Volunteers and Data Protection

From VolunteerWiki

The law on data protection tells you what you should do when you collect, use, store or do anything else with people’s personal data. Most volunteer-involving organisations hold information on their staff, volunteers and perhaps their clients. This information is likely to be personal data and may also include sensitive data. The new GDPR legislation gives greater rights to individuals on how organisations use and store their data. It's a big area and this guide is designed to give you a basic introduction. There's more on the ICO's web pages for small organisations and for charities. If your organisation is very small you might find the ICO's advice for micro-business owners useful.

If your organisation processes personal data you will have to register with the Information Commissioner's Office (ICO) unless you are exempt. See www.ico.gov.uk for more information.

Looking after your data is an important part of your responsibility to your staff, volunteers and clients.

General Data Protection Regulation

As of 25th May 2018 GDPR replaces the Data Protection Act 1998. It’s an extension of existing Data Protection legislation that gives greater protection and rights to individuals about how their data is processed. Even after Brexit, the government intends to keep UK data protection legislation aligned with GDPR. GDPR talks about individuals as data subjects. GDPR gives more detail about what is regarded as personal data. For example, personal data now includes things like someone's IP address. The GDPR refers to sensitive personal data as “special categories of personal data”.

Does it apply to you?

GDPR applies to any organisation that processes, collects, stores or uses information about an identifiable person.

To ensure you're compliant with the GDPR someone should take the lead in your organisation. That person should stay informed on data protection and understand your organisation's processes - how data flows in and out of your organisation.

You might have heard of a 'Data Protection Officer'. Under GDPR an organisation only needs to formally give someone this role under certain circumstances, e.g. if it carries out large scale processing of special categories of data (sensitive personal data).

GDPR applies to volunteers in the same way as any other individual. In other words, volunteers may be data processors, dealing with other people's personal data, and they will also be data subjects because you process personal information about them. Your volunteers will need to understand your organisation's policies and procedures and the importance of data protection, data security and confidentiality.

Remember that GDPR applies to both electronic and paper-based data.

GDPR principles

  • You have to be fair, lawful and transparent when you process personal data.
  • Only collect and use personal data for specific, explicit and legitimate purposes.
  • Data must be adequate, relevant and limited to what is necessary.
  • Keep data accurate and up to date.
  • Only keep data for as long as is necessary.
  • Keep data secure. Ensure paper-based personal data is locked away. Electronic data should be password-protected, encrypted and/or restricted to only those people who need to use it.

Some GDPR key features

Data Controllers - these are the people that define the purpose and method of processing personal data. This will probably be your organisation.

Data Processors - this is any person who's responsible for processing personal data on behalf of the controller. You are legally responsible for the data you deal with.

As a Data Controller, your organisation might outsource some of its data processing to a third party or you might share data with another organisation, for example using a shared system. Where this happens you must have a written contract in place describing the Data Controller's and the Data Processor's responsibilities and liabilities.

Privacy by Design - when you start something new, whether it's a new project or building a system, you should ensure that protecting personal data is an integral part from the start.

Data Audits - make sure you have a record of all the data you hold, why you hold it, if you have permission to hold it, who can access it, who it's shared with and how long you keep it. This helps you consider the risks and prioritise what actions to take.

According to GDPR, as at April 2018, smaller organisations must document processing activities that:

  • are not occasional; or
  • could result in a risk to the rights and freedoms of individuals; or
  • involve processing special categories of data (sensitive data) or criminal conviction and offence data.

Lawful Basis - your organisation needs to decide on your lawful basis for processing personal data and tell people what this is in your Privacy Policy. You'll need to decide on an extra 'additional condition' for processing sensitive data, and also for processing criminal conviction data. Read more about this on the ICO's website.

Data Breaches - a personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. Personal data breaches can be accidental or deliberate. Examples of a personal data breach are:

  • personal data is lost, destroyed, corrupted or disclosed;
  • someone accesses the data or passes it on without proper authorisation;
  • the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.

You should have a procedure in place describing what to do if there is a data breach. If there is a risk that the data breach will cause emotional distress, physical or material damage, or negatively affect an individual's rights and freedoms, you must report this to the ICO within 72 hours. You may also have to inform the individuals.

Individuals' Rights

The GDPR gives individuals rights over how their information is used. The eight rights are:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling.

What does this mean for us?

Have a written privacy notice. This tells individuals about how you will use their information. You should make the privacy notice clear and concise and have it available at the point of collecting the information. This might be at the end of the volunteer application form or if someone is submitting an online form, via a link to a privacy notice on your website.

When deciding on your policy for the length of time you keep volunteer records after a volunteer disengages, there are likely to be common-sense factors to consider such as how often volunteers re-engage with you and whether you need to keep records to be able to produce reports.

If you wish to retain information for monitoring and evaluation purposes, you can anonymise data so that a record no longer contains personal identifiable information.

You may decide to retain a volunteer record longer than your normal retention period if you deem it necessary for safeguarding reasons.

Be prepared for a subject access request. You should have a plan in place so you're prepared if someone wants to view, correct or delete the personal data you hold on them.

Know how to deal with a data breach. A personal data breach is a security incident that has affected the confidentiality, integrity or availability of personal data. Personal data breaches can be accidental or deliberate. Examples of a personal data breach are:

  • personal data is lost, destroyed, corrupted or disclosed;
  • someone accesses the data or passes it on without proper authorisation;
  • the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.

You should have a procedure in place that outlines what to do if there is a data breach. Depending on the circumstances you may have to report the breach to the ICO within 72 hours, and you may also have to inform the individuals whose data has been affected.

Know your 'lawful basis'. Your organisation needs to decide on your lawful basis for processing personal data and tell people what this is in your Privacy Policy. You'll need to decide on an extra 'additional condition' for processing sensitive data. If you process criminal conviction data as part of volunteer recruitment, you will need an additional condition for that too. Read more about this on the ICO's website.

Data sharing contracts. Your organisation might outsource some of its data processing to a third party or it might share data with another organisation, for example using a shared system. Where this happens you must have a written contract in place describing the Data Controller's and the Data Processor's responsibilities and liabilities.

Do a data audit. Make a record of all the personal data you hold, why you hold it, if you have permission to hold it, who can access it, who it's shared with and how long you keep it. This helps you consider the risks and prioritise what actions to take to keep personal data safe. According to GDPR, as at April 2018, smaller organisations must document processing activities that:

  • are not occasional; or
  • could result in a risk to the rights and freedoms of individuals; or
  • involve processing special categories of data (sensitive data) or criminal conviction and offence data.

Other GDPR terms

Data Controllers: these are the people that define the purpose and method of processing personal data. This will probably be your organisation.

Data Processors: this is any person who's responsible for processing personal data on behalf of the controller. You are legally responsible for the data you deal with.

Privacy by Design: when you start a new project or build a new system, you should ensure that protecting personal data is part of the design from the start.


More help?

If you would like more help or advice please contact Volunteer Edinburgh on 0131 225 0630 or email: hello@volunteeredinburgh.org.uk
Or you can drop in and see us:
Volunteer Edinburgh
222 Leith Walk, EH6 5EQ