General Data Protection Regulation (GDPR)
Wifaqul Ulama Public Affairs (Department)
In the Name of Allah, the Most Gracious, the Most Merciful.
As-salāmu ‘alaykum wa-rahmatullāhi wa-barakātuh (Peace, Blessings & Mercy of Allah be upon You).
This statement is being issued on the 27th of April 2018 and supersedes all previous statements on the subject.
What is GDPR?
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. Since Britain is (still) part of EU, GDPR applies to and is relevant to all British citizens.
GDPR is stricter to the currently enofrecable regulations as set out in Data Protection Act 1998.
What is “Personal Data”?
The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
Then there are special categories of personal data which are as follows:
- The racial or ethnic origin of the subject;
- The subject’s political opinions;
- The subject’s religious beliefs or beliefs of a similar nature;
- Whether the subject is a member of a trade union;
- Information on the subject’s physical or mental health condition;
- Information on the subject’s sexual life;
- The commission or alleged commission of an offence by the data subject; and
- Information relating to the commission or alleged commission of an offence by the data subject.
How does this affect us?
There are many examples where personal data may be kept at your Mosque or Maktab or Islamic School or Institute as follows:
- Br Khalid Khan of 191 London Avenue donates to our Mosque every Ramadhan
- Nikah of Aisha Siddique d/o Abdullah Siddique was performed on the 13th of June 2018.
- Aisha Abdullah born 19th of March 2008 is a student at the Hifz class of Madrasa Qasimul-uloom
- Tweet “8 year old Huzaifa Patel came first in his Hifdh Class at Madrasa Qasimul-uloom at our Mosque”
- Facebook: “Pictures of 8 year old Huzaifa Patel with his teachers and family holding a certificate and a gift”
What steps do we need to take?
When there is a need for to collect/process personal data, you need to be carefull and comply with GDPR. There are a few steps which need to be taken by your organisation.
- Data Protection Officer (DPO): Appoint someone as a data protection officer for your organisation. This is not a legal requirement for a charity but it is a good idea to give a single person the responsibility. They should ensure that the rest of the steps are followed;
- Awareness: Your organisation, all the stakeholders and (in general) everybody concerned needs to be made aware that the law is changing. You need to place highest priority on the need to collect, protect and the “right to protect” personal data;
- Why? Your reasons for the need to collect or process data need to be reviewed. Why do you collect it and is it necessary? Where does the data come from? Who do you share it with?
- Storage? Your organisation needs to have a policy to explicitly dictate how personal data is stored and secured. If you store personal data electronically, your policy needs to be state how it is stored and what mechanisms are taken to ensure that it is safe. If the personal data is stored in printed format (paper etc) the policy needs to state how it is stored and secured;
- Data Breach? In the (unfortunate) event of a data breach at your organisation, your policy needs to state that how the data breach will be detected, investigated and reported;
- Individual Rights: Your organisation should have a policy stating how you will respond to and destroy any personal data which you hold;
- Consent: Your organisation should review your processes and incorporate a procedure on obtaining consent. Remember that consent cannot be a tick box and must be plainly and clearly spelled out and must be separate from the data which you are collecting. It must also be spelled out that the individuals have the right to withdraw their consent; and
- Children: GDPR places a lot of emphasis on collection of and procession personal data for children. Your organisation needs to ensure that parents/guardians are providing adequate consent and the data of children is protected. Your organisation also needs a way to verify the age of the child and verify parental responsibility.
What are some examples of obtaining consent?
There can be several examples of this and the most common examples are listed below. Remember that the consent needs to be separate, distinct, plain and easily understood.
I Aisha Siddique d/o Abdullah Siddique grant my consent to Masjid Abu-Bak’r to store my personal details for the purpose of conducting my Nikah (Islamic marriage). The information being collected is only for the purpose of verification of Nikah and I do not authorise it to be used for any other purpose.
See an example of Nikah certificate and compliance here.
I Abdullah Omar (DOB 01/01/1969) grant my consent to Masjid Abu-Bak’r to store my personal details for the purpose of attesting my passport. The information being collected is only for the purpose of verification of my passport application and I do not authorise it to be used for any other purpose. I also consent for this information to be provided to the Home Office and UK Border Agency (if and when requested).
I Aisha Siddique d/o Abdullah Siddique grant my consent to Masjid Abu-Bak’r to store personal details of my son Huzaifa Patel attending Madrasa Qasimul-uloom (Masjid Abu-Bak’r). I have provided his birth certificate as a proof of his age and as a proof of me being his mother. I consent to Madrasa Qasimul-uloom (Masjid Abu-Bak’r) storing his personal details for the purpose of his Islamic education and all administrative activities related to the school. I do not authorise it to be used for any other purpose.
I Aisha Siddique d/o Abdullah Siddique grant my consent to Masjid Abu-Bak’r to store my personal details for sending me emails. I have provided my personal data for the purpose of receiving emails from the Mosque. I do not authorise it to be used for any other purpose.