation is using personal data in ways an individual would reasonably expect, are low-risk and won’t have a big impact on the individual.  So, for a church to use information which was provided by an individual in a way that the individual would expect as part of their involvement with the church, is likely to be covered under the ‘legitimate interests’ – it is for the church to satisfy itself that this is the case.”
Those GDPR principles require that personal data shall be: ‘adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed’.  So, saying that Gladys has a birthday is relevant what is necessary for reasonable church activity, in enabling fellow-parishioners to congratulate her. It is also reasonable to say that Joe Smith has broken his leg, because that is relevant to a necessary prayer, and if Joe is a churchgoer, then he will know that sick people are prayed for.
One has to be sympathetic with that church newsletter writer: it is so difficult to understand regulations and separate the rules from the nonsense. Even the Information Commissioner has acted to debunk some myths, such as the belief that the Data Protection Act stops parents from taking photos in schools (it doesn’t!).
And the ICO was tersely clear when the Daily Telegraph reported the case of an 11-year-old girl who sat her flute exam but was unable to find out whether she had passed, because the exam board cited the Data Protection Act and said that as the girl’s flute teacher had made the application for the exam, then only the teacher could know the result. The Information Commissioner’s Office said this was ‘clearly unfair’, which was a polite code for ‘plain stupid’.
And the ICO has indeed identified as a myth the idea that their regulations prevent priests from naming sick parishioners during church prayers. Quite reasonably, the regulator says that if sensitive personal information is avoided, the only likely problem might be if someone had specifically asked their minister not to be mentioned by name in prayers, or if the priest thought it likely that a person would not be happy about being publicly prayed for.
Equally sensibly, the Diocese of London has said:  "obviously there is room for pastoral judgment here. Many members of a church family will accept having prayer requests shared as a matter of course.”
So there is no need to panic. Use common sense, and you can wish Gladys a happy birthday in your newsletter without fear of being put behind bars.
The image above is courtesy of  https://pixabay.com

Ian Boughton is a musician and author and retired journalist who lives in Dilham in Norfolk. His latest book is “Are You With the Band?”  

The views carried here are those of the author, not of Network Norfolk, and are intended to stimulate constructive and good-natured debate between website users. 

We welcome your thoughts and comments, posted below, upon the ideas expressed here. 

Click here to read our forum and comment posting guidelines

To submit a story or to publicise an event please email: web@networknorwich.co.uk