LSP-I Appendix 3 - Data Protection

PART A

Prelature Safeguarding Policy (PSP)

Art. 252

See Article 5 (PSP Art. 6)

PART B

Regional Safeguarding Policy (RSP)

Art. 253  

See Article 49 (RSP Art. 28)

PART C

Local Safeguarding Policy – Ireland

C-I | Ecclesiastical

Art. 254 (Record Keeping: Introduction)

See NBSCCCI Guidance Appendix B

§1 Good record-keeping is an integral part of safeguarding children within the Catholic Church; it should not be considered to be an optional extra (see Article 129 and Article 130). There are many reasons why all those involved in safeguarding children should keep good records. These include:

a) helping to improve accountability;

b) demonstrating how decisions relating to safeguarding children are made;

c) supporting effective assessments;

d) providing documentary evidence of actions taken;

e) helping to identify risks, and demonstrating how those risks have been managed. Good record-keeping also helps to safeguard the rights of all concerned.

Why is record-keeping important?

§2 Below are the primary reasons for record-keeping, as well as the processes necessary to write and maintain accurate records. Also detailed are recommendations regarding information sharing, and retention and storage of sensitive data.

a) Doing so ensures accuracy of reporting information.

b) This can be for internal use, or it can be done in circumstances where there is the necessity to report and to be accountable to external stakeholders, e.g. courts, tribunals of inquiry, Gardaí, PSNI, Tulsa (the Child and Family Agency) and HSCT (Health and Social Care Trust). Creating written records as soon as practicable after the event avoids the possibilities of memory loss and the distortion of the information.

c) Doing so assists with decision-making and case management.

d) Accurately recording factual information facilitates an evaluation of the information and aids decision-making.

e) Doing so protects both the subjects of recording and the recorder by having an agreed and accurate record.

f) As far as possible, recorded information should be agreed, with the subject of the recording, as constituting an accurate record of what took place.

g) Doing so enables accountability.

h) All those who have responsibilities for safeguarding children within the Catholic Church should be and will be held accountable for their actions. Good recording is required as evidence that the safeguarding of children is treated as a priority, and that all steps have been taken to prevent and minimise risk and to manage allegations appropriately.

i) Doing so enables the proper tracking of complaints.

j) It is important that we demonstrate through our records that complainants have been listened to and responded to in a compassionate and caring way. It is therefore vital that accurate records are kept of all complaints received and of how these have been responded to.

k) Doing so allows for continuity where there are changes in personnel managing the case.

l) Safeguarding children can involve a number of people, including the Church authority and designated person. Personnel can also change over the course of managing a child abuse allegation. It is therefore important that good, factual details are maintained in writing to allow for a consistent and fair approach, a continuity of care for complainants, and the proper management of respondents, when required.

Art. 255 (Principles of good record-keeping)

See NBSCCCI Guidance Appendix B

§1 All records should be legible – preferably typed or word-processed.

§2 All entries should be signed, and the person’s name and job title should be printed alongside the entry.

§3 All records should be dated and timed in real time. These records should be generated in correct chronological order.

§4 A narrative should be constructed that sets out a chronology of events and references any correspondence.

§5 Records should be accurate and presented in such a way that the meaning is clear.

§6 Records should be factual and should not include unnecessary abbreviations, jargon, opinion or irrelevant speculation.

§7 Judgement should be used to decide what is recorded. Is it relevant? Is it as objective as possible? Are facts and any necessary opinions clearly distinguished?

§8 Records should identify any risks, and should show the action taken to manage these.

§9 Records must not be altered or destroyed without proper authorisation. If the need for alteration arises, both the fact of such authorisation and the alteration made to any original record or documentation should be signed and dated.

§10 Each Church authority will need to establish its own retention periods and destruction processes.

Art. 256 (Data Protection Officer)

See NBSCCCI Guidance Appendix B

§1 Each Church authority should appoint a Data Protection Officer (“DPO”) who will take charge of responsibility for data protection within that organisation.

