Collecting, using and destroying personal data

How to handle personal data in your Girlguiding role

Page last updated 1 October 2025.

See change log for recent updates to this webpage.

Find out what's changed and why in the most recent updates to this procedure

This page is part of our managing information procedure.

This procedure explains how to follow the managing information policy when handling personal data in your Girlguiding role.

Personal data is any information about a person, including names, addresses, phone numbers, images and characteristics of their identity.

This procedure is for volunteers. Girlguiding employees must use the staff procedure on the intranet.

Collecting personal data

The safest way to collect personal data is by using a Girlguiding form or directing people to input data into Girlguiding’s online platforms themselves. That way, you’ll only be collecting the information you need.

It’s important to always use the current version of the form you need, from the Girlguiding website. Don’t make your own versions of existing forms.

If you have to collect personal data in another way, for example by phone, in person or by email, you must:

  • Explain who you are and why you’re collecting personal data.
  • Include a link to Girlguiding’s privacy notice, or explain that this can be found on the website.
  • Be precise. Only ask for the information you need. Make short, clear notes or write directly onto a Girlguiding form or input into one of Girlguiding’s online platforms.
  • Collect information accurately. Read it back to the person to make sure it’s correct.
  • Make sure you’re somewhere private. If other people overhear you, it could be a data breach.
  • Use the BCC field if you’re emailing more than 1 person so you don’t share anyone’s email address.
  • Don’t ask for personal data on an existing email chain. Always create a new email, and don’t use that email chain to discuss anything else afterwards.
  • Use an up-to-date email address list. Getting email addresses from Girlguiding’s online platforms each time you need them is the best way to make sure they’re always up to date. This will stop you from accidentally emailing someone who’s left the unit or area. If you do decide to save email addresses in an email address book, make sure you only use it for your volunteering role and you update it regularly.
  • Delete the email once you’ve recorded the information on Girlguiding’s online platforms or no longer need it.

Back to top

Using personal data in your role

Personal data collected by Girlguiding and volunteers in their Girlguiding roles can only be used for the specific purpose it's collected for. This means data must only be used to help with the day-to-day running of Girlguiding and to allow volunteers and young members to take part in guiding activities.

Some examples of ways you can use personal data include:

  • Contacting parents or carers about arrangements for unit meetings and activities.
  • Letting young members, parents and carers know about Girlguiding’s rules and policies, and other conditions of membership.
  • Caring for young members and giving any medication or emergency treatment.
  • Informing volunteers, young members, parents and carers about events, activities and learning opportunities that support the guiding programme for girls and young women. For example, opportunities for international travel, adventures or skills development.
  • Planning Girlguiding events.

If you’re running a joint event with the Scouts or another organisation, where possible the personal data for Girlguiding volunteers and young members shouldn’t be shared with anyone from the other organisation. If this isn’t possible due to the type of event, for example a Gang Show, you must get additional consent before sharing any data collected for or by Girlguiding. You must make them aware what data you’re sharing and why, and how it will be used. We recommend sharing a copy of the other organisation’s privacy notice, which will explain how they handle personal data.

Unacceptable uses of personal data

You mustn’t:

  • Use personal data to communicate with people about activities not related to guiding. For example, you mustn’t send emails to parents or carers about another organisation or non-guiding activity you’re part of.
  • Share data with anyone else, including other Girlguiding volunteers, if you don’t have consent to do so.
  • Input personal data into any generative AI tool.
  • Continue to use data you got through Girlguiding if you change roles, move area or change unit, and no longer have access to this information.
  • Continue to use data you got through Girlguiding after you’ve left Girlguiding.

Using non-Girlguiding apps or online services

You must only use non-Girlguiding apps or online services if Girlguiding’s online platforms don’t have the necessary functions. This includes Online Guide Manager (OGM). This is because we don’t have consent to use personal data in this way, and we don’t know how safely personal data entered into other online services is stored, or how long it will be kept.

For example, other applications mustn’t be used to manage the unit member sign up process, training information, or to track achievements. But, it could be used to manage some event admin.

If you do decide to use another app or service, you must:

  • Minimise the amount of personal data recorded to reduce the risks.
  • Check the privacy notice and any other policies around security and data retention so you understand how the data you input will be stored and used.
  • Get consent from parents, carers and volunteers to use their personal data in this way.

