Managing information policy

All our staff and volunteers must make sure they collect and use personal information appropriately and store it safely.

Approved: 28 September 2019
Version: 2
Content owner: Data protection

At Girlguiding we use personal data and information every day

We couldn’t operate without it - and all our Girlguiding staff and volunteers must make sure they collect and use information appropriately and store it safely.

This policy is a legal requirement and it protects the privacy of our members, volunteers, customers and employees.

The Managing Information Policy sets out how Girlguiding aims to make sure all our information is managed appropriately. It must be followed by all volunteers and staff who handle Girlguiding information and personal data.

What do we use personal data and information for?

Girlguiding needs to keep personal data about many people, including its employees, young members, volunteers, customers, supporters, ambassadors and donors, in order to:

  • Deliver guiding services to girls and young women
  • Safely recruit and develop volunteers and employees
  • Pay employees
  • Safeguard young people and vulnerable adults
  • Monitor performance
  • Monitor health and safety
  • Manage other functions helping us to give guiding services to our members
  • Collect and process personal data to ensure that Girlguiding complies with its statutory obligations.

Why volunteers and employees must follow this policy

As a Girlguiding volunteer or employee you must follow all our policies and procedures, including this Managing Information Policy and the supporting procedures.

If you don’t follow this policy and its related procedures, you may face disciplinary proceedings if you are staff or, if you’re a volunteer, action under the managing concerns about volunteers policy.

While data protection legislation only applies to personal information, Girlguiding requires its volunteers and employees to follow this policy and its supporting procedures when processing any kind of information, personal or otherwise, belonging to Girlguiding. This is to ensure best practice at all times.

Does this policy apply to everyone at Girlguiding?

Yes. This policy applies to the entire Girlguiding organisation, including Girlguiding’s subsidiary, the Guide Association Trading Service Limited. References in this policy to ‘Girlguiding’ should be read as referring to both Girlguiding and the Guide Association Trading Service Limited collectively.

Definitions

See the section below for definitions of key terms referred to in this policy.

Data controller

Definition: A person or an organisation who alone, or with others, decides how and why collected data will be used.

Example: Girlguiding is the data controller for most personal data – like the GO records – used by staff and volunteers.

Data breach

Definition: An act or occurrence which causes the loss, destruction/erasure or alteration of personal data, or its unauthorised disclosure/sharing, access, use or publication.

Example:

  • Emailing personal data (information) to the wrong person
  • Leaving personal data unsupervised or in a public place where others can access it

Data subject

Definition: A data subject is a living individual who is the subject of the personal data. 

Example:

  • A member
  • A young member
  • A donor
  • A parent

Personal data

Definition: Any information relating to an identifiable person (a ‘data subject’). Personal data also includes special category personal data: any permanent characteristics of a person’s physical, physiological, genetic, mental, economic, cultural or social identity.

Example:

  • Name, address etc.
  • Telephone number
  • Email address, Twitter handle
  • IP address
  • Photograph
  • Disability or health data
  • Ethnicity data

Data processing

Definition: The use, collection, storage and disposal of personal data.

Example:

  • Storing GO data
  • Sharing member information
  • Deleting information
  • Updating member records

GDPR

Definition: General Data Protection Regulation.

Example: UK data protection legislation (Data Protection Act 2018).

What does this managing information policy cover?

  • Governance and compliance: the actions Girlguiding will take to make sure this policy is followed.
  • Data protection: how we make sure personal data is kept confidential and used appropriately.
  • Information security: how we keep information secure.
  • Records management: how we keep and dispose of records.  

See below for more information on these categories.

Who is accountable for this policy in Girlguiding, and responsible for it being followed across the organisation?

Board of Trustees (level 1)

The Board of Trustees will approve this policy and related policies and is ultimately accountable for compliance across Girlguiding. 

Executive Team – Girlguiding Directors (level 2)

The Executive Team allocates a person to be ultimately responsible for compliance across Girlguiding. This person is the Deputy CEO.

This person must have an understanding of the relevant information governance legislation.

This person will be the point of contact with the Information Commissioner’s Office (ICO) and for any queries about the policy for employees, members, volunteers and the public.

Board of Trustees – Country and Region (level 3)

The Boards of Trustees in the Countries and Regions are accountable for compliance at Country/Region level.

Notifications under the General Data Protection Regulation

Girlguiding as a body corporate is registered as a Data Controller with the Information Commissioner’s Office (ICO).

The registration number is Z6907813 and the registration is reviewed annually. The Notification shall be reviewed annually by the Executive Team.

