Diocese of Northampton – Registered Charity No. 234091
Version 2.0 23rd December 2020
DATA PROTECTION & SAFEGUARDING OFFICES
All references to “parent” includes a guardian, carer or person with parental authority.
As this is such a long document, click the main section headings to navigate to that section.
|1. SAFER USE OF TECHNOLOGY|
|1.1 New technologies, new opportunities|
|1.2 New technologies, new risks|
|1.3 The use of Church computer equipment to store information|
|1.4 Creating and managing church-related websites and social media pages|
|1.5 Accessibility of websites and social media pages|
|1.6 Access to the internet|
|1.7 Social media and social networking|
|1.8 Good practice in relation to Church-organised social networking|
|1.9 The use of social networking for communication with children and young people|
|1.10 Personal social networking accounts|
|1.11 Church websites and social media – monitoring and reporting|
|1.12 Administrators and Moderators|
|1.13 The use of email and/or texting (SMS)|
|1.13c Safer practice|
|1.13d “Sexting “|
|1.13e Response to Sexting|
|1.14 Newsletter Mailing Systems|
|1.15 Useful links and resources for internet safety|
|2. PHOTOGRAPHY AND FILMING POLICY|
|2.1 Impact of the General Data Protection Regulation|
|2.2 Data subjects’ rights|
|2.3 Privacy Notices and Consent|
|2.4 Informed consent|
|2.5 Consent for images of children and young people|
|2.6 Specific categories of at-risk individuals|
|2.7 Photography and filming by others at church activities|
|2.8 Professional and commissioned photographers|
|2.9 Inappropriate photography and filming|
|2.10 Storing & moving images safely|
|2.11 Timescales for use|
|2.12 Closed Circuit TV (CCTV)|
|2.14 Live streaming of Church services|
|3. USING VIDEO CONFERENCING PLATFORMS IN MINISTRY|
|3.1 Introductory remarks|
|3.2 General considerations when using online platforms for ministry|
|3.3 Setting up a meeting|
|3.4 Conducting the meeting|
|3.5 Choice of platform|
|4. CONTACT DETAILS|
1. Safer use of technology
1.1 New technologies, new opportunities
New technologies offer tremendous opportunities to reach, communicate, evangelize and engage with those involved in the Catholic Church and those in our communities who may have an interest in the Church. The internet, mobile phones, social networking, video-conferencing and other interactive services have transformed the way in which we live.
1.2 New technologies, new risks
Along with the many benefits of modern communication technologies, there are risks. The anonymity and sense of distance inherent in online communication can make it easier for people to say things they would perhaps not say in the presence of somebody, and to feel less remorseful about online harm caused. Incautious use of online meeting platforms can make them vulnerable to abuse or eavesdropping.
The online world makes it easier to engage in criminal offences and abuse. It enables easy creation of, access to, use and dissemination of pornographic and abusive images and videos, easy access to children and adults who are vulnerable for the purposes of grooming, ease of presenting as someone else and greater potential for online bullying, abuse and fraud.
1.3 The use of Church computer equipment to store information
The Diocesan policy and procedure (see https://northamptondiocese.org/download/acceptable-use-and-password-policy-v1-4/ ) on the use of its own computer equipment and the storage of information on personal computer equipment must be followed. Electronic records, like paper records, should be kept only in accordance with the record retention schedule. See https://northamptondiocese.org/download/parish-retention-policy-and-schedule/
1.4 Creating and managing church-related websites and social media pages
Websites or social media profile pages are useful means to engage large groups of young people. The development of websites and/or social-media presence for parishes, parish groups, initiatives and ”projects” should be in accordance with the following guidance:
- parish websites and social media profiles should be approved by the parish priest and should be disclosed to the Diocese;
- where there is user-generated content, the site should be moderated/ administered by a minimum of two adults;
- personal sites should not be used for diocesan or parish programmes; separate sites should be created for these;
- passwords and names of sites should be registered in an encrypted document in a central location in the parish and/or Diocese as appropriate. More than one adult should have access to this information.
- Content and views expressed on official websites and social media should always reflect Catholic values and should be universally appropriate to any possible user.
1.5 Accessibility of websites and social media pages
Websites need to be accessible to all and adjustments could include functions that change contrast, change text size or offer an audible alternative when viewing web pages. Churches should be leaders in good practice in this area.
Examples of such adjustments can be found at the DisabledGo/AccessAble website.
1.6 Access to the internet
Diocesan IT policy and procedure must always be followed. Where parishioners (esp. young people) [have access to the internet using Church computers, other electronic devices and WIFI as part of Church activities, the event leader has a duty to ensure that:
- use of the equipment and WIFI is supervised and/or monitored;
- measures are in place to ensure that the likelihood of accessing inappropriate materials is reduced e.g. firewalls, parental controls and software to filter out harmful or inappropriate material.
