Church in Wales (the ‘Church’) Personal Data Sharing GuidanceRelating to members, former members and persons connected with the ChurchIntroduction1.1 The Church recognises that the correct and lawful treatment of personal data is essential. Ensuring that any personal data processed within the Church is done so fairly, lawfully and securely will maintain confidence in the Church and will assist in the achievement of its aims. Protecting the confidentiality and integrity of personal data is a critical responsibility that the Church and its staff must take seriously at all times.1.2 The Church is a not-for-profit body with a religious aim. Within the Church there are a number of separate data controllers:(a) At parish level (i.e. individual churches) who will process personal data about Church members, office holders, former members and individuals who have a connection with the Church (e.g. for weddings, baptisms, funerals etc.) and Clergy;(b) At diocese level (i.e. diocese and diocesan boards of finance) who will process personal data about members, officer holders, other individuals connected with the Church, Clergy and staff;(c) The Bishops Offices who will process personal data about members, officer holders, other individuals connected with the Church, Clergy and staff; and(d) The Representative Body (including St. Padarn's and the staff of the Provincial Office) who will hold personal data about members, students, tenants, officer holders, other individuals connected with the Church, Clergy and staff.1.3 Each data controller within the Church is required to comply with data protection law and the data protection principles, in their own right (for further information on the data protection principles and what constitutes personal data see the Representative Body’s Data Protection Policy the RB infonet and at www.churchinwales.org.uk).1.4 The Church recognises that on occasion it will be necessary to share personal data between various controllers (i.e. parish churches, dioceses, Archdioceses, Bishops Offices and the Representative Body, within the Church, in order to facilitate the activities and operations of the Church and the various data controllers.1.5 This Guidance sets out how the Church seeks to put in place appropriate safeguards to protect personal data and to ensure that all individuals within the Church understand how and when it is appropriate to share personal data between the various data controllers within the Church.1.6 The aim of this Guidance is to:(a) ensure that personal data is shared fairly and lawfully, in accordance with the data protection principles and data protection laws;(b) that only personal data that needs to be shared in connection with the operations and activities of the Church is shared;(c) that personal data is only shared when it is necessary and appropriate to do so;(d) that personal data is shared on a ‘need to know’ basis and is not shared more widely than is necessary; and(e) that personal data is shared securely.Data Sharing within the Church2.1 Under data protection law personal data can only be shared when it is fair and lawful to do so. This requires:(a) Privacy information to be provided to the individual setting out how their personal data will be shared (see the Representative Body’s privacy information); and(b) A legal basis for sharing personal data.Personal data revealing religious beliefs2.2 Personal data which relevels an individual’s religious belief is special category data for the purposes of data protection law. The data controllers within the Church will be processing information about members, former members and persons connected with the Church, which by its nature, will reveal the religious beliefs of those individuals.2.3 The Church also recognises that the processing of such data is prohibited unless there is a specific legal basis for processing.2.4 Data protection law allows for the processing of special category data by a not-for-profit body with a religious aim, where it is necessary for the legitimate activities of the Church. For example, it will be necessary for parishes and diocese to share the personal data of office holders within the Church in order to facilitate meetings etc.2.5 Provided therefore, that sharing personal data of members, former members or persons connected with the Church is necessary and for legitimate reasons, then it can be shared between data controllers within the Church, subject to the appropriate safeguards set out in section 3 below.Other types of special category data2.6 Personal data revealing racial or ethnic origin, political opinions, data concerning sex life or sexual orientation or data concerning health are also types of special category personal data under data protection law and the processing of such data is prohibited unless there is a specific legal basis for processing.2.7 Other types of special category data about members, former members or other persons connected with the Church can be shared between data controllers within the Church only where:(a) It is necessary for the legitimate activities of the Church, for example where a priest provides details of a parishioner’s medical condition with another entity in order to organise hospital visits to the individual as part of pastoral care provided by the parish; and(b) The appropriate safeguards set out in section 3 are considered.2.8 Where it is not necessary for the legitimate activities of the Church to share such personal data, it will be necessary to obtain the explicit consent of the individual before such personal information is shared with