Volunteer Centre Logo
Volunteer Centre Edinburgh, UK

Data Protection

Introduction

Most volunteer involving organisations hold information on their staff, volunteers and perhaps their clients. This information is likely to be personal data, and therefore subject to the 1998 Data Protection Act. Data protection legislation has been around since 1984. This has been strengthened by the 1998 Data Protection Act, which gives rights to Data Subjects and creates a framework of good practice for those holding personal data. The Act does not suggest that you have a right to hold personal data. It implies, rather, that you need to qualify to do so under the terms of the Act. This is a very brief guide to the main parts of the Act.

What is personal data?

‘Personal’ refers to data about identifiable, living, individuals. It does not apply to information about companies or organisations, or to completely anonymous information. If you can identify individuals from the information that you hold, then it is ‘personal’, and the Act applies.

‘Data’ is information:

  • Held on computer
  • Held in relevant manual files
  • Information intended for those systems (e.g. questionnaire forms)
  • Certain other information held by government and local government agencies

Who is responsible for the Data?

The ‘Data Controller’ is ultimately responsible for dealing with personal data in the appropriate manner. In most cases the organisation or managing committee will be the ‘Data Controller’, while individual staff and volunteers handling that data act as agents of the data controller. Where two organisations share data, they need to be careful to identify their responsibilities clearly - it may be best to put these in writing.

What are your duties under the act?

There are eight principles of good practice under the Act. These apply to all Data Controllers, whether or not they have to register with the Data Protection Commissioner. Data must be:

  • Fairly and lawfully processed
  • Processed only for specified and lawful purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept longer than necessary for purpose specified
  • Processed in accordance with the rights of the data subject
  • Secure from the point of collection through to disposal
  • Not transferred to countries without adequate protection of data subjects (e.g. the Internet)

When are you allowed to process data?

The 1998 Act states that personal data should be processed fairly and lawfully. Processing of data can only be carried out where at least one of the following applies:

  • The Data Subject has given consent
  • Processing is necessary to fulfil contractual obligations to which the Data Subject is party
  • Processing is necessary due to legal obligation
  • Processing is necessary to protect the vital interests of the Data Subject
  • Processing is necessary for various judicial and government functions
  • Processing is in the legitimate interests of the Data Controller, unless it conflicts with the Data Subject’s rights, interests and freedoms

Most voluntary organisations will be able to meet at least one of these criteria. There are special rules for Sensitive Data.

Sensitive Data

This is information about:

  • Racial or ethnic origin
  • Political opinions
  • Religious beliefs or similar
  • Trade union membership
  • Physical or mental health
  • Sex life
  • Alleged criminality/criminality

The intention of the 1998 Act is that, wherever possible, to process sensitive data, one should obtain the explicit consent of the data subject. Data Controllers need to meet at least one of the following conditions:

  • There is explicit consent
  • There is a legal obligation to process data in connection with employment
  • The data is in the vital interests of the data subject or another person, or it is reasonable to proceed without it
  • You are processing data for organisations with religious, political, trade union, or philosophical aims. This does NOT apply to most voluntary organisations in this context.
  • The data has been made public by the Data Subject
  • You are processing data in connection with giving legal advice or representation
  • You are processing data in connection with certain judicial or government functions
  • You are processing data in connection with medical care and are bound by a practitioner’s duty of confidentiality
  • You are processing data in order to monitor equal opportunities
  • You are processing data in connection with giving confidential counselling, advice, support or other services, and can’t obtain permission, or it is reasonable to proceed without it
  • You are processing data in connection with various insurance activities

Security

You need to have ‘appropriate’ security to guard against:

  • Anyone seeing the information that shouldn’t
  • Data getting damaged, lost or destroyed

Getting security right is like risk assessment. You should consider the harm that might be caused, how easily it could come to harm, and how great the damage might be. Most measures are fairly common sense, though extra guidance can be found in the rather complex British Standard 7799.