1.7 Social media and social networking
The internet has evolved to become an increasingly dynamic and interactive medium led by social networking services. The convergence of technical and communication platforms means that users can now interact with each other across multiple platforms and devices, such as mobile phones, games consoles, watches and PCs (laptops, notebooks, tablets etc.).
Social media includes any site or forum that enables sharing of any user-generated content. These services are very popular with children and young people and bring together pre-existing interactive technologies and tools (e.g. email, messaging, chat, blogs, photographs, music, videos, gaming, discussion forums) in a single service through, for example, Facebook, Twitter, Instagram, WhatsApp, Snapchat, Tik-tok, and live messaging services such as Facetime, Duo and Skype. It is the way in which these different technologies are used that makes them ‘social’.
1.8 Good practice in relation to Church-organised social networking:
- government guidelines recommend children under 13 years should not be using social media;
- all users should be made aware that their personal details e.g. name, address, school, passwords, e-mail address and telephone numbers are private and should not be disclosed unless approval is given by the event leader;
- all users should be made aware that they should never send images of themselves or others and should be wary of people misrepresenting themselves in chat rooms;
- all users should be aware that they should advise a leader about anything on line that makes them feel uncomfortable or concerns them;
- children and young people should be advised to always tell an adult they trust about communications that make them feel uncomfortable or where they have been asked to keep communication secret;
- children and young people should be made aware that they should advise a leader and their parent or carer of a request to meet up with someone they have met on line, not to make plans to do so without alerting an adult and never to go alone to such planned meetings;
- children and young people should be advised of a code of conduct for using chat rooms.
if a group, parish or other body decides that the most effective way of communicating with children or young people aged 13 or over is via a social networking site,
‘CHAT’ is a simple code that can be used for remembering some rules around the use of the internet and social media.
|C||= Careful – People online might not always be who they say they are.|
|H||= Hang – Hang on to your personal information. Never give out your home address or other personal information.|
|A||= Arranging – Arranging to meet can be dangerous. Never arrange to meet someone unless you are sure who they are and have met them previously|
|T||= Tell – Tell your friends or an adult if you find something that makes you feel uncomfortable.|
1.9 The use of social networking for communication with children and young people
The Diocesan requires that the following good-practice guidance on the use of social networking for communication with children and young people must be followed.
- if a group, parish or other body decides that the most effective way of communicating with children or young people aged 13 or over is via a social networking site, a custom account must be set up in the name of that group, parish or body;
- how the media is used should be made explicit to children and young people, and permission for communicating directly with children and young people via social media must be sought from parents using the Diocesan form.
- social media sanctioned by church organisations or personnel should be moderated by at least one adult trained in safeguarding procedures, and a minimum of two adults in total;
- parents should approve and have access to all sanctioned social networking that is directed at children and young people;
- children or young people should not be communicated with via social media for any other reason than the specific ministry for which parental consent was obtained;
- all communication, including online, between an adult and a child or young person should take place via the most public means of communication appropriate without jeopardising the prevailing data protection legislation;
- for matters that are sensitive or private, online communication should be avoided due to the possibility of misunderstanding and, if used, parents should be included.
1.10 Personal social networking accounts
The Diocesan policy and procedure on the use of personal social networking accounts must be followed. See Appendix 3 to the IT policy previously linked-to, which incorporates part of section 19.4 of the employee Handbook.
Many clergy, religious, lay persons, employed staff and volunteers have a personal online social networking presence via social media platforms, personal blogs and websites. As a member of the Church, personal social networking (e.g. Twitter or Facebook) should always reflect Catholic values and should contain content that is universally appropriate to any possible user. Whether public or private, all individuals should understand that they are witnessing to the faith through all their social networking, and personal views should be cited as such to avoid misunderstandings.
Although there may be reasonable overlap between the personal and spiritual realms in communications between adults (with full capacity) within the Church, this is never the case with children, young people or adults-at-risk.
It is never appropriate to use personal social media accounts, phone numbers or email addresses to contact children and young people (even over 13) without parental consent, or with adults who lack capacity to give their consent.
It is not appropriate to send or accept ‘friend requests’ from children, young people or adults who lack capacity to consent, from personal social media accounts.
The strictest of privacy settings should be activated on all personal social media accounts and individuals must take personal responsibility to ensure that their content is appropriate to those that can see it e.g. language, jokes, opinions.
1.11 Church websites and social media – monitoring and reporting
The Diocese commends the following good-practice guidance:
- suitably trained adults should be appointed to monitor the content of websites and act to remove offending material;
- any discovery of inappropriate use (of a safeguarding nature) of social networking sites, computers, email or texting should be reported to the Parish Safeguarding Representative or Safeguarding Coordinator who will report to the relevant person within the Diocese
- Unofficial sites that carry the Diocesan or parish name, crest or logo should be reported to the Diocesan Director of Communications, email@example.com , or Parish Priest. Any misinformation found on a site, such as Wikipedia, should also be reported to the Communications Director.
