Sharing personal data
How to share personal data safely and securely
Last reviewed: 6 July 2022
This guidance is part of our Managing information procedure.
As a Girlguiding volunteer with access to personal data, it’s important you know how to share it correctly.
What is personal data sharing?
Personal data sharing can be from:
- one person to another person. For example, a leader sharing information with another leader
- a person to an organisation. For example, a leader booking a place at an event
- an organisation to a person. For example, HQ sharing relevant information about a member with an investigator
- an organisation with itself. For example, different parts of Girlguiding sharing information
- an organisation to another organisation. For example, Girlguiding sharing information with the Scouts.
Data protection laws don’t stop us sharing personal data, but they do regulate how we do it.
You may need to share personal data while doing your Girlguiding role. You’ll need to make sure:
- volunteers, or parents or carers, agree to this. For example, you may know a young member has recently had a bereavement. But you shouldn’t share this with anyone else without their parent or carer’s permission. If you’re not sure whether it’s OK to share something, or you don’t feel comfortable asking, don’t share it
- you’re only sharing necessary information. For example, if you’re sharing information for a printed attendance list, don’t include addresses or dates of birth
- you’re only sharing a young member’s personal data with their parents or carers listed on GO. For example, if a Brownie’s parent drops her off each week, but isn’t on GO, you can’t share the Brownie’s address or phone number without getting permission from the parent or carer listed on her record
- you’re not sharing volunteer or member personal data that isn’t for the purposes of managing Girlguiding membership. So, you can’t share one parent’s personal data, like their phone number, with the parent of another young member.
Sometimes you can share information in a way that wasn’t agreed to and without getting permission first. There must be an important reason for this. It must also be in the interests of the person whose data you’re sharing. Some examples include:
- If you have a safeguarding concern, allegation or disclosure, you must share relevant personal data with the HQ Safeguarding team when reporting this.
- The HQ Safeguarding team can share personal data if someone’s at immediate risk of harm. This could mean sharing the information with police, children’s services or other statutory agencies. For more information, contact our Data Protection team.
- In a medical emergency you might need to share information about someone’s medication or health conditions.
- If there is a contractual requirement to share data in your professional capacity.
Sharing data safely
Only contact people using their contact details on GO.
- Make sure you double check you’re emailing the right person. Sending personal data to the wrong person is a data breach.
- Send personal data as a password protected attachment rather than in the main body of the email.
- You mustn’t include the password for the attachment in the original email. Share the password in a different way, like in person, or by texting it. Only send a second email with the password if there’s no alternative.
By phone or in person
- Confirm you’re speaking to the right person. If you’re speaking on the phone, it’s better if you can call them so you can be sure. If they call you, use caller ID to confirm their identity. If you’re not certain, hang up and call them back using a different phone.
- Make sure you’re both somewhere private. Other people overhearing personal data is a data breach.
- Double check the name and address on the envelope. If in doubt, contact the person you’re sending the information to first to confirm.
- Use a ‘tracked service’, such as special delivery.
Sharing information with the wrong person is a data breach and you must report it to the Data Protection team at HQ. Find out more about reporting data breaches.