Collecting, using and destroying personal data

Find out what you need to do when handling personal data

Last updated 26 April 2024

This guidance is part of our managing information procedure.

As a Girlguiding volunteer youll collect and use personal data all the time. So it’s important you know how to do this correctly. 

Collecting personal data 

You might collect personal data about young members and other adult volunteers in lots of ways. For example: 

  • By using a Girlguiding form. 
  • By phone. 
  • In person. 
  • By email. 

Photos and videos are also a type of personal data. Check out our guidance on handling photos and videos. 

Using a Girlguiding form 

It’s important to always use the current version of the formyou need, from the Girlguiding website. Don’t make your own versions of forms.  

The most common data collection forms you’ll use are: 

  • New starter form. 
  • Information and consent form. 
  • Health form. 
  • Residential event notification (REN) form. 

Please make sure you use the right form when collecting data. 

If someone can’t fill in a form or put information into GO themselves, you may need to collect personal data by phone or in person. You should treat the information you collect just as carefully as any other personal data.  

Make sure you: 

  • explain who you are and why you’re collecting personal data 
  • be precise. Only ask for the information you need. Make short, clear notes or write directly onto a form 
  • collect information accurately. Read it back to the person to make sure it’s correct 
  • are somewhere private any time you talk about personal data. If other people overhear you, it could be a data breach. 

If you can’t collect personal data through a Girlguiding form, in person or over the phone, you can use email.  

It’s very easy to accidentally send an email with personal data in it, like email addresses or sensitive information, to the wrong person. So it’s important to be extra careful and get into good email habits. You should also think about which email account to use. 

Make sure you: 

  • use the BCC field if you’re emailing more than one person so you don’t share anyone’s email address  
  • explain who you are and why you’re collecting the data 
  • don’t ask for personal data on an existing email chain. Always create a new email, and don’t use that email chain to discuss anything else afterwards  
  • use an up to date email address list. Getting email addresses from GO each time you need them is the best way to make sure they’re always up to date. This will stop you from accidentally emailing someone who’s left the unit or area. If you do decide to save email addresses in an email address book, make sure you only use it for your volunteering role and you update it regularly. 
  • delete the email once you’ve recorded the information on GO or no longer need it 

Storing personal data 

Once you’ve collected personal data, you need to store it safely and securely. This means nobody else should be able to see it. Even if someone is involved with Girlguiding, it doesn’t mean they should have access to the same personal data as you. 

  • If you need to upload the information you’ve collected onto GO, keep it safe until you can do this. Once it’s on GO, destroy or delete the relevant parts of the form, notes or email you used to collect the information. Any information you can keep on GO, should be kept on GO. 
  • If you’re keeping personal data at home, make sure your family and friends can’t see it. Locking it away somewhere safe is always a good idea. If that’s not possible, pop it in a drawer or closed bag. Don’t leave any personal data in your car as you could lose it or someone could steal it. 
  • If you need to take forms on a trip or to a unit meeting, a nominated volunteer should be in charge of keeping them safe. Use a secure bag, for example with a zip or lock. Make sure you never leave it unattended. Keep it in a safe place so you can easily access it, but others can’t see it. 
  • If you want to keep personal data, like unit registers, at your unit meeting place you must make sure people from outside Girlguiding and volunteers without permission to see it can’t access it. You could use a locked cupboard, with only unit leaders having keys. If people outside Girlguiding who use the same venue have access to the cupboard, you’ll need to take the data home with you every week and store it securely.

The amount of time you should keep data for varies, depending on what you use it for. Our information retention schedule (see table below) explains how long you need to keep different files. Find out more about destroying information further down this page. 

Accessing and using personal data 

Personal data on GO 

All volunteers must agree to have their details recorded on GO to join Girlguiding. Parents and carers must also have their details recorded on GO for their child to be a member. 

All Girlguiding volunteers have access to GO. But the information each person can see depends on their role. Only being able to see the information you need for your role lowers the risk of it being used incorrectly.  

