Handling personal data
Use this procedure to make sure you are handling personal data lawfully
Personal data is used everywhere
Businesses and services around the world make use of information about people daily and because of that there are laws to protect how data is collected, used, saved, shared and destroyed. These laws make sure that people’s confidentiality is respected and prevent data being misused.
As a member or volunteer you’ll know we are always straightforward, honest and clear when we communicate with our members, parents and carers, or anyone else involved with us.
Who is responsible for carrying out this procedure?
Any Girlguiding member or volunteer aged 18 or over. If you are supervising a member or volunteer who is under 18 you are responsible for making sure they know to report breaches to you.
Why must I use this procedure?
When you handle personal data, you must do so lawfully. By using this procedure, you will make sure you are following both the Girlguiding managing information policy and UK legislation.
Breach of the data protection legislation:It’s important to understand that if you do not follow procedure your actions may make you personally liable for any data loss, disclosure or breach. Not following procedure is a breach of the managing information policy, the Girlguiding Code of conduct, and data protection legislation.
What is personal data?
Personal data is information that allows you to identify an individual. Examples are: name, address, date of birth, email address, social media handle, photos and videos. Personal data also includes things like a person’s religion, beliefs, health issues and gender identity.
How to handle data
Explore the sections below to find out what you need to do when handling data in different ways.
When you collect personal information about an individual you normally use one of these ways:
- You receive it in a Girlguiding data collection form
- You take information over the phone or by email.
- You take photographs or video.
How do I use a Girlguiding data collection form?
Our data collection forms (e.g. a starting form, consent from, a health form or a REN form) are all designed to comply with UK legislation.
- You must always use the current version of the form provided by Girlguiding.
- Do not make up your own local version as this is against Girlguiding policy.
- These forms are to be used for a specific purpose. This means:
- They only collect personal information needed for a specific purpose.
- They don’t collect any data which isn’t needed for that purpose.
- All of the questions on the forms are important. This means you must complete them all, even if you need to add ‘N/A’ or ‘prefer not to say’ as an answer.
- Once the activity has happened the purpose for the data is finished so you must securely destroy the form. See section below on destroying data.
You must keep all forms safe for the duration of the activity they have been completed for. If you take forms from one place to another keep them in a secure bag, with a zip or lock. When the forms are taken to location like an activity centre, keep them with a nominated person and in a secure place.
The most common data collection forms in use are the unit starter form, the activity/event consent form and the health form. You can find specific guidance for using each of these forms in our forms and resources section.
In exceptional circumstances, you may also be asked to participate in the collection of data if there is a complaint, or a safeguarding disclosure, allegation or concern. Find more information in A Safe Space.
How do I collect personal data by phone or in person?
Sometimes you need to collect personal information in person or by phone. Data protection legislation still applies when we collect personal face-to-face or over the phone. When making a call to collect personal information, you must explain who you are and why you are collecting the personal information. When you write down the information, check that what you have collected is accurate.
Whenever you collect personal information on a form, by phone or face to face it must be kept safe until it can be uploaded to GO (if necessary).
- Remember, be precise. Only ask for what you need and record it. Make clear and concise notes.
- Avoid discussing personal data in places where you may be overheard. If you allow personal data to be disclosed by talking in front of other people, you may cause a data breach.
- Make sure you’ve collected information accurately. Read it back to the person providing the data to ensure it is correct.
How do I collect personal data by email?
If you are asking for personal information by email, you must only use an email account which is not shared with anyone else, (including family members or other leaders or helpers in your unit). There are three reasons for this requirement:
- Just because someone else is involved with Girlguiding it doesn’t mean that they should have access to the same personal data as you.
- Secondly, a shared account does not allow for a person-to-person message to be sent. So if, for example, a complaint was made, there is no confidentiality.
- A joint email account which is used to collect personal data is a data security risk.
When you ask for data over email you must explain who you are and why you are collecting the data. Always use a new email, don’t ask for personal data on an existing chain and only send the email only to the person whose data you’re collecting.
When using email to collect personal information do not then use that email chain for discussing something else.
Girlguiding has to make sure that we do not retain personal data for longer than it is necessary and this includes any personal data we send or receive via email. So, if a parent has emailed you their new mobile number for example, once GO has been updated, delete the email.
Remember also to delete the email when you have finished using it, unless you are told to hold the information, for example as part of an ongoing complaint or safeguarding concern.
How do I take photographs or video in an appropriate way?
If you take a photograph or video of a person this is personal data. For this reason, Girlguiding asks for consent to use photographs on the unit starting form.
- Know who has given their consent, and who hasn’t. Do not use photographs of people who have not consented to this.
- You can’t use a photograph if there is not consent in place.
- Make sure anyone taking photographs of unit activities is aware of the photo permission preferences of the group.
