Volunteers and Data Protection
The law on data protection tells you what you should do when you collect, use, store or do anything else with people’s personal data. Most volunteer involving organisations hold information on their staff, volunteers and perhaps their clients. This information is likely to be personal data and may also include sensitive data. The new GDPR legislation gives greater rights to individuals on how organisations use and store their data. It's a big area and this guide is designed to give you a basic introduction. There's more on the ICO's web pages for small organisations and for charities. If your organisation is very small you might find the ICO's advice for micro business owners useful.
If your organisation processes personal data you will have to register with the Information Commissioner's office unless you are exempt. See www.ico.gov.uk for more information.
Looking after your data is an important part of your responsibility to your staff, volunteers and clients.
General Data Protection Regulations
As of 25th May 2018 GDPR replaces the Data Protection Act 1998. It’s an extension of existing Data Protection legislation that gives greater protection and rights to individuals about how their data is processed. Even after Brexit, the government intends to keep UK data protection legislation aligned with GDPR. GDPR talks about individuals as data subjects. GDPR gives more detail about what is regarded as personal data. For example, personal data now includes things like someone's IP address. The GDPR refers to sensitive personal data as “special categories of personal data”.
Does it apply to you?
GDPR applies to any organisation that processes, collects, stores or uses information about an identifiable person.
To ensure you're compliant with the GDPR someone should take the lead in your organisation. That person should stay informed on data protection and understand your organisation's processes - how data flows in and out of your organisation.
You might have heard of a 'Data Protection Officer'. Under GDPR an organisation only needs to formally give someone this role under certain circumstances, e.g. if it carries out large scale processing of special categories of data (sensitive personal data).
GDPR applies to volunteers in the same way as any other individual. In other words volunteers may be data processors, dealing with other people's personal data, and they will also be data subjects, because you process personal information about them. Your volunteers will need to understand your organisation's policies and procedures and the importance of data protection, data security and confidentiality.
Remember that GDPR applies to both electronic and paper based data.
- You have to be fair, lawful and transparent when you process personal data.
- Only collect and use personal data for specific, explicit and legitimate purposes.
- Data must be adequate, relevant and limited to what is necessary.
- Keep data accurate and up to date.
- Only keep data for as long as is necessary.
- Keep data secure. Ensure paper based personal data is locked away. Electronic data should be password-protected, encrypted and/or restricted to only those people who need to use it.
The GDPR gives individuals rights over how their information is used. The eight rights are: the right to be informed;;the right of access; the right to rectification; the right to erasure; the right to restrict processing; the right to data portability; the right to object; rights in relation to automated decision making and profiling.
What does this mean for us?
Have a written privacy notice. This tells individuals about how you will use their information. You should make the privacy notice clear and concise and have it available at the point of collecting the information. This might be at the end of the volunteer application form or if someone is submitting an online form, via a link to a privacy notice on your website.
Be prepared for a subject access request. You should have a plan in place so you're prepared if someone wants to view, correct or delete the personal data you hold on them.
Know how to deal with a data breach. A personal data breach is a security incident that has affected the confidentiality, integrity or availability of personal data. Personal data breaches can be accidental or deliberate. Examples of a personal data breach are:
- personal data is lost, destroyed, corrupted or disclosed;
- someone accesses the data or passes it on without proper authorisation;
- the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.
You should have a procedure in place that outlines what to do if there is a data breach. Depending on the circumstances you may have to report the breach to the ICO within 72 hours, and you may also have to inform the individuals whose data has been affected.
Data sharing contracts. Your organisation might outsource some of its data processing to a third party or it might share data with another organisation, for example using a shared system. Where this happens you must have a written contract in place describing the Data Controller's and the Data Processor's responsibilities and liabilities.
Do a data audit. Make a record of all the personal data you hold, why you hold it, if you have permission to hold it, who can access it, who it's shared with and how long you keep it. This helps you consider the risks and prioritise what actions to take to keep personal data safe. According to GDPR, as at April 2018, smaller organisations must document processing activities that:
- are not occasional; or
- could result in a risk to the rights and freedoms of individuals; or
- involve processing special categories of data (sensitive data) or criminal conviction and offence data.
Other GDPR terms
Data Controllers: these are the people that define the purpose and method of processing personal data. This will probably be your organisation.
Data Processors: this is any person who's responsible for processing personal data on behalf of the controller. You are legally responsible for the data you deal with.
Privacy by Design: when you start a new project or build a new system, you should ensure that protecting personal data is part of the design from the start.
If you would like more help or advice please contact Volunteer Edinburgh on 0131 225 0630 or email: firstname.lastname@example.org
Or you can drop in and see us:
222 Leith Walk, EH6 5EQ