Good practice for unit records

• If you leave records at the meeting place they must be locked away. Personal data must not be displayed in any public place.
• If you store records at home, lock them away when not in use.
• Keep all computer records in a password-protected database or file. Do not use an obvious password and never write the password down. Keep a password-protected backup copy of the information in a separate, safe place.
• Check with each data subject that his/her record is correct at least once a year.
• Destroy out-of-date records by burning or shredding. Make sure out-of-date computer records are deleted from the database or file and any discs are completely destroyed.
• Do not give lists to non-guiding people or organisations such as churches unless you have gained permission from the girls' parents or guardians to do so. 
• Do not use your records for anything other than guiding purposes.
• Be prepared to show the girls, their parents or guardians and other adult Leaders what information you hold on them if they ask.
• Try to keep your records in a way that, while looking at one person's details, you are not revealing someone else's on the same page.
• Only record facts not opinions.
• Only collect the information you need to carry out your role as a Leader or Commissioner.
• If you keep lists of non-members, eg badge testers, then ensure that you have their approval to include them on a list.

Background

The latest Data Protection Act came into force at the beginning of March 2000. Key changes under the Act included:

• Extending the provision to include manual records.
• A new definition of Sensitive Personal Data.
• An individual right to prevent processing likely to cause damage or distress.
• An individual right to prevent processing for the purpose of direct marketing.
• New exemptions from notification and registration.
• A direct requirement on data controllers to comply with the data protection principles whether they are required to notify under the Data Protection Act or not.
• The Data Protection Registrar will now be called the Data Protection Commissioner and has powers of enforcement, a new duty to promote good practice and a power to issue codes.

Definitions

Data

Information processed by means of automatic equipment (computers, faxes etc) and/or recorded as part of a 'relevant filing system' and/or which constitutes an accessible record.

Personal data

Data about any living individual who can be identified from that data or from any other information held by the data controller.

Sensitive personal data

Explicit consent is required to hold information about:

• race and/or ethnicity
• political beliefs
• religious and similar beliefs
• trade union membership
• physical/mental health
• sexuality
• criminal convictions and offences.

Names, addresses, dates of birth and telephone numbers are not considered sensitive personal data.

Data processing

Obtaining, recording or holding personal data and 'carrying out any operation or set of operations on it.'

Data controller

The person or persons who determine the purposes and manner in which personal data is processed.

Data subject

Each individual whose information is held.

Relevant filing system

'Any set of information relating to individuals, that... is structured... in such a way that specific information relating to a particular individual is readily accessible.' In other words, any set of well-kept records whether on computer or not.

EEA

European Economic Area (the 15 EU member states plus Iceland, Liechtenstein and Norway).

Eight data-protection principles

Data must be:

• processed 'fairly and lawfully'
• obtained for a 'specified and lawful purpose'
• adequate, relevant and not excessive to that purpose
• accurate and up-to-date
• kept only for as long as required for the purpose for which it was obtained
• processed in accordance with the rights of data subjects
• secure - the level of security being proportionate to the level of harm that could result if unauthorised access occurs
• not transmitted outside the EEA without consent from the data subject.

Rights of data subjects

Data subjects have the right:

• To know that the information is held and the purpose for which it is held.
• To stop any automated processing (eg preference expressed that no data is held in computer system).
• To stop processing likely to cause 'substantial damage or distress'.
• To receive prompt replies to queries concerning data held about the subject. (If requests are received from data subjects, copies of their records must be made available within 40 days.)
• To prevent processing for the purposes of direct marketing.

Exemptions

Registration is now called notification and an exemption from notification has been provided for small clubs, voluntary organisations, church administration and some charities. This applies to all Guiding units, Districts, Divisions and Counties if your processing is only:

'for the purposes of establishing or maintaining membership or support for an association not established or conducted for profit or providing or administering activities for individuals who are either members of the body or association or have regular contact with it.' Those who employ staff are also exempt if their processing is for the purposes of recruitment, appointment, appraisal, discipline, salaries and pensions.

All those processing and using data on behalf of Girlguiding UK need to abide by the eight data protection principles and ensure the rights of data subjects are upheld.

For further information regarding exemption, transitional arrangements or other parts of the Act, visit the Data Protection website on www.dataprotection.gov.uk .

Data Protection Act 1998 and Girlguiding UK

Our current registration covers our use of data for five purposes:

• Personnel/employee administration
• Marketing and selling (including direct marketing to individuals)
• Purchaser/supplier administration
• Customer/client administration
• Membership administration

There are many Counties who have registered and the new exemptions may mean that this is no longer necessary.

Implications

Counties, Divisions, Districts and units may need to audit their manual information including card indexes etc, to ensure they comply with the eight principles and that any irrelevant or inaccurate records are removed.
Many Counties have removed the danger of different sets of records held at Division and District level by issuing each new Commissioner with a copy of the County records for her area and updating these annually. (Manual data held prior to October 1978 will have a longer exemption from some of the eight principles until 2007.)

Sensitive personal data

The following information, regularly held in guiding, is classed as Sensitive Personal Data: -

• Health
  Details of medical conditions such as asthma to enable Leaders to be prepared for medical emergencies and to avoid allergies.
• Disabilities
  Details of any disability, to enable integration and to access any special provision required.
• Religion/faith and race or ethnic origin
  To enable Leaders to ensure programmes and menus take account of cultural needs.
• Counties, Divisions and Districts should ensure that any internal forms which request sensitive personal data include explicit consent for that data to be held and that adequate procedures are in place for individuals to access their data.

Suggested wording

I understand information supplied on this form will be held in a database for membership administration purposes. I give explicit consent to details of my daughter's disabilities, health, religion/faith, race or ethnic origin being held confidentially within guiding.