Back to top

Storing personal data

Personal data must be stored safely and securely so it can’t be accessed by anyone else. Even if someone is involved with Girlguiding, it doesn’t mean they should have access to the same personal data as you.

Remember, if a subject access request is made, you must share any information you hold about the person. This includes anything sent or received by email or shared on social media.

All volunteers must agree to have their details recorded on Girlguiding’s online platforms to join the organisation. Parents and carers must also have their details recorded on Girlguiding’s online platforms for their child to be a young member.

All Girlguiding volunteers have access to our online platforms. But the information each person can see depends on their role. Only being able to see the information you need for your role lowers the risk of it being used incorrectly.

The level of access you’re given is personal to you. You must never share your login details with anyone else, even others in Girlguiding.

If you’ve collected information which needs to be recorded on our online platforms, keep it safe until you can do this. Once it’s recorded online, destroy or delete the physical or electronic copies of the information. Any information you can keep on our online platforms, should be kept there.

You can use your personal devices – your smartphone or tablet, for example – to store and use Girlguiding personal data. Try to only use 1 device, as this will reduce your risk of keeping out-of-date or inaccurate information. It’ll also make it easier to delete information regularly.

  • Make sure your device is password protected.
  • Regularly delete information you no longer need from your device, and from your cloud storage.
  • If you share your device with anyone else, make sure only you can access Girlguiding information.
  • Add a password to any email accounts or set up a separate profile only you can access.
  • Protect documents or folders by using passwords or limiting access to only those who need it.
  • If you’re using a work device be aware of what the IT team at your workplace may be able to access. Don’t save any personal data others could see.

Ideally information recorded on our online platforms shouldn’t be recorded anywhere else. But we know this isn’t always practical or possible. For example, if you don’t have internet access at your unit meeting place, you might need to keep some essential details on paper. But make sure it’s only what’s absolutely necessary and that you keep it up to date. It’s preferable to keep information on a laptop, tablet or phone if possible, as it’s easier to keep secure.

  • If you’re keeping personal data at home, make sure no one else can see it. Locking it away somewhere safe is always a good idea. If that’s not possible, pop it in a drawer or closed bag. Don’t leave any personal data in your car as you could lose it or someone could steal it.
  • If you need to take forms on a trip or to a unit meeting, a nominated volunteer should be in charge of keeping them safe. Use a secure bag, for example with a zip or lock. Make sure you never leave it unattended. Keep it in a safe place so you can easily access it, but others can’t see it.
  • If you keep personal data, like unit registers, at your unit meeting place make sure people from outside Girlguiding or volunteers without permission can’t access it. You could use a locked cupboard, with only unit leaders having keys. If people outside Girlguiding who use the same venue have access to the cupboard, you must take the data home with you every week and store it securely.

Keeping historical records in an archive

Under data protection law you’re allowed to keep some personal data for the long-term benefit of society. This means that if you have records showing the history of your unit or of guiding in your area, you can keep them as part of an archive without removing all personal data.

You must have a genuine purpose for your archive. For example, keeping a historic record of your unit’s history so people can look at it in years to come. But please remember this isn’t an excuse to keep everything, and you should minimise what you keep. Being clear about the purpose and vision for your archive will help you to establish what should and shouldn’t be included.

People can object to you using their personal data for an archive. If they do, you must show you aren’t putting the interests of the archive above the interests of the person in question.

In addition to having a clear purpose and parameters for what’s included in the archive, you can also protect personal data further. Do this by keeping records closed for an appropriate amount of time, restricting access to the archive and anonymising research.

For more information to help you manage your archives safely, check out the guide to archiving personal data (PDF, 1.12 MB) from The National Archives.

If you have any questions, speak to your local commissioner, country or region archivist, or email HQ at [email protected].

What to keep

You might want to keep:

  • Press cuttings.
  • Scrapbooks.
  • Unit log books.
  • Records of the history of your unit or guiding in your area. For example, programmes of events and details of projects you’ve done, like tree planting.
  • Photos to record the history of your unit or area. It’s fine to write names on them. But you shouldn’t record any other personal data, like addresses or dates of birth. If you’ve got lots of digital photos, just pick out the best ones. Find out more about handling photos and videos in your role.

