Data protection

The law on data protection tells you what you should do when you collect, use, store or do anything else with people’s personal data. Most volunteer-involving organisations hold information on their staff, volunteers and perhaps their clients. This information is likely to be personal data and may also include sensitive data. The new GDPR legislation gives greater rights to individuals over how organisations use and store their data. It's a big area and this guide is designed to give you a basic introduction. There's more on the ICO's web pages for small organisations and for charities. If your organisation is very small you might find the ICO's advice for micro business owners useful.

If your organisation processes personal data, you will have to register with the Information Commissioner's Office (ICO) unless you are exempt. Visit the ICO website for more information.

Looking after your data is an important part of your responsibility to your staff, volunteers and clients. 

General Data Protection Regulation (GDPR)

As of 25th May 2018, GDPR replaces the Data Protection Act 1998. It’s an extension of existing data protection legislation that gives greater protection and rights to individuals over how their data is processed. Even after Brexit, the government intends to keep UK data protection legislation aligned with GDPR. GDPR refers to individuals as data subjects. GDPR gives more detail about what is regarded as personal data; for example, personal data now includes things like someone's IP address. The GDPR refers to sensitive personal data as “special categories of personal data”.

Does it apply to you? 

GDPR applies to any organisation that processes, collects, stores or uses information about an identifiable person. 

To ensure you're compliant with the GDPR, someone in your organisation should take the lead. That person should stay informed on data protection and understand your organisation's processes: how data flows in and out of your organisation.

GDPR applies to volunteers in the same way as to any other individual. In other words, volunteers may be data processors, dealing with other people's personal data, and they will also be data subjects, because you process personal information about them. Your volunteers will need to understand your organisation's policies and procedures and the importance of data protection, data security and confidentiality.

Remember that GDPR applies to both electronic and paper-based data.

GDPR principles 

  • You have to be fair, lawful and transparent when you process personal data. 
  • Only collect and use personal data for specific, explicit and legitimate purposes. 
  • Data must be adequate, relevant and limited to what is necessary. 
  • Keep data accurate and up to date. 
  • Only keep data for as long as is necessary. 
  • Keep data secure. Ensure paper-based personal data is locked away. Electronic data should be password-protected, encrypted and/or restricted to only those people who need to use it.

Some GDPR key features 

Data Controllers 

These are the people who define the purpose and method of processing personal data. This will probably be your organisation.

Data Processors 

This is any person who is responsible for processing personal data on behalf of the controller. You are legally responsible for the data you deal with.

Privacy by Design 

When you start something new, whether it's a new project or building a system, you should ensure that protecting personal data is an integral part from the start. 

Data Audits 

Make sure you have a record of all the data you hold, why you hold it, whether you have permission to hold it, who can access it, who it's shared with and how long you keep it. This helps you consider the risks and prioritise what actions to take.

According to GDPR, as at April 2018, smaller organisations must document processing activities that: 

  • are not occasional; or 
  • could result in a risk to the rights and freedoms of individuals; or 
  • involve processing special categories of data (sensitive data) or criminal conviction and offence data. 

Lawful Basis 

Your organisation needs to decide on your lawful basis for processing personal data and tell people what this is in your Privacy Policy. You'll need to decide on an extra 'additional condition' for processing sensitive data, and also for processing criminal conviction data. Read more about this on the ICO's website.

Data Breaches 

A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. Personal data breaches can be accidental or deliberate. Examples of a personal data breach are:

  • personal data is lost, destroyed, corrupted or disclosed; 
  • someone accesses the data or passes it on without proper authorisation; 
  • the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed. 

You should have a procedure in place describing what to do if there is a data breach. If there is a risk that the data breach will cause emotional distress, physical or material damage, or negatively affect an individual's rights and freedoms, you must report it to the ICO within 72 hours. You may also have to inform the individuals affected.

Individuals' Rights 

The GDPR gives individuals rights over how their information is used. The eight rights are: 

  1. The right to be informed 
  2. The right of access 
  3. The right to rectification 
  4. The right to erasure 
  5. The right to restrict processing 
  6. The right to data portability 
  7. The right to object 
  8. Rights in relation to automated decision making and profiling 

What does this mean for you? 

Have a written privacy notice

This tells individuals how you will use their information. You should make the privacy notice clear and concise and have it available at the point of collecting the information. This might be at the end of an application form or, if someone is submitting an online form, via a link to a privacy notice on your website.

Be prepared for a subject access request 

You should have a plan in place so you're prepared if someone wants to view, correct or delete the personal data you hold on them. 

Know how to deal with a data breach

A personal data breach is a security incident that has affected the confidentiality, integrity or availability of personal data. Personal data breaches can be accidental or deliberate. Examples of a personal data breach are: 

  • personal data is lost, destroyed, corrupted or disclosed; 
  • someone accesses the data or passes it on without proper authorisation; 
  • the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed. 

You should have a procedure in place that outlines what to do if there is a data breach. Depending on the circumstances you may have to report the breach to the ICO within 72 hours, and you may also have to inform the individuals whose data has been affected. 

Know your 'lawful basis'

Your organisation needs to decide on your lawful basis for processing personal data and tell people what this is in your Privacy Policy. You'll need to decide on an extra 'additional condition' for processing sensitive data. If you process criminal conviction data as part of volunteer recruitment, then you can do this legally. Read more about this on the ICO's website.

Do a data audit

Make a record of all the personal data you hold, why you hold it, whether you have permission to hold it, who can access it, who it's shared with and how long you keep it. This helps you consider the risks and prioritise what actions to take to keep personal data safe. According to GDPR, as at April 2018, smaller organisations must document processing activities that:

  • are not occasional; or 
  • could result in a risk to the rights and freedoms of individuals; or 
  • involve processing special categories of data (sensitive data) or criminal conviction and offence data. 

Sample Privacy Notice 

Organisation privacy notice

What information do we collect?  

We collect information when you … [for example, apply to join the scheme]  

How we’ll use this information  

We use this information so that … [for example, we can contact you in connection with the scheme and give you ongoing support].  

We will only pass on your information to third parties with your agreement.  

or

As part of this service we work with X organisation and we share information with them so that... [explain why and how you share personal data].  

We’ll store this information in … [for example, secure paper files, our internal database or a system that is shared with or owned by X].  

How long we’ll keep your information for  

We’ll keep your information on file for … [for example, for one year after the scheme ends or your work with us ends]

Your rights  

You have the right to request a copy of the information that we hold about you. You can ask us to amend or delete your personal information or to stop using it.  

If you would like a copy of some or all of your personal information, please email …. or write to us at ………  

[Signed by:  

Date:  

If you need to evidence consent, then add a sign and date section. You'll need to evidence consent if consent is your lawful basis for processing, or if you're processing sensitive data, or if you are passing personal data on to third parties].