Data principles

Girlguiding is committed to ensuring the appropriate use and management of personal data. We follow the data protection principles and requirements to make sure that personal data is:

  • Processed lawfully, fairly and in a transparent manner in relation to the individual.
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. For example, if you are collecting data to allow a girl to join Girlguiding it is not necessary to collect any personal data about her parents other than contact details. 
  • Accurate and, where necessary, kept up to date.
  • Not kept for longer than is necessary.
  • Processed in accordance with the rights of the data subject.
  • Compliant with the data security principles set out in the Data Protection Act 2018.  

Legal basis for processing personal data

Girlguiding must have a legal basis to collect and use personal data. Within data protection law there are six legal bases. Girlguiding makes use of the most appropriate legal basis when processing different categories of personal data for different purposes. The Girlguiding privacy notice states what basis is used and when.

Data protection law - individual rights

Girlguiding respects the following rights you have as an individual:

  • The right of access 
  • The right of rectification
  • The right of erasure
  • The right to restrict processing
  • The right to object
  • The right of portability

For further information on your individual rights and how they are managed, contact the Data Protection team.

As Girlguiding employees and volunteers, if you process data on behalf of Girlguiding you are responsible for making sure that data security is maintained, in line with the managing information policy and any related Girlguiding procedures.

Girlguiding will ensure that appropriate technical and organisational measures are in place to safeguard against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.

Girlguiding has a duty to keep some employee, member and volunteer personal data for a period of time after they have left Girlguiding. This is mainly for legal reasons, but also for other purposes, for example so we can provide references and for historical and statistical research. Different categories of data will be kept for different periods of time.

Girlguiding will not keep personal data for longer than is necessary for the purpose it was originally collected for. This means that data will be destroyed or erased from our systems when it is no longer required.

What are Girlguiding’s responsibilities?

Girlguiding commits to:

  • Implement this Managing Information Policy and make sure it complies with data protection legislation.
  • Co-operate with the relevant regulatory bodies and name a contact point.
  • Ensure this policy is up to date.
  • Give appropriate guidance and training to Girlguiding employees and volunteers to help you to comply with this policy.
  • Make sure that personal data is destroyed safely (in line with Girlguiding’s data retention schedule).
  • Systematically identify and respond to any data protection queries which may arise. Handle all requests and complaints from data subjects relating to Girlguiding’s use of their personal data.
  • Use a risk-based approach to its processing activities. This will include the use of Data Protection Impact Assessments (DPIA) for any high-risk processing activities where necessary.
  • Maintain and be able to give the relevant regulatory bodies organisational records and evidence of the following practices:
    • Name and details of the organisation
    • Purposes of the data processing
    • Description of the categories of individuals and categories of personal data being processed
    • Categories of recipients of personal data when disclosed
    • Details of transfers to parties outside the European Union including documentation of the transfer mechanism safeguards in place 
    • Data Retention Schedule
    • Description of technical and organisational security measures

What are Girlguiding volunteer or staff responsibilities?

As a Girlguiding volunteer or employee, if you process personal data as part of your role you must:

  • Follow this policy and relevant procedures whenever personal data is being used for planning and delivering Girlguiding activities.
  • Follow Girlguiding procedures, guidance, and codes of practice about the collection and use of personal data.
  • Think about why you need to handle personal data and make sure you use as little data as you need to carry out your task.
  • Reduce as much as possible the likelihood of a breach, i.e. personal data being lost, inappropriately shared or disclosed, altered, destroyed, or published without permission, by maintaining good data handling practices with adequate control measures in place.
  • Report any data breaches to the Data Protection team immediately on discovery.
  • Establish, maintain and follow guidance around effective systems for reporting, monitoring and responding to any emergencies that could arise in relation to data protection.
  • Make sure that personal data is destroyed safely (in line with Girlguiding’s data retention schedule).
  • Inform your line manager (employee) or Commissioner (volunteers) and the data protection team at Girlguiding HQ immediately if you receive a request from a data subject for information held or used about them.

Exemptions - when does this data protection legislation not apply?

Some data is exempted from the provisions of data protection legislation. Examples include:

  • National security and the prevention or detection of crime.
  • The assessment of any tax or duty.
  • Where the processing is necessary to exercise a right or obligation conferred or imposed by law upon Girlguiding.

You can find more information on exemption here.

Support with data protection 

You can find help and support in relation to data protection from Girlguiding HQ. Contact [email protected] or [email protected].