Resources

The legal framework parishes work under

Every parish in the Diocese of Shrewsbury is part of the Shrewsbury Roman Catholic Diocesan Trust, charity number 234025. Under UK GDPR and the Data Protection Act 2018, the trust is the data controller. Parishes act as part of the controller, not as separate organisations. That has practical consequences for how data is held, shared and reported.

This guide covers the everyday questions parish priests, parish secretaries and finance committees ask the Curial Office. For anything unusual, write to curia@dioceseofshrewsbury.org and ask for the request to be passed to the data protection lead.

Lawful bases you can rely on

Every piece of personal data a parish holds must rest on a lawful basis. In a Catholic parish, four bases cover almost everything.

  • Legitimate interests. The parish keeps a record of parishioners, Mass intentions and rotas because it cannot function without them. This is the default basis for routine pastoral administration.
  • Consent. Marketing-style mailing lists, parish photo galleries and most uses of children's images need clear, recorded consent that can be withdrawn.
  • Legal obligation. Gift Aid records, safeguarding records and employment data are kept because the law requires it.
  • Vital interests. First-aid information held for an altar server's residential trip falls here.

Sacramental records

Baptism, confirmation, marriage and reception registers are kept indefinitely under the Code of Canon Law. UK GDPR recognises this. Sacramental registers may not be destroyed, redacted or sent to former parishioners on request, although a certified extract can be issued. Closed-parish registers are transferred to the Diocesan Archive at the Curial Offices in Prenton.

Sacramental records of living people are restricted. Genealogical enquiries about anyone potentially still alive are declined. Enquiries about deceased relatives go to the parish where the sacrament was celebrated, or to the archive if the parish has closed.

Mailing lists and the parish newsletter

If you send the parish bulletin by email, you need a sign-up step that records the date and the wording the person agreed to. Every email must contain an unsubscribe link, and unsubscribe requests must be honoured within seven days. The same applies to WhatsApp groups and text alerts.

You do not need consent to email a parishioner about a Mass they have already booked, a baptism preparation date or a confirmation rehearsal. That is legitimate interests.

Photographs and video

A wide shot of a packed church at the Easter Vigil does not normally need consent. A close portrait of an identifiable person, a recording of a child reading at Mass, or a photo used on the parish website does. Keep a simple consent form on file for anyone whose image is used in publicity, and treat children with extra care: written parental consent is needed before any image of an under-eighteen is published.

CCTV and signage

If the parish operates CCTV inside the church, hall or presbytery, you need clear signage at every entrance naming the controller (the parish, on behalf of the Shrewsbury Roman Catholic Diocesan Trust) and giving a contact email. Footage should be retained for no more than thirty days unless it has been requested by police or is needed for an active safeguarding case.

Subject Access Requests

A parishioner can ask in writing to see all the personal data the parish holds about them. The request must be answered within one calendar month of receipt. Send a copy of the request to curia@dioceseofshrewsbury.org the same day so the Curial Office can support the response and check whether other diocesan files are involved.

Reporting a data breach

A breach is any incident where personal data is lost, accessed by the wrong person or sent to the wrong address. Examples include an emailed parish list sent to an external address, a stolen laptop with parish records on it, or a paper register left on a train.

  1. Within twenty-four hours of becoming aware of the breach, email curia@dioceseofshrewsbury.org with a short factual account: what happened, when, who is affected and what you have done so far.
  2. The diocese decides whether the Information Commissioner's Office must be notified. The deadline for ICO notification is seventy-two hours, so the parish report must come in well inside that window.
  3. Do not contact affected parishioners until the diocese has agreed the wording.

Where to get help

For any data protection question that is not answered above, write to curia@dioceseofshrewsbury.org or telephone the Curial Office on 0151 652 9855. Simon Caldwell, the Communications Director, can be reached on simon.caldwell@dioceseofshrewsbury.org for questions about parish websites and publications.

More to explore

Regular Giving
Why Catholics Give
How to Onboard a New Parish Employee
How to Apply for Funding for a Parish Project
How to Claim Parish Expenses
How to Set Up Gift Aid for Parish Donations
The Catholic Diocese of
Shrewsbury
Serving the Catholic Church across Cheshire and Shropshire and parts of Greater Manchester, Merseyside and Derbyshire.
Diocese of Shrewsbury, Curial Offices, 2 Park Road South, Prenton, Wirral,
CH43 4UX
0151 6529855
info@dioceseofshrewsbury.org
PrivacyContact
Quick Links
News & StoriesEventsDiscover CatholicismBecome a Catholic
Find Anything
PlacesPeopleDocumentsResources
More
Our DioceseLourdes PilgrimageDonateCareers
Our Departments
Administration
Education
ChanceryChristian UnityCommunicationsMarriage TribunalMission & EvangelisationSafeguardingSchools SingingVocationsWorshipYouth Mission Team
© 2026 Shrewsbury Roman Catholic Diocesan Trust | 234025. All rights reserved.