- Do not use a photo of multiple people if one of them has not given consent. A good way to help the photographer identify this person, and not photograph them is by asking them to wear a badge or a rosette if appropriate. But be careful not to make this person feel singled out.
- When taking photographs on a personal device make sure the images are not being automatically backed up to your personal storage. This is a potential breach of data protection for retaining data.
- When you have finished using the photos remove/delete them from your device.
What other methods are there for data collection?
There are a few situations when you may need to collect information by another method, for example if you need to conduct a questionnaire or respond to a Facebook message.
As with other methods, you must comply with data protection law and Girlguiding policy and procedure. If you are unsure if a method of collecting data is appropriate please contact [email protected]@org.uk .
How do I keep data up to date?
When you collect personal data, you must make sure it is accurate and up to date. If you allow collected data to become out of date or inaccurate this is a breach of the data protection legislation. You must plan regular data accuracy reviews for members’ and guardians’ data.
You must also make sure your personal details, and those of other volunteers at your unit, are accurate and up to date on GO. You must review and correct if necessary at least once a year, but if you have had a lot of transitions, new starters or leavers you may need to do this accuracy review more often.
Accessing personal data
You must have authorised access to GO to use personal data collected by Girlguiding.
To make sure Girlguiding complies with UK law and keeps personal data safe, Girlguiding provides access to only the data that you need for your role. This lowers the risk of accidently using data incorrectly. The specific GO access you are given is personal to you and must not be shared with anyone else, even if they are a member of Girlguiding.
Using personal data
When you use personal data collected by Girlguiding, you can only use it for the specific purpose it was collected for. Girlguiding collects personal data for the purposes of administrating membership of Girlguiding and enabling members to participate in guiding activities.
Guiding activities are:
- contacting people about arrangements for their daughter’s unit meetings and associated activities
- informing members and parents about Girlguiding’s rules and policies, including our uniform and other conditions of membership
- recording people’s achievements and awards earned in guiding;
- caring for members and administering any medication or emergency treatment;
- informing members and parents about events, activities, and learning opportunities that support the guiding programme for girls and young women, like opportunities for international travel, adventure or skills development. These can include opportunities and product offers from third parties.
A shared email address should not be used to collect personal information, but a shared email address in use by more than one leader within a unit can be used for sending emails to parents for Guiding purposes, with information about events, changes to meeting detail etc.
For more details on what you can and cannot use personal data for see Girlguiding’s privacy statement.
Unacceptable uses of GO data includes
You must not use GO data to communicate with people about non-guiding related activities or share data with third parties without consent. For example, you must not:
- Use GO data to communicate with people about another organisation or any other non-guiding activity that you are a part of.
- Add GO data into a third party applications or on-line services such as on-line Guide Manager (OGM) or Instagram accounts.
- Share GO data with anyone else, including other Girlguiding volunteers, if you do not have consent to do so.
If you’re not sure, ask us first at [email protected]
What about marketing?
You must only use an individual’s personal data to contact them for the reason they agreed when they provided their contact details. This means you can send messages that support this reason, like details about meetings or upcoming events.
You cannot send a message which advertises a product or recommends a local shop, because this is considered marketing. Data protection legislation requires that you have consent from an individual to receive these kinds of marketing emails.
What about fundraising?
If you want to talk about fundraising activities by email, be aware that there are specific regulations within data protection legislation which apply. The law only allows Girlguiding to send fundraising emails to people who have specifically said that they agree for us to do so.
Unless an individual has agreed to be sent fundraising materials by email, you cannot send it.
This includes either
- The message being sent as a specific email telling them about the fundraisings idea
- Or as a message which is included within a newsletter. See our privacy notice.
So how can you promote your fundraising activity? Remember, this regulation does not mean you cannot promote fundraising activities within a unit. It only applies when sending fundraising materials by email. You are still free to give flyers and hand out information at a unit meeting.
Using financial data
A volunteer who is a unit leader is responsible for looking after the financial records of your unit. The majority of this financial data is not personal data, but there will be references to individuals within these records, (for example, the names of those who have paid subs) so that particular data is personal data.
Because of this you must apply the same data security measures to financial records as to other forms of personal data. You must, for example, password-protect these documents to keep them safe if sending them by email or storing them on a device. Remember, you should only keep financial data for seven years. See the data retention framework.
What is data sharing?
What we mean by ‘data sharing’ is when we disclose person information in a number of ways:
- One person to another person, like a leader sharing with another leader
- A person to an organisation, for example a leader booking attendance at an event
- An organisation with itself, like HQ sharing personal information with Trading
- An organisation to another organisation, for example Girlguiding sharing with the Scouts
Data protection legislation doesn't prevent the sharing of personal information but it does regulate it. When there is a need to share personal data - for example when booking an event – you must make sure the sharing complies with data protection legislation.
