Parishes guidance – the Electoral Roll and GDPR
Many PCCs have raised concerns about the legal bases under GDPR for the processing of personal data required by the church electoral roll in accordance with the requirements set out in the Church Representation Rules (the “CRR”). Specifically, the NCI’s Legal and GDPR teams have been asked about the lack of a consent statement on the application form, so that the Parochial Church Council (PCC) can:
- a) collect and process the personal data on the form, which includes details of religious belief; and
- b) publish the electoral roll outside the church, (e.g. on a notice board), or on a church website.
This guidance is intended to clarify these issues, and to provide some guidance about the electoral roll.
Purposes of data processing
The lawful bases for processing the personal data contained in the church electoral roll come from the purposes for that processing, i.e. what we do with the personal data and why we are asking for it. In very broad terms, the key purposes are:
- To determine eligibility for attendance at the Annual Parochial Church Council Meeting, for various elections and for other church related matters, and;
- To create the electoral roll and administer the elections; and
- To publish the electoral roll.
All of the relevant purposes are set out in the CRR and PCCs must comply with these statutory requirements. Anyone who then applies to be put on the electoral roll should be made aware of all relevant requirements. This should be done by providing them with a privacy notice, (see paragraph headed “Privacy Notice” below).
There is no need to amend the relevant forms under the CRR, and the forms will not be changed to include consent. Consent is not necessary for the processing of personal data in relation to the church electoral roll, and PCCs should not be seeking consent because other lawful bases apply.
Lawful basis (Article 6)
The lawful basis for processing church electoral roll data can be found in Article 6(1)(c) – i.e. “processing is necessary for compliance with a legal obligation to which the controller is subject”. In other words, processing of personal data on the church electoral roll is required by law because the CRR (or other legislation) are statutory and impose legal obligations.
This also means that unless individuals provide the relevant data required by the form, they can’t participate in the processes/functions governed by the church electoral roll.
The CRR form and special category data (Article 9)
The personal data on the church electoral roll reveals a person’s religious belief and is therefore considered to be “special category” personal data, (i.e. sensitive). This means we also have to satisfy one of the conditions of processing set out in Article 9 GDPR, (as well as the Article 6 condition outlined above).
We can rely on Article 9(2)(d) GDPR, because the processing is a legitimate activity of a not-for-profit religious body, i.e. the Church of England, and only relates to members or former members.
Publication of the electoral roll
Under the CRR it is also a requirement to publish the roll for certain purposes. This is separate from the other two purposes, and so a different lawful basis is required for this processing.
As we have stated, the fact that an individual appears on the electoral roll means that these individuals are members of the Church of England, i.e. it reveals their religious belief. This means we have to have one lawful basis from Article 6 and one from Article 9.
The Article 6 lawful basis is that same as before – i.e. it is a legal obligation/requirement.
The Article 9 basis in relation to the publication of the roll is that the “processing relates to personal data which are manifestly made public by the data subject”, (Article 9(2)(e)).
Article 9(2)(e) is the lawful basis because where an individual applies to have his or her name enrolled on a church electoral roll, the automatic legal consequence of that is that certain data about that individual will be published. The individual is, therefore, by submitting his/her application form, manifestly making that data public; i.e. if a person takes an action, the consequence of which is that information relating to that action will become public, that person is deliberately making that information public.
The CRRs are clear. The roll will be published (see Part I Formation of Roll 1(8); Revision of Roll and Preparation of New Roll 2(1), 2(3) and 2(7)), and individuals should be aware of this. It may be necessary to draw their attention to the relevant paragraphs.
However, if an individual doesn’t want his/her address details to be made public, there are only two options:
- He/she can choose not to apply to be on the church electoral roll; or
- He/she can ask for his/her address details to be excluded due to specific and/or exceptional circumstances which might mean that the person might be at risk of harm if his/her address details were published. In such a case, the individual concerned should discuss his/her situation with the electoral officer or the diocesan office and it may be necessary to publish only his/her name. This is allowed for in the CRR Part I, 1(11) which states: – “…The roll shall where practicable contain a record of the address of every person whose name is entered on the roll, but failure to comply with this requirement shall not prejudice the validity of any entry on the roll…”
We have provided an electoral roll Privacy Notice which explains these issues for those individuals applying to the electoral roll. You will need to add your contact details but otherwise the Privacy Notice is ready for use, here: www.parishresources.org.uk/wp-content/uploads/Electoral-Roll-PN-2019.docx
You should publish this on your website and/or give it to people who request an application form.
If you need any further guidance, or have queries or concerns, please contact your diocesan data protection lead.