GDPR – The General Data Protection Regulations


  1. These originally EU Regulations are now part of UK domestic law.
  2. They mean that every organisation that holds personal data on people must obey certain rules:
  • They must obtain the person’s permission to hold the information and cannot assume permission except in certain limited circumstances.
  • They must be clear about how they will use and safeguard the information they hold.
  • They must hold no more information than they need: they have to show a reason for keeping each item of personal information. And
  • They must delete or safely destroy the information once they no longer require it.
  1. We need to appoint someone to be the ‘Data Controller’ for the church, who will be responsible for ensuring that the rules are observed, and someone to be the ‘Data Processor’, responsible for the handling of personal information.
  2. The Data Controller must review all the church’s policies for holding information and check that they are satisfactory.
  3. What information do we hold?
  4. The Ministers and the Pastoral Team hold the names, addresses, phone numbers and in some cases email addresses of those on the Congregational Roll. No other information should be recorded about, for example, the health conditions of individuals or about their marital or family circumstances.
  5. The Church Treasurer also holds information about names and addresses, though not for as many members, and in addition records how much those members give each week and whether or not they are taxpayers.
  6. The questions that need to be asked are:
  • Have members given permission for this information to be held?
  • Are there good reasons for holding it?
  • Is it held securely? And
  • Is it destroyed when it is no longer required?
  1. Organisations are allowed to assume that when people join as members they understand that the organisation will hold the information it needs to maintain contact with them. Likewise, in the case of the financial data it can properly be assumed that people understand that when they use envelopes or standing orders the money given will be recorded against their serial number, and that when they complete Gift Aid returns the Treasurer will hold that information to present to HMRC for audit if requested.  There is no need for us to ask for permission to hold this information.  It is expected, and there are good and self-evident reasons for holding it.
  2. The information must, however, be held securely. The degree of security can be proportionate to its sensitivity, and people’s names and addresses and the simple fact that they are members of the Methodist Church are not particularly sensitive.  However, phone numbers and email addresses are more sensitive, and it is therefore important that reasonable steps should be taken to protect them and that they should not be handed out to more officers of the church than is absolutely necessary.  Lists containing these details should be marked “FOR OFFICIAL CHURCH USE ONLY – NOT TO BE COPIED OR PASSED ON”.  Copies should be numbered and signed for on a register held by the Pastoral Co-ordinator, kept in a safe place and destroyed securely when they are no longer required.  The electronic master copy will be held under password protection on the Minister’s and/or Pastoral Co-ordinator’s personal computers and nowhere else.
  3. Personal financial information is held only by the Church Treasurer. The detail of weekly giving and other offerings is held on his computer in an anonymised form.  Annual totals are also published in anonymised form.  Gift Aid forms and the key to the anonymised records are held in paper files in the Treasurer’s study, where they are kept under lock and key.


  1. The Church Council is invited:

• To appoint someone to be the Data Controller for the church and to ask him or her to check that the church is complying with the GDPR and report annually to the Church Meeting.
• To agree that we do not need to ask church members’ permission to hold their contact details or records of giving, because it can properly be assumed that people understand that those are things we have to do to run the church. However, the Data Controller should make use of the Weekly Notices and/or the Church Magazine to inform members about the way in which their personal data is being handled and safeguarded.
• To appoint the Pastoral Co-ordinator, on behalf of the Minister, to maintain the record of names, addresses, phone numbers and email addresses for the whole congregation and to hand out only as much of that information as is required to nominated individuals who will handle it in accordance with paragraph 8 above. The Pastoral Co-ordinator will be the designated ‘Data Processor’ for the church.
• To endorse the way in which the Church Treasurer currently handles personal financial information.

5th March 2019