2.43 Guidance for Respondents on Access to Records Held by the Diocese
Article 8 of the EU Charter of Fundamental Rights states that:
- Everyone has the right to the protection of personal data concerning him or her.
- Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
- Compliance with these rules shall be subject to control by an independent authority. This means that church authorities must inform a respondent of the Church body’s procedures in relation to how the church body protects personal information; processes the information in a fair way which ensures that the respondent is listened to and that is reported to the statutory authorities; and how the respondents information is processed upon conclusion of a statutory investigation during any subsequent canonical inquiry.
In sharing information with a Church body, a Church authority should advise a respondent that information will be kept secure and only shared with those who need to know. The Church authority must enable access to any information provided by the respondent and allow the correction of any factual inaccuracies.
- The Church authority should advise a respondent of their rights as follows:
- Access to anything written about by or concerning a respondent should be sought in writing to the data controller under article 15 of GDPR
- This should include any information on electronic or manual formats.
- The respondent should be asked for evidence of their identity
- The respondent should be advised that they can only access data about them and not any other third party
- The data controller must reply within 28 days of receipt of the request
- The Church authority as data controller should invite the respondent to meet sop that relevant personal data can be shared.
- The respondent should be advised that they can ask for a copy of the records
- The respondent must be advised that they can ask for the record to be corrected if it is factually incorrect
- The respondent can ask for their records to be destroyed. The Church body has a right to refuse if it is required to retain a record to demonstrate its engagement with and about you (in line with its data retention and destruction procedure).
- The respondent can ask for restrictions on the processing of their records
- The Church Authority as data controller will have to provide reasons for not complying with the respondent’s wishes
- GDPR states that the right to obtain a copy of personal data must not adversely affect the rights and freedoms of others. This means that the right cannot be used to access the personal data of other persons, i.e. third parties.