Data protection and data security

Data held on paper or digitally often includes personal information about identifiable people. Your place of worship has a duty to keep any personal data it holds secure and to ensure that it is used appropriately.

This page outlines the requirements for handling data and keeping it protected.

The Data Protection Act 2018 controls how personal information is used by organisations including churches.

The Data Protection Act 2018 sits alongside the UK General Data Protection Regulation (UK GDPR) and sets out how the GDPR’s requirements apply in the UK.

Everyone responsible for using personal data has to follow strict rules called the ‘data protection principles’. They must make sure the information is:

  • Used fairly, lawfully and transparently;
  • Used for specified, explicit purposes;
  • Used in a way that is adequate, relevant and limited to only what is necessary;
  • Accurate and, where necessary, kept up to date;
  • Kept for no longer than is necessary;
  • Handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage.


There is stronger legal protection for more sensitive information, such as:

  • Race;
  • Ethnic background;
  • Political opinions;
  • Religious beliefs;
  • Trade union membership;
  • Genetics;
  • Biometrics (where used for identification);
  • Health;
  • Sex life or orientation.


There are separate safeguards for personal data relating to criminal convictions and offences.

Under the Data Protection Act 2018, every individual (including employees, church volunteers and members) has rights over the personal data held about them. These include the right to:

  • Be informed about how their data is being used
  • Access personal data
  • Have incorrect data corrected
  • Have data erased
  • Stop or restrict the processing of their data
  • Data portability (allowing them to obtain and reuse their data for different services)
  • Object to how their data is processed in certain circumstances


More information may be found on the Information Commissioner’s Office (ICO) website.

If you handle the personal data of individuals (including employees, church volunteers and members), you will be considered to be a controller of that data. For example, if you hold third-party contact details for the purpose of sending out newsletters (by post or email), or if you hold contact details or other personal information about employees, you will be classed as a controller of personal data.

Controllers must comply with, and be able to demonstrate their compliance with, all the data protection principles as well as the other GDPR requirements.

The ICO provides useful and comprehensive guidance on controllers’ obligations.

Data security is the practice of protecting data from corruption, loss and unauthorised access. Its aim is to preserve the confidentiality, integrity and availability of personal and organisational data.

Why must you keep data secure?

The security of stored data can be threatened by acts such as:

  • Hacking - attackers gaining access to your systems and reading, altering or deleting data;
  • Malware - viruses, ransomware and other programs created to damage computer systems or to deny you access to your own data;
  • Fraud - theft of sensitive data, such as employee records or financial details, by outsiders or by your own staff or volunteers;
  • Data loss - caused by any of the above, by hardware failure, or by the loss or theft of equipment such as a laptop or memory stick.


All these threats have the potential to disrupt and cause damage to the running of your place of worship.


Computer and data security measures

  • Undertake a risk assessment and review your security arrangements. It is good practice to do this when circumstances change, for example when new equipment is purchased or existing equipment is relocated;
  • Ensure that computers and all sensitive data are protected by a password. Length matters more than a forced mix of character types: a long passphrase (for example three unrelated random words) is both stronger and easier to remember than a short string of letters and numbers, so treat eight characters as the bare minimum and prefer considerably longer. Do not use car registration numbers, dates of birth, pet names or anything else that can easily be guessed, and do not reuse the same password across different accounts. Where an account offers two-factor authentication, switch it on. Set computers to lock automatically after a short period of inactivity, and lock them whenever you step away;
  • Install and maintain up-to-date anti-virus software and firewalls, and keep operating systems and applications updated with security patches;
  • Ensure computer data is regularly backed up, that copies are kept off-site, and that restoring from a backup is tested periodically so that you know it works before you need it;
  • Control the use of the internet, software downloads and memory sticks by anyone using the computers, and encrypt laptops and removable media that hold personal data;
  • Where possible avoid positioning computer equipment in view of, or beside, easily accessible windows;
  • Ensure users do not leave equipment unattended in public areas of the church or when working away from the premises;
  • Ensure users do not leave equipment in unattended vehicles, or walk through streets carrying items such as laptops in recognisable laptop bags;
  • Maintain a list of the serial numbers of all computer equipment;
  • Avoid advertising the arrival of new equipment, e.g. by leaving packaging in the grounds;
  • Produce a ‘Business Continuity Plan’ (BCP) to assist in getting computer systems quickly back to normal after any security breach or loss, and set out in it how a personal data breach will be recorded and, where required, reported to the ICO.

It is recommended that, if you have any concerns about compliance with either the Data Protection Act 2018 or the UK General Data Protection Regulation, you seek specialist legal advice.