another data controller within the Church.Data sharing within the Church (appropriate safeguards)3.1 In order to ensure that only personal data that needs to be, is shared between the data controllers within the Church, the following appropriate safeguards should be considered before personal data is shared:(a) What is the information that needs to be shared?The personal data of members, former members and persons connected with the Church, should only be shared between data controllers within the Church where it is necessary in the course of the legitimate activities of the Church, and only personal data that is relevant to that activity should be shared. Sharing personal data where it is not necessary in the course of the legitimate activities of the Church, will mean that personal data is processed unlawfully (unless the explicit consent of the individual has been sought).The Church considers that it is appropriate to restrict the sharing of personal data between data controllers. The sharing of personal data between a Parish and the relevant Diocese or Diocesan Board of Finance and between the Parish and/or relevant Diocese/Diocesan Board of Finance and the Representative Body will be required in the course of the Church’s legitimate activities. The Church does not envisage however, that it will be necessary in the course of its legitimate activities for the personal data of members, former members and persons connected with the Church to be shared between various Parishes, or between the various Diocese or Diocesan Boards of Finance, except in exceptional circumstances.Consideration must be given therefore to what (if any) personal data it is necessary and appropriate to share in the circumstances.(b) Can the objective be achieved without sharing the data or by anonymising it?Consideration should be given to whether it is necessary to share the relevant personal data at all or whether the activity or aim in question can be facilitated or achieved by providing the data in an anonymised form.(c) Who requires access to the shared personal data?Personal data should be shared on a ‘need to know’ basis, meaning personal data should only be shared with the other data controllers within Church who need it, and only relevant individuals within those other data controllers should have access to it.(d) When should personal data be shared?As outlined in (a) above, personal data should only be shared (without the explicit consent of the individual) when it is necessary in relation to a specific legitimate activity of the Church.(e) How should data be shared?Should there be any security surrounding transmission e.g. only shared between Church in Wales e-mail addresses rather than personal e-mail addresses.Data sharing outside the Church in Wales4.1 The personal data of members, former members or persons who have regular contact with the Church should only be shared outside the Church in Wales where the explicit consent of the individual has been obtained.4.2 In order to be valid, consent under data protection law must be a freely given, specific, informed and unambiguous indication of the individual’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. This means that:(a) The individual will need to be informed with whom outside the Church in Wales it is proposed that their personal data will be shared and the reason for it.(b) The individual will need to provide a signature or provide some other affirmative indication (e.g. ticking a box) that they are happy for their personal data to be shared in this way.(c) That consent should be documented by the relevant data controller.4.3 The explicit consent of the individual will be needed where personal data is:(a) To be put on the website for example where it is included in parish newsletters or bulletin boards;(b) Sent to a publisher e.g. in relation to a parish newsletter or year book;(c) Posted in a public place e.g. church hall noticeboard;Data sharing required by law or other protocol5.1 In certain circumstances, it will be a legal requirement for data controllers with the Church to share the personal data of members, former members or persons who are connected with the Church.5.2 In other instances, provision may have been made for personal data to be shared by data controllers outside the Church in Wales in accordance with a data sharing protocol e.g. the Wales Accord on the Sharing of Personal Information (WASPI).5.3 There may also be instances where an exemption applies to the personal data which will allow it to be shared outside the Church with 3rd parties without the consent of the individual. For example where it is necessary to share the personal data for the prevention or detection of crime.5.4 Nothing in this guidance note should prejudice the sharing of personal data in the circumstances outlined above, provided that the sharing of personal data is in accordance with the data protection principles and data protection laws.The following documents are available to download:Church in Wales Data Protection Policy (Word)RB Data Retention Policy (Word)Subject Access Request (Word)Individual’s Rights (Word)Personal Data Breach (Word)Privacy NoticesStaff Pension Scheme (Word)St Padarns Students (Word)Clergy/Former Clergy/Members/Tenants/Donors/individuals/users of our website; Members of the Governing Body; tenants; donors; individuals who contact us with enquiries or complaints; users of our website; individuals who feature in our newsletters or articles; individuals who we engage to provide services to us; and individuals who engage with us on social media. (Word)