You mustn’t keep:

  • Personal data collected through related administrative processes. This includes donor forms and information about researchers using the archive. These must be kept in line with our rules on data retention.

How to store your archive

You can store your archive physically or electronically. You must keep physical records securely locked away. You could keep digital records in a limited access, password protected cloud account, or on a device like a USB stick, protected with a password.

If you’ve got a mix of physical and digital records, you could keep the digital records on a password protected hard drive in the same place you keep the physical records.

Using and displaying archive collections

When using or displaying historic records you must consider the personal data included in or with these records, and whether it’s appropriate to share. For example, if displaying a collection of photos, you should avoid sharing the names of those featured. If you do want to share names as part of a display, try to only use first names and avoid other identifying information.

Back to top

Sharing personal data

When sharing personal data you must make sure:

  • You only contact volunteers and parents or carers using the contact details they’ve recorded on Girlguiding’s online platforms.
  • Volunteers, or parents or carers, agree to the sharing of the data. This includes sharing names or other identifying details in reports about your local guiding area. See below for examples of when this isn’t required.
  • You’re only sharing necessary information. For example, if you’re sharing information for a printed attendance list, don’t include addresses or dates of birth.
  • You’re only sharing a young member’s personal data with their parents or carers listed on Girlguiding’s online platform. For example, if a Brownie’s parent drops her off each week, but isn’t recorded on Girlguiding’s online platforms, you can’t share the Brownie’s address or phone number without getting permission from the parent or carer listed on her record.
  • You only share personal data for the purposes of managing Girlguiding membership. So, you can’t share one parent’s personal data, like their phone number, with the parent of another young member.

Sometimes personal data can be shared in a way that wasn’t agreed to and without getting permission first. There must be an important reason for this. It must also be in the interests of the person whose data you’re sharing.

Some examples include:

  • If you have a safeguarding concern, allegation or disclosure, you must share relevant personal data with the HQ safeguarding team when reporting this.
  • The HQ safeguarding team can share personal data if someone’s at immediate risk of harm. This could mean sharing the information with police, children’s services or other statutory agencies. For more information, contact the HQ data protection team at [email protected].
  • In a medical emergency you might need to share information about someone’s medication or health conditions.
  • After an accident or incident, you may need to share personal data with the HQ insurance team in line with the health, safety and welfare procedure.
  • If there’s a contractual requirement to share data in your professional capacity. For example, as a teacher you may have an obligation to report safeguarding concerns about students to the school as well as Girlguiding, even if the concern has come from a different setting.

Sharing information with the wrong person is a data breach and you must report it to the HQ data protection team. Find out more about reporting data breaches.

Remember, any personal data you share may be requested as part of a subject access request.

  • Double-check you’re emailing or speaking to the right person. Providing personal data to the wrong person is a data breach. If you’re speaking on the phone, it’s better if you can call them so you can be sure. If they call you, use caller ID to confirm their identity. If you’re not certain, hang up and call them back using a different phone.
  • Make sure no one else can hear or read the personal data. This would be a data breach.
  • When emailing personal data, send it as a password protected attachment rather than in the main body of the email. Don’t include the password for the attachment in the original email. Share the password in a different way, like in person, or by texting it. Only send a second email with the password if there’s no alternative.
  • When sending personal data by post, use a ‘tracked service’, such as special delivery.

Keeping personal data up to date

Keeping old or inaccurate information will make Girlguiding run less effectively and may even pose a serious risk to young members’ and volunteers’ safety. So it’s important you regularly review what you have.

If a parent or carer says the information on our online platforms is wrong, ask them to log in and update it, or do this for them.

Information on our online platforms must be updated as soon as possible any time someone changes roles or leaves Girlguiding. The unit team should do this for young members, and the commissioner for volunteers.

At the end of each term:

  • Check the information retention schedule.

At least once a year:

  • Check your details are up to date on our online platforms.
  • Confirm with parents and carers that their details and their child’s details are up to date on our online platforms.
  • Remind other volunteers to update their details on our online platforms.
  • Check the information you have saved anywhere else about parents and carers, young members and volunteers is still correct.

If you’ve had a lot of girls moving up to the next section, new starters or leavers you may need to review your data more often.

Back to top

Data retention and deleting or destroying personal data

Financial records must be kept for 7 years. This is the charity regulators’ rule. Read our finance procedure to find out more.

