This was the response from a lawyer of one of the churches. Obviously, the learned colleague did not understand the application of the Data Protection Act (Act 843) hence his initial response. When he got the right understanding of the application of the Act, its implementation, its material and territorial scope, his response changed.
Why is the church mandated to register?
Section 91(1) of the Data Protection Act states that: This Act binds the Republic. This means that every entity within the Ghanaian jurisdiction must register! The church (which is alegal entity) is mandated to register! Churches must fully endorse and adhere to the data protection laws and principles in order to be compliant. These principles specify the legal conditions that must be satisfied in relation to obtaining, handling, processing, transmission and storage of personal data. Employees and others who obtain, handle, process, transport and store personal data for and on behalf of their churches must adhere to these principles.
Churches use personal data about living individuals for the purpose of general church administration, welfare and communication matters. All personal data, whether it is held on paper, on computer or other media, is subject to the data protection laws and therefore must be processed with the appropriate security safeguards according to the Data Protection Act. Churches process huge volumes of data, and their activities are heavily reliant on the use of personal data.
What is personal data?
Personal data is any information relating to a living individual (the data subject) who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s (the church’s) possession or likely to come into its possession.
The definition includes digital photographs and videos, where images are clear enough to enable individuals to be identified. Other examples of the sort of personal data commonly held by churches are staff/payroll records; membership lists; baptismal records; information relating to pastoral care; information regarding those attending church activities; lists of children/young people attending Sunday schools, youth groups and creches; house visitations; welfare management; testimony recording; cell management; evangelism activities, Bible schools, counselling, marital counselling, naming ceremonies. It also includes records of those for whom the congregation holds contact details for various reasons, including volunteers working with children and young people and others, those attending churches, etc.
Those were examples only and there may be other types of personal data held. Churches with websites with a facility to collect data, such as a “contact us” form should be aware that the information supplied by any enquirer is personal data and will have to be held by the church in accordance with data protection law.
As an example, by virtue of being a member of the welfare team or committee, one would have access to personal data such as: the name, phone number, house number, medical information, financial information, next of kin, etc. about an individual. Some of these personal information are classified as special categories of personal data – in the Ghanaian data protection law, whiles other jurisdictional laws refer to them as sensitive personal data. The processing of these special categories requires that the controller (the church) puts in place the appropriate security safeguards to protect these personal data.
Who processes data in the church?
Processing is basically anything at all you do with personal data – it includes collecting, editing, storing, holding, disclosing, sharing, viewing, recording, listening, erasing, deleting etc. Individuals responsible for processing personal information in churches may include the Minister, Catechist, Presbyters, Elders, Deacons and Deaconesses, and other office bearers like treasurers, administrators, group leaders, Sunday school teachers and others.
The right of the data subjects (church members)
The objective of the Data Protection Act is to protect the privacy of the individual (the church member) by regulating organizations that process personal data which includes the church.
Why is data protection important for your church?
Failure to comply with data protection can result in data breaches. It is your legal and moral duty to protect those you hold personal data about (church members). Data breaches can result in emotional, physical, and financial consequences for the affected data subjects. Additionally, the consequences of a data breach on your church could be substantial. Repercussions include damage to your reputation as well as penalties issued by the DPC. Data protection training, and registration with the DPC can help to demonstrate compliance, protect your members (data subjects) and avoid the devastating effects that a data breach could have on your church.
Author: Emmanuel K. Gadasu (Data Protection Officer, IIPGH and Data Privacy Consultant and Practitioner at Information Governance Solutions)
For comments, contact author [email protected] or Mobile: +233-243913077