§2 The DPO’s tasks are defined in the Data Protection Act 2018. Briefly these are to:

a) To inform and advise the Data Controller, its employees, and any associated Data Processors about their obligations to comply with the GDPR and other relevant data protection laws such as Part 3 of the Act;

b) To monitor compliance with data protection laws, including managing internal data protection activities, advise on data protection impact assessments; train staff and conduct internal audits; and

c) To be the first point of contact for the Data Commission/Information Commissioner and for individuals whose data is being processed.

§3 The DPO with the Church authority should develop the necessary procedures and policies to ensure that the safe and secure processing of personal and sensitive data is in keeping with the principles of data protection. 

§4 In developing these policies the DPO and the Church authority should be mindful of the following:

a) The appointed Data Protection Officer should ensure that all records associated with these standards and guidance are reviewed on a periodic basis for the purposes of determining whether such records, in whole or in part, should be retained.

b) Ensuring that each file relating to a data subject should contain a checklist that provides for periodic reviews. The checklist should be signed and dated after completion of those reviews, with confirmation as to whether the records will be kept for a further period and the reason for same.

c) The assessment of danger or harm to children arising out of the destruction of the relevant records.

§5 Articles 37-39  of the General Data Protection Regulation (GDPR) detail the requirements around the designation of a Data Protection Officer,  (DPO) as well as their position and tasks under the GDPR. While, the GDPR does not define the professional qualities required or prescribe the training a DPO should undergo to be qualified to undertake the role, the Data Protection Commission  (DPC) and the Article 29 Working Party (whose GDPR related guidance was subsequently endorsed by the European Data Protection Board) have issued guidance on this matter. This allows organisations to decide on their DPO’s qualifications and training tailored to the context of the organisation’s data processing.

§6 Relevant skills and expertise for the DPO role include:

§7 The DPC provides a note on qualifications for DPOs with detailed guidance on this topic.

§8 Even where the GDPR does not specifically require the appointment of a DPO, it is highly encouraged by the European Data Protection Board (EDPB) as a matter of good practice and to demonstrate compliance. However, it is important to note that an organisation that appoints a DPO voluntarily must still comply with the full range of DPO requirements in the GDPR. 

Art. 257 (Data protection legislation)

See NBSCCCI Guidance Appendix B

§1 The General Data Protection Regulation (GDPR) came into effect in the EU on 25 May 2018. It has general application to the processing of personal data in the EU, setting out obligations on data controllers and processors, and providing strengthened protections for data subjects. 

§2 In Ireland, the national law, which, amongst other things, gives further effect to the GDPR, is the Data Protection Act 2018.

§3 The EU General Data Protection Regulation has been retained in UK law (and in Northern Ireland) as the UK GDPR. On 28 June 2021, the EU approved “adequacy” decisions for the UK GDPR and the Law Enforcement Directive (LED). This means data can continue to flow as it did before, in the majority of circumstances. Both decisions are expected to last until 27 June 2025.

Access to information by data subject

§4 People have a right to know what personal information is held about them, by whom and for what purpose (See NBSCCCI Guidance 2.2D and 2.2E). This is detailed in data protection and human rights legislation. However, despite these rights, in certain circumstances such information can be shared with others.

§5 The data subject must be made aware of the creation of a safeguarding record. If the data subject seeks access to their record, the following should take place:

a) The contents of the file should be reviewed and assessed so that data belonging to third parties is redacted.

b) At an agreed time and place, the file should be made available for reading by the data subject, under the supervision of the bishop, superior or the designated liaison person.

c) The data subject can make notes, and can ask for notes to be included in the file. If agreed, an amendment can be made on the file note. The file manager should state in writing the reason for the amendment, and sign and date their written note. Any such amendments should also be signed and dated by the data subject.

§6 If there is a disagreement concerning the amendment of any file, the details of the disagreement should be recorded, signed and dated by the file manager and the data subject.

