IN THE past few months, there has been an increasing tide of emails and letters from charities and companies begging us to “stay in touch” after 25 May. Besides being the day we remember St Bede, that great collector of personal stories, it is the implementation date for the EU’s General Data Protection Regulation (GDPR) (News, Letters 9 March).
These messages are all part of an increasingly anxious response to a significant step in the development of privacy law. The Church of England has not been immune from anxiety: advice has been promulgated nationally and at diocesan level which ranges from the sensible and pragmatic, through the cautious, to the downright wrong.
It is high time for some reflection on all of this. Practically speaking, over-compliance risks needlessly restricting the Church’s interaction with the communities that it serves. More important, we need to think theologically.
We need to consider whether the “right to the protection of personal data”, on which GDPR is based, sets up an inherent conflict with the nature of a God whose essence is relational. If the Church is a mirror for revelation of God’s relationship with humanity, and Christ’s crucifixion is the ultimate example of openness to the world, how do we reconcile this with a right to retreat inwards behind privacy law?
At its best, this legislation allows us to construct a framework for treating others with respect. But, when it is used to build a “privacy wall” around each of us, to control what others see of us, and to reveal only what is chosen, it turns all the focus on to the individual, on to “me” and “my rights”. Here, privacy risks becoming an idol to be respected above all else.
Of course, there need to be reasonable controls on the use of data. It has been alleged that the activities of Cambridge Analytica, mediated via Facebook and other social media, may have distorted the results of the last United States presidential election, implicating those media in the manipulation of one of the most radical expressions of democratic will this century. That is a risk to our very society.
But, at a much more mundane level, we must not ignore the risk of elevating privacy to the level of an idol as we implement GDPR in the Church.
MUCH of the current anxiety comes from the nature of both our current Data Protection Act and the GDPR. We are used to rule-based lawmaking. For example, a red traffic light means stop, a green one means go, and there is a tiny bit of discretion about amber.
But privacy law is not like that: the “amber” area is very wide, and few things are definitively “red” or “green”. Instead, “data controllers” must uphold a series of rights and principles concerning personal information. Doing so is profoundly sensitive to context. As Richard Marbrow, until last year a senior member of staff at the Information Commissioner’s Office (ICO), said: “We are the department of ‘it depends’.”
The way to pragmatic compliance is to understand the law, to understand the specific context in which it is being applied, and to take, as the ICO says, “a risk-based approach to the likelihood and the severity of any adverse impact” on the people whose data is being processed. In contrast, the approach of some of the Church’s advice appears to be to minimise the privacy risk while permitting significant risk to the very mission of the organisation. Once again, privacy is elevated above all else.
Examples include burdensome processes for doing rotas and for contacting baptism and funeral families. It has been suggested that the cumbersome process of getting consent is necessary before communicating with people on the Electoral Roll; that holding data on the names of villagers so they can be invited to church events would be unlawful; and that the ICO might challenge a school that inserted church flyers into children’s school bags.
I have read one piece of diocesan advice that said that it was necessary to get consent for all data processing, and have come across another diocese telling the clergy that they need to opt in to receiving the monthly diocesan mailing. While we must comply with the law, all of these examples are over-cautious, and many are simply wrong.
SERIOUS theological work needs to be done on the tension between privacy law and a God of relationships. Meanwhile, in parishes, we need to question advice that hinders the mission of the Church, and ask “Is there a less burdensome way of achieving compliance?”
Those advising the Church need to immerse themselves in the detail of how data is used in parish life, and understand the real flexibility and the opportunity to respect people’s rights which exist in GDPR’s concept of “Privacy by Design”.
They then need to interrogate thoroughly both the quality and contextual understanding of the legal advice that they themselves are receiving. This can then be used to manage the tension between compliance risk and the real risk to the Church’s mission if we descend into an idolatrous pursuit of risk-minimisation and privacy rights above all else.
Adrian Beney is the lead partner for regulatory affairs at the fund-raising consultants More Partnership, and a Lay Canon of Tamale Cathedral, Ghana. He is married to a vicar.