- any forum that includes user-generated content should be moderated on a regular basis to prevent libellous, rude or inappropriate remarks so that the information can be removed;
- Add the CEOP help button to your site. The CEOP help button gives access to help on viruses, hacking, online bullying and enables reporting of people acting inappropriately online: see www.ceop.police.uk . (CEOP is the Child Exploitation and Online Protection command. )
1.12 Administrators and Moderators
The Diocese commends the following good practice guidance :
Adults moderating sites and adding user-generated content should take care:
- to appreciate that personal communication by church personnel reflects the Church;
- to write in the first person;
- not to claim to represent the official position of the organisation or the teachings of the Church, unless authorised to do so;
- to identify themselves with real, full names
- not to divulge confidential information about others;
- to avoid posting personal, political or negative content online;
- to ensure that text and photographs posted are in the public domain and not subject to copyright infringement;
- to not cite others, post photographs or videos of them or link to their material without their expresspermission;
- to practise Catholic teaching and morals always;
- always to report any form of bullying, trolling or libel to the Diocese, or parish
- always to report any concerns about any inappropriate behaviour online;
- always to report any suspected online grooming.
1.13 The use of email and texting (SMS)
The Diocese commends the following good practice guidance:
Emailing and texts (SMS) are a widely accepted and attractive means for communication that people of all ages rely upon. Benefits of communication by email and/or text include quick and easy communication without delays and reduced postage costs. All reference to texts includes messages sent using the Whats App platform or similar.
Email and/or text can be helpfully used in relation to Church activities to:
- send quick messages to individuals such as reminders about or changes of arrangements for activities;
- broadcast the same message to a wide-ranging audience such as promotion of an event.
1.13 a Consent
Written consent must be gained from adults-at-risk, or the parents of a child or young person under 16 years of age. For 13-15 year olds, the young person’s consent should also be sought, prior to the commencement of email and/or text messaging taking place.
When written consent is being sought the potential benefits and risks should be explained before the recipient decides on whether or not to receive email and/or text communication and a copy of the written consent should be retained.
Consent to be contacted by email and/or text can be withdrawn at any time and must be implemented without delay.
The following risks must always be considered:
- emails or texts not reaching the intended recipient;
- content sent in haste that cannot be retracted;
- storage of content as ‘records’;
- information not being sent securely via the internet.
1.13c Safer practice
Using Emails and/or texts to communicate with children, young people and adults-at-risk should only be done using an organisational account and organisational equipment. Personal telephones or accounts must not be used for communicating with children and young people or adults-at-risk .
A generic email address or telephone number associated with the role in question (voluntary or not) helps maintain appropriate boundaries.
Where more than one leader or helper needs to communicate with group members, it might be appropriate to set up a generic shared email account and have a shared mobile telephone. The benefits of this are that:
- communications can be easily reviewed by other leaders or helpers in the event of enquiries;
- the need for action on any matter can be easily shared and delegated;
- communications can be picked up in the event of sickness or other absence;
- all correspondence and data is stored securely in one place.
Email and/or texts should not be used to transmit person-identifiable information, confidential or other sensitive information.
Those to be included on group email addresses must give their consent (for age-of consent issues, e 1.13a above) to be included in group communications.
The BCc (blind-copy) field should be used for group emails to avoid recipients receiving the contact details of other recipients.
When sending messages, emails or texts to young people, parents, other group leaders and/or helper should be copied into all communication. All communications should be strictly related to a specific Church activity and not be personal conversations, or contain pictures, jokes or anything of a personal nature.
Emails or texts from young people, other than those directly related to your role within the Church or the activity you are concerned with, [modified here] should not be responded to.
The Safeguarding Representative or Safeguarding Coordinator should be advised if somebody receives any inappropriate texts, images or emails.
Copies of all texts, WhatsApp chats, personal messages and emails should be kept on file, or at least backed-up.
1.13d “Sexting “
It is an offence where a person above the age of 18 intentionally makes a sexual communication with an individual they do not reasonably believe to be over 16, for the purposes of sexual gratification, or, alternatively, where the communication is intended to elicit a sexual communication from the recipient.
There are many reasons why a young person might share a nude or semi-nude picture of themselves. They may want to ‘belong’ to a social group, interact with others and explore sexual feelings and get attention on social media. They may also find it difficult to refuse if someone asks them to send them one.
Once images are passed on electronically, control is lost over what happens to them, where they are posted and who sees them. Other people may use sexually explicit images of a minor to bully them, to blackmail them and to cause harm to them.
