In the Name of Allah, the Most Gra­cious, the Most Mer­ci­ful.

As-salā­mu ‘alaykum wa-rah­mat­ul­lāhi wa-barakā­tuh (Peace, Bless­ings & Mer­cy of Allah be upon You).

This state­ment is being issued on the 27th of April 2018 and super­sedes all pre­vi­ous state­ments on the sub­ject.

What is GDPR?

The Gen­er­al Data Pro­tec­tion Reg­u­la­tion (GDPR) (EU) 2016/679 is a reg­u­la­tion in EU law on data pro­tec­tion and pri­va­cy for all indi­vid­u­als with­in the Euro­pean Union. Since Britain is (still) part of EU, GDPR applies to and is rel­e­vant to all British cit­i­zens.

GDPR is stricter to the cur­rent­ly enofre­ca­ble reg­u­la­tions as set out in Data Pro­tec­tion Act 1998.

What is “Personal Data”?

The GDPR applies to ‘per­son­al data’ mean­ing any infor­ma­tion relat­ing to an iden­ti­fi­able per­son who can be direct­ly or indi­rect­ly iden­ti­fied in par­tic­u­lar by ref­er­ence to an iden­ti­fi­er.

This def­i­n­i­tion pro­vides for a wide range of per­son­al iden­ti­fiers to con­sti­tute per­son­al data, includ­ing name, iden­ti­fi­ca­tion num­ber, loca­tion data or online iden­ti­fi­er, reflect­ing changes in tech­nol­o­gy and the way organ­i­sa­tions col­lect infor­ma­tion about peo­ple.

The GDPR applies to both auto­mat­ed per­son­al data and to man­u­al fil­ing sys­tems where per­son­al data are acces­si­ble accord­ing to spe­cif­ic cri­te­ria. This could include chrono­log­i­cal­ly ordered sets of man­u­al records con­tain­ing per­son­al data.

Per­son­al data that has been pseu­do­nymised – eg key-cod­ed – can fall with­in the scope of the GDPR depend­ing on how dif­fi­cult it is to attribute the pseu­do­nym to a par­tic­u­lar indi­vid­ual.

Then there are spe­cial cat­e­gories of per­son­al data which are as fol­lows:

  1. The racial or eth­nic ori­gin of the sub­ject;
  2. The subject’s polit­i­cal opin­ions;
  3. The subject’s reli­gious beliefs or beliefs of a sim­i­lar nature;
  4. Whether the sub­ject is a mem­ber of a trade union;
  5. Infor­ma­tion on the subject’s phys­i­cal or men­tal health con­di­tion;
  6. Infor­ma­tion on the subject’s sex­u­al life;
  7. The com­mis­sion or alleged com­mis­sion of an offence by the data sub­ject; and
  8. Infor­ma­tion relat­ing to the com­mis­sion or alleged com­mis­sion of an offence by the data sub­ject.

How does this affect us?

There are many exam­ples where per­son­al data may be kept at your Mosque or Mak­tab or Islam­ic School or Insti­tute as fol­lows:

  • Br Khalid Khan of 191 Lon­don Avenue donates to our Mosque every Ramad­han
  • Nikah of Aisha Sid­dique d/o Abdul­lah Sid­dique was per­formed on the 13th of June 2018.
  • Aisha Abdul­lah born 19th of March 2008 is a stu­dent at the Hifz class of Madrasa Qasimul-uloom
  • Tweet “8 year old Huza­ifa Patel came first in his Hifdh Class at Madrasa Qasimul-uloom at our Mosque”
  • Face­book: “Pic­tures of 8 year old Huza­ifa Patel with his teach­ers and fam­i­ly hold­ing a cer­tifi­cate and a gift”

What steps do we need to take?

When there is a need for to collect/process per­son­al data, you need to be care­full and com­ply with GDPR. There are a few steps which need to be tak­en by your organ­i­sa­tion.