The level of GO access you’re given is personal to you. You must never share your login details with anyone else, even other Girlguiding members. 

Ideally information on GO should stay on GO. But we know this isn’t always practical or possible. For example, if you don’t have internet access at your unit meeting place, you might need to keep some essential details on paper. But make sure it’s only what’s absolutely necessary and that you keep it up to date. It’s preferable to keep information on a laptop, tablet or phone if possible, as it’s easier to keep secure.  

Using electronic devices 

You can use your personal devices – your smartphone or tablet, for example – to process Girlguiding personal data. Try to only use one device, as this will reduce your risk of keeping out of date or inaccurate information. It’ll also make it easier to delete information regularly.  

  • Make sure your device is password protected. 
  • Regularly delete information you no longer need from your device, and from your cloud storage. 
  • If you share your device with other family members or children, make sure only you can access Girlguiding information. 
  • Add a password to any email accounts or documents, or set up a separate profile only you can access. 
  • If you’re using a work device be aware of what the IT team at your workplace may be able to access. Don’t save any personal data others could see. 

Keeping information up to date 

Once you’ve collected personal data, you need to make sure you keep it up to date. Keeping old or inaccurate information will make Girlguiding run less effectively and may even pose a serious risk to young members’ and volunteers’ safety. So it’s important you regularly review what you have. 

If a parent or carer says the information you have on GO is wrong, ask them to log in and update it, or do this for them.  

GO needs to be updated as soon as possible any time someone changes roles or leaves Girlguiding. The unit team should do this for young members, and the commissioner for volunteers.  

At the end of each term: 

  • Check the information retention schedule.  

At least once a year: 

  • Check your details are up to date on GO. 
  • Confirm with parents and carers that their details and their child’s details are up to date on GO. 
  • Remind other volunteers to update their details on GO. 
  • Check the information you have saved anywhere else about parents and carers, young members and volunteers is still correct. 

If you’ve had a lot of girls moving up to the next section, new starters or leavers you may need to review your data more often. 

Using personal data  

Personal data Girlguiding collects can only be used for the specific purpose we collected it for. This means we must only use it to help with the day-to-day running of Girlguiding and to allow members to take part in guiding activities. 

Some examples of ways you can use data include: 

  • Contacting parents or carers about arrangements for unit meetings and activities. 
  • Letting members, parents and carers know about Girlguiding’s rules and policies, and other conditions of membership. 
  • Caring for members and giving any medication or emergency treatment. 
  • Letting members, parents and carers know about events, activities and learning opportunities that support the guiding programme for girls and young women. For example, opportunities for international travel, adventures or skills development. 
  • Planning Girlguiding events. 

If you’re running a joint event with the Scouts or another organisation, you can’t share data collected for or by Girlguiding without getting additional consent from the people attending. You’ll need to make them aware what data you’re sharing and why, and how it will be used. 

Unacceptable uses of personal data 

You mustn’t: 

  • Use personal data to communicate with people about activities not related to guiding. For example, you can’t send emails to parents or carers about another organisation or non-guiding activity you’re part of 
  • Add personal data into another app or online service like Online Guide Manager (OGM) to manage unit administration if GO has the functionality to do this. For example, other applications mustn’t be used to manage the unit member sign up process, training information, or to track achievements, but could be used to manage some event admin  
  • Share data with anyone else, including other Girlguiding volunteers, if you don’t have consent to do so 
  • Continue to use data you get from GO or through Girlguiding if you change roles, move area or change unit, and no longer have access to this information 
  • Continue to use data you get from GO or through Girlguiding after you’ve left Girlguiding.

How long can I keep personal data for?

This table lays out our unit data retention schedule ie. how long you should keep different types of data for under GDPR.

