Here we answer some of your burning questions, as we consider GDPR in a post-covid world:
Are we allowed to video our church services and upload them onto YouTube / our website?
Recording church services and watching them from home became “the norm” during, and for some time after, the pandemic. A key difference between recording a service during lockdown, and recording a service today, is the number of people who will be captured by the recording. During lockdown, a minister, worship leaders and a handful of others would have given their consent to the recording being shared i.e. the very nature of what they were doing was to record a service which was livestreamed to the congregation at home, so they were fully aware of this and consented to it.
Today, the entire congregation might be captured by the recording, including children, as well as visitors. It is therefore important that you make those present aware of the recording before you commence so that they are able to make a decision to be captured by the recording or move away if they do not want to be recorded. This could be done via an announcement at the start of the service (before recording commences), or signs could be displayed around the church. You may need to let them know where they can sit so as to not be captured by the recording. Particularly in a larger church or one that attracts lots of visitors, it would be wise to announce this weekly in order to ensure that any newcomers are aware. This is particularly important for adults at risk or children where there may be safeguarding concerns around their image being shared publicly.
Making people aware of the recording allows them to reduce the risk of an identifiable image of them being captured. Where an individual cannot be identified from a recording (perhaps because you can only see the back of their head) then any image of them would not constitute personal data.
Where an individual can be identifiable, it is their personal data. In practice, written consent is needed, but that may not be practical. Issues arise where personal data is used without a person’s knowledge or in ways they would not expect. Provided people are properly informed and are able to take steps to prevent their personal data being processed (for example by an identifiable image being captured), then it is unlikely that an issue will arise in practice, even if the necessary written consent has not been obtained.
The same principles apply to livestreaming by the church (even if not recorded), for example in order to allow people to remotely attend a memorial or wedding service.
What about individuals who may take photographs or videos during a service e.g. a baptism?
UK GDPR does not apply to domestic processing. That means that if an individual records a part of a service for their own personal use and it will remain on their personal device and not be shared, it will not be captured by GDPR. For safeguarding reasons, more than GDPR in this case, the church should ask individuals not to upload videos or images identifying others on their own personal social media accounts.
If the church wanted to use any of those photos or videos on its own website or social media platform, this would fall within the scope of GDPR because the church would then be processing that personal data. Whilst there may be exceptions (and advice should be sought on a case by case basis), as a general rule with photographs, written consent should be sought from anybody within the photograph who is clearly identifiable.
Can we take photos at events and put them on our social media platforms / websites?
If individuals are clearly identifiable within an image, then you should seek their written consent to process the image (whether simply storing it on your systems or uploading it onto a website). For photos showing a crowd where faces are not clearly identifiable, you may not need consent (but you would need to be confident that nobody was identifiable).
Even if you have made an announcement at the start of the day to explain that photographs are being taken, if you take images of identifiable individuals, you should get their individual consent to use those images. This could be done by providing a consent form in the moment, or afterwards. Depending on the nature of the event, consent may be even more important. For example, if a photograph is taken of an individual praying at a national day of prayer, this reveals their religious belief, which is a type of special category data. Usually, to process special category data, the church will require explicit consent from the individual. In any event, because an image will reveal aspects of a person’s ethnicity (which is also special category data), consent is needed.
Rather than obtain written consent every time you want to use a photograph of a person, you could seek consent (or confirmation of ongoing consent) from members of the church on a regular basis (perhaps every 2-3 years). This will give you confidence you can then use their images (assuming they don’t withdraw that consent).
For consent to be effective, individuals have to understand what they are consenting to. Someone may be aware that you are taking photos at an event, but they may not appreciate that you intend to put those photographs in the wider public domain (for example by putting on social media). You may want to consider including both options on your consent form i.e. consent for photographs to be used on internal platforms, such as private, closed church groups, or Sunday services and / or consent to use photographs on external platforms, such as public social media groups, the church website or promotional materials.
Are church WhatsApp groups our responsibility or the responsibility of others?
This depends on who has created the group and for what purpose.
Where a small, private prayer group has formed, this may be less likely to fall under the responsibility of the church because it should only discuss personal issues and would be considered “domestic processing”, which falls outside of the scope of GDPR.
If a group has been created for “church business” to discuss leadership or pastoral issues (particularly if it is being used by trustees or employees of the church), it is likely to fall under the responsibility of the church and the church may be the data controller of that data.
The same may apply to larger WhatsApp groups for ministries within the church e.g. homegroups, youth, toddler groups etc. The responsibility for these is likely to rest with the church, as it is likely that somebody within the church / under the church’s authority has created this for church use.
It is important that anyone joining a WhatsApp group is made aware of the purpose of the group and how their data will be used. Will the data be shared? Who with? On what grounds? That way, if a participant chooses to share something, they are fully informed as to who will receive that information. As well intentioned as it may seem, if someone shares something confidentially and has not asked for it to be shared more widely, that information must not be forwarded to others within the church because you do not have consent to do so.
It is worth remembering that if the church is the data controller of a WhatsApp group, then personal data requested by an individual under a subject access request may need to be disclosed. There can be wisdom in limiting the nature of information shared via WhatsApp, where it is particularly sensitive or you would not want it to be disclosed.
What about prayer chain messages?
It depends on how this is done. If an individual is texting or sending a message via WhatsApp to a group, then it’s their decision to share their data within that group. Also, if they have emailed you to ask you to share a prayer request (relating to them or a child they have parental responsibility for) with the church, they are thereby giving consent for that information to be shared. It is important that the limits of how the data is shared are acknowledged and adhered to – i.e. they know you will only email the church members about this, rather than a wider circle (or as otherwise agreed) and you stick to that.