1.13e Response to sexting
If you become aware that children or young people under your care or influence may be engaged in sexting, seek to ensure that the behaviour ceases immediately, inform the young people involved and their parents of the legal status of the activity and refer to the Safeguarding Coordinator to assess whether it ought to be reported to the police and children’s social care.
If an adult is involved in sexting with a young person, the matter must be immediately reported to the police. If someone sends an unsolicited and unwanted sext, whatever their age, report it to the Safeguarding Coordinator in the first instance so that consideration can be given as to whether the matter should be reported to the police.
1.14 Newsletter Mailing Systems
A potential way of managing bulk communications and protecting personal data is to use a newsletter mailing facility such as Mailchimp. The issuing of newsletters should be in accordance with the principles in this policy, and the fact that someone has consented to be e-mailed for parish admin purposes does not mean that you can include them in a bulk newsletter mail-out. Specific consent should be obtained to cover the communication made and an option to ‘opt-out’ of receiving further emails should be included on each communication.
1.15 Useful links and resources for internet safety
The UK Council for Child Internet Safety (UKCCIS) is a voluntary organisation chaired by Ministers from the Home Office. UKCCIS brings together over 180 organisations and individuals from government, industry, law enforcement, academia, charities and parenting groups. Some of the organisations UKCCIS works with include: Cisco, Apple, Sony, Research in Motion, the four largest internet service providers, Facebook and Microsoft.
The Child Exploitation and Online Protection Centre (CEOP) has numerous resources for parents and carers and children using the internet; there are several video tutorials on the THINKUKNOW site which is part of CEOP.
Stop It Now! reaches out to adults concerned about their own behaviour towards children, or that of someone they know, as well as professionals, survivors and protective adults. Stop It Now! runs a Freephone confidential helpline.
‘Parents Protect‘ is a site to help parents, carers and other protective adults with information and advice to help them prevent child sexual abuse.
Catholic Youth Work has detailed guidelines on the use of social networking sites.
Internet Matters gives advice on parental controls and is a great way of preventing children accessing unsuitable content online.
Childnet International is a multi-lingual resource site which has a guide on protecting your privacy on ‘Facebook’.
The NSPCC has useful resources for keeping children safe online including sections on Cyberbullying, Sexting, Reporting and Monitoring.
2. Photography and filming
This section constitutes the Diocesan policy on the use of photography and filming and must be followed, taking into account Data Protection requirements.
2.1 Impact of the General Data Protection Regulation EU 2016(679) (“GDPR”)
Whenever a person’s image is captured, be it by camera, video, web camera, mobile phone, or CCTV, and that person can be identified, the image is likely to be considered personal data. (This includes “screenshots”. ) This means that the image must be processed in line with the Data Protection principles. “Processing” means anything that is done to the image, e.g. recording it, using it, editing it or sharing it –or even deleting it !
For the Church to use images of people that enable those people to be identified, we need a lawful basis to do so , under Article 6 of the GDPR: this is likely to be one of the following (there are others) :-
- The person (or parent) has provided their consent to the processing of the image/personal data for one or more specific purpose; OR
- the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the “controller”* (e.g. preventing or detecting a crime or catching an offender (this is relevant when using CCTV cameras)). OR
- the photographs are necessary for the purposes of the legitimate interests pursued by the controller (e.g. educational purposes) or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the person which require protection of personal data, in particular where the data subject is a child or vulnerable adult.
(* the term “controller “ will usually mean the Diocese, and its parishes as part of it)
2.2 Data subjects’ rights
Individuals have several rights under the GDPR in relation to how their information is processed. These include the right to:
- Request a copy of the personal data (including images) held about them; this is known as a Subject Access Request (Article 15 of the GDPR);
- Prevent their personal data being used in a way which causes them unwarranted damage or distress (Article 21 of the GDPR);
- Prevent their personal data being used for direct marketing purposes (Article 21 of the GDPR);
- Receive compensation if they have suffered material or non-material damage as a result of their personal data not being processed in accordance with the DPA (Article 82 of the GDPR);
- Have inaccurate or misleading information held about them corrected or destroyed (Article 16 and 17 of the GDPR).
The Diocese has appointed a Data Protection Manager (contact details at end) who will be able to deal with these situations as they arise.
More general information can be obtained from the Information Commissioner’s Office website
2.3 Privacy Notices and Consent
The GDPR states that personal data must be processed fairly, lawfully and in a transparent manner. To comply with this, if the Church wants to take an image (e.g. photograph) of someone or to record their activity, they need, as far as is practicable, to tell the person:
- That photography and/or filming will take place;
- Why images will be taken;
- What will be done with them;
- Who may see them;
- Any non-obvious consequences; for example, if the photograph and/or film is going to be used on a website, in a newsletter, or on a televised programme.
This notification is known as a privacy notice. Privacy notices must be concise, transparent, intelligible and easily accessible in terms of language used. Privacy notices must be issued at the time the images are collected and always before they are used.