§7 For guidance on your obligations on data access in Ireland follow links: ROI or NI.

Art. 258 (Storage of data)

See NBSCCCI Guidance Appendix B

§1 It is important that all sensitive or confidential materials are retained in a case file and stored securely in a place designated by the data controller, i.e. the Church authority

§2 Files containing sensitive or confidential data should be locked away, and access to the relevant fireproof safe(s) or filing cabinet(s) and keys should be strictly controlled.

§3 Access to the files needs to be limited to people in named roles – i.e. the Church authority – and properly designated child safeguarding personnel, who either need to know about the information in those records, and/or who have a responsibility to manage the records.

§4 Any information of a sensitive and confidential nature – if stored electronically – must always be password protected.

§5 Arrangements need to be made for the contents of the relevant files, as well as their location and storage arrangements, to be passed on from outgoing data controllers to their successors.

§6 Other records with identifying personal information – e.g., centre records on activity enrolment and vetting, activity attendance records, consent forms, accident forms, etc. – must be stored in a secure locked cabinet in the relevant office of the centre.

C-II | Civil (Republic of Ireland)

See Data Protection (RoI)

Art. 259

See DPC Guide on Data Protection Basics

§1 Irish data protection law covers most situations in which information about somebody (the ‘personal data’ of a ‘data subject’) is used in some way (‘processed’) by some other person or organisation (the ‘controller’), other than in a purely personal context.

General

§2 The Data Protection Commission (DPC) is responsible for regulating different sets of laws, which cover different ways and circumstances in which personal data might be processed. These laws are set out on the DPC’s website.

§3 The ‘General Data Protection Regulation‘ (GDPR) is the law which applies to most kinds of processing of personal data and it applies directly in Ireland (and across the EU), along with further national rules set out in the Irish Data Protection Act 2018.

§4 However, the GDPR does not apply to the processing of personal data by an individual for ‘purely personal or household’ activities, with no connection to a professional or commercial activity. This is sometimes known as the ‘personal/household/domestic exemption’. This might cover activities such as correspondence, keeping an address book, or certain social networking, where these activities are purely personal. The GDPR would still apply to controllers who process personal data to facilitate these activities (such as a social network).

§5 Where processing takes place for law enforcement purposes (such as preventing or detecting crime) the GDPR does not apply, and instead the ‘Law Enforcement Directive’ (LED) covers these situations, the rules for which are found mainly in Part 5 of the Data Protection Act 2018 (which implements the LED into Irish law).

Personal data

§6 Personal data basically means any information about a living person, where that person either is identified or could be identified. Personal data can cover various types of information, such as name, date of birth, email address, phone number, address, physical characteristics, or location data – once it is clear to whom that information relates, or it is reasonably possible to find out.

a) Personal data doesn’t have to be in written form, it can also be information about what a data subject looks or sounds like, for example photos or audio or video recordings, but data protection law only applies where that information is processed by ‘automated means’ (such as electronically) or as part of some other sort of filing system.

b) Personal data can be information where the data subject is identified – “John’s favourite colour is blue” – or where they are ‘identifiable’ – “John’s sister’s favourite colour is blue” (where you don’t know his sister’s identity, but could find out using context and/or additional information).

c) Even where personal information is partially anonymised, or ‘pseudonymised’, but this could be reversed and the data subject could possibly be identified using additional information, it should still be considered personal data. However, if information is truly anonymised, irreversibly, and could not be traced back to an identified person, it is not considered personal data.

d) To determine whether a person is ‘identifiable’, particularly where the information about that person is pseudonymised, all the methods and information reasonably likely to be used by the controller or other person to identify someone, either directly or indirectly, have to be considered.

Sensitive personal data

§7 Certain types of sensitive personal data, called ‘special categories’, are subject to additional protection under the GDPR, and their processing is generally prohibited, except for where specific requirements are met (such as having explicit consent), as set out in detail in Article 9 GDPR. 

