Safer Places of Worship

Data Protection & Data Security

The storage of data, whether on paper or in digital form, often includes personally identifiable information. Your place of worship has a duty to keep any personal data it holds secure and ensure that it is used appropriately.

This page outlines the requirements for handling data and keeping it protected.



The Data Protection Act covers information held by any person, business or organisation about an individual.

Examples of data that places of worship hold could be details of parishioners who attend church regularly, details of church members who give charitable donations under the gift aid scheme and any employee’s details such as payroll details and their employment records.

As well as complying with the Act, some organisations are required to register with the Information Commissioner's Office (ICO), the body that regulates data protection in the UK. To establish whether your place of worship needs to register, you can take an online assessment by visiting the ICO's website.

The Act

The Act applies to any use of personal data, which is referred to as processing. Processing includes using the data, for example sending out a mailing, as well as obtaining, disposing of and holding data.

The Act sets out eight principles under which personal data may only be obtained, held or disclosed to others if:

  1. Its use is fair and lawful;
  2. It is to be used only for specified purposes. Individuals should be told, in broad terms, what you are going to do with the information (unless it is obvious) before you use it and given the opportunity to opt out of it being so used;
  3. The information is adequate, relevant and not excessive in relation to the purpose for which it is to be used;
  4. It is accurate and up-to-date - so periodically all information held should be checked to ensure it remains accurate;
  5. The information is kept for no longer than necessary for the purpose - records of pastoral care discussions, for example, should not be kept for several years unless this can be justified;
  6. Individuals' subject access rights are honoured;
  7. It is kept securely - addresses and phone numbers should not be left where they are open to abuse, and access to more sensitive information should be particularly restricted by either computer passwords or locks on filing cabinets etc., as appropriate;
  8. Information should not be transferred to any country outside Europe without adequate data protection being in place.

Note that the Information Commissioner's Office has the power to impose financial penalties for non-compliance, and therefore it is advisable to ensure that you have policies and training in place.

For more information on the principles of the Data Protection Act please follow the link to the Information Commissioner’s Office (ICO) website. http://www.ico.gov.uk/for_organisations/data_protection/the_guide.aspx

Data security is the practice of keeping data protected from corruption and unauthorised access. The focus behind data security is to ensure privacy while protecting personal or corporate data.

Data is the raw form of information stored on our computer databases, networks and files. Data can be anything of interest that can be read or otherwise interpreted in human form.

Why must you keep data secure?

The security of stored data can be threatened by acts such as:

  • hacking - malicious people might gain access to your systems and alter or delete data;
  • viruses - programs that are created to cause a nuisance or damage computer systems;
  • fraud - theft of sensitive data such as employee records or valuable intellectual property by hackers or even your own employees;
  • data loss - caused by any of the above or by loss of hardware - e.g. loss or theft of a laptop.

All of these threats have the potential to disrupt and cause damage to the running of your place of worship.

Computer and data security measures

  • undertake a risk assessment and review security. It is good practice to do this when there is a change in circumstances such as when new equipment is purchased or existing equipment is relocated;
  • it is advisable to ensure that computers and all sensitive data are protected by a password. Passwords should be as long as possible (usually eight characters minimum) and the password should contain numbers and letters. It is not advisable to use car registration numbers, dates of birth, pet names and other passwords that can easily be guessed. If you leave the computer on, using a password-protected screen saver can offer further protection;
  • installing and maintaining up to date anti-virus software and firewalls;
  • ensuring computer data is regularly backed up and copies maintained off site;
  • control the use of the internet, the downloading of software, and the use of data encryption and memory sticks by any person using the computers;
  • where possible avoid positioning computer equipment in view or by easily accessible windows;
  • ensuring users do not leave equipment unattended in public areas of the church or when working away from the premises;
  • ensuring users don't leave equipment in unattended vehicles, or walk through streets with items such as laptops in recognisable laptop bags;
  • maintain a list of all serial numbers and installed locations of computer equipment;
  • avoid advertising the arrival of new equipment by not leaving packaging in grounds;
  • producing a ‘Business Continuity Plan’ (BCP) to assist in getting computer systems quickly back to normal after any security breach or loss.