The following guidelines will help you share data within the law:
- You can share personal information for purposes of administering and managing Girlguiding membership. This was agreed by the parent/carer on the Starting form. For example, you can share personal information for making event bookings or you can share personal details with another leader if a young member is moving up.
- You can't share personal information of a member or young member with a person making a random request. This includes other parents and other Girlguiding volunteers. This would not be for administering or managing Girlguiding membership, so we couldn't share data under these circumstances. You can only share a member’s personal information if a request is made if the person making the request is listed as GO contact. For example: If a Brownies' father isn't listed as a GO contact but they ask for her address or phone number, you can't share this without first checking with the listed GO contact.
- When you do share data, only provide the least amount of information necessary. For example, if the data is to be used for a printed attendance list, consider just including young member’s first names or their initial and family name.
- In exceptional circumstances, you can share data in a way that wasn’t agreed to. To justify this type of sharing, the circumstances will need to be very specific. For example, it must be within the vital interests of an individual, for instance if you are sharing personal data in a medical emergency.
- In exceptional circumstances such as safeguarding cases, Girlguiding members are able to share information with the HQ safeguarding team when it is in the public interest to do so, such as passing on an allegation or a disclosure.
Remember! All requests to share data with the police need to be referred to the safeguarding department at HQ before you share. Contact [email protected]
How do I share personal data by phone or in person?
The following steps are a guide on how to do this:
- You can only share data for a specific purpose which has been agreed when the personal data was collected, for example to book an event or activity.
- Make sure you are sharing personal data with the person you are expecting. Try to call them, or if they call you use caller id to confirm you are talking to the correct person.
- Only share the least amount of personal data necessary.
- Try to make sure that you cannot be overheard making the call. If the call is in a public place, being overheard sharing personal data would be a data breach.
How do I share personal data by email?
- If you are sending personal data by email you must send the information as an attachment in a password-protected document, it is not to be in the text of the email.
- You must call or text the recipient to give the password. Do not include the password in the email or send a second email with the password in it.
- When sending emails to multiple people do not put all the email addresses in the ‘to’ field. This would mean everyone will be able to see everybody else’s email addresses, which is personal information. Use the BCC field on the email address bar to send an email to more than one person so people can’t see each other’s addresses.
How do I share personal data through online forms?
When you book events or activities you may need to use on online booking form instead of talking to someone over the phone or sending an email. The same rules apply to this method of sharing data:
- You can only share data for a specific purpose which has been agreed with the parent/carer when the personal data was collected, for example to book an event or activity.
- Make sure the website is correct.
- Only share the least amount of personal data necessary.
How do I share personal data by post?
- If you need to share data by post - for example to send documents to HQ - you must use a postal service that is tracked and signed for, such as special delivery.
- If you are sending a large amount of personal data, relating to more than 10 people, please contact [email protected] to confirm the best way to send the data.
How should I download personal data?
- If you do need to download an electronic list on to a laptop or a tablet where you can’t access GO, make sure the document is password-protected.
- Remember to use the least amount of data necessary and delete the file when you have finished using it.
- Printing GO data should only be done when absolutely necessary, for example if your meeting hall has no WiFi access and you can’t use a laptop or tablet. When the purpose for which the document has been printed for is finished, you must destroy the document to keep the data safe.
- Remember also to delete the downloaded copy of the data when it is no longer needed. Check you don’t have another copy in the “downloads” folder on your computer.
- If you share your computer or other device with anyone then you must make sure they cannot access Girlguiding data. If you collect personal data on an account shared with a family member for example, and they read the personal data you collected, you have caused a data breach.
The majority of Girlguiding forms are used for a specific purpose, like seeking parental consent for a trip to the adventure park. Once the trip is over, the purpose for the document has been completed and the form should be destroyed.
At Girlguiding we only need to keep personal data when the law requires us to do so. There is only a minimum amount of personal data which needs to be kept by units. This includes unit financial records and risk assessments.
See the keeping data table for how long you should keep different types of data.
How do I destroy forms?
Because forms are designed for a specific purpose, when that purpose is finished you must securely destroy the form by shredding or ripping it so that it could not be put back together and read. You must not put whole documents into your bin as this is not secure.
Don’t risk breaking the law!
If you do not follow this procedure you and Girlguiding are at risk of being in breach of data protection requirements.
When must I keep a form, and not destroy it?
If there is an accident or incident at an event or activity, you must copy the relevant documents, consent form, health form, witness form etc, and send the originals to the insurance department at HQ.
You will need to keep a copy of the forms until HQ confirms that they’ve received the originals. Then destroy your copies.
If there is a safeguarding allegation, disclosure or concern, you must send the relevant documents, witness forms, photographs, handwritten notes for example, to the safeguarding HQ team immediately.
Girlguiding policies and procedures are reviewed and updated from time to time as part of a review cycle.