No Secrets in the Church: The Implications of the Data Protection Act 1998
Published online by Cambridge University Press: 31 July 2008
Extract
The Data Protection Act 1998 came into force on 1 March 2000. It replaced the Data Protection Act 1984, and implements the EU Data Protection Directive 95/46/EC. This paper examines its implications for the Church.
Copyright © The Ecclesiastical Law Society 2003
References
1 This paper is based on a lecture delivered on 7 November 2001 as one of the Ecclesiastical Law Society London Lectures.
2 For the position under the Data Protection Act 1984, see Behrens, James, ‘Data Protection and the Church of England’ (1996) 4 Ecc LJ 470, and Behrens, James, Practical Church Management (Gracewing, 1996), chapter 12.
3 Freedom of Information Act 2000, ss 18(1), 87(2)(a).
4 Ibid. s 18(2); Freedom of Information Act 2000 (Commencement No 1 Order 2001, SI 2001/1637), art 2.
5 Office of the Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF; Tel: 01625 545700; Fax: 01625 524510; Web: www.dataprotection.gov.uk.
6 See ‘The Data Protection Act 1998, A Guide for Parishes’ (London, Archbishops' Council of the Church of England, August 2001). This is available from Mrs Heather Roberts, Business Continuity Co-ordinator to the Archbishops' Council, Elizabeth House, 39 York Road, London SE1 7NQ; Tel: 020 7898 1178.
7 Data Protection Act 1998, s 36.
8 An employee is not a ‘data processor’ as defined in ibid, s 1(1).
9 Even if the chancellor's filing system is entirely parish based, a filing system which allows the chancellor to look up the name and address of the vicar of a particular parish is within the definition of a ‘relevant filing system’ in ibid, s 1(1). If, as is likely, the chancellor keeps records of other names and addresses, then he should certainly be registered.
10 The same point can be made about registrars. It is arguable that a registrar's activities are not sufficiently independent of the bishop and the diocese so as to make the registrar a data controller rather than a data processor. The safer course is to notify.
11 The diocesan board of finance is a company, and so has legal personality: Diocesan Boards of Finance Measure 1925, s 1.
12 The diocesan parsonages board is a ‘body corporate’, and so has legal personality: Repair of Benefice Buildings Measure 1972, s 1(5).
13 See the definition of ‘data controller’ in the Data Protection Act 1998, s 1(1): ‘a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are to be processed.’
14 Data Protection Act 1998, s 4(1), Sch 1.
15 Ibid, s 4(3), Sch 2, para 1.
16 Ibid, s 2.
17 Ibid, Sch 1, Pt I, para 1(b), Sch 3.
18 Ibid, Sch 3, para 4.
19 Parochial Church Council (Powers) Measure 1956, s 2; or, for a greater authority, Matt 28:19.
20 Whether a person is a ‘member’ of the Church of England is not always straightforward: see Behrens, James, Confirmation, Sacrament of Grace (Leominster, Gracewing, 1995), pp. 78–79.
21 Data Protection Act 1998, Sch 3, para 1. The expression ‘explicit consent’ is not defined in the Act. It is arguable that if the PCC holds data about non-members, this might be covered by Sch 3, para 7(b), as it is an exercise of the functions of the PCC under the Parochial Church Council (Powers) Measure 1956, s 2. But by far the safest course is to obtain the ‘explicit consent’ of non-church members when making records of their personal information.
22 Data Protection Act 1998, s 11.
23 I.e. by making a subject access request under ibid, s 7.
24 Ibid, s 8(6).
25 Ibid, Sch 1, Pt II, para 7.
26 Ibid, s 4(3), Sch 4, para 1.
27 It is arguable that such a file contains not specific information about a person but simply general correspondence with or about that person. As against this, a file of complaints about an incumbent kept by a bishop is there to give the bishop specific information about the complaints made about that incumbent. The file is therefore part of a ‘relevant filing system’, and is subject to the data protection principles.
28 Data Protection Act 1998, s 39, Sch 8, para 14(2)(a).
29 Ibid, s 33, Sch 8, Pt IV (paras 15–18).
30 The exemption for historical and statistical research still continues after 24 October 2007: ibid, Sch 8 Pt IV.
31 Ibid, Sch 1, Part II, paras 2(1) and 3 deal with the who and why. Section 7 (of the Act itself, not the Schedule) deals with the what.
32 Ibid, s 27(2).
33 Ibid, s 7(2)(a). No special form is required.
34 Ibid, s 7(2)(b).
35 Data Protection (Subject Access) (Fees and Miscellaneous Provisions) Regulations 2000, SI 2000/191, reg 3. There is no reason not to charge the full £10. Special fees are prescribed for particular types of data, such as credit reference details, and health and education records. These are not material to this paper.
