Requirements
1.1 All church bodies must comply with relevant data protection legislation.
1.2 A privacy notice must be given to candidates at the start of the process.
1.3 Church bodies must maintain a record of pre-appointment checks for all individuals successfully appointed to roles that fall within the scope of this code.
1.4 Church bodies must also have in place a clear policy setting out the expectation of confidentiality amongst those involved in recruitment, which extends beyond the application process.
Data Protection
It is each church body’s responsibility to ensure that their entire safer recruitment and people management process is compliant with current data protection legislation. This applies from the point at which personal data belonging to a candidate is collected through to how it is disposed of, deleted or erased. Whilst this code signposts where data protection considerations should be incorporated into practice at appropriate points, it is not a data protection policy and church bodies must refer to local data protection policies and procedures, seeking guidance and advice from those responsible for data protection.
Privacy Notice
Any personal data processed during the recruitment and selection process will need to be covered by a privacy notice. This must be supplied to applicants at the start of the process so they know exactly what data will be processed and why (i.e. for what purpose(s)), the lawful basis/bases for processing such data, who it will be shared with, how long it will be retained and a person’s rights in relation to such data. If this information is to be retained once a person is appointed, this will need to be included in the same privacy notice, or an additional privacy notice may be required for appointed candidates when they commence in a role, to cover other HR processing activities. Each church body is responsible for ensuring that all required privacy notices are in place and are kept up to date.
It is important that church bodies ensure they have appropriate processes for managing this data that are compliant with specific ICO guidance on employee data. Church bodies must also put in place policies or processes for dealing with individual rights requests (e.g. Subject Access Requests) from both current and previous employees regarding the data collected during the recruitment and selection process.
Record Keeping
It is important that any church body can reassure itself, as well as others, that all appropriate checks and processes have been undertaken and are kept up to date for individuals who occupy roles involving contact with children and/or vulnerable adults.
Records should be set up at the start of an appointment. Some records may be stored at parish level, some at diocese level – either way, church bodies must ensure they have a clear process for what is stored where and associated responsibilities. Whilst there are many software solutions for record keeping, a spreadsheet can be just as effective. The records should be used to track the items listed in the code requirements.
Church bodies must have an appropriate policy in place to ensure information is retained in line with current retention schedules and is reviewed regularly to keep it up to date.
Toolkit: Model Record Keeping template
Information Sharing
The Church of England Data Sharing Framework (January 2022) provides an overarching framework that governs data sharing between independent church bodies.
The documents that make up that framework enable church bodies (known as ‘Partners’ in the framework) to share personal data and special category data with one another where appropriate and lawful. Church bodies must adhere to the principles of the framework and their responsibilities within it.