The Diocese can provide specific consent forms incorporating GDPR privacy notices for use when the taking of photographs and films in the future is predictable, such as for a First Communion or Confirmation Mass. It is recognised, however, that there is not always an opportunity to give, or ask people to sign, formal notices on all occasions where photographs are being taken.
If photography or filming is going to take place, people should, at the least, be told beforehand ( by e.g. an audible public announcement, or prominent signage at points of entry) and given the opportunity to object or simply move out of the picture. If they choose not to do so, this may be taken as “implied consent”, though it is not a 100% defence. This is particularly important if the images are to be used on a website, social media or publication.
It will not be considered legally “fair or lawful” if images are collected for one reason (like an ID card) and then later are used for something completely unconnected (like a website thumbnail), without going back and gaining consent for the additional use – or being able to rely on another processing ground in the GDPR for that additional use.
Issuing a privacy notice is not the same as asking for consent.
2.4 Informed consent
The person giving consent must understand why their image is being used, who may see it and any implications that may result from using or disclosing the image. If opportunity allows, it is good practice to explain to people what are the implications and risks to them, in the proposed use of the image . They may not understand, for example, that images published on the Internet can be seen all over the world and may be mis-used by unscrupulous persons. Consent must be clearly given. Consent can be expressed either verbally or in writing but written consent is preferable (and should be retained in accordance with the data retention policy if practicable), because it reduces the scope for subsequent dispute, and provides the Controller with evidence that consent was given.
Individuals have the right to withdraw or limit consent at any time.
2.5 Consent for images of children and young people
Consent for using images of children and young people under the age of 13 must be sought from parents (this includes those with legal responsibility for the child). Young people over 13 years of age are usually considered to be competent to give Data Protection consent, and so consent must be sought from them directly ; but it will be prudent, and is recommended by our insurers, also to obtain parental consent for anyone aged 13-15. This must be done if there is any doubt about the maturity and understanding of the young person.
A template consent clause for incorporation in other forms is located on the Diocesan Website.
If an image is published without the consent of the individual or parent when consent should have been obtained, a complaint can be made to the Information Commissioner’s Office. In some cases, as with any improper use of personal data, this could result in a fine, enforcement action and damages being awarded to the complainant. Even if it has not been possible, in the circumstances, to obtain consent and process the images with 100% compliance, the Diocese and parish have to be able to show that they have taken all reasonable measures to ensure compliance with the GDPR
2.6 Specific categories of at-risk individuals
Those responsible for controlling photography and filming at parish level need to be aware that there may be some individuals in their community who have powerful reasons not to be photographed or identified . These can include celebrities and politicians ; convicted offenders being rehabilitated; victims of domestic abuse or stalking, separated parents where the other parent is trying to find out the whereabouts of them or their children, people from other religions who may be persecuted by their family for converting to Catholicism, or migrant refugees who may be in danger from their homeland regime. We do not need to ban all photography to protect individuals in such rare cases, and hopefully they will have made themselves known to their parish priest, but being aware of such scenarios reinforces the need to respect the privacy of all individuals.
The vocabulary of “at-risk-individuals “, coined for this document, is to be distinguished from the statutory term “adults-at-risk.”, (s.42 Care Act 2014) which has replaced the former terminology of “vulnerable adults”
2.7 Photography and filming by others at activities
The Data Protection Act 2018 (DPA) and the GDPR do not prevent parents or other family members from photographing their children at activities. Event hosts are entitled to decide whether or not they allow photography to take place on their premises, However, it should not be generally banned “for fear of breaching the GDPR”. When taking photographs for purely personal or domestic purposes, parents do not need to obtain the permission of the other parents whose child appears in the picture.
However, a possibly harmful scenario can arise when parishioners attending events take pictures of other people’s children with their own phones or cameras and then upload them to their own social media pages, outside the control of the parish. The Diocese recommends “awareness raising” by pulpit announcements to make it clear that putting photos of other people’s children, or of at-risk individuals as exemplified above, onto the Internet, is not permitted without specific consent, and that “casual photographers” must approach those whose images they have captured recognisably – whether in the background or as members of a group – and show them the photo, explain what they intend to do with it and ask if they have any objections. If the photographer is only going to keep the picture for their own domestic purposes, and not upload or publish it, there is no need to take these steps
2.8 Professional and commissioned photographers
This section applies to anyone who is contracted , requested or commissioned to take photographs at a parish event on behalf of the parish If there is an agreement or understanding that the photographs will be made available for viewing and purchase by parishioners and others , the parish must recognise that the photographer is entitled to be rewarded for their time and skills, which includes retaining ownership (for a while) of the photographs offered for sale. At the same time the photographer must acknowledge that they are dealing with potentially sensitive images and personal data of people (including children) for whose protection the parish and Diocese are responsible.