Document

Guideline retention period

Reason

New starter forms for Rainbows, Brownies and Guides
  • Pages 3, 4 and 5 (personal details) to be retained until data entered into Girlguiding membership database (GO)
  • Page 6 (permission for activities in local area) to be retained for duration of section affiliation + 1 year 
  • Page 7 (Gift Aid) to be retained for 7 years

Operational policy

HMRC tax audit

New starter form for 14-17-year olds
  • Pages 3 and 4 (personal details) to be retained until data entered into Girlguiding membership database (GO)
  • Page 5 (permission for activities in local area) to be retained for duration of section affiliation + 1 year
  • Page 6 (Gift Aid) to be retained for 7 years

Operational policy

HMRC tax audit

New starter form for 13-year-old young external volunteers
  • Pages 3, 4 and 5 (personal details) to be retained until data entered into Girlguiding membership database (GO)
  • Page 6 (permission for activities in local area) to be retained for duration of section affiliation + 1 year
Operational policy
Information and consent  forms (‘consent forms’) 1 month from date of event Safeguarding
Health forms Duration of event. If medical treatment or medication administered, 1 month from date of event  
Unit registers / attendance records 1 year Safeguarding
Notification of accident or incident forms and documents relevant to incident, including accident or incident witness statement forms Retain at unit level until insurance team at HQ has confirmed they have received a copy of the form and relevant documents Organisational policy
Residential event notification and approval forms (REN forms) 1 year from date of event Membership compliance
Event and activity risk assessment 1 year from date of event  
Home contact agreement/role outline Duration of event  
International residential permission to plan form Until event has taken place Membership compliance
Unit meeting minutes 6 years after the expiry of the year in which the minutes were taken Organisational policy

Incident review form

1 year from the date of the incident

Organisational policy

 

 

Deleting and destroying information 

Our information retention schedule (see table above) lets you know how long you should keep different documents.  

What you can keep: 

  • Current records. Make sure you store these securely.  
  • Some historic records. Find out more about what you can keep in an archive below. 

What you can’t keep: 

  • Old forms. This includes health forms, unless you need to pass them on to HQ because they relate to an incident or safeguarding concern. Once you pass them on you should delete or destroy them. 
  • Contact lists.  
  • Photos you don’t have permissions for. Find out more about photos and videos.

If you move to a new area, or leave Girlguiding, you must hand over all your historic records to another leader or your commissioner. If you change role, check if you should still have access to historic records and hand them over if necessary. 

Destroying forms 

You need to destroy forms after you’ve used them for their specific purpose. You can shred or rip them so no one can put them back together and read them.  

You should delete electronic forms, including from your email and cloud storage. Check the help tab on your email or cloud storage provider to find out how to permanently delete things. 

Financial records 

Your volunteering role may involve dealing with your unit or level’s finances. These financial records will include some personal data. For example, the names of girls who’ve paid subs or filled out Gift Aid declaration forms. You must treat financial records the same as all other personal data.  

You need to keep financial records for seven years – this is the charity regulators’ rule. Read our finance procedure to find out more. 

Keeping historical records in an archive 

You might have records that show the history of your unit or of guiding in your area. You can keep these as part of an archive. 

You must have a genuine purpose for your archive. For example, keeping a historic record of your unit’s history so people can look at it in years to come. But please remember this isn’t an excuse to keep everything, and you should minimise what you keep. 

People can object to you using their personal data for an archive. If they do, you’ll need to show you aren’t putting the interests of the archive above the interests of the person in question.  

You can store your archive physically or electronically. You should keep physical records securely locked away. You could keep digital records in a limited access, password protected cloud account, or on a device like a USB stick, protected with a password. 

If you’ve got a mix of physical and digital records, you could keep the digital records on a password protected hard drive in the same place you keep the physical records. 

You might want to keep: 

  • Press cuttings. 
  • Scrapbooks.
  • Records of the history of your unit or Guiding in your area. For example, programmes of events and details of projects you’ve done, like tree planting. 
  • Photos to record the history of your unit or area. It’s fine to write names on them. But you shouldn’t record any other personal data, like addresses or dates of birth. If you’ve got lots of digital photos, just pick out the best ones. 

Any questions? 

If there’s anything you’re not sure about, contact us at [email protected].