Data protection
What is data protection?
This section provides an introduction to data protection and how it applies to your organisation. This is a detailed topic, and the steps your organisation needs to take will depend on its circumstances. The information here is drawn from guidance provided by the Information Commissioner’s Office (ICO); refer to the ICO’s website for the detailed guidance that will help your organisation put the necessary measures in place.
Data protection is about ensuring people can trust you to use their data fairly and responsibly.
If your organisation collects information about individuals for any reason, you will need to comply with data protection legislation.
The UK data protection regime is set out in the Data Protection Act 2018 and the UK GDPR. It takes a flexible, risk-based approach which puts the onus on you to think about and justify how and why you use data.
The law applies to any ‘processing of personal data’ and covers most businesses and organisations, whatever their size. It applies to data stored digitally and to paper-based records where they form part of a filing system.
The ICO regulates data protection in the UK. They offer advice and guidance, promote good practice, carry out audits, consider complaints, monitor compliance and take enforcement action where appropriate.
What is personal data?
Understanding what is meant by ‘personal data’ is not straightforward. The ICO’s guidance explains that:
Personal data means information about a particular living individual. This might be anyone, including a customer, client, employee, partner, member, supporter, business contact, public official or member of the public.
It doesn’t need to be ‘private’ information – even information which is public knowledge or is about someone’s professional life can be personal data.
It doesn’t cover truly anonymous information – but if you could still identify someone from the details, or by combining them with other information, it will still count as personal data.
A person’s name and address are examples of personal data, but it could also include other things such as a car registration number, a National Insurance number or an image of the person on CCTV.
The most sensitive types of personal data have extra protection and you may only process them in limited circumstances. This includes criminal conviction and offences data and the list of ‘special categories of personal data’ set out below:
- Race
- Ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data (where this is used for identification purposes)
- Health data
- Sex life
- Sexual orientation
You can find out more about personal data in the ICO’s guidance.
Data protection principles
You will need to understand the data protection principles set out in the legislation and apply them to the work of your organisation. The key principles are:
- Lawfulness, fairness and transparency – you have a lawful basis for collecting personal data and deal with it fairly, openly and honestly.
- Purpose limitation – personal data is collected for specified, explicit and legitimate purposes, and not processed in any manner that is incompatible with those purposes.
- Data minimisation – the personal data collected is adequate, relevant and limited to what is necessary for the purposes for which it is processed.
- Accuracy – you take all reasonable steps to ensure the personal data you hold is not incorrect or misleading, and update it when necessary.
- Storage limitation – personal data is kept for no longer than is necessary.
- Integrity and confidentiality (security) – you have appropriate security measures in place to protect the personal data you hold.
- Accountability – this overarching principle requires you to take responsibility for what you do with personal data and for how you comply with the other principles.
These principles should lie at the heart of your approach to processing personal data. You can find more information about the principles on the ICO’s website.
Getting data protection right
Voluntary organisations need to comply with data protection requirements to safeguard the people they work with. Failing to follow the requirements puts the organisation’s reputation at risk, and the ICO can impose financial penalties for a breach of the rules.
To ensure that you are complying with your responsibilities, we recommend that you visit the ICO’s section for small organisations. This includes checklists and templates you can use, and information on topics that require more detailed consideration, such as working with children, fundraising and direct marketing.
WCVA has created a GDPR Toolkit that contains a suite of template policy documents which you can adapt to cover your data protection requirements. To obtain a copy of the GDPR Toolkit, which is free to voluntary organisations based in Wales, please email [email protected]
Other sources of information
NCVO – Steps to improve your data protection in your organisation