- It will be expected of the photographer, and should form part of any agreement with them , that any catalogue, gallery or viewing platform whereby potential purchasers can see the photographs before purchase, will be secured by a password only made available to parishioners and parents, so that the photographs are not available for general public view – especially online The photographer should be able to satisfy the parish that their procedures for distribution and storage of photographs are secure and compliant with the Data Protection regulations applicable to their business or to them as individuals .
- When a sufficient time has elapsed for any likely orders to have been received ( this period, should be defined by agreement with the photographer at the outset ) the photographer should transfer to the parish all original digital images, whereupon ownership of those images passes to the parish, and the photographer should confirm that no parish images remain on any device of theirs . This is to prevent large numbers of potentially sensitive images remaining on a third party’s computer when there is no need or purpose for them to do so. It will be for the parish to assess whether there is any justifiable reason for the images to be retained on its own devices
- Any arrangement with a professional or volunteer photographer to take pictures at parish events should be governed by a clear written Agreement signed off on behalf of the parish and by the photographer
2.9 Inappropriate photography and filming
When taking photographs or filming children and young people, the photographer must make sure that the children and young people are appropriately dressed. Photography of children in beachwear, PE or swimming / ballet costumes should be avoided except in appropriate circumstances, for example a swimming performance review. Attention should also be paid to using appropriate camera angles and the use of zoom and cropping for all types of photography or filming.
If someone is suspected of taking inappropriate or unauthorised images, they should be asked to stop and leave the site. The incident should be recorded and, if appropriate, reported to the Police.
It is illegal to take, store or disseminate sexually explicit images and videos of a child under the age of 18 (Sexual Offences Act, 2003).
A young person or an adult is breaking the law if they:
- Take an explicit image or video of themselves or a friend;
- Share an explicit image or video of a child (anyone under 18), even if it is shared between children of the same age;
- Possess, download or store an explicit image or video of a child (anyone under 18), even if the child gave their permission for it to be created
2.10 Storing & moving images safely
Images, especially of children and young people, should not be stored long-term on un-encrypted portable equipment such as cameras, laptops, tablets, memory sticks and mobile phones. This means that photographs and films should be transferred onto a secure electronic location, and deleted from portable devices at the earliest opportunity available.
Storing personal information on these devices is not considered secure –simply because they are at greater risk of loss or theft. The Information Commissioner does not look favourably on organisations which permit personal data to be stored unnecessarily on portable or unencrypted equipment. If collections of personal images have to be passed around, memory sticks and unsecured e-mail should never be used for this purpose.
2.11 Timescales for retention
There is no official guidance on retention periods for images, so it is up to each individual parish to decide how long they need to keep images and how they are going to securely destroy them when they are no longer needed. If a parish decides the images are required for historical purposes, for example in the archives, these can be retained for as long as is considered reasonable and necessary.
Subjects should be informed about the length of time that a given image or film will be kept and used. A typical period is between 3-5 years. It will be Good Practice to label folders or collections of images with a delete-by date.
If the parish wishes to prolong the period of use of the image or film, they will need to request the permission of the subject or parent as appropriate to do so.
If the parish wishes to use the image (or film) for a different purpose and in a different manner than originally stated, they will need to request the permission of the subject or parent as appropriate to do so
Files should be checked regularly for the purpose of destroying images that have expired, and ensuring that they are removed from circulation.
2.12 Closed Circuit TV (CCTV)
The DPA and GDPR apply to the use of CCTV where the images identify individuals (or car number–plates, which theoretically allow drivers to be identified). The Information Commissioner’s Office has produced a Code of Practice https://ico.org.uk/media/for-organisations/documents/1542/cctv-code-of-practice.pdf for organisations and businesses that use CCTV. The Surveillance Camera Commissioner has also produced a Code of Practice https://www.gov.uk/government/publications/surveillance-camera-code-of-practice (However, both codes require to be updated in light of the GDPR).
All parishes and Dioceses should endeavour to comply with these codes to make sure they do not breach the DPA when setting up cameras or when using or disclosing the images recorded. The Codes of Practice covers areas such as, positioning cameras, storing and viewing the images, disclosure, retention and responsibilities. It also includes information about an individual’s right to see the images, under the DPA, GDPR and the Freedom of Information Act 2000.
2.13 Live streaming of church services
The live streaming of Mass and other services allows the Church to reach a congregation that is not able to attend church in person. In addition to being able to reach a wider audience,, live streaming can give people support and companionship and help them feel more connected to their church community. To address potential safeguarding and data-privacy issues, the following steps should be taken:
- Congregations should be told in advance (notice board, announcements, pew sheets, website) which services are streamed and which parts of the church building are visible on the streaming;
- Children and adults-at-risk should only be filmed with their consent and/or the consent of parents for children (young people of 13 and over should also give their own consent); “Adults-at-risk” here may include “at-risk individuals” as defined in s.2.6 above).
