“We Can’t Because GDPR” The Catholic Church Edition
In the just over two years since GDPR has come into full effect, we’ve seen a significant rise in a particular kind of jobsworth blocking, where people and organizations with a clear lack of understanding of Data Protection law claim that the they can’t do their jobs because of GDPR. In a very large number of these claims, I end up ranting that “No, GDPR actually requires you to do the thing you are saying GDPR won’t let you do”.
The Irish Times this week reported that the NBSCCCI has called data protection law “a threat to the safety of children [which] has made their welfare difficult to guarantee”, and that its representations to ministers, government bodies, and the regulator both in Ireland and in Northern Ireland to change the laws and allow them to create and maintain a central database of data relating to criminal offenses have failed. Now, rather than putting a “reservation” on statistics regarding the numbers of allegations of clerical abuse reported to the board, they have refused to release statistics at all, claiming in a press release:
The National Board cannot, as it would previously have done, report information on the numbers of allegations made. Despite ongoing consultations and discussions in both jurisdictions, at the moment under GDPR there is legal doubt about the circumstances under which identifying information (relating to allegations of abuse against clerics or religious) can be shared with the National Board
However, this complaint from the NBSCCCI is not new. For the third year in a row now, we are hearing “We can’t because GDPR” from representatives of the Catholic Church.
In 2018, the Irish Times reported that the DPC informed the Catholic Church’s National Board for Safeguarding Children in Ireland that they required a legal basis to maintain a central database of priests facing child abuse allegations, as it is highly sensitive data involving allegations of criminal offenses, which should be handled by competent bodies set up to investigate and prosecute criminal offenses and for the purposes of safeguard children. In the face of repeated requests for special legal dispensation to control such a database, the Government and the DPC had reservations about granting “a private unregulated body . . . extensive powers to hold personal and sensitive data”, instead taking the position that the IBSCCCI’s remit could be met through ‘instruction, training, vetting,” and “consultation between religious bodies and Tusla”, which does have a lawful basis to process sensitive data on allegations of child abuse.
In 2019, second verse, same as the first. The Irish Times reported that, “The board has been lobbying the Data Protection Commissioner, and the Department of Justice, to grant it powers to maintain a central database of priests against whom abuse allegations have been made”, while claiming that GDPR created “significant obstacles for the board, as some religious bodies or dioceses were not sharing information due to privacy concerns”. They put their figures on reports “under reservation” due to “concerns over the reliability of the statistics”.
Purpose, Purpose Limitation, and Lawful Basis
But what is the NBSCCCI and what is their mission and remit? What is their role in safeguarding children in the Catholic Church? Why do they insist they need special legal dispensation to be controllers of a database and why have they spent the past few years lobbying ministers, government departments and the DPC looking for “delegated authority . . . to receive notification information relating to clerics and religious”? What is their intended purpose for processing this data?
The National Board for Safeguarding Children in the Catholic Church in Ireland Charity number CHY 18735 (or Coimirce, the limited company that NBSCCCI is a function of, which seems equally represented and described on the NBSCCCI website) lists as its three main functions:
- Advice and Support on case management
- Development of standards, policy, procedures and guidance on best practices for child safeguarding in the Catholic Church
- Monitoring and reporting on child safeguarding practices of its constituent members
A review the annual report shows that the bulk of activities conducted are indeed, training, promoting standards for best practice in safeguarding, and advising on case handling. These are activities in which as the Government said in 2018, issues can be resolved through “instruction, training, vetting,” and consultation between religious bodies and Tusla.
None of these activities require control of a centralized database of alleged criminal offenses, requiring access to such data suggests a function creep to activities outside of the scope of their remit.
“The National Board cannot, as it would previously have done, report information on the numbers of allegations made” . . . Because GDPR. Or specifically, their annual report claims they are “unable to furnish any information of value about the numbers of allegations made against Church personnel, as the information now provided to it by Church authorities is completely anonymised.” Of course, the worst example of the millstone of using anyonymised data that they mention is the possibility that an allegation may be double-recorded.
However, considering their remit is explicitly to provide training and develop standards and guidance on best practice, there appears to be nothing preventing the NBSCCCI from attempting to resolve the quality issue of potential double reporting through other quality improvement measures.
Ironically, the NBSCCCI could embrace the principles of GDPR and institute standards and best practices for case reporting according to GDPR requirements for Accuracy (fit for the required purposes of the Board’s mission) and Data Minimisation (ensuring that data reported is adequate for the purpose and limited to what is necessary), so that the NBSCCCI can provide quality information as to the number of cases reported and other statistical information for analysis. In other words, “physician, heal thyself!”
Given the recent enforcement actions by the DPC against Tusla for Data Protection breaches it is clear that the handling of this kind of sensitive special category data is something that the regulator takes extremely seriously. While Tusla has had significant failings in the past, a new management team seems to be finally starting to recognise more fully their obligations under data protection legislation.
A €75,000 fine will focus attention.
Perhaps the appropriate resolution to the risk that the Bishops have identified is for there to be a single reporting system for allegations of sexual abuse, with a single pathway for investigation through bodies with appropriate statutory remits to gather data and record evidence.
This would allow the NBSCCI to focus on its core remit of policy and procedure development and on the prevention of incidents as a valued body contributing to development of best practices in this often complex sector rather than trying to create a parallel system of reporting and investigation outside the legislated for structures of the State.