§8 The special categories are: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data; biometric data processed to uniquely identify a person; data concerning health; and data concerning a person’s sex life or sexual orientation.

Data processing

§9 Data protection law governs situations where personal data are ‘processed’. Processing basically means using personal data in any way, including; collecting, storing, retrieving, consulting, disclosing or sharing with someone else, erasing, or destroying personal data. Although, as mentioned above, data protection law does not apply where this is done for purely personal or household activities.

Data Controller & Data Processor

§10 A ‘controller’ refers to a person, company, or other body that decides how and why a data subject’s personal data are processed. If two or more persons or entities decide how and why personal data are processed, they may be ‘joint controllers’, and they would both share responsibility for the data processing obligations. 

§11 A ‘processor’ refers to a person, company, or other body which processes personal data on behalf of a controller. They don’t decide how or why processing takes place, but instead carry out processing on the orders of a controller. 

§12 As mentioned above, if a person (but not a company or other body) decides how and why personal data are processed, and/or processes that data, but they only do so in a purely personal or household capacity, they will not be subject to the obligations of controllers under the GDPR or Data Protection Act 2018. 

§13 Regarding processing for the purposes of law enforcement, the specific rules in the LED and Part 5 of the Data Protection Act only apply to processing where the controller is a ‘competent authority’. This is defined as a public authority which is ‘competent’ for law enforcement purposes (such as the Gardaí or the Revenue Commissioners), or any other body which is authorised by law to exercise public authority and powers for law enforcement purposes. 

§14 Controllers have a range of obligations under data protection law, and in particular must comply with the principles of data protection, as found in Article 5 GDPR, ensuring personal data are: 

a) processed lawfully, fairly and transparently; 

b) processed for specific purposes; 

c) limited to what is necessary; 

d) kept accurate and up to date; 

e) stored for no longer than necessary; and 

f) protected against unauthorised or unlawful processing, accidental loss, destruction, or damage. 

§15 Controllers must also be able to demonstrate compliance with these principles, under the principle of accountability. 

§16 Under the principle of transparency, controllers should provide certain information to data subjects when they collect their personal data, such as: 

a) the identity of the controller; 

b) the contact details of the controller and 

c) (if they have one) their ‘data protection officer’ (DPO); 

d) the purposes and legal basis for the processing; 

e) who the data will be shared with; 

f) how long the data will be stored; and 

g) the existence of the data subject’s various rights. 

Data Subject

§17 If you want to exercise any of your rights as a data subject, the first step is to identify who the data controller is, and then to make your data subject request to them (more information on data subject rights and requests can be found below). If they don’t respond or don’t allow you to exercise your rights, or if you think there has been any other infringement of data protection law, you can contact the DPC.

Legal basis

§18 In data protection terms a legal basis (also referred to as a lawful basis or lawful reason) means the legal justification for the processing of personal data. A valid legal basis is required in all cases if a data subject’s personal data are to be lawfully processed in line with data protection law. 

§19 Under the GDPR, there are six possible legal bases for processing personal data, found in Article 6, namely:

a) Consent, 

b) Contractual, 

c) Necessity, 

d) Compliance with a legal obligation, 

e) Protecting vital interests,

f) Performance of an official or public task, and 

g) Legitimate interests (where the interest is not outweighed by the data subject’s). 

§20 There is no hierarchy or preferred option within this list, but instead all processing of personal data should be based on the legal basis which is most appropriate in the specific circumstances of that processing. Controllers should be aware that there may be different legal bases applicable to different types of processing of the same personal data. 

§21 It is important to note that ‘consent’, whilst perhaps the most well-known, is not the only legal basis for processing personal data – or even the most appropriate in many cases. Where consent is used, there are a number of special requirements for it to provide a valid legal basis for processing; it has to be 

a) specific, 

b) informed, and 

c) unambiguous, and it has to be 

d) freely given. 