Personal data mustn’t be kept for longer than necessary. This means thinking about the reason data was collected, and once it has been used for that purpose, deleting or destroying it.

Personal data held on Girlguiding online platforms is managed by Girlguiding and kept in line with internal retention agreements. By keeping personal data on our online platforms, you won’t need to take steps to delete or destroy this in the future.

The data you hold locally, on paper or electronically, is the responsibility of local volunteers and should be kept in line with the provided retention schedule. If personal data is kept for a different amount of time, you must have a reason for this.

For anything not included in the list below, it’s up to you to decide how long it’s appropriate to keep it for.

How long to keep forms and other information

In the event of an accident, incident, safeguarding or other concern, you may need to provide relevant forms and other information to the Girlguiding HQ teams looking into what has happened. Personal data shared with HQ teams will be kept in line with internal data retention schedules, and you’ll be advised on when the information you hold can be deleted or destroyed.

Any records being kept permanently must be reviewed to make sure the minimum amount of personal data is included, and that there’s a record for why they’re being kept. As with any documents containing personal data, access must be limited so that only those who need to see the information can. Records should be reviewed regularly to make sure that the decision to keep something permanently is still correct.

Unit information

  • Adjustment plans and wellbeing action plans: duration of the plan being in place. This could be the duration of an event, or the length of time someone is in the unit.
  • Annual unit risk assessment: until an updated risk assessment is completed. Copies of previous risk assessments may be kept longer with personal data removed.
  • External visitors form: 1 month.
  • New starter forms: check details on each page of the form.
  • Pregnancy risk assessments and personal emergency evacuation plans: duration of risk assessment or plan being in place.
  • Records of badges and other achievements: duration of section affiliation.
  • Registers: 1 year.

Events

  • Emergency contact list: duration of the event.
  • Event and activity risk assessment: 1 year from the end of the event. Copies of previous risk assessments may be kept longer with personal data removed.
  • Health form: duration of the event. If medical treatment or medication administered, 1 month from end of event.
  • Home contact form: duration of the event.
  • Information and consent forms: 1 month from the end of the event.
  • Medication record: duration of the event. If medical treatment or medication administered, 1 month from end of event.
  • Paper REN forms: 1 year from end of the event.

Safeguarding, complaints, accidents and incidents

  • Incident review form: 1 year from the date of the incident.
  • Notification of accident or incident forms and related documents: when the HQ insurance team has confirmed they’ve been received, they can be deleted.
  • Safeguarding, complaints and compliance cases and concerns: volunteers involved in managing or investigating concerns must send all the data they hold to the relevant HQ team and delete any copies once the case is closed.

Finances, governance and legal

  • All financial records, including accounts and Gift Aid records, must be kept for at least 7 years. This is the charity regulator’s rule.
  • Commercial contracts, partnerships and licenses: at least 7 years.
  • Hire agreements: 3 years after the agreement has ended. If an accident occurred during the hiring, the hire agreement should be shared with the HQ insurance team when the accident is reported.
  • Meeting minutes and records of decisions made: a minimum of 6 years, or permanently.
  • Property documents, including deeds and sales contracts: permanently.
  • Property risk assessments and safety records: until updated risk assessments or records are completed. Copies of previous risk assessments and records may be kept longer with personal data removed.
  • Strategy or project documents and reports: depending on the subject these may be kept permanently.

Deleting and destroying personal data

When deleting electronic records, make sure to include emails and backup cloud storage. Check the help tab on your email or cloud storage provider to find out how to permanently delete things.

When destroying physical documents use a shredder, if possible, as this is more secure.

Another option is to remove or anonymise personal data in a larger document, rather than deleting the whole document. This may be a good approach if the information might be helpful for future planning, for example, when organising a similar event.

Back to top

Change log

  • October 2025 – new version published.

Back to top

More on day-to-day guiding

Running your unit

From unit finances to working as a team - advice and support to help you run guiding in your local area

Delivering our programme and activities

Specialist frameworks and practical guidance to help you provide girls with a programme that supports their development

Policies

All our policies A-Z – from adult volunteers and adult members policy to speaking up policy

Learning and development

All the skills you need to give girls the best guiding experiences - from leading and safeguarding to narrowboating.