Managing information policy
All our staff and volunteers must make sure they collect and use personal information appropriately and store it safely
At Girlguiding we use personal data and information every day
We couldn’t operate without it. So all our Girlguiding staff and volunteers must make sure they collect and use information appropriately, and store it safely.
This is our legal requirement and it protects the privacy of our members, volunteers, customers and employees.
This public-facing policy sets out how Girlguiding aims to make sure all our information is managed appropriately. It must be followed by all volunteers and staff who handle Girlguiding information and personal data.
What do we use personal data and information for?
Girlguiding needs to keep personal data about its employees, young members, volunteers, customers, supporters and donors in order to:
- Deliver guiding services to girls and young women
- Safely recruit and develop volunteers and staff
- Pay employees
- Safeguard young people and vulnerable adults
- Monitor performance
- Monitor health and safety
- Carry out many other functions that help us to give guiding services to our members.
- Collect and process personal data to ensure that Girlguiding complies with its statutory obligations.
Why volunteers and staff must follow this policy
As a Girlguiding volunteer or member of staff you must follow all our policies and procedures, including this information management policy. This is not part of the contract of employment for staff or the Code of Conduct for volunteers, but it is a condition of your employment or voluntary service.
If you don’t follow this policy and its related procedures, you may face disciplinary proceedings if you are a member of staff, or action under the managing concerns about adult volunteers policy if you are a volunteer.
While data protection legislation only applies to personal data, Girlguiding requires its volunteers and staff to follow this policy and its supporting procedures when processing any kind of information, personal or otherwise, belonging to Girlguiding. This is to ensure best practice at all times.
Does this policy apply to everyone at Girlguiding?
Yes. This policy applies to the entire Girlguiding organisation, including Girlguiding’s subsidiary, the Guide Association Trading Service Limited. References in this policy to ‘Girlguiding’ should be read as referring to both Girlguiding and the Guide Association Trading Service Limited collectively.
See the section below for definitions of key terms referred to in this policy.
Definition: A person or an organisation who alone, or with others, decides how and why collected data will be used.
Example: Girlguiding is the data controller for most personal data – like the GO records – used by staff and volunteers.
Definition: An act or occurrence which causes the loss, destruction/erasure, alteration, unauthorised disclosure/sharing of, unauthorised access to, unauthorised use/publication of personal data.
- Emailing personal data (information) to the wrong person
- Leaving personal data unsupervised or in a public place where others can access it
Definition: A data subject is a living individual who is the subject of the personal data.
- A member
- A young member
- A donor
- A parent
Definition: Any information relating to an identifiable person (a ‘data subject’). Personal data also includes special category personal data: any permanent characteristics of a person’s physical, physiological, genetic, mental, economic, cultural or social identity.
- Name, address etc.
- Telephone number
- Email address, Twitter handle
- IP address
- Disability or health data
- Ethnicity data
Definition: The use, collection, storage and disposal of personal data.
- Storing GO data
- Sharing member information by email
- Shredding when information is no longer required
Definition: General data protection regulation.
Example: UK data protection legislation, enforceable in May 2018.
Definition: Where two or more (data) controllers jointly determine the purposes and means of processing, they shall be joint controllers.
Example: Employed staff for Countries and Regions are joint controllers with Girlguiding when using CRM/GO data.
What does this managing information policy cover?
This policy covers governance and compliance, data protection, information security and records management. Explore these in more detail below.
This means the actions Girlguiding will take to make sure this policy is followed.
Who is accountable for this policy in Girlguiding, and responsible for it being followed across the organisation?
Board of Trustees (level 1)
The Board of Trustees will approve this policy and related policies, and is ultimately accountable for compliance across Girlguiding.
Executive Team – Girlguiding directors (level 2)
The Executive Team allocates a person to be ultimately responsible for compliance across Girlguiding. This person will be the Director of Commercial, Property and IT.
- This person must have an understanding of the relevant information governance legislation.
- This person will be the point of contact with the Information Commissioner’s Office (ICO) and for any queries about the policy for staff, members, volunteers and the public.
Board of Trustees – Country and region (level 3)
The Boards of Trustees in the countries and regions are accountable for compliance at country/region level.
Notifications under the General Data Protection Regulations
Girlguiding as a body corporate is registered as a Data Controller with the Information Commissioner’s Office (ICO).
The registration number is: Z6907813
Annual renewal date: July 2018
The Notification shall be reviewed annually by the Executive Team.
