Wednesday, 25 April 2018

Clergy Blue Files and Data Protection

Updated Friday

During the recent IICSA hearings, much was made of the way personal files of Church of England clergy were handled in the past. But what about the present?

The guidelines for bishops and their staff about the handling of clergy personal files are very clearly set out in a document dated April 2013, Personal Files relating to Clergy - Guidance for bishops and their staff, which is available online here.

This document reflects the data protection legislation in force at the time it was written. New legislation on this subject comes into force on 25 May 2018, so the document will need to be updated soon, if that has not already happened. But the current guidelines are quite clearly stated and updating to the latest requirements will not be difficult.

However, it’s not at all clear that they are being consistently implemented across all dioceses. The evidence for this assertion is contained in a recently published article by Colin Coward: Clergy Blue Files and the illegal behaviour of bishops and their chaplains. This reports on recent email exchanges between a small number of chaplains to diocesan bishops.

Emails between four bishops’ chaplains asking questions about whether priests can be shown their Clergy Current Status Letter (CCSL) have been sent to me. Clergy Current Status Letters are sent by the bishop of the diocese from where a priest is moving to the bishop of the diocese to which they are moving. The emails show that some bishops and their chaplains have not read or do not understand the “Guidance for bishops and their staff Approved by the House of Bishops on 13th March 2013” concerning “Personal Files Relating to Clergy”…

Update

Colin has posted a follow-up article: The Church of England’s systemically abusive culture which includes a letter he has written to the archbishops about all this, as well as discussing several other recent events.

Posted by Simon Sarmiento on Wednesday, 25 April 2018 at 3:37pm BST
Categorised as: Church of England
Comments

It seems the document was updated in Nov 2017, stating "In spring 2018 there will be a new edition of this document to take account of changes introduced by the GDPR."

Posted by: JayKay on Wednesday, 25 April 2018 at 6:16pm BST

I will comment later on the emails etc but first I must challenge his view that the Guidance is good. I think it is decidedly poor. Take the requirement to record baptismal certificate. If someone has undergone gender reassignment, because the Church won't replace these, it will necessarily reveal that the minister has undergone gender reassignment. If the minister has a Gender Recognition Certificate then, if the bishop allows a member of his staff to access the file he won't just breach the Data Protection Act (which in these circumstances prohibits even internal disclosures) but he may commit a criminal offence under s22 of the Gender Recognition Act. There are religious exemptions but they are not comprehensive.

I suspect if I parse the Guidance carefully there are all sorts of issues surrounding sensitive personal data. The 7th principle requires, for example, that both technical and organisational measures are in place to secure personal data. Organisational includes sufficient training and it is clear from the emails that the Guidance isn't meeting that obligation.

So I disagree with Colin. The Guidance is in my opinion (and it is a subject on which I have in the past provided professional advice to organisations) highly deficient.

Posted by: Kate on Wednesday, 25 April 2018 at 8:00pm BST

Kate, I defer to your wisdom about the Guidance. I was judging it in comparison with other Church of England documents and statements - the letter by William Nye sent to TEC, for example, which is tendentious in the extreme. I look forward to your further parsing of the Guidance. I note that you describe it as highly deficient - things are worse than I thought.

Posted by: Colin Coward on Wednesday, 25 April 2018 at 9:50pm BST

Colin, no worse perhaps than in many organisations but in a lot of places it does little more than copy the wording in the legislation. Compare it with guidance produced by, for example, the Equality and Human Rights Commission which interspersed the text with examples to make the guidance understandable.

Posted by: Kate on Wednesday, 25 April 2018 at 11:13pm BST

There are several areas in the Guidance which concern me, but there is one glaring gap. It seems that bishops are the data controllers but there is a paucity of guidance on this, for example no guidance (unless it is elsewhere) on the responsibility to report breaches and, I would suggest, not enough guidance for a bishop to meet his/her responsibilities for security, including computer security.

Also, I checked the registrations of several bishops on the ICO register eg Durham and Norwich. They say they process the personal data of parishioners but don't mention processing the personal data of clergy.

Posted by: Kate on Thursday, 26 April 2018 at 12:11am BST

I always call mine a Study rather than an Office as we already have what's called a "Parish Office" housed in the stable block of the Old Rectory.

Posted by: Father David on Thursday, 26 April 2018 at 4:32am BST

There is a new version which was agreed by the House of Bishops in November 2017. There is also new guidance on DPA/GDPR which is currently in preparation. However, the sheer wrongheadedness, woodenness and stupidity of some of the comments by bishops' chaplains in the stuff leaked by Colin Coward is jaw-dropping. They clearly need some training!

If operated properly, the Guidance is fit for purpose, and works well with the DPA and the ICO Guidance on subject access requests. When the full suite of material that will bring all the documentation into line with GDPR is in place, I hope that Bishops' Chaplains will receive some proper training on blue files and compliance. It's a question I shall be asking!

Posted by: Pete Broadbent on Thursday, 26 April 2018 at 7:53am BST

One thing that is missing from this guidance (if I have understood it correctly) is the question of *who* is authorised to generate 'data' for a cleric's blue file - and what are the criteria for its inclusion in blue files?

For example, I arrive in Diocese A from Diocese B, and the file is passed on in the usual way. But, after some time in Diocese B, the Bishop of Diocese C (who knew me when I was a student some 25 years previously), writes to the Bishop of Diocese B, offering his opinion of my character and warning Bishop B that I might be prone to this-or-that. Does this letter go on file? And, if it does, is it an example of what happens when one of the emails admits 'I simply take out of the Blue File anything that is not the priest in question's data'?

Put simply, what so-called 'soft' information (for which the Church is notorious) is in a priest's blue file, that the Bishop and his staff have seen, but the priest in question never will? And, if I know it is there, but am not seeing it, what do I do? More to the point, what action can be taken against the person who originally generated this 'hidden' data?

Posted by: Paul Jamieson on Thursday, 26 April 2018 at 8:58am BST

There are three answers to Paul Jamieson's questions: (a) Yes; (b) that would be an ecumenical matter; and (c) I'm really so very sorry... but it's 'out of time'!

From what I'm picking up on the grapevine, those who have served in the Sherborne Episcopal Area in a previous era should be asking to see *everything* in their blue file - especially any 'notes' that might have been included. It would seem that not every bishop is as transparent as Pete Broadbent.

Posted by: Will Richards on Thursday, 26 April 2018 at 11:08am BST

Paul, headteachers do the same with teachers. Very often something bland is sent in writing 'for the file' but anything more than that is revealed over the telephone.

Posted by: Kate on Thursday, 26 April 2018 at 11:10am BST