Prayers for the sick may breach GDPR, Church fears
THE Church of England has told its parishes not to publish prayer requests for the sick without their permission following the introduction of new EU data laws.
The General Data Protection Regulation (GDPR), which came into force yesterday, has caused chaos as small firms, charities and religious organisations struggle to interpret the rules.
The Church of England’s guidance tells parishes that consent should be obtained if “names and reasons for the prayer request are recorded and published on the church website or in a parish newsletter”.
But the Information Commissioner’s Office (ICO) said organisations should not see the rules as a “barrier” and churches would be free to use information relating to someone who was part of a congregation.
Organisations that break GDPR rules can be fined up to 4 per cent of their turnover by privacy watchdogs.
Schools have also reported concerns that they can no longer hold or pass on medical information about pupils.
Declan Kelly, the lead adviser for the Church of England on GDPR, said permission would be needed “if the information were to be published on a website, leaflet or social media”.
The diocese of London clarified its GDPR guidance on Thursday after some priests were left under the impression that they could not pray for people without their consent. “There is no obstacle, under the GDPR, to
spoken prayers in church,” a spokesman said.
“In sensitive situations in which somebody is highly likely to be unhappy about having their name and/or other information shared, we do warmly advise seeking their agreement, and refraining from sharing their information in print where consent can’t be obtained.”
In a situation where one individual wants to light a candle for another and leave a note with their details, the new guidance says, the church must “try to ensure that consent is obtained, particularly in our multi-cultural society where people may object to being prayed for”.
A spokesman for the ICO said: “If, as an organisation, you have an existing relationship with someone, for instance that person is part of your church congregation or volunteers for your sports team, you would not need their consent to use basic personal information. Consent is not the only basis for using and sharing people’s personal data.”
Andrew Charlesworth, of the University of Bristol law school, said the Church was “erring on the side of caution”.
“We’re dealing with quite a complex piece of legislation, it’s quite a sensitive area.
“If your mum or your nan is seriously ill, you may not take the publication of that very well,” he said.
Mr Charlesworth said that consumers should not expect emails from organisations to “stop immediately” as they struggled to get to grips with the new rules. He added that schools should have no concerns about sharing medical information where necessary to keep children safe, but should keep parents informed about the data they held and why.
The Daily Telegraph was also contacted by Age Concern Forest of Dean, a small charity providing meals on wheels services to elderly and vulnerable people, which believed following a phone call with the ICO’S GDPR helpline that it needed to send a two-page letter to each client outlining the provisions of the Data Protection Act and asking permission to continue to hold their data.
As many of the charity’s clients have dementia or other disabilities, this would have posed a major threat to its services.
Following intervention by this newspaper, the ICO telephoned the Age Concern branch to tell them that they did not need to gain people’s consent to continue providing them with meals on wheels.
‘If your mum or your nan is seriously ill, you may not take the publication of that very well’