2.44 Guidance for Complainants on Access to Records Held by a Church Body
Article 8 of the EU Charter of Fundamental Rights states that:
- Everyone has the right to the protection of personal data concerning him or her.
- Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
- Compliance with these rules shall be subject to control by an independent authority. This means that church authorities must inform a complainant of the Church body’s procedures in relation to how the church body protects personal information; processes the information in a fair way which ensures that the complainant is listened to and that is reported to the statutory authorities; and how the complainants information is processed upon conclusion of a statutory investigation during any subsequent canonical inquiry.
In sharing information with a Church body, a Church authority should advise a complainant that information will be kept secure and only shared with those who need to know. The Church authority must enable access to any information provided by the complainant and allow the correction of any factual inaccuracies.
- The Church authority should advise a complainant of their rights as follows:
- Access to anything written about by or concerning a complainant should be sought in writing to the data controller under article 15 of GDPR
- This should include any information on electronic or manual formats.
- The complainant should be asked for evidence of their identity
- The complainant should be advised that they can only access data about them and not any other third party
- The data controller must reply within 28 days of receipt of the request
- The Church authority as data controller should invite the complainant to meet sop that relevant personal data can be shared.
- The complainant should be advised that they can ask for a copy of the records
- The complainant must be advised that they can ask for the record to be corrected if it is factually incorrect
- The complainant can ask for their records to be destroyed. The Church body has a right to refuse if it is required to retain a record to demonstrate its engagement with and about you (in line with its data retention and destruction procedure).
- The complainant can ask for restrictions on the processing of their records
- The Church authority as data controller will have to provide reasons for not complying with the complainant’s wishes
- GDPR states that the right to obtain a copy of personal data must not adversely affect the rights and freedoms of others. This means that the right cannot be used to access the personal data of other persons, i.e. third parties.