Suggestions for controlling access:

  • Be clear with staff and volunteers about what they should or should not have access to.
  • Train staff on data security.
  • Keep confidential files locked away.
  • Don’t allow unauthorised people to be left alone with personal data
  • Clear away personal data before leaving the office (and letting the cleaners in).
  • Encrypt and password-protect databases and e-mail.
  • Keep track of personal data that people take out of the office.
  • When you delete files ensure that they’ve left the system (i.e. empty recycle bin).
  • Change passwords regularly.
  • Require external contractors to treat information confidentially.
  • Shred manual files.
  • Suggestions for avoiding loss or damage:
  • Keep backups of electronic data.
  • Protect manual files and backups from fire.
  • Protect against computer viruses.
  • Don’t take stuff out of the office unless it’s a secure copy.
  • Ensure that all staff know what not to delete (you’d be surprised!).

Notification

If you are a Data Controller, you need to notify the Data Commissioner about the information you hold and its purposes, and your security measures, unless you are exempt. Remember though, that even if you are exempt from Notification, you are still subject to the legislation, and must treat your data accordingly.

Exemptions include:

  • Data that is held entirely manually
  • Data held for ‘core business purposes’, e.g. personnel administration including payroll and volunteers, accounts, customer/ supplier records, marketing, membership records

All such data should be strictly ‘necessary to the purpose’ to qualify for exemption. Failure to notify, where it is required, is an offence. The Data Controller should notify the Data Protection Commission by phone: 01625 545740, or go to www.dpr.gov.uk. Notification costs £35.

Rights of the Data Subject

Data Subjects have the right to make a ‘Subject Access Request’. You can charge up to £10 for answering this request. This request, made in writing (letter, fax, or e-mail) entitles the Data Subject to:

  • Description of the data being processed
  • An explanation of why the data is being processed
  • A copy of all the data you hold on them
  • A description of the source of the data
  • A description of potential recipients of the data

The Data Subject has the right to prevent processing likely to cause damage or distress, and prevent processing for the purposes of direct marketing.

Note

This factsheet is intended as an introduction only. It refers to definitions which we haven’t had room to explore here, but which you’ll need to look at if you’re taking Data Protection seriously. Check out the contacts/ publications opposite for clarification.

Terms

Data Controller: a person who, alone, jointly, or in common with others, determines the purposes for which, and the manner in which, personal data is processed.

Data Processor: a person other than an employee of the Data Controller who processes data on behalf of the Data Controller.

Data Protection Commissioner: official responsible for enforcing Data Protection law (previously know as the DP registrar).

Data Subject: a person whose personal data is processed.

Manual Records: personal data held on a relevant filing system: a set of information, not on a computer, organised in such a way that information relating to individuals is readily accessible.

Notification: process of informing the Data Protection Commissioner about data held by the data controller that is subject to the 1998 Act.

Processing: recording, holding, obtaining data or information or operating upon the data in such a way as to change, disclose, use, combine, arrange, erase or disseminate it (etc).

Relevant filing system: see Manual Records.

More information

Data Protection for Voluntary Organisations, Paul Ticher (www.dsc.org.uk £14.95 ISBN 1 903991 19 6)

Data Protection Commissioner: Call 01625 545745 for information, or try www.dataprotection.gov.uk

Data Protection Act: Get a copy of the act from HMSO: www.hmso.gov.uk/acts/acts1998/19980029.htm

Notification Self Assessment Guide: Download from http://www.dpr.gov.uk/downloads/selfassess.pdf (.pdf)

Volunteer Centre Edinburgh: Get copies of this and other Volunteer Centre Edinburgh factsheets from www.volunteeredinburgh.org.uk

See also:

Sample policy on the secure handling, use, storage and retention of disclosure information

Sample guidance on confidentiality

[Updated Nov 2002]

BECOME RICHER. WORK FOR NOTHING.