  1. Data Pro­tec­tion Offi­cer (DPO): Appoint some­one as a data pro­tec­tion offi­cer for your organ­i­sa­tion. This is not a legal require­ment for a char­i­ty but it is a good idea to give a sin­gle per­son the respon­si­bil­i­ty. They should ensure that the rest of the steps are fol­lowed;
  2. Aware­ness: Your organ­i­sa­tion, all the stake­hold­ers and (in gen­er­al) every­body con­cerned needs to be made aware that the law is chang­ing. You need to place high­est pri­or­i­ty on the need to col­lect, pro­tect and the “right to pro­tect” per­son­al data;
  3. Why? Your rea­sons for the need to col­lect or process data need to be reviewed. Why do you col­lect it and is it nec­es­sary? Where does the data come from? Who do you share it with?
  4. Stor­age? Your organ­i­sa­tion needs to have a pol­i­cy to explic­it­ly dic­tate how per­son­al data is stored and secured. If you store per­son­al data elec­tron­i­cal­ly, your pol­i­cy needs to be state how it is stored and what mech­a­nisms are tak­en to ensure that it is safe. If the per­son­al data is stored in print­ed for­mat (paper etc) the pol­i­cy needs to state how it is stored and secured;
  5. Data Breach? In the (unfor­tu­nate) event of a data breach at your organ­i­sa­tion, your pol­i­cy needs to state that how the data breach will be detect­ed, inves­ti­gat­ed and report­ed; 
  6. Pri­va­cy Pol­i­cy: Your organ­i­sa­tion needs to have a pri­va­cy pol­i­cy incor­po­rat­ing GDP;
  7. Indi­vid­ual Rights: Your organ­i­sa­tion should have a pol­i­cy stat­ing how you will respond to and destroy any per­son­al data which you hold;
  8. Con­sent: Your organ­i­sa­tion should review your process­es and incor­po­rate a pro­ce­dure on obtain­ing con­sent. Remem­ber that con­sent can­not be a tick box and must be plain­ly and clear­ly spelled out and must be sep­a­rate from the data which you are col­lect­ing. It must also be spelled out that the indi­vid­u­als have the right to with­draw their con­sent; and
  9. Chil­dren: GDPR places a lot of empha­sis on col­lec­tion of and pro­ces­sion per­son­al data for chil­dren. Your organ­i­sa­tion needs to ensure that parents/guardians are pro­vid­ing ade­quate con­sent and the data of chil­dren is pro­tect­ed. Your organ­i­sa­tion also needs a way to ver­i­fy the age of the child and ver­i­fy parental respon­si­bil­i­ty.

What are some examples of obtaining consent?

There can be sev­er­al exam­ples of this and the most com­mon exam­ples are list­ed below. Remem­ber that the con­sent needs to be sep­a­rate, dis­tinct, plain and eas­i­ly under­stood.

Nikah Consent:

I Aisha Sid­dique d/o Abdul­lah Sid­dique grant my con­sent to Masjid Abu-Bak’r to store my per­son­al details for the pur­pose of con­duct­ing my Nikah (Islam­ic mar­riage). The infor­ma­tion being col­lect­ed is only for the pur­pose of ver­i­fi­ca­tion of Nikah and I do not autho­rise it to be used for any oth­er pur­pose.

See an exam­ple of Nikah cer­tifi­cate and com­pli­ance here. 

Passport verification/attestation:

I Abdul­lah Omar (DOB 01/01/1969) grant my con­sent to Masjid Abu-Bak’r to store my per­son­al details for the pur­pose of attest­ing my pass­port. The infor­ma­tion being col­lect­ed is only for the pur­pose of ver­i­fi­ca­tion of my pass­port appli­ca­tion and I do not autho­rise it to be used for any oth­er pur­pose. I also con­sent for this infor­ma­tion to be pro­vid­ed to the Home Office and UK Bor­der Agency (if and when request­ed).

Madrasa/Islamic School:

I Aisha Sid­dique d/o Abdul­lah Sid­dique grant my con­sent to Masjid Abu-Bak’r to store per­son­al details of my son Huza­ifa Patel attend­ing Madrasa Qasimul-uloom (Masjid Abu-Bak’r). I have pro­vid­ed his birth cer­tifi­cate as a proof of his age and as a proof of me being his moth­er. I con­sent to Madrasa Qasimul-uloom (Masjid Abu-Bak’r) stor­ing his per­son­al details for the pur­pose of his Islam­ic edu­ca­tion and all admin­is­tra­tive activ­i­ties relat­ed to the school. I do not autho­rise it to be used for any oth­er pur­pose.

Email Lists:

I Aisha Sid­dique d/o Abdul­lah Sid­dique grant my con­sent to Masjid Abu-Bak’r to store my per­son­al details for send­ing me emails. I have pro­vid­ed my per­son­al data for the pur­pose of receiv­ing emails from the Mosque. I do not autho­rise it to be used for any oth­er pur­pose.