- Parents of young people likely to be filmed (e.g. altar-severs, readers) should be informed in writing of the intention to stream, including what will be filmed, why the filming is taking place and how it will be used. This should include any intention to retain a copy of the filming for future editing or use, or to leave it visible as a recording on e.g. YouTube or Facebook; if a recording is left, the time period should be decided- on and deletion executed when it expires.
- Parents should be given the option of withholding consent to their child participating in parts of a service where they will be filmed;
- Where consent is withheld, every effort should be made for the child or adult-at-risk to participate while out of the view of the cameras. This may include being encouraged to participate in an alternative, unfilmed service, if appropriate.
Where a recording is made and kept, the time period for retention should be decided and deletion implemented after its expiry
Where copyrighted music is going to be sung, or played from recordings, as part of a streamed service, a parish will probably need an additional licence from CCLI or ”One License”. (sic). Please consult the Data Protection Manager for advice, There is some good guidance from the Church of England at https://www.cofe-worcester.org.uk/parish-support/legal-matters/christian-copyright-licensing.php
3. Guidance on using video-conferencing platforms for ministry
3.1 Introductory remarks
Online meeting platforms like Zoom, Skype, Teams etc, and other new technologies, offer tremendous opportunities to reach, communicate, evangelize and engage with those involved in the Catholic Church, and have helped us cope with the restrictions on traditional physical meetings during the pandemic. The use of technology and social media platforms has the potential to transform the way in which we can communicate and continue with some forms of ministry at this difficult time. Keeping everyone safe whilst using these platforms is essential, and as it is a new experience for many, it is important to understand how to implement some simple steps that can contribute towards keeping people safe online.
All platforms that bring people together have the potential to present a risk to users, especially children, and adults-at-risk. As users of these platforms, we have a responsibility to ensure that our communications are as secure and private as they can be. This general guidance is designed to help the Diocese safeguard the welfare of any person involved in activities organised in the name of the Catholic Church whilst using
online platforms and social media. With regard to videoconferencing specifically, the Diocese commends the national good-practice guidance following:-
3.2 General considerations when using online platforms for ministry
These notes contemplate the repeated and regular use of an online platform for some aspect of Church ministry, whether it is for Finance Committee meetings or a catechetical or youth group
It is recommended that research is undertaken in relation to safety and security concerns for the platform you choose, to enable you to consider any issues and possible alternatives; do not rush into it !
Be aware that different platforms have different restrictions in relation to age, so ensure you take account of age restrictions within the terms and conditions of use of your chosen platform; there is a good summary of the age-related policies of the main meeting platforms at https://www.saferinternet.org.uk/blog/video-conferencing-children-safeguarding-and-privacy-overview
Once the platform is selected, it is advisable to set up a custom account in the name of the group, parish or body, accessible to more than one person who can act as ‘administrator’, using a strong password. Avoid individual volunteers hosting meetings on their own private accounts.
Ensure that the administrator/host is aware of the settings that will maximise security and that they are confident and competent in using them.
Communication should always be via an organisational account and organisational equipment. A generic email address or telephone number associated with the group, accessible to more than one person who can act as administrator, helps maintain appropriate boundaries. The benefits of this are that:
- communications can be easily reviewed by other leaders or helpers in the event of enquiries;
- the need for action on any matter can be easily shared and delegated;
- communications can be picked up in the event of sickness or other absence;
- all correspondence and data is stored securely in one place.
It is not appropriate to use personal social media accounts, phone numbers or email addresses to contact participants, without the consent of those legally able to give it.
Permission for involving children and young people aged under 13 years in online meetings must be sought from parents [ see paras.1.13a and 2.5 for more on age of consent” ].
For adults who lack capacity to consent, consent must be given by a person who has the legal authority e.g. enduring power of attorney for health and welfare, to make the decision on the person’s behalf;
Communication via online platforms should not be for any other reason other than the specific ministry for which consent was obtained.
For matters that are sensitive or private, online meetings should be avoided due to the possibility of misunderstanding and, if used, two adults should be present along with the individual being met, and where appropriate, parents or carers should be included where to do so would not cause harm to the individual concerned.
Information should be circulated to parents and carers about the platform being used, including how to download the application and any key issues they need to be aware of.
Clear information should be provided to parents and carers about the purpose of any online activity, the range of people participating e.g. children, adults, mixed, and the names and contact details of those responsible for the activity.
Parents and carers should be encouraged to ensure that participation takes place in a place visible to others within the household and not within bedrooms or other closed spaces
There should be two adult facilitators during online ministry to children, adults at risk or who are otherwise vulnerable, one of whom must be trained in safeguarding policies and procedures.