§22 It must always be possible to withdraw consent after it has been granted; once it is withdrawn, the personal data cannot be processed any further on the basis of consent. 

§23 As mentioned above, under the GDPR, certain special categories of personal data should not be processed except in limited circumstances. Such processing requires both a legal basis under Article 6 GDPR, as well as meeting one of the exceptions in Article 9 (such as explicit consent or protection of vital interests) which allow such data to be processed. 

§24 It is the responsibility of every controller to identify which legal basis they are relying on for each type of processing of personal data they engage in. This information should be provided to data subjects, as part of the principle of transparency, and controllers should always be able to identify the legal basis they are relying on for processing if asked by a data subject or the DPC. 

§25 For controllers processing personal data for law enforcement purposes under the LED, the justification for such processing must either be that they have the consent of the data subject or that the processing is necessary for the performance of their functions for the purpose of ‘the prevention, investigation, detection or prosecution of criminal offences, including the safeguarding against, and the prevention of, threats to public security’, or ‘the execution of criminal penalties’

C-III | Civil (Northern Ireland)

Art. 260 

See Data Protection (NI)

UK GDPR

§1 The EU GDPR has been incorporated into UK data protection law as the UK General Data Protection Regulation (UK GDPR). On 28 June 2021, the EU approved an “adequacy decision” for the UK GDPR. This approval is expected to last until 27 June 2025.

§2 In practice, there is little change in the UK GDPR vis-à-vis the core data protection principles, rights and obligations found in the EU GDPR. However, there are implications for the rules on transfers of personal data between the UK and the EEA.

§3 The UK GDPR sits alongside the Data Protection Act 2018 (DPA 2018) with some technical amendments so that it works in a UK-only context. The UK GDPR applies to UK businesses, as well as to controllers and processors based outside the UK if their processing activities relate to:

a) offering goods or services to individuals in the UK, or

b) monitoring the behaviour of individuals taking place in the UK

§4 If you are based outside of the UK and you do not have a branch, office or another establishment in the UK, and you either offer goods or services to individuals in the UK or monitor the behaviour of individuals in the UK, the UK GDPR will require you to appoint a representative in the UK.

§5 The Information Commissioner's Office (ICO) is responsible for enforcing the data protection legislation in the UK. They have the power to carry out investigations and issue fines, and advise businesses on how to comply.


UK Lawful basis for processing of personal data

§6 To comply with the UK General Data Protection Regulation (UK GDPR), you must have a valid lawful basis in order to process personal data.

§7 There are six available lawful bases for processing. At least one of these must apply whenever you process personal data. Your purpose and relationship with the individual will dictate which basis will be most appropriate to use. The lawful bases for processing include:

Consent: This applies when the individual gives clear consent for you to process their personal data for a specific purpose. See more on obtaining and managing consent.

Contract: This applies when processing is necessary to deliver a contractual service to an individual, or because they have asked you to do something before entering into a contract (e.g., provide a quote).

Legal obligation: This applies when processing is necessary for you to comply with a common law or statutory obligation (not including contractual obligations). To rely on this ground, you should be able to either identify the specific legal provision or an appropriate source of advice or guidance that clearly sets out your obligation. See more on legal obligation.

Vital interests: This applies when processing is necessary to protect someone's life. However, you cannot rely on vital interests for health data or other special category data if the individual is capable of giving consent, even if they refuse their consent. See more on vital interests.

Public task: This applies when processing is necessary for you to perform a task in the public interest or for your official functions, both of which have a clear basis in law. This is most relevant to public authorities, but it can apply to any organisation that exercises official authority or carries out tasks in the public interest.

Legitimate interest: This applies when processing is necessary to satisfy your own (or third party's) legitimate interest. It is likely to be most appropriate where you use people's data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing. To rely on this ground, you must identify the interest, show that the processing is necessary to achieve it, and balance it against the individual's interests, rights and freedoms.