36 Data Protection Act 1998, s 7(3). This is consistent with the need to ensure the information is not disclosed to the wrong person.
37 Ibid, s 7(8), (10). The forty days only start to run from the date the subject provides the information under s 7(3): see s 7(8) and the definition of ‘the relevant day’ in s 7(10).
38 Ibid, s 42(1).
39 Ibid, s 40(1).
40 Ibid, s 7(4).
41 Ibid, s 8.
42 Ibid, s 7(4)(a).
43 Ibid, s 7(4)(b).
44 Ibid, s 7(6)(a), (d).
45 See the words ‘who can be identified from that information’ in ibid, s 7(4).
46 Ibid, s 37, Sch 7, para 1.
47 Thus, for example, the appointment of a new assistant curate is an appointment to an office. Assistant curates are not employees: Coker v Diocese of Southwark [1998] ICR 140, (1998) 5 Ecc LJ 68, CA.
48 The Data Protection Act 1998, An Introduction (Office of the Information Commissioner, 1998), section 3.1.
49 Data Protection Act 1998, s 7(4)(b). Section 7(6) sets out considerations to help decide whether it is reasonable in a particular case to disclose the contents of the reference.
50 Data Protection Act 1998 Subject Access Rights and Third Party Information (The Office of the Information Commissioner, 2000) highlights the difficulties faced by a person who has received a subject access request where the third party has refused consent for disclosure. The guide is available on the Office of the Information Commissioner's web site http://www.dataprotection.gov.uk/.
51 Compare, for example, the exemption for personal data processed for the purpose of judicial appointments and honours (Data Protection Act 1998, Sch 7, para 3), and personal data processed for the purpose of Crown or Ministerial appointments (Sch 7 para 4, as implemented by the Data Protection (Crown Appointments) Order 2000, SI 2000/416). In both these cases, data is exempt both when it is given and when it is received. There is no logical reason why references for these public appointments should be treated differently from references for ordinary employments and appointments.
52 It is noteworthy that the Explanatory Note to the Data Protection (Crown Appointments) Order 2000, SI 2000/416, states that the Order ‘contributes to the implementation of’ the Directive, even though the effect of the Order is to remove the right of subject access in the case of the crown appointments listed in the Order.
53 Enforcement notices are made under the Data Protection Act 1998, s 40. There is a right of appeal from an enforcement notice to the Information Tribunal under s 48, and a further appeal from the Information Tribunal to the High Court on a point of law under s 49(6).
54 Sheila Cameron QC, ‘Data Protection Act 1998 Confidential References’ (24 July 2001, unpublished).
55 In the House of Lords, the government was asked to introduce an amendment to the legislation to include confidential references received by the data controller. The government minister, Lord Falconer, replied stating ‘we believe that normally, unless there is a special situation, that [section 7(4)] would mean that references from another person to the data controller would not have to be disclosed, which would seem adequate protection under the circumstances’. Section 7(4) is the section stating that sources of information do not normally have to be disclosed. I am grateful to Anna James of Lee Bolton & Lee for drawing my attention to this.
56 Data Protection Act 1998, Sch 2, para 5(c), (d).
57 I.e. both the right to know whether there is any information about you, and the right to know what it says about you.
58 This presumably refers to Westminster Abbey and St George's Chapel, Windsor, and not to the three Chapels Royal (St James' Palace, St Peter ad Vincula in the Tower of London, and Hampton Court Palace). The three Chapels Royal have a Dean and a Sub-Dean, but no Canons: see the Report of the Review Group on the Royal Peculiars (London, Church House Publishing, 2001), chapter 6. The report is also available at www.open.gov.uk/lcd/majrep/royalp.htm.
59 Some non-ecclesiastical Crown appointments are also mentioned in the Data Protection (Crown Appointments) Order 2000, SI 2000/416.
60 Clause 35 of the draft Clergy Discipline Measure imposes a duty on the archbishops acting jointly to compile and maintain what is now known as the ‘Caution List’.
61 Data Protection Act 1998, s 31(2)(a)(iii), (3)(a).
62 Ibid, s 31(3)(c).
63 The Data Protection Act 1998, An Introduction (Office of the Information Commissioner, 1998), sections 2.4 and 2.2.4.
64 Data Protection Act 1998, s 33(3).
65 Ibid, s 33(1).
66 Ibid, s 33(4). Processing for research purposes requires that the results of the research or any resulting statistics are not made available in a form which identifies people mentioned in the files.
67 The Data Protection Act 1998 recognises that files may be disclosed to a person who is mentioned in the files, in the context of research: s 33(5)(b), Sch 8, para 18(b).
68 See e.g. Eph 4: 17–32.
69 Prov 11: 13.
70 The problem about employee references is not limited to clergy appointments. It affects all parish lay employments as well. But I see its institutional danger at the diocesan level.