Data protection

People are crucial to your organisation. Even if the difference you want to make is for animals, wildlife, the environment or things, you will come into contact with people, including trustees/committee members/directors, staff, volunteers, donors, users, visitors and the public in general. As well as making sure that people are kept safe physically, mentally and financially, it is very important to protect their privacy, i.e. data protection.

For many organisations protecting people, including their privacy, matters to them, and so they will do what they can to do so. However there is also a lot of legal protection, enshrined in three pieces of legislation:

- Data Protection Act 2018
- UK GDPR
- Privacy and Electronic Communications Regulations (PECR)

These laws are policed by the Information Commissioner’s Office (ICO), which provides a lot of advice and support, is where you need to report certain instances of privacy breaches, and is where members of the public can complain. The ICO has a lot of guidance about how to comply and a helpline: 0303 123 1113. A good place to start is their section aimed at small businesses. They have an online self-assessment tool to help you assess your compliance with data protection law and find out what you need to do to make sure you are keeping people’s personal data secure. Once you have completed each self-assessment checklist a short report will be created suggesting practical actions you can take and providing links to additional guidance that will help you improve your data protection compliance. They also have a sheet of 5 top tips for charities. If you employ fewer than 50 staff, you can invite one of their expert advisors to check how well you’re doing and offer some tips.

Paul Ticher specialises in training on data protection for the voluntary sector and has a number of very readable and useful guides. NCVO have a number of useful guides and templates.
The Data Protection Network is a useful site for guides and for keeping up to date.

So to comply with the law and best practice you should:

1. Decide who will be responsible for data protection

Ultimately it will be the trustees/management committee/directors who are responsible for data protection. Therefore they should have regular reports on what the organisation is doing regarding legal and good practice and make sure that there are appropriate policies and procedures in place. They should also be made aware of any serious breaches. As with many areas of responsibility they may delegate day-to-day management to a volunteer (including one of themselves) or to a member of staff.

Data protection legislation sets out that statutory agencies and others that undertake large-scale processing must have a Data Protection Officer who has statutory responsibilities (see ICO guidance). Most voluntary/community groups will not meet this requirement, so if you appoint someone you should call the role something else so as not to cause confusion, e.g. Data Compliance Officer.

However staff and volunteers also have an individual legal responsibility and can be fined. Therefore make sure that they are aware of the organisation’s responsibilities and their own (see 9. Make sure your staff and volunteers are aware and trained if necessary).

2. Identify what personal data you have

The law relates to personal data, that is information about a living person which is identifiable as being about them. It is also only about recorded information, so not what may be in your head, but it will include electronic or paper records, e-mails, recordings, and photographic and film images if people are identifiable in them. So it does not include information about an organisation (as long as it has its own legal identity, such as a company, CIO or statutory body) but may cover individuals within that organisation.
The information can include basic things like names and addresses, and also more complex or sensitive information such as ethnicity, criminal record, employment history, sexual orientation and health information.

Although data protection and confidentiality overlap, confidentiality is broader: for instance it includes organisations, information not written down (i.e. heard and passed on verbally) and information about people who have died.

You will need to make sure that all personal data is:

- processed lawfully, fairly and in a transparent manner;
- processed for specified, explicit and legitimate purposes and not in a manner that is incompatible with those purposes;
- adequate, relevant and limited to what is necessary for the purposes for which it is being processed;
- accurate and, where necessary, up to date;
- not kept longer than necessary for the purposes for which it is being processed;
- processed in a secure manner, by using appropriate technical and organisational means;
- processed in keeping with the rights of data subjects regarding their personal data.

3. Decide on the legal reason for holding it

Processing of personal data is only lawful if at least one of these legal conditions, as listed in Article 6 of the GDPR, is met:

a) the processing is necessary for a contract with the data subject (e.g. our contract with parents/carers to supply childcare, or with employees);
b) the processing is necessary to comply with a legal obligation (e.g. PAYE, HSE and Ofsted);
c) the processing is necessary to protect someone’s life (this is called “vital interests”, e.g. passing on medical information in an emergency);
d) the processing is necessary to perform a task in the public interest, and the task has a clear basis in law;
e) the processing is necessary for legitimate interests pursued by your organisation or another organisation, unless these are overridden by the interests, rights and freedoms of the data subject.
If none of the other legal conditions apply, the processing will only be lawful if the data subject has given their clear consent. The ICO has an online lawful basis interactive guidance tool.

Purpose c) is only used in life-and-death circumstances, and d) is only really applicable to statutory agencies or those carrying out a statutory duty on their behalf. Many organisations have tended to use consent, but it has problems: if someone withdraws their consent then you must delete all their data, and if that person then complains or takes legal action you may not have any evidence to back up your case. Legitimate interest is likely to be the most used basis, but you need to balance your need to keep the data against any loss of privacy. DPN have some useful guidance.

4. Decide when you will update and how long you hold the data for

The principles above dictate that any information is kept up to date and only for as long as necessary. A good rule of thumb is that any information needs to be checked at least once every three years. If you have ongoing contact with individuals then this is easy. However you need to decide how you will check information about people you have infrequent contact with.

As well as keeping accurate, up-to-date information you must only keep it for the minimum time needed to carry out your purposes. Some of these times may be set in law (for instance keeping records of payments to individuals for 6 years) or by good practice. DPN have a comprehensive guide to legal and good-practice retention times for different sorts of data.

5. Document

If you are ever investigated you will need to show that you have documented your decisions about why you hold your data, etc. (1-4 above). Such a document is sometimes called Records of Processing Activities (RoPA). It is also a good management document and should be updated regularly. We have a template you can use.
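The review and retention rules in step 4, as an added example that is not part of the original page: a small retention register that flags records overdue for a check (the page’s three-year rule of thumb) and records whose purpose has ended and whose retention period has run out (six years for payment records, from the page). The record categories other than payment records, their retention periods and the sample records are constructed assumptions; a real group would take them from its own RoPA.

```python
"""Retention register check (added example, not the page's own code)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Page's rule of thumb: every record is checked at least once every three years.
REVIEW_INTERVAL_DAYS = 3 * 365

# Minimum retention after the purpose ends, in days, by category.
# payment_record: 6 years (from the page). The others are assumptions.
RETENTION_DAYS = {
    "payment_record": 6 * 365,
    "volunteer_application_unsuccessful": 6 * 30,  # assumed: 6 months
    "member_contact_details": None,                # no legal minimum; delete when no longer needed
}


@dataclass
class Record:
    ref: str
    category: str
    collected: date
    last_verified: date
    purpose_ended: Optional[date] = None  # None while the data is still needed


def review_due(record: Record, today: date) -> bool:
    """True when the record has not been checked within the review interval."""
    return (today - record.last_verified).days > REVIEW_INTERVAL_DAYS


def deletion_due(record: Record, today: date) -> bool:
    """True once the purpose has ended and any legal retention period has passed."""
    if record.purpose_ended is None:
        return False
    keep = RETENTION_DAYS.get(record.category)
    if keep is None:
        return True  # nothing requires keeping it: delete now that it is not needed
    return today >= record.purpose_ended + timedelta(days=keep)


def retention_report(records, today: date) -> dict:
    """Refs of records needing a review and refs of records that should be deleted."""
    return {
        "review": sorted(r.ref for r in records if review_due(r, today)),
        "delete": sorted(r.ref for r in records if deletion_due(r, today)),
    }


# Constructed sample register (dates and refs are made up for the example).
SAMPLE_RECORDS = [
    Record("R1", "member_contact_details", date(2019, 5, 1), date(2019, 5, 1)),
    Record("R2", "payment_record", date(2017, 4, 6), date(2023, 1, 10),
           purpose_ended=date(2017, 4, 6)),
    Record("R3", "volunteer_application_unsuccessful", date(2024, 2, 1), date(2024, 2, 1),
           purpose_ended=date(2024, 2, 15)),
    Record("R4", "member_contact_details", date(2023, 9, 1), date(2023, 9, 1),
           purpose_ended=date(2024, 3, 1)),
]
TODAY = date(2024, 6, 1)  # assumed "today" so the run is repeatable

if __name__ == "__main__":
    print(retention_report(SAMPLE_RECORDS, TODAY))
```

Run against the sample register, R1 is overdue for a check (not verified since 2019), R2 passed its six-year retention period and R4 has no minimum retention and is no longer needed, while R3 is still inside its assumed retention period.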
6. Agree a data protection policy

It is important that everyone involved in your group knows how to help protect people’s privacy. To help with this, it can be useful to write a Data Protection Policy outlining your commitments to data protection. It is also useful to write some specific procedures which give details of how you will ensure your policy is upheld. Your policy and procedures should reflect the way you actually do things, so it is better not to just use an “off-the-shelf” version. You can start with our templates (a simple one for small groups and a more detailed version) and, using these steps, individualise it with how and why your group collects, stores, uses and deletes data.

7. Tell those you hold data on that you do

You are required to tell people about the data you keep on them:

- People should know enough about what is being done with their data and their rights.
- Information must be accessible and understandable. If information is too complex then the objective will not be achieved.
- Decide what to tell up front (i.e. on first contact) and later on.
- It may need to be ‘granular’, with perhaps different statements for different groups of people (e.g. staff, trustees/committee members/directors, volunteers, suppliers, donors, etc.).
- If people have more limited understanding then use appropriate versions, in particular for children.

These statements are usually called Privacy Notices. They should include:

- who you are
- what information is being collected
- who is collecting it
- how it is collected
- why it is being collected and the legal basis (if legitimate interest, explain)
- how it will be used (include for what specific operations and means of communication)
- how long it will be kept for
- who it will be shared with
- what the effect on the individuals concerned will be
- whether the intended use is likely to cause individuals to complain
- the right to withdraw consent or to object (if under legitimate interest)
- other individual rights (e.g. subject access, correction, to be forgotten)
- the right to complain to the ICO

The key objective is that data subjects clearly understand why, how and their rights, so it needs to be as simple as possible. The ICO have some detailed guidance with checklists and a simple template. We have a template for staff and users.

Once you have drafted your Notice ask yourself:

- Is it easy to read and in understandable English?
- Is it clear about what data is being held, why and how it will be used?
- Is it clear about your rights?
- Would you sign up to it?
- Would your great Aunty Jane?

8. Review storage, security and deletion of the data

If your group keeps personal data you must make sure that it is secure and can only be seen by those who need to see it. So if it’s in hard copy it should be locked away, preferably in something that cannot be easily moved (e.g. a filing cabinet). Computers should be password protected and, if a laptop, encrypted (organisations have been fined for not doing so, and encryption should be an option on the machine). You should have up-to-date software to protect them from malware and viruses. You should also consider backing up digital information physically or in the cloud. That would mean that if you face a data hack you could still alert the individuals and let them know what’s happened, and also not lose their data if it has been wiped (on purpose or accidentally).

If your group stores personal data on the internet (e.g. attached to emails, in Google Drive, in Dropbox, in MailChimp etc.) you should check that the companies storing the data comply with GDPR regulations and that the data is not transferred outside of the EU (this is still the case despite Brexit). Avoid keeping data for the group on an ad-hoc basis in personal phones and address books. If you write down someone’s details when you are out and about, add them to a central list and then delete them from your private phone or address book.
This is important because if you receive a Subject Access Request (see 10) you must search all recorded material and disclose it, and if that is scattered in many places it can become a mammoth task to check and report.

Once you have finished using personal data for the purpose it was collected for, it should be deleted. It should not be kept indefinitely just in case you want to use it again but don’t know what for. When you delete data, make sure it cannot be accessed by someone else, so use an app or tool on your computer (if deleting files manually make sure you empty the recycle or trash bins/folders and any backups). If deleting paper records use a high-quality shredder. You should also delete people’s data when they ask you to, unless you need to keep it because of a specific legal obligation.

If you send out emails to a list of contacts, you must put information at the end of every email explaining how to unsubscribe from the list. If you use an email newsletter provider this will happen automatically. If you send ordinary emails to a list of people, create an email signature which tells people who they should contact to be removed from the list.

9. Make sure your staff and volunteers are aware and trained if necessary

If anyone – staff or volunteer – gets it wrong in how they handle data about the people you are in contact with, it is the organisation that gets the blame. We could be talking about using the data in unapproved ways, sharing it when it shouldn’t be shared, taking insufficient care of the data when they are working from home or out of the office, or making mistakes in what they record and how they record it. Although many organisations can’t afford the time and money for training, enforcement action has been taken by the Information Commissioner against charities for failing to train staff and volunteers appropriately, so the risk is real – including the possibility of significant fines.
Even a volunteer-run HIV support group was fined £250 when they sent out an email to their several hundred group members that contained the private email addresses of everyone in the group.

So make your staff and volunteers aware of your and their responsibilities for data protection matters when they start, and also remind them from time to time. Make sure they know and understand your data protection policy and procedures, and that these are clear about what they can and cannot do. Regularly review them to make sure that they are doable and effective. If you do want to do some training there are several FREE short online courses, including Virtual College.

Since much data is lost due to poor cyber security it’s a good idea to make staff and volunteers aware of good practice in this area. The National Cyber Security Centre has a range of good guidance, including some aimed at charities. They also have a free online course suitable for staff and volunteers.

10. Get ready for any access requests or breaches/loss of data

People have a right (see ICO guidance) to:

- understand what data organisations have about them and how it is being used
- see that information and get their own copy of it to use however they want
- correct the information if it is wrong
- ask for it to be deleted or limit how it is used
- complain if they don’t like things an organisation is doing with their data.

Therefore individuals have a right to be given a copy of their data, and information about how it is being used. This must be provided within one month of a request (called a Subject Access Request (SAR); see the ICO guidance). They also have a right to have their information amended or deleted within one month of a request (unless you need to keep it for legal reasons).
The rules can be complicated: potentially you have to go through all your records (including, for example, emails) to find any reference to the person who has made the request, and then go through all the material to decide which information has to be disclosed (most of it) and which should be withheld, perhaps because it breaks the confidentiality of someone else. For correction and deletion you again need to decide if it can be deleted (usually, but it depends on what purpose you are holding it for, so again check the ICO guidance). To help identify data, make sure you know where data is being stored, and by whom. Individuals also have the right to complain to you and directly to the ICO (a right you need to tell them about in your Privacy Notice). Get your staff and volunteers to pass the request to someone who can look into it properly rather than trying to sort it out just because they are the one who received the request (one good reason to appoint a Data Compliance Officer).

There are lots of ways that a group might have a “data breach” (see ICO guidance). These include, for example:

- Theft of a laptop or phone with contact details stored in it
- Accidentally sending an email with everyone’s email addresses visible
- Sending personal information to the wrong recipient by mistake (e.g. attaching the wrong document)
- Losing a paper sign-up sheet on which people have written their names and addresses

The most important thing is to recognise if something has gone wrong, so that you can take steps to reduce the impact it will have, and to avoid it happening again in future. Try to keep data protection in mind, so that you notice if there has been a possible data breach. If you have a data breach, the first thing to do is try to get the data back. For example, if you have accidentally emailed someone’s details to the wrong person, contact that person and ask them to delete the information.
The next step depends on whether the data breach is likely to have a significant impact on someone’s life. If it is not likely to have an impact, you should still record internally that it has happened and take steps to avoid it happening again. Some data breaches are more serious though, and need to be reported to the person whose data is affected and to the ICO within 72 hours (the ICO has guidance and a self-assessment tool to help you decide if it needs reporting). Remember that it is much better for the ICO to hear about your data breach from you than from someone else. They are very helpful and understanding and will give clear and independent advice. This will show them that you are a responsible organisation that takes data protection seriously, which makes it less likely they will have significant concerns about you or issue a penalty fine. Remember that large fines are not intended for small groups, but that data protection is for everyone.

11. Decide if you need to register with the ICO

Organisations that process personal data all need to pay a data protection fee to the ICO, unless they are exempt. Small community groups that are volunteer led and only keep information about their members/users will be exempt; for others you will need to consider whether you meet the definition or not. You can use the ICO’s quick self-assessment tool. Your group will be exempt from paying a data protection fee if the group:

- is not-for-profit; and
- only collects, stores or uses personal data for group activities and/or membership.

For most voluntary/community groups the fee will be £40/year (£35 if you pay by Direct Debit) if your annual income is less than £632,000 or you have no more than 10 members of staff.

Other things to be aware of

Controllers and processors

When it comes to GDPR it’s important to understand two terms that identify different parties’ relationship with the data:

- Controllers: they decide the purpose and means of processing data (e.g. if your charity takes phone numbers to ask for more donations in future)
- Processors: they process the data on behalf of the controller (e.g. an external call centre that rings people to seek donations for your charity)

For example, suppose you have the details of staff that you pass on to a payroll service to sort out their pay and report to HMRC. You’re likely a data controller and the company a processor. As a controller, you hold the highest responsibility to comply with the GDPR principles. You must ensure your processors do as well. Sometimes you may be working in partnership with another organisation (including statutory bodies) and, because you jointly decide on the purpose and means, you may be joint controllers. In this case you need a very good agreement to spell out roles and responsibilities, as well as making it clear to those you hold data on.

Sharing personal data with others

You should request explicit consent if you wish to share personal data with third parties (unless you need to do so to fulfil a contract, comply with the law, protect someone’s life or fulfil a public task). Third parties might be other organisations, but they might also be members of your own group. Each individual in a group is separate from the group itself, and data should not be shared with group members to use in a personal capacity without explicit consent.

You should take care not to accidentally share personal data, including with other members of the group. For example, if you send an email to everyone on your mailing list, do not simply type all the email addresses into the “To” field. By doing this you are actually sharing all the email addresses with everyone on the list. Use the “Bcc” field instead. This hides everyone’s email addresses. Data should only be open to those who need to see it.
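The two email points on this page, the Bcc rule just above and the unsubscribe footer that step 8 says every list email needs, in working code as an added example that is not part of the original page. It builds a list message the right way (every subscriber in Bcc, the group’s own address in To, a footer saying who to contact to be removed), builds the mistaken version with every address in To, and checks which subscriber addresses a recipient would actually see. The subscriber addresses, sender and contact address are constructed placeholders.

```python
"""Mailing-list message without address disclosure (added example, not the page's code)."""
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed sample list: placeholder addresses, not real people.
SUBSCRIBERS = ["alice@example.org", "bob@example.org", "carol@example.org"]

SENDER = "newsletter@example-group.org"              # assumed group address
UNSUBSCRIBE_CONTACT = "dataofficer@example-group.org"  # assumed removal contact


def build_list_message(subject, body, subscribers, sender=SENDER):
    """Everyone in Bcc; the group's own address fills To so the header is not empty.

    smtplib.SMTP.send_message strips Bcc before transmission, so recipients
    never see each other's addresses.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(subscribers)
    msg["Subject"] = subject
    footer = (
        "\n\n--\nYou are receiving this because you signed up to our list. "
        f"To be removed from it, email {UNSUBSCRIBE_CONTACT}."
    )
    msg.set_content(body + footer)
    return msg


def build_list_message_wrongly(subject, body, subscribers, sender=SENDER):
    """The mistake the page describes: every subscriber typed into To."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(subscribers)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def visible_recipients(msg):
    """Addresses a recipient sees in the delivered headers (To and Cc only)."""
    seen = []
    for header in ("To", "Cc"):
        value = msg.get(header)
        if value:
            seen.extend(parseaddr(part.strip())[1] for part in str(value).split(","))
    return seen


def check_no_subscriber_leak(msg, subscribers):
    """Subscriber addresses that would be disclosed to the other recipients."""
    visible = set(visible_recipients(msg))
    return sorted(addr for addr in subscribers if addr in visible)


def has_unsubscribe_footer(msg):
    """Does the body tell recipients how to be removed from the list?"""
    return UNSUBSCRIBE_CONTACT in msg.get_content()


if __name__ == "__main__":
    good = build_list_message("Newsletter", "Hello everyone.", SUBSCRIBERS)
    bad = build_list_message_wrongly("Newsletter", "Hello everyone.", SUBSCRIBERS)
    print("leaked by Bcc version:", check_no_subscriber_leak(good, SUBSCRIBERS))
    print("leaked by To version:", check_no_subscriber_leak(bad, SUBSCRIBERS))
```

The check is worth running before any send from an ordinary mail account, because it is the To version that produced the kind of breach the HIV support group was fined for: the same message, the same recipients, but every address visible to every recipient.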
The ICO have fined people who have accessed data within their organisation that they were not entitled to view.

Marketing

Direct marketing does not just refer to selling products or services to individuals; it includes the promotional activities of voluntary and community groups, such as promoting your aims and ideals, as well. So communications that tell people about yourself, your services, training, becoming a member, etc. are all covered by this definition even if they are free. Also, asking for permission to market by email IS marketing too!

Responding to a request for information, advice, contacts etc. is not marketing but is called a ‘service’ message. However any response must not contain something that could be seen to be ‘marketing’. For instance, replying to someone’s request about volunteering or a particular service is a service message, but if you talk about your membership, ask for a donation or mention an unrelated service, that will be marketing. If so you need to follow data protection law. ICO has detailed guidance and a 30-minute webinar that looks at direct marketing for charities.

If you are marketing then you must also comply with PECR (Privacy and Electronic Communications Regulations). There are specific rules on:

- marketing calls, emails, texts and faxes
- cookies (and similar technologies)
- keeping communications services secure
- customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings

The ICO has some guidance. PECR stipulates that you must not send marketing emails or texts to ‘individual subscribers’ without specific consent.

Telephone marketing

You cannot make unsolicited telephone calls to an individual or organisation who has told you they do not want your calls, or to any number on the Telephone Preference Service list, unless the individual or organisation has told you they do not, for the time being, object.
Automated calls

You cannot make automated calls (pre-recorded phone messages) without getting the individual’s or organisation’s permission first.

Electronic mail (email, text, voice, picture and video messages)

You cannot send unsolicited marketing by electronic mail without getting the individual’s permission first. PECR refers to the ‘individual subscriber’. This means you can send direct marketing emails or texts to any corporate body, such as a charitable company, company, CIC, CIO and most statutory bodies, because they are not an individual. You must still say who you are and give a valid address for the recipients to unsubscribe from your communications. If they are an individual, sole trader or unincorporated body (many voluntary and community groups) then they are covered by PECR, i.e. an ‘individual subscriber’. However if the ‘corporate’ e-mail address includes a person’s name (generally [email protected]) then they will be covered by GDPR and you will need to be able to show a ‘legitimate interest’ in contacting them (e.g. that the communication is relevant to their role/position in the organisation and that the risk to their privacy is low).

Fundraising and data protection

Data protection covers all organisations, no matter how big or small your organisation is or what sector you work in. So, if you are working in an organisation that fundraises and takes donations from members of the public, you will want to know the answers to the following:

- What are my responsibilities in handling personal data of supporters?
- How and when can I contact supporters?
- Do I need to get consent for all communications?
- What policies and procedures should we have in place?

ICO has a webpage with links to guidance. This resource from the Chartered Institute of Fundraising is a starting point for fundraisers, to help them understand the key parts of data protection regulation in relation to direct marketing.