What is the lawful basis for processing personal data?


Personal data can only be processed where there is a valid lawful basis for doing so.

According to the GDPR, there are six lawful bases for processing personal data:

  • Consent
  • Contract
  • Legal obligation
  • Vital interests
  • Public task
  • Legitimate interests

No single basis is 'better' or more important than the others – the most appropriate basis depends on the purpose for which the data is being used.

Where the PCC has a legal obligation to comply with the Church of England's safeguarding requirements, this is the most appropriate lawful basis.
 

Why is there a legal obligation?

The Church of England is the established church of the nation, and any measures passed by General Synod require Parliament’s approval to come into force.  This means that Church of England measures have the same force and effect as Acts of Parliament.

The Safeguarding (Code of Practice) Measure 2021 provides the framework for the PCC's legal obligation to comply with safeguarding guidance that has been approved by General Synod.

With regard to church volunteers and employees, the PCC has a legal obligation:

The Introduction to the latter states that:

"Failure by a member of the clergy to have “due regard” to House of Bishops’ safeguarding guidance is an act or omission which may be considered to be misconduct under the Clergy Discipline Measure 2003 (‘CDM’).  Failure by a licensed reader or lay worker to have due regard to House of Bishops’ safeguarding guidance may be grounds for the revocation of that licensed reader’s or lay worker’s licence by the bishop, and failure by a churchwarden or parochial church council (PCC) may result in an investigation being carried out by the Charity Commission and the churchwarden or PCC members may be subject to disqualification as charity trustees." 
 

Does a PCC need the consent of its volunteers?

No.

'Consent' is one of the six lawful bases for processing personal data (see above).  However, given that the PCC has a legal obligation to comply with the Church of England's safeguarding requirements, 'consent' is not appropriate for this purpose.

'Consent' can only be sought when an individual has a genuine choice about how their personal data is to be processed.  With regard to the processing of safeguarding information, the individual has no choice, and therefore consent should not be sought.

A volunteer does have the right to know how their personal data will be processed.  This is done via the PCC's Data Privacy Notice.
 

Can we share personal data with others?

Yes.

However, personal data can only be shared with others where there is a valid lawful basis for doing so.  This will depend upon the purpose for which the data is being shared.
 
