PRAYERS for the sick are being restricted in Catholic churches in Scotland due to an EU shakeup of privacy rules.

Catholic churches across the country have begun banning the publication of the names of ill people in their bulletins, because it is feared it may breach the new personal data statutes.

The General Data Protection Regulation, which came into force on Friday, is aimed at curbing US tech giants like Google and Facebook - but it has emerged that church leaders fear that they face crippling fines if they fall foul of the law.

The Catholic Archdioceses of Glasgow and of St Andrews and Edinburgh have been among the first to agree that publishing the names of sick people who need congregation prayers is not realistic.


But the Information Commissioner's Office, which is responsible for enforcing the rules across the UK, says churches may be taking things too far.

And the Church of Scotland said they see no problem in identifying any member of the congregation that needs prayed for.

An Archdiocese of Glasgow spokesman said: “The advice we have been given at the moment is that a person’s name should only appear in a parish sick list when they have given prior written permission.

"Obviously in the case where someone has been taken ill suddenly and without warning, such prior written permission is not a realistic option.

"This would appear to be an unintended consequence of a much wider law which affects all organisations which hold data on individuals.

"It may be that as time passes a clearer picture will emerge about such issues, but for now we have been advised that it is best to be careful to avoid unintended breaches."

It is understood that the Archdiocese of St Andrews and Edinburgh concur with the advice.

It is understood church leaders took their lead from the Catholic Insurance Service Ltd, which advises all eight Scottish Catholic dioceses.

The parish bulletin of the Holy Family and St Ninian in Kirkintilloch, which is part of the Archdiocese of Glasgow, has already told its congregation: “Parishes have been advised that names of the sick can no longer be published in the bulletin without the direct permission of the sick person to the parish priest.


"Names cannot be put on the sick list via a third party. All names on the present sick list will be removed next week."

The rules also raise questions about prayers for identified individuals during church services.

But a Church of Scotland spokesman said: "Guidance for congregations is that including the name of a member of the Church of Scotland, or member of the congregation, or regular attender of worship with the congregation, in an order of service so that person may be prayed for is a legitimate use of that person’s information and is in keeping with the provisions of the General Data Protection Regulation.

“It is however important to note that if any detailed health information was to be shared – including the nature of the illness – then consent would be required.”

The Free Church of Scotland were unable to state their position on the new rules until there was "further consultation which cannot take place until next week".

The ICO said churches do not need to seek consent to use the name of a member of a congregation as they already have an established association with them.

The regulator said Article 9(2)(d) of the GDPR "allows special categories of personal data, for example someone’s illness to be used by groups like churches and communication within that community".


An ICO spokesman said: “New data protection laws exist to give people more rights, more control and to build trust and confidence in those organisations who use and process their personal information. Not as a barrier to community organisations. The key part of deciding whether you need consent to contact people is your relationship with them.

“If, as an organisation, you have an existing relationship with someone, for instance that person is part of your church congregation or volunteers for your sports team, you would not need their consent to use basic personal information.

“Consent is not the only basis for using and sharing people’s personal data.”

The General Data Protection Regulation is a piece of EU legislation passed by the European Parliament in 2016 that gives greater power to regulators to penalise companies who mishandle personal data or are not transparent about how their business uses it.

For consumers, it brings new powers that require firms to obtain clear consent from users before processing their personal data, and it grants users a right to easily access the information collected from them, along with transparency on how it is being used. The data includes a person's name, email address and phone number, and also internet browsing habits collected by website cookies.

Heavy fines for data misuse and breaches can reach £18 million or four per cent of global annual turnover, whichever is higher.

For tech giants such as Google and Facebook, this could mean the risk of fines running into the hundreds of millions.

Privacy campaigners have welcomed the regulation as a new step forward for online rights, but small firms have raised concerns about the burden of complying with the law.

GDPR standards will soon be enshrined in UK statute in the Data Protection Bill currently going through Parliament.