Data protection means how we make sure personal data is kept confidential and used appropriately.
Girlguiding is committed to ensuring the appropriate use and management of personal information. We follow the data protection principles and requirements to make sure that personal data is:
- Processed lawfully, fairly and in a transparent manner in relation to the data subject. Find out more in our handling personal data procedure.
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. See our privacy notice.
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. For example, if you are collecting data to allow a girl to join Girlguiding, it is not necessary to collect any personal data about her parents other than contact details.
- Accurate and, where necessary, kept up to date.
- Not kept for longer than is necessary.
- Processed in accordance with the rights of the data subject.
- Compliant with the data security principles set out in the updated GDPR legislation.
Legal basis for processing personal data
Girlguiding must have a legal basis to collect and use personal data. Within data protection law there are six legal bases. Girlguiding makes use of the most appropriate legal basis when processing different categories of personal data for different purposes. The Girlguiding privacy notice states what basis is used and when.
Data protection law – an individual’s rights
Girlguiding respects the following rights you have as an individual:
- The right of access
- The right of rectification
- The right of erasure
- The right to restrict processing
- The right to object
- The right of portability
Find out more in our personal data requests procedure.
Girlguiding has a duty to keep some employee, member and volunteer personal data for a period of time after they have left Girlguiding. This is mainly for legal reasons, but also for other purposes, for example so we can provide references and for historical and statistical research. Different categories of data will be kept for different periods of time.
Girlguiding will not keep personal data for longer than is necessary for the purpose it was originally collected for. This means that data will be destroyed or erased from our systems when it is no longer required. See the data retention framework.
As Girlguiding staff and volunteers, if you process information on behalf of Girlguiding you are responsible for making sure that data security is maintained, in line with the managing information policy and any related Girlguiding procedures.
Girlguiding will ensure that appropriate technical and organisational measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.
What are Girlguiding’s responsibilities?
Girlguiding commits to:
- Implement this information management policy and make sure it complies with data protection legislation.
- Co-operate with the relevant regulatory bodies and name a contact point.
- Ensure this policy is up to date.
- Give appropriate guidance and training to Girlguiding employees and volunteers to help you to comply with this policy.
- Make sure that personal data is destroyed safely (in line with Girlguiding’s data retention schedule).
- Systematically identify and respond to any data protection queries which may arise.
- Handle all requests and complaints from data subjects relating to Girlguiding’s use of their personal data.
- Use a risk-based approach to its processing activities. This will include the use of data protection impact assessments (DPIA) for high-risk processing activities where necessary.
- Maintain and be able to give the relevant regulatory bodies organisational records and evidence of the following practices:
  - Name and details of the organisation
  - Purposes of the data processing
  - Description of the categories of individuals and categories of personal data being processed
  - Categories of recipients of personal data when disclosed
  - Details of transfers to parties outside the European Union including documentation of the transfer mechanism safeguards in place
  - Data retention schedules
  - Description of technical and organisational security measures
What are Girlguiding volunteer or staff responsibilities?
As a volunteer or member of Girlguiding staff, if you process personal data as part of your role you must:
- Follow this policy and relevant procedures whenever personal data is being used for planning and delivering Girlguiding activities.
- Follow Girlguiding procedures, guidance and codes of practice about the collection and use of personal data.
- Think about why you need to handle personal data and make sure you use as little data as you need to carry out your task.
- Reduce as much as possible the likelihood of a breach, i.e. personal data being lost, inappropriately shared or disclosed, altered, destroyed, or published without permission, by maintaining good data handling practices with adequate control measures in place.
- Report any data breaches to the Data Protection team immediately on discovery.
- Establish, maintain and follow guidance around effective systems for reporting, monitoring and responding to any emergencies that could arise in relation to data protection.
- Make sure that personal data is destroyed safely (in line with Girlguiding’s data retention schedule).
- Inform your line manager (staff) or Commissioner (volunteers) and the data protection team immediately if you receive a request from a data subject for information held or used about them.
Exemptions – when does this data protection legislation not apply?
Some data is exempted from the provisions of data protection legislation. Examples include:
- National security and the prevention or detection of crime.
- The assessment of any tax or duty.
- Where the processing is necessary to exercise a right or obligation conferred or imposed by law upon Girlguiding.
Girlguiding policies and procedures are reviewed and updated from time to time as part of a review cycle.