See the remarks on copyright issues over recorded or published music at the end of the Live-streaming section above (2.13). These also apply to incorporating copyright music or indeed videos in online ministry. Churches using Zoom to stream services or host meetings need both the CCLI Streaming Licence and the “PRS for Music” Limited Online Music Licence (LOML). This is because Zoom doesn’t currently have an agreement with PRS for Music as YouTube and Facebook do.
3.3 Setting up a meeting
- Set up a registration system to log the details of those who want to attend so that they can be sent a private message, securely by email or other closed-group system with a randomly generated link and the password. Ensure that this is copied to parents and carers as well;
- If using meeting ID’s, instead of one-click links, to host public events, ensure you use the randomly generated ID at the time of scheduling the meeting, rather than your personal meeting ID which is given when you create an account with the platform; (this may apply only to the Zoom platform)
- Ensure that your joining instructions provide information on the ‘rules of engagement’ which include:
- when and how participants can speak/contribute;
- how they should present themselves on screen (i.e. dressed appropriately, backgrounds);
- how to interact with others how and when participants can leave the meeting;
- what to do in respect of rejoining if internet connections fail;
- that contributions must be respectful and individuals must take personal responsibility to
ensure that their content is appropriate to those participating e.g. language, jokes, opinions;
- how to report anything of concern or anything that makes them feel uncomfortable.
- Whether participants can all “share screens” or contribute to Chat
- Obtain in advance any agreement to audio or visual recording of the meeting. For children or individuals who lack capacity, consent must be obtained from the person legally able to provide this. Those giving consent must be informed of the purpose the recording will be used for and for how long it will be retained. If images are being captured, this is probably personal data and must be handled in line with the GDPR (see under Photography and Filming, above). If material is going to be used for a different purpose than the original intention, the new purpose must be explained and consent obtained.
3.4 Conducting the meeting (some of these points may apply only to the Zoom platform)
- Set up a ‘waiting room’ so that the meeting host chooses when to admit people and can restrict entry to only those who are invited;
- Lock the meeting once all expected attendees have “arrived “ and it has started;
- Where possible position yourself in front of a neutral background, and not with a daylit window at your back;
- Remind participants of the agreed rules of engagement;
- Use Host’s capacity to Mute attendees and ask them to hold their hand up if they want to speak and unmute themselves;
- Keep screen-sharing restricted to the host, unless previously decided otherwise, and limit ”Chat” to the host only, if this seems necessary to avoid separate conversations taking place during the session;
- If you have consent to share screen-shots taken during the meeting, ensure that the meeting ID at top left is not visible to an external audience;
- Do not post, discuss or request personal information that is unrelated to the purpose of the meeting e.g. private email addresses, birthdays, phone numbers; you may balance the pastoral benefit of birthday greetings against the minor risk of ID theft or grooming info
- Never accept or open files, or reply to any instant messages or contacts, phone calls, video call or screen-sharing request from someone that you do not know or have not invited into the online meeting;
- The Host should be familiar with the immediate steps to be taken if an intruder ( e.g. “Zoom bomber” ) manages to get into the meeting , and the participants should have been warned, in a first-time briefing, that if this occurs the meeting will be immediately closed and entry codes sent out for another meeting. Ensure any incident involving inappropriate behaviour is recorded and responded to in line with policies and procedures;
- When meetings close, the platform should be closed to all. Nobody, other than the meeting facilitators should be asked to remain on-line for a one-to-one conversation without others being present.
3.5 Choice of platform
At the time of writing this policy, there is no clear recommendation from safeguarding or security experts about which platform is safest to use; in the early months of 2020 the highly popular platform Zoom was found to have many security issues, giving rise to the unsavoury practice of “Zoom bombing”, but its developers have responded to these and the platform now requires passwords for meetings by default. If your version has been upgraded to 5.0 or later, it should feature an adequate level of encryption which restores most of its security competitiveness with Microsoft Teams, Skype, and Google Meet. More important than the choice of one platform or another is the well-informed use by the host of the inbuilt privacy and security settings.
The National Cyber Security Centre has done a thorough listing of the security and safety principles that should be applied in choosing a videoconferencing platform , although regrettably they have not yet done an assessment of Zoom , and the article here dates back to April 2020, which is a long time ago given the pace of change in recent months . https://www.ncsc.gov.uk/guidance/video-conferencing-services-using-them-securely
4. Contact details for all enquiries
The Data Protection Manager, Brin Dunsire, e-mail firstname.lastname@example.org , tel: 01494 865574 or via 01604 712605.
For all safeguarding-related enquiries and concerns: the Safeguarding Coordinator, Danielle Dixon, email email@example.com Tel: 01604 723514. Mobile in emergencies; 07833 050628
Version 2.0 (final for trustees) as of 23rd Dec 2020
Adopted by the trustees on 12th January 2021
Due for review on 31st January 2022