The mission of the church
Yes, I agree the mission of the church is to reconcile sinners with God and to bring back the lost sheep into the fold of God. The Church is a legal entity and can sue and be sued in its own name. The church has been law abiding and has complied with many laws of the lands in which it exists. It is only relevant and crucial that the church and especially its leadership understand the scope and application of Data Protection laws in the very jurisdictions it operates in.
Sorry, our church does not process personal data, so we are exempted from registration with the Data Protection Commission. The ONLY information we collect from our members are their names and phone numbers. I don’t think we are required to register.
This was the response from a lawyer of one of the churches. Obviously, the learned colleague did not understand the application of the Data Protection Act (Act 843) hence his initial response. When he got the right understanding of the application of the Act, its implementation, its material and territorial scope, his response changed.
Why is the church mandated to register?
Section 91(1) of the Data Protection Act states that: This Act binds the Republic. This means that every entity within the Ghanaian jurisdiction must register! The church (which is a legal entity) is mandated to register! Churches must fully endorse and adhere to the data protection laws and principles in order to be compliant. These principles specify the legal conditions that must be satisfied in relation to obtaining, handling, processing, transmission and storage of personal data. Employees and others who obtain, handle, process, transport, and store personal data for and on behalf of their churches must adhere to these principles.
Churches use personal data about living individuals for the purpose of general church administration, welfare and communication matters. All personal data, whether it is held on paper, on computer or other media, is subject to the data protection laws and therefore must be processed with the appropriate security safeguards according to the Data Protection Act. Churches process huge volumes of data, and their activities are heavily reliant on the use of personal data.
What is personal data?
The definition includes digital photographs and videos, where images are clear enough to enable individuals to be identified. Other examples of the sort of personal data commonly held by churches are: staff/payroll records; membership lists; baptismal records; information relating to pastoral care; information regarding those attending church activities; lists of children/young people attending Sunday schools, youth groups and creches; house visitations; welfare management; testimony recording; cell management; evangelism activities, Bible schools, counselling, marital counselling, naming ceremonies. It also includes records of those for whom the congregation holds contact details for various reasons, including volunteers working with children and young people and others, those attending churches, etc. These are examples only and there may be other types of personal data held. Churches with websites with a facility to collect data, such as a “contact us” form should be aware that the information supplied by any enquirer is personal data and will have to be held by the church in accordance with data protection law. Further, if a church uses cookies on its website to monitor browsing, it will be collecting personal data of that individual. Many activities in the church are handled by different people operating in different departments for different and specific purposes.
As an example, by virtue of being a member of the welfare team or committee, one would have access to personal data such as: the name, phone number, house number, medical information, financial information, next of kin, etc. about an individual. Some of these personal information are classified as special categories of personal data – in the Ghanaian data protection law, whiles other jurisdictional laws refer to them as sensitive personal data. The processing of these special categories requires that the controller (the church) puts in place the appropriate security safeguards to protect these personal data.
Who processes data in the church?
Processing is basically anything at all you do with personal data – it includes collecting, editing, storing, holding, disclosing, sharing, viewing, recording, listening, erasing, deleting etc. Individuals responsible for processing personal information in churches may include the Minister, Catechist, Presbyters, Elders, Deacons and Deaconesses, and other office bearers like treasurers, administrators, group leaders, Sunday school teachers and others.
The right of the data subjects (church members)
- Right to be informed: church members have the right to be informed about the collection and use of their personal data.
- Right to access: church members have the right to view and request copies of their personal data. This includes pictures, CCTV footage, tithe records, minutes of meetings, etc.
- Right to rectification: church members have the right to request inaccurate or outdated personal information be updated or corrected.
- Right to erasure: church members have the right to request their personal data to be deleted. Note that this is not an absolute right and may be subject to conditions being met or based on certain laws or regulations.
- Right to restrict processing: church members have the right to request the restriction or suppression of their personal data.
- Right to give and withdraw consent: church members have the right to withdraw previously given consent to process their personal data.
- Right to object: church members have the right to object to the processing of their personal data. This effectively means that the church member can stop or prevent the church from using their data.
- Right to object to automated processing: church members have the right to object to decisions being made with their data solely based on automated decision making or profiling.
- Right to complain: church members have the right to complain to the church leadership or complain to the Data Protection Commission (DPC) which is the supervisory authority with regards to data protection.
- Right to compensation: church members have the right to compensation from the church (data controller), where the individual suffers some form of damage or distress through actions or inactions of the church. .
The objective of the Data Protection Act is to protect the privacy of the individual (the church member) by regulating organizations that process personal data which includes the church.
Why is data protection important for your church?
Failure to comply with data protection can result in data breaches. It is your legal and moral duty to protect those you hold personal data about (church members). Data breaches can result in emotional, physical, and financial consequences for the affected data subjects. Additionally, the consequences of a data breach on your church could be substantial. Repercussions include damage to your reputation as well as penalties issued by the DPC. Data protection training, and registration with the DPC can help to demonstrate compliance, protect your members (data subjects) and avoid the devastating effects that a data breach could have on your church.
Author: Emmanuel K. Gadasu
(Data Protection Officer, IIPGH and Data Privacy Consultant and Practitioner at Information Governance Solutions)
For comments, contact author ekgadasu@gmail.com or Mobile: +233-243913077