§8 Most lawful bases require that processing is 'necessary' for a specific purpose. In this sense, necessary means more than just useful, and more than just standard practice. It must be a targeted and proportionate way of achieving a specific purpose. If you can reasonably achieve the same purpose without the processing, it is unlikely that you will have a lawful basis.

§9 If no lawful basis applies to your processing, your processing will be unlawful and in breach of the first principle of the UK GDPR.

§10 The lawful basis for your processing can also affect which rights are available to individuals. For example, consent will often provide the broadest set of rights that individuals can evoke against you. You must give them information about your lawful basis for processing in order to comply with the individual's right to be informed.

§11 You must determine your lawful basis before you begin processing. Your basis will depend on your specific purposes and the context of the processing. You should:

a) check that the processing is necessary for the relevant purpose

b) check that there is no other reasonable way to achieve this purpose

c) document why you chose a particular lawful basis - to demonstrate compliance

d) explain the purpose and the lawful basis for processing in your privacy notice

§12 If you're processing special category data or criminal offence data, you must identify and document both a lawful basis for processing and a special category condition for processing in compliance with the UK GDPR.

§13 Much will depend on what kind of processing you intend to do or whether you want to process the data for another purpose. You can use the ICO's interactive guidance tool to help you decide which lawful basis is likely to be most appropriate for your processing activities.

Retrospective change of the lawful basis

§14 It's important to determine your lawful basis correctly the first time. You should not swap to a different lawful basis at a later time without good reason. Switching lawful basis retrospectively is likely to be inherently unfair to the individual and can lead to breaches of accountability and transparency requirements.

§15 If your purposes change over time or you have a new purpose which you did not originally anticipate, you may not need a new lawful basis as long as your new purpose is compatible with the original purpose. If you do need a new purpose, you will need to consider whether processing is fair and transparent, inform the individual about it, and document the change.

Documenting lawful basis

§16 To satisfy the UK GDPR's accountability principle, you must keep a record of:

a) which basis you are relying on for each processing purpose

b) a justification for why you believe the basis applies

§17 There is no standard form for this, but you must ensure that what you record sufficiently demonstrates that a lawful basis applies. Documenting will help you comply with accountability obligations and will also help you when writing your privacy notices.

Art. 261

Common Law

§1 The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent. In practice, this means that all patient/client information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient/client. It is irrelevant for example how old the patient/client is, or what the state of his/her mental health is; the duty still applies.

§2 Three circumstances making disclosure of confidential information lawful are:

a) where the individual to whom the information relates has consented

b) where disclosure is necessary to safeguard the individual, or others, or is in the public interest

c) where there is a legal duty to do so, for example a court order

§3 Therefore, under the common law, a health or social care provider wishing to disclose a patient’s/client’s personal information to anyone outside the team providing care should first seek the consent of that patient/client.

§4 Where this is not possible, an organisation may be able to rely on disclosure being in the overriding safeguarding interest of the individual or others or in the public interest. However, whether a disclosure is in the public interest is not a decision to be taken lightly. Solid justification is required before individual rights are set aside and specialist or legal advice should be sought before the information is disclosed. Any decision to disclose should be fully documented.

§5 Disclosures required by court order should be referred to the organisation’s legal advisors as promptly as possible, so that any necessary representations may be made to the court, for example to limit the information requested.

§6 If a disclosure is made which is not permitted under common law the patient/client could possibly bring a legal action not only against the organisation but also against the individual responsible for the breach. 

Records management considerations

§7 All persons involved in the records management function should be aware of their responsibility for maintaining confidentiality of records.

a) Employees should only have access to those parts of the record required to carry out their role.

b) Requests for records access by other staff members should be logged and periodically audited.

c) Particular care should be taken during the transportation of health and social care records outside of the organisational site, for example security envelopes and approved carriers should be used where necessary.

§8 Further support

a) Information commissioner 

b) Department of Health, Social Services and Public Safety (DHSSPS)